精通网络安全的步骤 [英] Steps to become web security savvy

问题描述

我已经用 C++、Matlab 和类似的语言进行编码，用于科学目的已经有一段时间了，但我最近想进入网络编程.我自学了 HTML 和 CSS，并涉足了 Javascript、PHP 和 mySQL.我真的很想开始制作更高级的、用户驱动的网站(如果有道理的话——最终网站类似于 twittera> 和 facebook 功能)，但我担心我对互联网安全和漏洞，以确保我做出的编程决策是安全的.

I've been coding in C++, Matlab, and similar languages for scientific purposes for quite some time now, but I recently wanted to get into web programming. I've taught myself HTML and CSS and I've dabbled in Javascript, PHP, and mySQL. I would really like to start making more advanced, user-driven websites (if that makes sense - ultimately sites similar to twitter and facebook in functionality), but I am worried that I don't know enough about internet security and vulnerabilities to make sure that the programming decisions I make are secure/safe.

您有什么建议或信息可以提供给我，以帮助我对我生成的代码的安全性充满信心.

What suggestions do you have or information can you offer me that will help me be confident in the security of the code that I produce.

如果这些都说不通，或者您想澄清一些问题，请直接提问.

If none of this makes sense or you would like some clarification, just ask.

推荐答案

其他提交的答案提供了很好的建议，但将其分解为规则系统:

The other submitted answers offer good advice, but to break it down into a system of rules:

1. 多疑

1. 假设您的用户充满敌意.
2. 假设您的代码不安全.

3. 验证(客户端和服务器端)一切:

1. Assume that your users are actively hostile.
2. Assume that your code isn't secure.

3. Verify (client-side and server-side) everything:

1. ...您的用户提交.
2. ...您存储在数据库中的内容.
3. ...您从数据库中读取的内容.

不要让您的用户看到任何不是您创建的错误消息.如果verify_username() 需要两个参数"，请不要让您的用户永远看到该错误消息.他们不应该知道您的函数的名称，也不应该知道他们期望使用、输出或失败的内容.

Don't allow your users to see any error messages that you didn't create. If `verify_username() expects exactly two parameters` don't let your users ever see that error message. They shouldn't know the names of your functions, nor what they expect to work with, output or fail on.

要聪明

1. 你和我的代码都很烂；随时掌握新工作.
2. 阅读整个主题，即使是您觉得枯燥的主题，以及绝对您理解有困难的主题.
3. 假设您的用户比您更聪明(那些积极敌对的人可能比您更有经验打破锁).
4. 对您能想到的所有内容进行错误检查，然后让大约四岁的孩子按所有内容并填写您可能拥有的任何表格/字段.如果出现异常(字母数字而不是整数或其他任何内容)，请添加错误条件以阻止它向外界公开您的脚本内部结构.
5. 将所有可能的内容移到网络根目录之外，以防止用户从其他站点或他们的机器访问您的脚本.

1. Your code, and mine, sucks; keep on top of new work.
2. Read around the subject, even the ones you find dull, and definitely the ones you have trouble understanding.
3. Assume your users are smarter than you (those that are actively hostile are probably more experienced than you at breaking your locks).
4. Have error checks for everything you can think of, and then ask a child of around four to press everything and fill in any forms/fields you might have. If something goes crazy (an alphanumeric instead of an integer, or anything else) add error conditions to stop it exposing your script's internals to the world.
5. Move everything you possibly can outside of the web root to prevent any chance of a user accessing your scripts from another site or their machine.

这可能有点令人沮丧或愤世嫉俗，但即使有这些规则，我也不认为我们会安全".安全是战争升级的最古老形式之一；有些我们赢了，有些我们输了，但我们只会听说输了.而且我们不太可能听说过所有这些.

That might be a little bleak, or cynical, but even with those rules I don't think we'll be 'safe.' Security's one of the oldest forms of a war of escalation; some we win and some we lose, but we'll only ever hear about the losses. And we're unlikely to ever hear about all of those.

尽最大努力记住这些，然后，如果您想到任何更偏执的方法来影响您网站的安全，请不要犹豫，变得更多实际上偏执.并回馈社区；我们都需要这方面的帮助.

Just do your best to keep those in mind, and then, if you think of any more-paranoid means to effect your site's security, don't hesitate to become more practically-paranoid. And tfeed back to the community; we all need help with this.

这篇关于精通网络安全的步骤的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！