June 2021
Beginner to intermediate
355 pages
5h 5m
Chinese
Content preview from Web应用程序安全
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
现代
Web
应用加固
|
225
在接下来的章节中,我们将学习一些技术来合理地评估应用架构中的安全性。
这些技术包括从数据流分析到新功能特性带来的威胁建模等。
17.2
全面的代码审查
在实际编写一个已经被评估为架构安全的
Web
应用程序的过程中,下一步要
做的,就是在发布到代码库之前,仔细评估每一个提交的过程。大多数公司
已经采用了强制性的代码审查流程,从而提高其质量保障,减少技术欠缺、
消除容易被发现的编程错误。
代码审查也是确保发布的代码符合安全标准的关键步骤。为了减少利益冲突,
对源代码版本控制的提交不仅要由提交者团队的成员进行审查,还应该由不
相关的团队进行审查(尤其是在安全方面)。
在每次提交的基础上,在代码审查层面抓住安全漏洞其实比想象中要容易。
主要需要注意几点:
•
数据是如何从
A
点传输到
B
点的(通常是通过网络,并以特定的格式)?
•
数据是如何存储的?
•
当数据到达客户端时,是如何呈现给用户的?
•
当数据到达服务器时,对它进行了哪些操作,如何持久保存?
在接下来的章节中,我们将评估执行安全代码审查的具体措施。但这个检查
表提供了一个基础,在此基础上,任何人都可以开始进行安全审查。
17.3
漏洞发现
假设你的组织和
/
或代码库在编写代码之前(架构设计)和开发过程中(代
码审查)已经进行了安全评估的步骤,那么下一步就是在代码中寻找由于代
码审查过程中不容易识别(或遗漏)的
bug
而出现的漏洞。发现漏洞的方式
有很多,其中有些方式会损害你的业务
/
声誉,而有些方式则不会。
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.