Hey Tony! If Lightning has an OWASP Top Ten, what would be at the top of the list?
Good question, For one, I think ensuring some of the existing CVE's are not possible, which is mostly solved by having your node up to date. Cryptographic randomness when creating preimages is another requirement, there's been some improper preimages generated before flowing across the network. Also, auth access is important.
Those are a few things that come to mind about operationally deploying a node implementation and doing development on it. Things that an end developer can simply do. For the most part there's not been too much non-standard things I have had to do when deploying and using nodes. There's some somewhat advanced things like denying channel open requests to peers you don't know and I'm sure a few other config options that I haven't looked too much into.
And then there's things that are still outstanding on the protocol side that are the real concerns. Channel Jamming being a major DoS concern. Balance probing is another concern that people don't seem to care enough about. On <0.15 LND nodes, DB bloat is also a DoS concern. Seems to be fixed now. I'm sure there's other DoS concerns that have not been thoroughly stress tested before either, I hope to be able to explore this more in the near future.
reply