IOS安全编码指南 Secure Coding Guide -- 01 Introduction 上

IOS安全编码指南 Secure Coding Guide -- 01 Introduction 上

Introduction to Secure Coding Guide

    Secure coding is the practice of writing programs that are resistant to attack by malicious or mischievous people or programs. Secure coding helps protect a user’s data from theft or corruption. In addition(此外), an insecure program can provide access for an attacker to take control of a server(n 侍者、服务器) or a user’s computer, resulting in anything from a denial of service(|ˈsɜːvɪs|) to a single user to the compromise of secrets, loss of service, or damage to the systems of thousands of users.

        secure |sɪˈkjʊə(r)| adj 牢固的

        practice |ˈpræktɪs| noun 实践、练习、习惯

        resistant |rɪˈzɪstənt| adj 抵抗…的

        malicious |məˈlɪʃəs| adj 怀有恶意的

        mischievous |ˈmɪstʃɪvəs| adj 淘气的、恶意的

        theft |θeft| noun 偷窃；thief |θiːf| n 小偷

        corruption |kəˈrʌpʃn| n 腐化堕落、贪污贿赂、出错

        denial |dɪˈnaɪəl| n 拒绝、否认

        compromise |ˈkɒmprəmaɪz| n 妥协 v 妥协、危及

    Secure coding is important for all software; if you write any code that runs on Macintosh computers or on iOS devices, from scripts for your own use to commercial software applications, you should be familiar with the information in this document.

        commercial |kəˈmɜːʃl| adj 商业的

At a Glance

        glance |glɑːns, American glæns| noun 一瞥 yīpiē、匆匆看一眼

    Every program is a potential target. Attackers will try to find security vulnerabilities in your applications or servers. They will then try to use these vulnerabilities to steal(|stiːl|) secrets, corrupt programs and data, and gain control of computer systems and networks. Your customers’ property and your reputation are at stake.

        potential |pəˈtenʃl| adj 潜在的、可能的 noun Uncountable 潜力

        attacker |əˈtækə(r)| noun 袭击者

        vulnerability |ˌvʌlnərəˈbɪləti| noun 漏洞、脆弱点

        security |sɪˈkjʊərəti| noun 安全

        corrupt |kəˈrʌpt| adj 堕落的，道德败坏的;  贪污的，腐败的;  腐烂的;  （文献等）错误百出的 vt 使腐败;  使堕落;  使腐烂

          gain |geɪn| v 获得;  赢得;  增加;  （钟、表）走快

          property |ˈprɒpəti| noun 财产、特性

          reputation |ˌrepjʊˈteɪʃn| noun 名声

          stake |steɪk| noun 桩、标桩、火刑柱、赌注、股本

    Security is not something that can be added to software as an afterthought; just as a shed made out of cardboard cannot be made secure by adding a padlock to the door, an insecure tool or application may require extensive redesign to secure it. You must identify the nature(本质、本性、自然界) of the threats to your software and incorporate secure coding practices(实践、练习) throughout(遍及、贯穿) the planning and development of your product. This chapter explains the types of threats that your software may face. Other chapters in this document describe specific types of vulnerabilities and give guidance on code hardening techniques to fix them.

          afterthought noun 事后想法、事后添加的东西

          shed  |ʃed| noun 储物棚、牲口棚

          cardboard |ˈkɑːdbɔːd| noun 硬纸板

          padlock |ˈpædlɒk| noun 挂锁

          identify |aɪˈdentɪfaɪ| verb 辨认、认出 

          identity card noun 身份证

          threat |θret| noun 恐吓、威胁

          incorporate |ɪnˈkɔːpəreɪt| verb 纳入、收录、合并

          harden |ˈhɑːdn| verb 使…变硬、使…更严肃、使变强壮

          technique |tekˈniːk| noun 方法、技术、技巧

Hackers, Crackers, and Attackers

        hacker |ˈhækə(r)| noun 黑客、劈砍者、劈砍工具

        cracker |ˈkrækə(r)| noun 薄脆饼干、爆竹 

    Contrary to the usage by most news media, within the computer industry the term hacker refers to an expert programmer—one who enjoys learning about the intricacies of code or an operating system. In general, hackers are not malicious. When most hackers find security vulnerabilities in code, they inform the company or organization that’s responsible for the code so that they can fix the problem. Some hackers—especially if they feel their warnings are being ignored—publish the vulnerabilities or even devise and publish exploits (code that takes advantage of(利用) the vulnerability).

