We often hear a great deal about security, and the information is varied. For comrades who are not network security professionals, it can be dazzling, and they cannot make out the details. Here, I will help you sort it out.
Based on my years of experience in Web security, and on how some authoritative foreign security organizations understand Web security, we usually divide it into three levels:
1. Network security: security issues involving firewalls, routers, and network structure;
2. System and service security: for example, vulnerabilities in Windows/Linux/Unix systems, or in services running on those systems, such as Apache, OpenSSL, WebLogic and other security vulnerabilities;
3. Web application security: security vulnerabilities in specific applications. For example, if a website's email system has a script security problem, a user of that email system may not notice that an email carries malicious code, and their password and account information may be stolen.
Having said this, we should know that wherever you encounter computer security issues, in any of their aspects, they fall into one of these three parts. At the same time, I want to make clear to readers that this article mainly introduces the third part, that is, the knowledge and skills related to Web application security.
According to statistics from authoritative search engine companies, more than 70% of websites currently have security risks of one kind or another. The security risks here refer to the security of Web applications. As for the security of networks, systems, and services, I personally think their life cycle is basically: discovery -> report to the software developer -> patch -> download the update. As users, as long as we apply the latest system and service patches in a timely manner, combined with suitable firewall security policies, the security of systems and services can basically be guaranteed. Web applications, however, are basically a set of programs owned by each individual organization, and all of their problems must be solved by that organization itself. Precisely because of this, security problems in Web applications running on the Internet are widespread. Why? Because only a few organizations or individuals have the technology and experience needed for network security; most companies that specialize in website development have neither the ability nor the awareness to consider security issues. It is worth noting that organizations and individuals without security awareness cannot guarantee the security of their products. This is very important. Many people only hear about security issues from the media and always feel that security issues are far away from them, not knowing that security issues are causing them more and more serious damage...

Not long ago, a friend in Shanghai found that funds had been taken from his bank card without his having transferred them. After he reported it, the police investigated and tracked the funds, and found that the laptop he often used for online banking had the "gray pigeon" trojan on it, which completely exposed his computer operations and the resources on it. Someone will ask: how did the "gray pigeon" get onto his computer? Of course, there are many ways in.
For example, if I am a netizen you know, I send it to you over QQ and get you to run it. Or I recommend to you a free program you are interested in, and that program has been bundled with the "gray pigeon" trojan... Another important route is spreading through web pages. For example, script injection forcibly prompts you to download and run the program, or an upload vulnerability is used to place it on a website you trust; when the site prompts you to download and install the program, you see that it comes from a website you trust, so you accept it...
In short, Web applications are the carriers most likely to bring security risks to us.