Some thoughts on "White Hat Talks About Web Security"


This week's technical book is "White Hat Talks About Web Security".

This book reminds me of Wu Hanqing, a young technical master and one of the owners of Quickshield. I think attack and defense is amazing and I want to know more about it, so I chose this red book.

Now to the subject. Today I read Part 1, the world view of security. It is a relatively simple part that explains security awareness. Summary:

1. The essence of security problems is trust. Every security design is built on some trust relationship.

2. Security is a continuous process; there is no permanently effective security solution.

3. Three elements of security: confidentiality, integrity, and availability.

Confidentiality: data content must not be disclosed. Encryption is the common method.

Integrity: the data is complete and has not been tampered with.

Availability: resources can be used on demand. The counterexample is a DDoS attack, which makes resources unavailable.

4. Four phases of a security assessment:

Asset classification: classify data by sensitivity according to the specific business, then divide trust domains.

Threat analysis: a threat is a source of potential harm; identify threats by brainstorming or with a model.

Risk analysis: a risk is the potential for loss.

Design security solutions: a good solution is transparent to users and part of the business. Security cannot be achieved at the expense of user experience.

5. White Hat Art of War

Secure by default principle: (1) blacklists and whitelists: use a whitelist whenever possible to eliminate security risks; (2) least privilege: for example, work as an ordinary Linux user and use sudo only when elevated privileges are actually needed.

Defense in depth principle: think of the security solution in three dimensions, covering every layer and aspect. It is not the same solution repeated from different perspectives; do the right thing in the right place.

Data and code separation principle: the best way to prevent injection.

The principle of unpredictability: effectively defends against tampering and forgery attacks. For example, if a content management system assigns document IDs as an incrementing integer, an attacker who obtains the ID of one article can delete all of them. If instead the IDs are random and unpredictable, the attacker must first collect the IDs of every article with a crawler, which makes the attack much more difficult.
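The CMS example above, written out as a small Python comparison (an added example, not code from the book or the author): a store that numbers articles sequentially beside one that issues unpredictable IDs, with the whitelist rule from the secure-by-default principle applied to the ID format. The store classes, the `ids_reachable_from` probe and all sample data are constructed for illustration.

```python
import re
import secrets

# Constructed example (not the book's code): sequential IDs beside unpredictable ones.

class SequentialIdStore:
    """Article IDs are an incrementing integer: knowing one reveals the rest."""

    def __init__(self):
        self._next_id = 1
        self.articles = {}

    def add(self, body):
        doc_id = self._next_id
        self._next_id += 1
        self.articles[doc_id] = body
        return doc_id

    def delete(self, doc_id):
        return self.articles.pop(doc_id, None) is not None


# Whitelist for the ID format: exactly what secrets.token_urlsafe(16) emits
# (22 URL-safe base64 characters). Anything else is rejected before lookup.
ID_FORMAT = re.compile(r"^[A-Za-z0-9_-]{22}$")


class RandomIdStore:
    """Article IDs are 128 random bits from the OS CSPRNG (secrets module)."""

    def __init__(self):
        self.articles = {}

    def add(self, body):
        doc_id = secrets.token_urlsafe(16)
        self.articles[doc_id] = body
        return doc_id

    def delete(self, doc_id):
        # Secure by default: whitelist the shape of the ID, then look it up.
        if not isinstance(doc_id, str) or not ID_FORMAT.match(doc_id):
            return False
        return self.articles.pop(doc_id, None) is not None


def ids_reachable_from(store, known_id, probes=1000):
    """Count other articles found by simple probing from one known ID.
    Sequential: every neighbour is hit; random: none in practice."""
    if isinstance(known_id, int):
        candidates = range(known_id + 1, known_id + 1 + probes)
    else:  # the only probe left is a fresh random guess, odds probes / 2**128
        candidates = (secrets.token_urlsafe(16) for _ in range(probes))
    return sum(1 for c in candidates if c in store.articles)
```

Unpredictable IDs raise the cost of the attack but do not replace an authorization check on delete; the book lists this principle as one layer of defense in depth.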


The following are his personal pages:

Http://hi.baidu.com/aullik5

Http://taosay.net/
