Secure Coding for Beginners


Secure coding is the practice of writing software so that it resists attack and avoids the known classes of vulnerabilities. Insecure code is exposed to malicious attacks whose consequences can be severe: loss of service, loss of sensitive data, damage to the systems of thousands of users, or worse.

OWASP (the Open Web Application Security Project) documents the Top 10 most critical security risks to web applications, among them Injection, Cross-Site Scripting and Using Components with Known Vulnerabilities. Being aware of these risks is an effective first step towards secure coding, along with the best practices below.

Secure coding should not be an afterthought

Thinking about security while planning an application saves a great deal of time and trouble in the long run. If security is not built in from the start of development, an insecure web application may need extensive redesign before it can be made secure.

Think about the motives of an attacker

Think about what you are building and put yourself in the mindset of a malicious attacker. Consider the many hypothetical motives they might have for attacking the application: are they looking to steal money, information, or identities? Are they after corporate secrets, or simply out to demonstrate their hacking skills? Identifying the motives behind possible attacks helps you anticipate which assets are worth protecting and which vulnerabilities need to be addressed first.

Don't trust the user

Users are the main reason we build applications, but we should also be aware that they have the power to break and attack an application. Four of the OWASP Top 10 risks (Injection, XML External Entities, Cross-Site Scripting and Insecure Deserialization) stem from trusting user input too much. A user can supply input that the application ends up treating as code, causing it to run whatever the attacker wants, which can end with the attacker's malware installed on the server. Safeguard against this by validating every piece of data a user submits, accepting only the safe, expected form of input and rejecting anything else. Validation is necessary but not sufficient on its own: wherever user data meets an interpreter (a SQL query, a shell command, an HTML page), keep data and code separate, for example with parameterised queries and context-aware output encoding.
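The following is an added example, not code from the original article, showing the injection risk described above in the smallest realistic setting: a user lookup against an in-memory SQLite table (the table and its two rows are constructed for this illustration). It places the string-concatenated query beside its parameterised form and adds an allow-list validator for the username, so you can see each defence doing its job against the classic `' OR '1'='1` payload. The username format (`USERNAME_RE`) is an assumption chosen for the example.

```python
import re
import sqlite3

# Constructed sample data for this example; not a real user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Classic injection payload: closes the quoted string and adds an always-true clause.
INJECTION = "' OR '1'='1"

# Allow-list for usernames (assumed policy): lowercase letter, then 2-31 of [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the user's text is pasted into the SQL statement itself,
    so a quote in the input changes the structure of the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised: the value travels separately from the statement and is
    only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(value: str) -> bool:
    """Allow-list validation: accept only the shape we expect, reject everything else."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: validate the input first, then use the parameterised query."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", lookup_vulnerable(conn, INJECTION))  # every row leaks
    print("safe:      ", lookup_safe(conn, INJECTION))        # [] (no such user)
    try:
        lookup_validated(conn, INJECTION)
    except ValueError as err:
        print("validated: rejected,", err)
```

Note that the concatenated query is not only exploitable but also fragile: a perfectly legitimate value such as `o'brien` makes `lookup_vulnerable` raise `sqlite3.OperationalError`, while `lookup_safe` simply returns no rows. The validator is a second layer, not a replacement for parameterisation; it exists to reject input that should never reach the database at all.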

Cryptography, done well, is your friend

Cryptography protects the data a web application stores and transmits. Done poorly, it gives only a false sense of security: home-grown ciphers, obsolete algorithms, hard-coded keys and unsalted password hashes are all routinely broken by attackers who then walk straight to your data. Done well, it is one of the strongest protections you can give stored data. Follow established cryptography best practices: use well-known, vetted algorithms and libraries rather than inventing your own, encrypt data both at rest and in transit, and keep the keys out of the code.
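Password storage is the first place most applications keep a secret, so it makes a concrete illustration of the "done poorly" versus "done well" contrast above. The following is an added example, not code from the original article, using only Python's standard library. The storage format (`pbkdf2_sha256$iterations$salt$hash`) and the default iteration count are assumptions chosen for the example; the count follows the commonly cited OWASP figure for PBKDF2-HMAC-SHA256 and should be tuned to your hardware.

```python
import base64
import hashlib
import hmac
import os

# Assumed default work factor (OWASP's published PBKDF2-HMAC-SHA256 guidance); tune per deployment.
ITERATIONS = 600_000


def hash_password_weak(password: str) -> str:
    """Done poorly: a fast, unsalted hash. Every user with the same password
    gets the same digest, and precomputed tables recover common passwords instantly."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Done well: a random per-user salt and a deliberately slow key-derivation
    function, stored together with the parameters needed to verify later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare in
    constant time, so a mismatch leaks nothing about how many bytes matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed demo credentials; not real passwords.
    print("weak, twice  :", hash_password_weak("hunter2") == hash_password_weak("hunter2"))  # True
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("strong, twice:", record_a == record_b)                                            # False
    print("verify ok    :", verify_password("correct horse battery staple", record_a))       # True
    print("verify wrong :", verify_password("Tr0ub4dor&3", record_a))                       # False
```

Two things to notice: the weak form produces identical output for identical passwords, which is exactly what an attacker with a stolen table exploits, while the strong form produces a different record every time yet still verifies. The same principle applies to encrypting data at rest: use a vetted construction from a maintained library (for example AES-GCM or a password hash such as Argon2 or bcrypt from a dedicated package) rather than assembling primitives by hand.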

Understand that every web application is at risk

Attackers are constantly hunting for new vulnerabilities and writing code to exploit them. Invest time in understanding the vulnerabilities your web application is exposed to and in protecting against them, and stay alert.

Translated from: https://medium.com/swlh/secure-coding-for-beginners-adf673806e65
