And it got me thinking that OpenHatch could really benefit from having someone have a decent look at how secure its code is.
So:
* Would someone on here be interested?
* If not, then how might we poll the OS community to do an audit for free as an OS contribution?
* Do we need a security code review team?
* What benefits am I talking about? Is secure data just a dream?
There's the OWASP (Open Web App Security Project) effort, which has local meet-ups. One good way to start, probably, is to see what that community can offer us.
Personally, my feeling is that security isn't about "how secure" something is, but instead what attacks it is designed to be resilient to. I think that's the first thing to define.
OWASP publishes the "Top 10" list of security problems. It would be a good start to write up how we address (or don't) those: https://www.owasp.org/index.php/Top_10_2010 (and then we can figure out what needs to change)
I have some security and cryptography background, but I'm not particularly interested in analyzing the OpenHatch site given the other things I want to be doing. I hope that we can put together the right people and efforts to make this work!
I guess, for what it's worth, I find the term "security" kind of useless, and I'm irrationally annoyed by it.
Usually, "security" is the same as "correctness". In terms of the code, that's all it is: categories of bugs we could have. On the server-side level, it's more a matter of having policies, having goals we want those policies to meet, and
One of the best ways to find out the right things to want is to start by reading the OWASP Top 10 document, and that Diaspora document, and to write up a list of what problems others have had and why we won't have them.
Paul, thanks for bringing this up. If you (or someone else) starts asking specific questions about what we do, I will do my best to point to the parts of the code that can provide answers.
Thanks paulproteus - I will take a closer look now that you've given some recommendations.
Unfortunately security isn't one of my strong points, yet.
I am hoping that because our OpenHatch Project Lead is/has "some security and cryptography background" that maybe some/most of the code review and consequently the current code will already be pretty tight.