        contrary  |ˈkɒntrəri, American also -treri| adj 相反的、逆向的 

        usage |ˈjuːsɪdʒ,ˈjuːzɪdʒ| noun 习俗、[词语的] 用法 

        term |tɜːm| noun 任期、学期、术语

        intricacy |ˈɪntrɪkəsi| nounUncountable 错综复杂、错综复杂的事物、纷繁难懂的细节

        inform |ɪnˈfɔːm| verb 通知

        responsible |rɪˈspɒnsəbl| adj 负有责任的

        especially |ɪˈspeʃəli| adverb 尤其、十分

        devise |dɪˈvaɪz| verb 设计 shèjì ‹plan, style›(invent)发明

        exploit noun 英雄业绩

        exploit 英 [ɪkˈsplɔɪt]  美 [ɪkˈsplɔɪt]  vt. 开拓;  剥削;  开采;  利用（…为自己谋利） n. 功绩;  功劳;  勋绩

        advantage |ədˈvɑːntɪdʒ, American -ˈvæn-| noun 有利条件

    The malicious individuals who break into programs and systems in order to do damage or to steal something are referred to as crackers, attackers, or black hats. Most attackers are not highly skilled, but take advantage of published exploit code and known techniques to do their damage. People (usually, though not always, young men) who use published code (scripts) to attack software and computer systems are sometimes called script kiddies(脚本小子).

        individual |ˌɪndɪˈvɪdʒʊəl| adj 单独的、个人的 noun 个人 、一类人

        skilled |skɪld| adj 熟练的、老练的、技术性的

        kiddie, kiddy |ˈkɪdi| noun 小家伙

    Attackers may be motivated by a desire to steal money, identities, and other secrets for personal gain; corporate secrets for their employer’s or their own use(为他们的雇主或他们自己所用); or state secrets(国家机密) for use by hostile governments or terrorist organizations. Some crackers break into applications or operating systems just to show that they can do it; nevertheless, they can cause considerable damage. Because attacks can be automated and replicated, any weakness, no matter how slight, can be exploited.

        motivate |ˈməʊtɪveɪt| v 促动、调动…的积极性

        corporate |ˈkɔːpərət| adjective 全体的、共同的、公司的、联合的

        hostile |ˈhɒstaɪl, American ˈhɒstl| adjective 不友善的、有敌意的

        terrorist |ˈterərɪst| noun 恐怖分子

        nevertheless |ˌnevəðəˈles| adverb 尽管如此

        considerable |kənˈsɪdərəbl|adj 相当大的

        automate |ˈɔːtəmeɪt| verb 使自动化 

        replicate |ˈreplɪkeɪt| verb 复制、重复获得、使自我复制

        weakness |ˈwiːknɪs| noun 虚弱、弱、不牢靠

        slight |slaɪt| adjective 小的

        exploited v. 剥削;  开采( exploit的过去式和过去分词 );  利用（…为自己谋利）;  运用

    The large number of insiders who are attacking systems is of importance to security design because, whereas malicious hackers and script kiddies are most likely to rely on remote access to computers to do their dirty work, insiders might have physical access to the computer being attacked. Your software must be resistant to both attacks over a network and attacks by people sitting at the computer keyboard—you cannot rely on firewalls and server passwords to protect you.

        insider |ɪnˈsaɪdə(r)| noun 圈内人、知情者 

        importance |ɪmˈpɔːtns| noun Uncountable 重要性 

        whereas |ˌweərˈæz, American ˌhweər-| conjunction 然而、鉴于

        rely |rɪˈlaɪ| verb 依靠、信赖

        remote |rɪˈməʊt| adj 遥远的、偏远的、关系远的、细微的、冷傲的 noun 遥控器