lpoulain wrote:
The (oversimplified) basics of security are pretty simple - no input shall be trusted and should always be sanitized.
But you should understand why it is required to sanitize everything. And understanding can tell you that sanitizing alone is not secure. For example - internet access is performed using untrusted intermediaries, so what can you sanitize when somebody just copies your data on the fly?
Security is about data access constraints. And you can prevent just some types of data access by sanitizing everything. First - you should plan what you want to hide and why. Next you can decide on the method. If you want to hide your site administrator console then maybe it's enough just not to tell everybody the exact path part of the site's URL where the console is available. But if you think somebody can intercept your packets and find the path then it's better to encrypt the console access. The next question is what algorithm to select for the encryption. Here you should understand the weaknesses of the algorithms you are going to select from. And one problem (among many, of course) is to prevent somebody else from using your secure connection instead of you. That's why you should sanitize the input of your site's administrator console. But without things to hide, the hiding method, interaction media, encryption and many other parts, the sanitizing is just useless.
lpoulain wrote:
Applying them in practice is as hard as writing an OS without bugs. Even professionals like the guys who wrote OpenSSL created a huge vulnerability with Heartbleed.
It's about the "why" part of the equation. Why should many beginners be bothered with security?
lpoulain wrote:
Also, I'd be curious to know the level of interest in security on this site.
The OSes here are mostly for learning, so security can also be viewed as a part of the learning process. Just like in your case:
lpoulain wrote:
I implemented TLS in my OS to understand how TLS works and to be able to access HTTPS-only websites, more than for security.