Looking for security / performance experts
#5

(This post was last modified: 11-28-2016, 05:38 PM by PaulD.)

:-)

Ok, I see your point. Fair enough. You want exact and authoritative answers to difficult security questions applicable to your situation and your app.

The only suggestion I would make is to build your app as best you can. Filter input, sanitize output, use a trusted auth library, use CI CSRF protection, do not trust any data, clean it and validate it in your models, your controllers and your views, use SSL, adopt all the best practices you can apply. Your app will be pretty tight and secure at that point. Be vigilant but don't over-obsess about it (depending of course on the nature of your app). Have a database backup in place and keep backups of your code, and when your app starts to deliver either a user base or some financial return, you could then pay for a security overhaul, a test if you like, to see what holes, if any, you have left, or missed, or overlooked.

You can start with very cheap automated test suites, or offer a fixed sum on PeoplePerHour or similar freelance websites, choosing your employee carefully from previous references and specialisms etc. You can then start to mature your security as your income or user base increases.

For me, and admittedly there is a lot of bad advice on the internet, it is about trust in the source of information, and the date of the information. Clearly articles that are two years old can be out of date. A Bob Smith blog might not carry as much weight as an online journal dedicated to security issues etc.

As for global xss_clean, it is a resource-intensive process that makes no sense to run on every piece of output. For instance, your output might just be a view you have loaded as a string for some reason and coded with no user-generated content; why xss_clean that? However, there is a great answer on special chars and entities here: http://stackoverflow.com/questions/46483...ecialchars. Which you use depends on the nature of your data at that time.

But, I understand your comment, and yes we would all like specialist individual input. But unfortunately it does come down to capital investment when going beyond your own abilities. The sums you talk about will not get that unfortunately. So as long as you do the best you can with security, following all the easily accessible advice on securing your app, and not doing anything daft, that probably would be enough in most cases. If you are developing an online currency, then unfortunately your budget will never allow you to achieve the level of security you would need to have any chance of success. That is just the world as it is, and we have to lump it, even if we do not like it.

The other alternative is to open source your app and allow the community to use it, fork it, develop it and mature it over time. Not a guaranteed passport to success, but one route certainly. Another is to crowdsource your idea to raise the funds to pay for the level of security you are seeking. But remember, even the US Navy gets hacked sometimes. Any project with any prominence is always going to become a target, and virtually every web app has a weakness of one sort or another.

Best wishes,

Paul.

PS Many people have spent their entire lives dedicated to security issues. They will still argue and debate over best practices and approaches. That is unfortunately the nature of the beast. A continually changing ocean of ideas, opinions, attacks and weaknesses. The only thing you can do is be aware, try your best, be informed and repair and improve as you go. Good luck with your app BTW.
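The point Paul makes about xss_clean versus htmlspecialchars is that output encoding should be chosen per output context rather than applied as one global filter. The following is an added example in plain PHP, not code from the post or from CodeIgniter; the helper names esc_html(), esc_attr() and esc_js() are hypothetical, and the $comment value is a constructed sample of user-submitted text.

```php
<?php
// Added example (not from the forum post): context-aware output escaping in plain PHP.
// Assumption: $comment is a string that arrived from a user (form field, database row)
// and is about to be rendered in a view. The helper names below are hypothetical.
declare(strict_types=1);

// Constructed sample input of the kind a comment field might receive.
$comment = '<b>Hello</b> "there" & welcome';

// HTML body context: encode <, >, &, " and '. ENT_QUOTES covers both quote styles,
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty string,
// and the explicit charset avoids mis-decoding multi-byte input.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Attribute context: the same encoding is sufficient, provided the template always
// wraps the attribute value in quotes; an unquoted attribute is not protected by this.
function esc_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Script context: htmlspecialchars is the wrong tool here. JSON-encode the value with
// the JSON_HEX_* flags so that <, >, &, and both quote characters are emitted as \uXXXX
// escapes and the string can never terminate the enclosing <script> element.
function esc_js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Rendering: each output point selects the encoder for its own context. Nothing is run
// over the whole response; only data that came from outside the application is encoded,
// which is cheaper than a global filter and does not touch trusted template markup.
echo '<p>' . esc_html($comment) . "</p>\n";
echo '<input type="text" value="' . esc_attr($comment) . "\">\n";
echo '<script>var comment = ' . esc_js($comment) . ";</script>\n";
```

The design choice is to treat encoding as a property of the output location, not of the data: the same $comment string is encoded three different ways because the browser parses each location with a different grammar. Data that is stored unmodified and encoded on the way out can be re-used safely in a new context later, which is not true of data that was "cleaned" once on input.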

