Which is better, white list or black list security, or both?


Question

I am going to be building a web app soon where I will need to have a security model such that different users have access to different parts of the application and/or different sets of data within those specific parts of the app. I am debating between the following two methods of implementing security:

White List: By default users have access to nothing and are granted access to the things they need.

Black List: By default users have access to everything and their access is removed from the things that they do not need.

Is there a best-practice on which method is preferred? If there is another method that would better address this problem that would be interesting to know as well.

Thanks.

Recommended answer

From the classic paper "The Protection of Information in Computer Systems" (Saltzer & Schroeder 1975), which describes eight important design principles, one of which is:

Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965,[8] means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. In a large system some objects will be inadequately considered, so a default of lack of permission is safer. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation.
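
The two failure modes the quoted principle describes, as an added example that is not part of the original answer or the paper. It models a white list and a black list policy, then adds a resource that nobody updated either policy for (the "inadequately considered" object). The role names, resource names and the `audit` helper are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AllowListPolicy:
    """White list: access is refused unless an explicit grant exists."""
    grants: set = field(default_factory=set)      # {(role, resource)}
    def is_allowed(self, role, resource):
        return (role, resource) in self.grants

@dataclass
class DenyListPolicy:
    """Black list: access is permitted unless an explicit exclusion exists."""
    exclusions: set = field(default_factory=set)  # {(role, resource)}
    def is_allowed(self, role, resource):
        return (role, resource) not in self.exclusions

def audit(policy, roles, resources, intended):
    """Compare policy decisions with the intended access matrix.
    Returns (fail_open, fail_closed): pairs wrongly allowed / wrongly denied."""
    fail_open, fail_closed = [], []
    for role in roles:
        for res in resources:
            want = (role, res) in intended
            got = policy.is_allowed(role, res)
            if got and not want:
                fail_open.append((role, res))
            elif want and not got:
                fail_closed.append((role, res))
    return fail_open, fail_closed

# Constructed sample data: both policies start out matching the intent.
ROLES = ["clerk", "manager"]
RESOURCES = ["orders", "reports"]
INTENDED = {("clerk", "orders"), ("manager", "orders"), ("manager", "reports")}
allow_policy = AllowListPolicy(set(INTENDED))
deny_policy = DenyListPolicy({("clerk", "reports")})

# A new resource ships; only managers should see it, but neither policy
# was updated. This is the design mistake under comparison.
RESOURCES_V2 = RESOURCES + ["payroll"]
INTENDED_V2 = INTENDED | {("manager", "payroll")}

def compare_after_new_resource():
    return {
        "allow_list": audit(allow_policy, ROLES, RESOURCES_V2, INTENDED_V2),
        "deny_list": audit(deny_policy, ROLES, RESOURCES_V2, INTENDED_V2),
    }

if __name__ == "__main__":
    for name, (opened, closed) in compare_after_new_resource().items():
        print(f"{name}: wrongly allowed={opened} wrongly denied={closed}")
```

The white list mistake shows up as a manager being refused, which gets reported and fixed; the black list mistake gives clerks access to payroll, and nothing in normal use flags it.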
