
Research on Web Application Security Testing Technology Based on Code Audit (cited by: 1)

Research on Classified Protection Testing Technology for Infrastructure Software Based on Code Review
Abstract: As the country actively promotes the construction of hierarchical protection of important information systems, key business systems in various industries have met the higher-level requirements of hierarchical protection and have maintained a relatively high level of compliance. However, on related vulnerability-sharing websites, some important information systems, such as those of governments and banks, are still repeatedly reported to contain many high-risk vulnerabilities. This paper focuses on manual code review plus automatic review tools applied to website code, aiming to measure the effectiveness of manual code review of Web applications in improving their security. We borrowed multiple developers to conduct security audits on Web applications. They were required to conduct a line-by-line code review of the application and submit reports on all security vulnerabilities found, and the results were compared with automatic audit tools.
Author: 韩可 HAN Ke (Shanghai Newdon Technology Co., Ltd., Shanghai 200438)
Source: Digital Technology & Application (《数字技术与应用》), 2021, No. 5, pp. 202-205 (4 pages)
Keywords: code audit; Web application security; technical research
