Parse Security - How to improve default security?

The ambivalence of Parse Server should not solely fall on the developer, but is also for us maintainers to be considered. Historically, hosted Parse.com intended to be easily accessible for beginning developers, but the industry’s security landscape has changed over the years and especially the open-sourcing of Parse Server puts additional challenges to developers in terms of security considerations when self-hosting. If we want to be an open community - also for beginning developers, we should not a priori assume a lack of knowledge to be rooted in “laziness”.

We can expect Parse Server to continue to attract developers who may be overwhelmed with the scope of security considerations. But even for non-beginning developers who are new to the product, the security specifics require considerable research effort. In some cases it may not even be documented, as in the case of file uploads, I believe.

I support @davimacedo’s suggestions, all 3 are valid points and seem to be an adequate response to the criticism raised by the video author. Especially a new security section in the Parse Dashboard would be a significant step to help developers identify vulnerabilities more easily and secure their Parse Server instances.

Finally I should say that I am more surprised about the emotional reactions in this thread than about the video itself. Open source implies transparency and open discussion. I believe our community is mature enough to properly handle critical comments, even if some may consider the narrative objectionable. The web is full of narratives and the sensical approach can only be to extract the facts from emotions and discuss which action to take. At best - as in this case - we can derive action points to improve the product and shine as a community that embraces and acts on criticism.

4 Likes