
I need my code audited for security holes. My partner thinks that it would be less expensive to audit one lump JS file and no directories other than what is absolutely necessary.

I think that using Iron-Router and following a standard directory structure, even though it creates more files to look at, would be easier to audit due to the fact that everything is well organized.

The bottom line is to save money on apparently expensive auditing costs.

Any idea of the cost range for auditing an administration back-end with 25 or so 'pages' / 'routes'? Do they rather not try to hack into the server as a test, or is that different from auditing?

Thanks!

mfr
    Generally, the security holes in your application will be due to unvalidated methods and publications which can allow MongoDB injection, or if you don't authorize your method/publish requests via some form of roles. Unless you're creating server-side routes for a JSON API, iron router runs mainly on the client side and shouldn't really introduce any vulnerabilities. Also, iron router doesn't have a prescribed file structure. You can put all your routes in one file, or you can create multiple RouteControllers and spread them across your app however works for you. – sbking Dec 04 '14 at 19:53
    That said, the types of web apps most pen testing or security auditing firms work with are probably quite different from Meteor applications. I suspect that unless the firm has direct experience with Meteor, they will probably charge a lot just to learn its ins and outs. I recommend starting by creating automated tests for your authorization rules. Look up Velocity and The Meteor Testing Manual. – sbking Dec 04 '14 at 19:56
    Meteor also has a core package you can add called `audit-argument-checks`. This throws an error if any of your methods or publications fails to run `check()` against all of its arguments, giving you some basic protection against MongoDB injection vulnerabilities. The `browser-policy` package is another one you should look into. – sbking Dec 04 '14 at 20:18
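The comments above describe the two failure modes a reviewer of a Meteor admin back-end actually looks for: a method or publication argument that flows unchecked into a MongoDB selector, and a method that never asks who is calling it. The following is an added example, not code from the question or from Meteor itself. It runs in plain Node.js and uses stand-ins that I assume for illustration: a constructed in-memory collection, a tiny selector evaluator that understands only equality, `$ne` and `$gt`, a `check()` that mimics Meteor's `check(value, String)` for the one case shown, and a `requireRole()` standing in for a roles package. Meteor's real `check` package and `audit-argument-checks` are what you would use in the application; the point here is what they guard against.

```javascript
// Added example, not the original post's or Meteor's code. Simulates in plain
// Node.js the pattern described in the comments: a method argument that is used
// directly as a MongoDB selector value. Names below are assumed for illustration.

// Constructed in-memory collection standing in for Meteor.users.
const users = [
  { _id: 'u1', name: 'alice', roles: ['admin'] },
  { _id: 'u2', name: 'bob',   roles: [] },
  { _id: 'u3', name: 'carol', roles: [] },
];

// Minimal selector evaluator: equality plus the $ne and $gt operators. Real
// MongoDB does far more, but this is enough to show what an operator object
// does when it arrives where the server expected a plain string.
function matches(doc, selector) {
  return Object.entries(selector).every(([field, cond]) => {
    const v = doc[field];
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond && v === cond.$ne) return false;
      if ('$gt' in cond && !(v > cond.$gt)) return false;
      return true;
    }
    return v === cond;
  });
}

function find(selector) {
  return users.filter(d => matches(d, selector));
}

// Stand-in for Meteor's check(value, String): rejects anything that is not a
// primitive string, which is exactly what blocks {$ne: ''} style injection.
// (Assumed helper; the real one lives in Meteor's `check` package.)
function check(value, pattern) {
  if (pattern === String && typeof value !== 'string') {
    throw new Error('Match error: Expected string');
  }
}

// Stand-in for a roles-based authorization check (assumed helper).
function requireRole(callerId, role) {
  const caller = users.find(u => u._id === callerId);
  if (!caller || !caller.roles.includes(role)) {
    throw new Error('not-authorized');
  }
}

// VULNERABLE method body: no check(), no authorization. The client controls
// the selector value, so `{$ne: ''}` in place of an id matches every user.
function lookupUserVulnerable(callerId, targetId) {
  return find({ _id: targetId }).map(u => u.name);
}

// HARDENED method body: the argument is pinned to String before it touches
// the selector, and the caller must hold the admin role. With
// audit-argument-checks installed, forgetting the check() line would itself
// throw at runtime.
function lookupUserHardened(callerId, targetId) {
  check(targetId, String);
  requireRole(callerId, 'admin');
  return find({ _id: targetId }).map(u => u.name);
}

module.exports = { lookupUserVulnerable, lookupUserHardened, check, requireRole, find };
```

Run it under Node and call `lookupUserVulnerable('u2', { $ne: '' })`: bob, who has no role, gets every user name back. The hardened version rejects the same call before the selector is built, and rejects a well-formed id from a non-admin caller as well. Those two lines, `check()` on every argument and a role check on every method, are what an auditor will trace through each of your 25 routes' server-side methods and publications; whether the routes live in one file or many does not change that.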
