September 2021
Beginner to intermediate
392 pages
12h 13m
Chinese
book
Google系统架构解密: 构建安全可靠的系统
by Heather Adkins, Betsy Beyer, Paul Blankinship, Piotr Lewandowski, Ana Oprea, Adam Stubblefield
Content preview from Google系统架构解密: 构建安全可靠的系统
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
编写代码
|
171
跨站脚本(
XSS
)漏洞而要审查成百上千份
HTML
模板文件,或检查应用程序中每个
RPC
的错误处理逻辑有点无聊。
尽管代码审查不能找出所有漏洞,但会带来一些别的好处。浓厚的代码审查文化能促使开
发人员以一种更便于审查安全性和可靠性问题的方式来编程。本章讨论的策略有助于使相
关特性更显著,以便于审查,同时也有助于在开发阶段融入自动化机制。这些策略能释放
团队的精力来关注其他问题,进而塑造起关注安全性和可靠性的文化(参见第
21
章
)。
12.1
框架级安全性和可靠性保证措施
正如第
6
章所述,站点的安全性和可靠性有赖于特定策略。举例来说,如果所有数据库查
询请求只包含开发人员可控的代码,并且所有外部输入都通过查询参数绑定的方式提供,
那么应用程序就不会有
SQL
注入问题
。如果所有由用户输入的内容,在插入
HTML
表单
前,都经过恰当的转义或通过移除可执行代码进行了过滤,那么这个
We
b
应用程序也不会
有
XSS
漏洞。
常见的安全性和可靠性策略
几乎所有多用户的应用程序都会有特定的安全策略,它们控制哪些用户可以对数据执
行哪些操作,所有操作都应遵守此类策略。为了防止分布式系统出现级联故障,每个
应用程序都应遵循合理的策略。例如,
RPC
请求失败后做回滚重试。类似地,为防止
内存泄漏崩溃和安全问题,
C++
应用程序只允许访问合法的内存地址。
理论上讲,编写应用程序代码时谨慎遵循这些策略,就能使软件安全且可靠。但是,随着
规划的功能特性和代码仓库体量不断增长,这种方式几乎是不可能实现的。要让开发人员
精通所有门类,或在编写、审查代码时始终保持警惕是不现实的。 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.