Ask HN: What's the hardest thing to secure in a web-app?
"OWASP Top 10 Most Critical Web Application Security Risks" https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...
> A1:2017-Injection, A2:2017-Broken Authentication, A3:2017-Sensitive Data Exposure, A4:2017-XML External Entities (XXE), A5:2017-Broken Access Control, A6:2017-Security Misconfiguration, A7:2017-Cross-Site Scripting (XSS), A8:2017-Insecure Deserialization, A9:2017-Using Components with Known Vulnerabilities, A10:2017-Insufficient Logging&Monitoring
"OWASP Top 10 compared to SANS CWE 25" https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-s...
Robust confidentiality against traffic analysis is one.
Can you explain what you mean by "confidentiality against traffic analysis"?
TA is a term of art in crypto. It means you can deduce what the parties are communicating and who they are by statistically analysing the sizes, timings and addresses of messages. In practice, it's easy for an eavesdropper to see you are using Gmail, and also possible to deduce whether your email content matches some known messages the eavesdropper possibly has seen before. Etc. One widely known tech that tries to mitigate TA is Tor.
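A worked illustration of the size-matching attack this comment describes, together with padding as the mitigation. This is an added example, not code from the thread; the "known messages" and bucket sizes are constructed, and encryption is modelled as length-preserving since only sizes matter for the analysis.

```python
# Added example (not from the thread): how message sizes alone let an
# observer match encrypted traffic to previously seen plaintexts, and how
# padding to fixed-size buckets blunts that. Encryption is modelled as
# length-preserving (e.g. a stream cipher or AES-GCM, whose tag overhead
# is constant and cancels out of the comparison).
import math
from collections import defaultdict

# Constructed corpus of messages an eavesdropper has seen before.
KNOWN_MESSAGES = {
    "password_reset": b"Your password reset link: https://example.invalid/reset?token=abcdef",
    "invoice": b"Invoice #1042 attached. Total due: 1,250.00 USD. Payment due in 30 days.",
    "meeting": b"Meeting moved to 3pm.",
    "otp": b"Your one-time code is 123456.",
}

def ciphertext_length(plaintext: bytes, pad_to: int = 1) -> int:
    """Size on the wire after padding the plaintext up to a multiple of
    `pad_to` bytes. pad_to=1 means no padding at all."""
    if pad_to < 1:
        raise ValueError("pad_to must be >= 1")
    return math.ceil(len(plaintext) / pad_to) * pad_to

def candidates(observed_len: int, pad_to: int = 1) -> set[str]:
    """Known messages consistent with an observed wire size: this is the
    eavesdropper's inference step."""
    return {name for name, msg in KNOWN_MESSAGES.items()
            if ciphertext_length(msg, pad_to) == observed_len}

def anonymity_set_sizes(pad_to: int = 1) -> dict[str, int]:
    """For each known message, how many known messages share its wire size.
    A value of 1 means size alone identifies the message."""
    by_len: dict[int, set[str]] = defaultdict(set)
    for name, msg in KNOWN_MESSAGES.items():
        by_len[ciphertext_length(msg, pad_to)].add(name)
    return {name: len(by_len[ciphertext_length(msg, pad_to)])
            for name, msg in KNOWN_MESSAGES.items()}

if __name__ == "__main__":
    # Unpadded: every message is uniquely identifiable from its size.
    # Padding to 64-byte buckets pairs them up; 256 bytes hides all four.
    for pad in (1, 64, 256):
        print(f"pad_to={pad}: {anonymity_set_sizes(pad)}")
```

Timing and addressing leak in the same way; padding only closes the size channel, which is why tools like Tor also reshape traffic into fixed cells.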
Do you mean like credit card number?
Could be. What do we need to ensure credit card number security for example?
Not asking for one is by far the best way.
If you absolutely need to do credit card payments, then consider using a third party system to handle it (like Stripe).