
Security Threat Analysis and Exploration on Software Design

Cited by: 2
Abstract: In today's Internet economy, especially for enterprises in finance, telecom operators and e-commerce, software applications not only carry the core business but also generate, process and store all kinds of core sensitive enterprise information: account information, private data, business data, financial transaction records and so on. Once the security of a software application is insufficient, not only is business interrupted and reputation damaged in the short term, but information assets also flow through underground trading into the underground economy's industrial chain, so that the business continues to be affected and the enterprise faces huge financial and reputational risk. In response to this trend, most enterprises have begun implementing measures to improve application security; in practice, however, most choose to apply security testing and risk management measures in the coding, testing and release stages, while security design at the requirements and architecture stages is largely neglected, and design-level flaws are difficult to find through static or dynamic detection methods such as code audit, security scanning and penetration testing. Relevant data show that thorough analysis and design in the requirements and architecture design stages lowers cost by as much as 30 times compared with fixing vulnerabilities after deployment. It is therefore necessary to build a robust and secure system by raising the level of security design in the early stages of application development. Through a detailed analysis of design flaws in MVC-based applications, this article explores the principles behind common design vulnerabilities and the principles of secure design, providing a practical basis for the secure design of applications.
Author: He Xinfeng (何欣峰)
Source: Wireless Internet Technology (《无线互联科技》), 2015, Issue 20, pp. 55-59 (5 pages)
Keywords: architecture design; security development; MVC; information security
