精通网络安全的步骤 [英] Steps to become web security savvy
问题描述
我已经用 C++
、Matlab
和类似的语言进行编码,用于科学目的已经有一段时间了,但我最近想进入网络编程.我自学了 HTML
和 CSS
,并涉足了 Javascript
、PHP
和 mySQL
.我真的很想开始制作更高级的、用户驱动的网站(如果有道理的话——最终网站类似于 twittera> 和 facebook 功能),但我担心我对互联网安全和漏洞,以确保我做出的编程决策是安全的.
I've been coding in C++
, Matlab
, and similar languages for scientific purposes for quite some time now, but I recently wanted to get into web programming. I've taught myself HTML
and CSS
and I've dabbled in Javascript
, PHP
, and mySQL
. I would really like to start making more advanced, user-driven websites (if that makes sense - ultimately sites similar to twitter and facebook in functionality), but I am worried that I don't know enough about internet security and vulnerabilities to make sure that the programming decisions I make are secure/safe.
您有什么建议或信息可以提供给我,以帮助我对我生成的代码的安全性充满信心.
What suggestions do you have or information can you offer me that will help me be confident in the security of the code that I produce.
如果这些都说不通,或者您想澄清一些问题,请直接提问.
If none of this makes sense or you would like some clarification, just ask.
推荐答案
其他提交的答案提供了很好的建议,但将其分解为规则系统:
The other submitted answers offer good advice, but to break it down into a system of rules:
多疑
- 假设您的用户充满敌意.
- 假设您的代码不安全.
验证(客户端和服务器端)一切:
- Assume that your users are actively hostile.
- Assume that your code isn't secure.
Verify (client-side and server-side) everything:
- ...您的用户提交.
- ...您存储在数据库中的内容.
- ...您从数据库中读取的内容.
要聪明
- 你和我的代码都很烂;随时掌握新工作.
- 阅读整个主题,即使是您觉得枯燥的主题,以及绝对您理解有困难的主题.
- 假设您的用户比您更聪明(那些积极敌对的人可能比您更有经验打破锁).
- 对您能想到的所有内容进行错误检查,然后让大约四岁的孩子按所有内容并填写您可能拥有的任何表格/字段.如果出现异常(字母数字而不是整数或其他任何内容),请添加错误条件以阻止它向外界公开您的脚本内部结构.
- 将所有可能的内容移到网络根目录之外,以防止用户从其他站点或他们的机器访问您的脚本.
- Your code, and mine, sucks; keep on top of new work.
- Read around the subject, even the ones you find dull, and definitely the ones you have trouble understanding.
- Assume your users are smarter than you (those that are actively hostile are probably more experienced than you at breaking your locks).
- Have error checks for everything you can think of, and then ask a child of around four to press everything and fill in any forms/fields you might have. If something goes crazy (an alphanumeric instead of an integer, or anything else) add error conditions to stop it exposing your script's internals to the world.
- Move everything you possibly can outside of the web root to prevent any chance of a user accessing your scripts from another site or their machine.
这可能有点令人沮丧或愤世嫉俗,但即使有这些规则,我也不认为我们会安全".安全是战争升级的最古老形式之一;有些我们赢了,有些我们输了,但我们只会听说输了.而且我们不太可能听说过所有这些.
That might be a little bleak, or cynical, but even with those rules I don't think we'll be 'safe.' Security's one of the oldest forms of a war of escalation; some we win and some we lose, but we'll only ever hear about the losses. And we're unlikely to ever hear about all of those.
尽最大努力记住这些,然后,如果您想到任何更偏执的方法来影响您网站的安全,请不要犹豫,变得更多实际上偏执.并回馈社区;我们都需要这方面的帮助.
Just do your best to keep those in mind, and then, if you think of any more-paranoid means to effect your site's security, don't hesitate to become more practically-paranoid. And tfeed back to the community; we all need help with this.
这篇关于精通网络安全的步骤的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!