每个程序员都应该了解哪些安全方面的知识? [英] What should every programmer know about security?
问题描述
我是一名 IT 学生,现在在读大学三年级.到目前为止,我们一直在研究与计算机相关的许多学科(编程、算法、计算机体系结构、数学等).
I am an IT student and I am now in the 3rd year in university. Until now we've been studing a lot of subjects related to computers in general (programming, algorithms, computer architecture, maths, etc).
我非常确定没有人可以了解有关安全的所有知识,但确定每个程序员或 IT 学生都应该了解它的最低"知识,我的问题是这个最低知识是什么?
I am very sure that nobody can learn every thing about security but sure there is a "minimum" knowledge every programmer or IT student should know about it and my question is what is this minimum knowledge?
您能否推荐一些电子书或课程或任何有助于开始这条道路的东西?
Can you suggest some e-books or courses or anything can help to start with this road?
推荐答案
如果您希望应用程序安全,请记住以下原则:
Principles to keep in mind if you want your applications to be secure:
- 永远不要相信任何输入!
- 验证来自所有不受信任来源的输入 - 使用白名单而不是黑名单
- 从一开始就为安全做好计划 - 这不是您可以在最后完成的事情
- 保持简单 - 复杂性会增加出现安全漏洞的可能性
- 尽量减少攻击面
- 确保您安全失败
- 使用深度防御立>
- 坚持最低权限原则
- 使用威胁建模
- 分区化 - 所以你的系统不是全有或全无
- 隐藏秘密很难 - 隐藏在代码中的秘密不会长期保密
- 不要编写自己的加密货币
- 使用加密并不意味着您是安全的(攻击者会寻找较弱的链接)
- 注意缓冲区溢出以及如何防止它们
- Never trust any input!
- Validate input from all untrusted sources - use whitelists not blacklists
- Plan for security from the start - it's not something you can bolt on at the end
- Keep it simple - complexity increases the likelihood of security holes
- Keep your attack surface to a minimum
- Make sure you fail securely
- Use defence in depth
- Adhere to the principle of least privilege
- Use threat modelling
- Compartmentalize - so your system is not all or nothing
- Hiding secrets is hard - and secrets hidden in code won't stay secret for long
- Don't write your own crypto
- Using crypto doesn't mean you're secure (attackers will look for a weaker link)
- Be aware of buffer overflows and how to protect against them
网上有一些关于确保应用程序安全的优秀书籍和文章:
There are some excellent books and articles online about making your applications secure:
- 编写安全代码第二版 - 我认为每个程序员都应该阅读这个
- 构建安全软件:如何以正确的方式避免安全问题
- 安全编程手册
- 利用软件
- 安全工程 - 优秀读物
- Linux 和 Unix 安全编程 HOWTO
- Writing Secure Code 2nd Edition - I think every programmer should read this
- Building Secure Software: How to Avoid Security Problems the Right Way
- Secure Programming Cookbook
- Exploiting Software
- Security Engineering - an excellent read
- Secure Programming for Linux and Unix HOWTO
就应用安全最佳实践对您的开发人员进行培训
Codebashing(付费)
安全创新(付费)
安全指南针(付费)
OWASP WebGoat(免费)
这篇关于每个程序员都应该了解哪些安全方面的知识?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!