Abstract
The education platform of the Chinese Academy of Sciences aims to provide information-technology support for cultivating high-level scientific research talent. Its web application system is large in scale, highly interactive and tightly coupled, and therefore faces many potential security risks. In this paper we design a security enhancement method targeted at this web application system. Implementing the method uncovered and fixed 128 web security vulnerabilities; after secure-coding training, the combined count of the two principal vulnerability classes, SQL injection and XSS, fell by 55.10%. The security of the web application system was thereby significantly strengthened.
Source
《科研信息化技术与应用》 (E-science Technology & Application), 2011, No. 2, pp. 53-62 (10 pages)
Funding
Supported by the Chinese Academy of Sciences "Eleventh Five-Year Plan" informatization construction special project INFO-115-F01
Keywords
Education informatization
Education platform
Security enhancement
Security risk