.NET Web 应用程序的应用程序安全审计? [英] Application Security Audit of an .NET Web Application?
问题描述
有人对 .NET Web 应用程序的安全审计有什么建议吗?
Anyone have suggestions for security auditing of an .NET Web Application?
我对所有选项都感兴趣.我希望能够以某种不可知的方式探测我的应用程序是否存在安全风险.
I'm interested in all options. I'd like to be able to have something agnostically probe my application for security risks.
澄清一下,该系统的设计考虑了安全性.环境的设置考虑到了安全性.我想要一个独立的安全措施,除了 - '是的,它是安全的'......让某人审核 100 万行以上的代码的成本可能比开发成本更高.看起来真的没有一个很好的自动化/便宜的方法来解决这个问题.感谢您的建议.
To clarify, the system has been designed with security in mind. The environment has been setup with security in mind. I want an independent measure of security, other than - 'yeah it's secure'... The cost of having someone audit 1M+ lines of code is probably more expensive than the development. It looks like there really isn't a good automated/inexpensive approach to this yet. Thanks for your suggestions.
审计的目的是独立验证团队实施的安全性.
The point of an audit would be to independently verify the security that was implemented by the team.
顺便说一句 - 有几个自动化的黑客/探测工具来探测应用程序/网络服务器,但我有点担心它们是否是蠕虫......
BTW - there are several automated hack/probe tools to probe applications/web servers, but i'm a bit concerned about whether they are worms or not...
推荐答案
最好的做法:
- 聘请安全人员进行源代码分析
- 聘请安全人员/渗透测试公司进行黑盒分析的第二个最佳做法
以下工具将有所帮助:
- 静态分析工具 Fortify/Ounce Labs - 代码审查
- 考虑 HP WebInspects 的安全对象 (VS.NET 插件) 等解决方案
- 购买黑盒应用程序扫描器,例如 Netsparker、Appscan、WebInspect、Hailstorm、Acunetix 或 Netsparker
聘请一些安全专家是一个更好的主意(虽然会花费更多),因为他们不仅会发现自动化工具可能会发现的注入和技术问题,他们还会发现所有逻辑问题.
Hiring some security specialist is so much better idea (will cost more though) because they won't only find injection and technical issues where an automated tool might find, they will also find all logical issues as well.
这篇关于.NET Web 应用程序的应用程序安全审计?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
