Abstract: Cybersecurity is a global goal that is central to national security planning in many countries. One of the most active research fields is the design of practices for developing highly secure software as a means of protecting against, and reducing the risk from, cyber threats. Deploying a secure software product in a real environment reduces the vulnerability of the system as a whole, so it is logical to look for the best way of integrating secure coding into the classic SDLC (software development life cycle). This paper suggests practices and tips that should be followed for secure coding in order to avoid the cost and time overruns caused by late identification of security issues. It presents the implementation of secure coding practices in software development and showcases several real-world scenarios from different phases of the SDLC, together with mitigation strategies. The paper covers techniques for SQL injection mitigation, authentication management for staging environments, and access control verification using JSON Web Tokens.
Abstract: Web applications are usually deployed to provide services to the outside world; because they are open by nature they have gradually become a major target of network attacks, and vulnerability exploitation is the main technical route to attacking them. Broken access control (越权, i.e. acting beyond one's granted authority, whether horizontally on another user's data or vertically on a higher privilege level) is a common high-risk vulnerability that the Open Web Application Security Project (OWASP) lists among the ten most critical Web application security risks. Drawing on the access-control-related Common Vulnerabilities and Exposures (CVE) entries disclosed in recent years, the paper analyses the causes of Web access control vulnerabilities and the common attack methods, and proposes defences against such attacks.
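The two abstracts above meet at the same point: the first names SQL injection mitigation and access control verification with JSON Web Tokens, the second asks for defences against 越权 (broken access control). The following is an added example, not code from either paper. The `app_users` table, the `role` claim, the signing key and the sample rows are all constructed for the demonstration. It puts a string-concatenated query beside its parameterized form, then verifies an HS256 JWT with the algorithm pinned and uses its claims to enforce both object-level (horizontal) and function-level (vertical) authorization, which is where 越权 bugs live.

```python
# Added example (not from either paper). Hypothetical table, roles and
# signing key; all sample data is constructed for the demo.
import base64
import hashlib
import hmac
import json
import sqlite3
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # hypothetical HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 JWT (used here only to build tokens for the demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Check structure, pinned algorithm, signature and expiry; ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Never let the token choose the algorithm ("alg":"none" / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE app_users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO app_users VALUES (?, ?, ?)",
                    [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> list:
    """'Before': concatenation lets the caller rewrite the WHERE clause."""
    return con.execute(f"SELECT id, name FROM app_users WHERE id = '{user_id}'").fetchall()


def lookup_safe(con: sqlite3.Connection, user_id: str) -> list:
    """'After': parameter binding; the input is data, never SQL."""
    return con.execute("SELECT id, name FROM app_users WHERE id = ?", (user_id,)).fetchall()


def get_profile(con, token: str, target_id: int, now=None) -> list:
    """Object-level check: a user reads only their own row unless admin."""
    claims = verify_jwt(token, now=now)
    if claims["sub"] != target_id and claims.get("role") != "admin":
        raise PermissionError("horizontal privilege escalation blocked")
    return lookup_safe(con, str(target_id))


def admin_list(con, token: str, now=None) -> list:
    """Function-level check: non-admin tokens cannot reach the admin endpoint."""
    claims = verify_jwt(token, now=now)
    if claims.get("role") != "admin":
        raise PermissionError("vertical privilege escalation blocked")
    return con.execute("SELECT id, name FROM app_users ORDER BY id").fetchall()


def demo() -> dict:
    """Run the injection and access-control cases; results keyed by scenario."""
    con = make_db()
    now = 1_700_000_000
    alice = sign_jwt({"sub": 1, "role": "user", "exp": now + 3600})
    root = sign_jwt({"sub": 9, "role": "admin", "exp": now + 3600})
    forged = sign_jwt({"sub": 1, "role": "admin", "exp": now + 3600}, key=b"wrong")
    out = {
        "injected_vulnerable": lookup_vulnerable(con, "1' OR '1'='1"),
        "injected_safe": lookup_safe(con, "1' OR '1'='1"),
        "own_profile": get_profile(con, alice, 1, now),
        "admin_profile": get_profile(con, root, 2, now),
    }
    for name, fn in (("other_profile", lambda: get_profile(con, alice, 2, now)),
                     ("admin_list_as_user", lambda: admin_list(con, alice, now)),
                     ("forged_token", lambda: get_profile(con, forged, 2, now))):
        try:
            fn()
            out[name] = "allowed"
        except (PermissionError, ValueError) as e:
            out[name] = f"denied: {e}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The injected input returns both rows through the concatenated query and nothing through the bound one. On the authorization side, note the order: signature and expiry are validated before any claim is read, and the `sub`/`role` comparison happens on the server's own record of the target, so neither a replayed token for another user nor a token re-signed under a different key can widen access.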