Paip. Enhanced security-Web Application Security Detection and Prevention

Paip. Enhanced security-web program Security Detection and Prevention

 

 

Security Issue severity...
1

Web program vulnerability severity...
1

From OWASP and wasc security standards...
1

Security training for programmers...
2

Security of business module design...
2

Development language selection (Java, Asp.net, PHP, asp ??)...
2

Online website Security Detection...
3

Other client-based Web scan detection programs...
3

Source code-level security check and design...
3

Website tamper-proofing to prevent Trojan monitoring system...
4

Web firewall...
4

 

Severity of security issues

What is the most important part of website programs ?? Many may say it is a feature .. In fact, the most important thing is security, or security ..

 

For example, there are many poor countries and small countries on the earth. Rich countries can buy everything they have, but they cannot buy one thing, that is, military secrets. Why? Because military secrets involve national security, no matter how small the country is, they will pay the most attention to their own security issues...

 

What is the most important thing for us personally ?? There is also security (Personal Safety), followed by property security... we can lose anything, but we cannot lose our lives, otherwise everything will be meaningless...

 

Therefore, the biggest benefit of a website is not to make money, but to ensure security...

Web application vulnerability severity

Whitehatch security company in a website security statistics report, adopted the network application Security Association (wasc) dangerous classification tool to identify the vulnerability and according to the PCI-DSS standard rating, the results show that 82% of the websites they test have at least one vulnerability, and 63% of the vulnerability levels are advanced, serious, or urgent.

Many are ignored.

Almost 150 common high-risk vulnerabilities on websites... (From), more than common vulnerabilities...

From OWASP and wasc security standards

This is Two Web security organizations. From their homepages, we can obtain the security classification of web programs ..

 

Security training for programmers

A large number of website programs are written by many people with insufficient security experience. Many vulnerabilities are very serious in the future. Therefore, security training should be conducted at the beginning of website development.

Organize the training of major technical high-risk security points. There may be about one hundred articles. It should take about three days to train them to prevent problems before they happen... For future security detection and security bug
Fix can greatly reduce costs...

 

Security of business module design

Some business module design security vulnerabilities are also very serious, but because it is not a technical security vulnerability, website detection tools are difficult to detect ..

 

In terms of business module design, we need to grasp business security... It is best to organize a set of business security specifications, with reference to implementation ..

 

For example, when changing the password, you must verify the current password of the user. This vulnerability does not exist on many websites ..

 

For example, if the website has an online recharge account, the account balance must be hash to prevent tampering. When users, especially internal employees, directly change the database, the balance check will fail, this account is automatically locked .. This vulnerability exists in almost 90% of e-commerce websites ..

 

In addition, when a user makes a transaction, the password function must be added or the mobile phone dynamic password verification must be used. However, many websites do not have this function in this security business aspect .. Is a major vulnerability...

 

Also, for e-commerce websites, the risk of cookie/seeesion theft can be greatly reduced by preventing multiple logins .. Most websites have this vulnerability without any protection...

 

Development language selection (Java, Asp.net, PHP, asp ??)

For web programs, development languages also have a major impact on website security. If a language with better security is used, web programs will have better security .. compiled Java, Asp.net
The security is much higher than that of script-type PHP and ASP ..

It can be said that the security is improved by an order of magnitude, and the performance is also better...

The only drawback is the development efficiency. As long as the rapid development method is used and the lightweight rapid development framework is used, it is almost too slow ....

Online website Security Detection

There are many good desktop tools, the most convenient of which is online detection .. online Detection mostly requires independent domain names and IP addresses .. in fact, you can use dynamic domain name tools and ADSL routes to enable DMZ or Nat...

 

Website Security Detection

Submit the website and check it. The results will be received in the email address within 30 minutes ..

The only drawback is that URLs with port numbers are not supported. Other URLs with other hosts or IP addresses can be detected ..

 

Rising website Password Security Detection System

Union.rising.com.cn/index/index.aspx

Compared with rising stars, the domain name of the WWW host is supported only .. Websites in the IP Format are not supported, and URLs in the form of port numbers are not supported ..

 

Eesafe Website Security Alliance

It is also very spam, does not support the IP form, does not support the port form URL .. only supports the WWW host website Detection

 

Other client-based web scanning and detection programs

There are many

Source code-level security check and Design

However, we all know that the lack of necessary source code-level security checks has serious consequences, for example, in the early stage of many Forum systems such as discuz, many serious security vulnerabilities may occur due to the lack of source code-level security detection, resulting in the acquisition of many websites and the theft of database data. Use the source code-level security detection tool to detect the source code of the website.

Code-level security detection tool-eesafe website security detection tool. I tried to achieve poor performance. I only found some dangerous functions such as IFRAME and exec ..

 

Website tampering prevention and Trojan Monitoring System

MS has a website security guard, I do not know how the effect ..

This is necessary to improve user experience and security .. When a user is taken away by a Trojan horse on your website, you lose the user ..

Web Firewall

Add a web firewall to your website. Do not run it naked.