What should every programmer know about security?


Question

I am an IT student and I am now in the 3rd year in university. Until now we've been studying a lot of subjects related to computers in general (programming, algorithms, computer architecture, maths, etc).

I am very sure that nobody can learn everything about security, but surely there is a "minimum" knowledge every programmer or IT student should know about it, and my question is: what is this minimum knowledge?

Can you suggest some e-books or courses or anything that can help to start on this road?

Recommended answer

Principles to keep in mind if you want your applications to be secure:

  • Never trust any input!
  • Validate input from all untrusted sources - use whitelists not blacklists
  • Plan for security from the start - it's not something you can bolt on at the end
  • Keep it simple - complexity increases the likelihood of security holes
  • Keep your attack surface to a minimum
  • Make sure you fail securely
  • Use defence in depth
  • Adhere to the principle of least privilege
  • Use threat modelling
  • Compartmentalize - so your system is not all or nothing
  • Hiding secrets is hard - and secrets hidden in code won't stay secret for long
  • Don't write your own crypto
  • Using crypto doesn't mean you're secure (attackers will look for a weaker link)
  • Be aware of buffer overflows and how to protect against them

There are some excellent books and articles online about making your applications secure:

  • Writing Secure Code 2nd Edition - I think every programmer should read this
  • Building Secure Software: How to Avoid Security Problems the Right Way
  • Secure Programming Cookbook
  • Exploiting Software
  • Security Engineering - an excellent read
  • Secure Programming for Linux and Unix HOWTO

Train your developers on application security best practices:

  • Codebashing (paid)
  • Security Innovation (paid)
  • Security Compass (paid)
  • OWASP WebGoat (free)
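The answer's first principles (never trust input, validate with allowlists rather than blocklists, fail securely) are easy to state and easy to get wrong in code. The following is an added example, not code from the answer or from any of the products it lists; the name policy, the blocklist fragments and the sample inputs are all constructed for illustration. It puts a blocklist validator next to an allowlist validator for the same field and wraps both in an authorization helper that denies on any error instead of allowing.

```python
import re

# Allowlist: a positive specification of what a profile name MAY contain
# (hypothetical policy: 1-32 ASCII letters, digits, underscore or hyphen).
# fullmatch() is used deliberately; a trailing "$" would still match before
# a final newline, which is exactly the kind of gap an allowlist must not have.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Blocklist: an attempt to enumerate "bad" input. Constructed and deliberately
# incomplete, because every real blocklist is: it only rejects what its author
# thought of at the time.
BLOCKED_FRAGMENTS = ("../", "<script", "';", "--")


def blocklist_is_safe(value: str) -> bool:
    """Rejects only inputs containing a known-bad fragment; everything else passes."""
    lowered = value.lower()
    return not any(fragment in lowered for fragment in BLOCKED_FRAGMENTS)


def allowlist_is_safe(value: str) -> bool:
    """Accepts only inputs that match the positive spec; everything else is rejected."""
    return ALLOWED_NAME.fullmatch(value) is not None


def authorize_name(raw: object, validator) -> bool:
    """Fail securely: a wrong type or an exception inside the validator denies the
    request. The unsafe alternative, 'allow unless proven bad', turns every bug in
    the validation path into a bypass."""
    try:
        if not isinstance(raw, str):
            return False
        return bool(validator(raw))
    except Exception:
        # Log in a real system; never let an error path default to "allowed".
        return False


def compare(samples):
    """Return {sample: (blocklist_verdict, allowlist_verdict)} for each constructed input."""
    return {s: (blocklist_is_safe(s), allowlist_is_safe(s)) for s in samples}


if __name__ == "__main__":
    # Constructed sample inputs. The first is a legitimate name; the rest are
    # not valid names, yet the blocklist lets most of them through because no
    # listed fragment happens to appear in them.
    samples = [
        "alice_01",        # legitimate: both validators accept
        "../secret",       # blocklist catches this one only because "../" is listed
        "alice<b>",        # markup the blocklist never anticipated
        "alice\x00",       # embedded NUL byte, not on the blocklist
        "x" * 40,          # over length; a blocklist has no notion of length
    ]
    for name, (block_ok, allow_ok) in compare(samples).items():
        print(f"{name!r:14} blocklist={block_ok!s:5} allowlist={allow_ok}")
    print("None input ->", authorize_name(None, allowlist_is_safe))
```

The point to take from the run is not that the blocklist is badly written but that no blocklist can be finished: the allowlist rejects the malformed samples without anyone having foreseen them, and `authorize_name` keeps a validator bug from becoming an allow.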
