First, issues to consider in user authentication security testing:
1. Are the different user rights in the system clearly differentiated?
2. Can conflicts between users occur in the system?
3. Does the system become confused when a user's permissions change (old permissions must not linger after the change)?
4. Is the user's login password visible on screen, and can it be copied out of the password field?
5. Can the system be entered by bypassing login altogether (for example by pasting a post-login link directly into the browser)?
6. After the user exits the system, are all authentication tokens removed? Can the browser's Back button return to the system without re-entering the password?
7. Is the number of failed logins limited, to prevent brute-force guessing?
8. Account and password input must not accept symbols or command statements that carry a special meaning (the raw material of injection).
9. Is the old password still valid after a new password has been set?
10. Are the username and password saved in a cookie? If anything is saved there it must be encrypted; better still, store only a random session identifier.
11. Prevent SQL injection.
12. The password must not be transmitted in plaintext.
13. Is the plaintext password recorded in logs or in the database?
14. Error pages must not disclose sensitive information.
15. Validation of the page timeout mechanism (session expiry).
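As an added example (not code from the original post), the following Python module exercises the checklist items that can be tested in code: salted password hashing so no plaintext password reaches the database or the log (items 12 and 13), a failed-login counter with lockout (item 7), a server-side session table that is invalidated on logout and expires on idle timeout (items 6 and 15), revocation of the old password and of existing sessions on password change (item 9), and a parameterised query shown beside the vulnerable string-formatted lookup it replaces (item 11). The `AuthStore` class, its column names, the thresholds and the sample users are assumptions for illustration; the store is an in-memory SQLite database so the code runs offline.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time
from typing import Optional

MAX_FAILURES = 5        # item 7: lock the account after this many consecutive failures
LOCKOUT_SECONDS = 300   # how long the lock lasts (assumed value)
SESSION_TIMEOUT = 900   # item 15: idle seconds after which a session expires (assumed value)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; only salt and digest are ever stored (items 12/13)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthStore:
    """Hypothetical user store backed by an in-memory SQLite database."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
            " failures INTEGER DEFAULT 0, locked_until REAL DEFAULT 0)"
        )
        self.sessions = {}  # token -> (user, last_seen); items 6 and 15
        self.events = []    # audit log; must never contain a password (item 13)

    def create_user(self, name: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)", (name, salt, digest))

    def login(self, name: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a session token on success, None on any failure."""
        now = time.time() if now is None else now
        # item 11: parameterised query, so "' OR 1=1 --" is just an unknown username
        row = self.db.execute(
            "SELECT salt, pw_hash, failures, locked_until FROM users WHERE name = ?", (name,)
        ).fetchone()
        if row is None:
            self.events.append(f"login_failed user={name!r} reason=unknown_user")
            return None
        salt, digest, failures, locked_until = row
        if now < locked_until:
            self.events.append(f"login_refused user={name!r} reason=locked")
            return None
        if not hmac.compare_digest(hash_password(password, salt)[1], digest):
            failures += 1
            locked = now + LOCKOUT_SECONDS if failures >= MAX_FAILURES else 0
            self.db.execute("UPDATE users SET failures = ?, locked_until = ? WHERE name = ?",
                            (failures, locked, name))
            self.events.append(f"login_failed user={name!r} failures={failures}")
            return None
        self.db.execute("UPDATE users SET failures = 0, locked_until = 0 WHERE name = ?", (name,))
        token = secrets.token_urlsafe(32)  # random, unguessable session token
        self.sessions[token] = (name, now)
        self.events.append(f"login_ok user={name!r}")
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a session token; idle sessions are dropped (item 15)."""
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, last_seen = entry
        if now - last_seen > SESSION_TIMEOUT:
            del self.sessions[token]
            return None
        self.sessions[token] = (name, now)
        return name

    def logout(self, token: str) -> None:
        """Server-side invalidation, so the Back button cannot revive the session (item 6)."""
        self.sessions.pop(token, None)

    def change_password(self, name: str, old: str, new: str) -> bool:
        """Item 9: the old password stops working and the user's sessions are revoked."""
        row = self.db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
        if row is None or not hmac.compare_digest(hash_password(old, row[0])[1], row[1]):
            return False
        salt, digest = hash_password(new)
        self.db.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE name = ?", (salt, digest, name))
        self.sessions = {t: v for t, v in self.sessions.items() if v[0] != name}
        return True

    # Item 11 side by side: the vulnerable lookup and its parameterised replacement.
    def count_matches_unsafe(self, name: str) -> int:
        # DO NOT DO THIS: string formatting lets the input rewrite the query
        return self.db.execute(f"SELECT COUNT(*) FROM users WHERE name = '{name}'").fetchone()[0]

    def count_matches_safe(self, name: str) -> int:
        return self.db.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()[0]
```

With two users in the store, `count_matches_unsafe("' OR 1=1 --")` returns 2 because the comment marker swallows the closing quote and the query becomes `WHERE name = '' OR 1=1`, while `count_matches_safe` with the same input returns 0. The `now` parameter exists so the lockout and timeout paths can be driven deterministically in a test instead of sleeping.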
Second, issues to consider in system network security testing:
1. Test whether the protective measures that have been deployed are configured correctly, and whether the system's patches are up to date.
2. Simulate unauthorized attacks to see whether the protection system holds up.
3. Use a mature network vulnerability scanner to check the system for known vulnerabilities (that is, try the most professional attack tools against it; at the time of writing the most commonly used are the NBSI series and Iphacker IP).
4. Use a variety of Trojan inspection tools to check the system for Trojans.
5. Use a variety of anti-plug-in tools to check each group of programs in the system for rogue plug-in vulnerabilities.
Third, database security considerations:
1. Confidentiality of system data (for a banking system this is particularly important; an ordinary website does not have such high requirements).
2. Integrity of system data (the enterprise real-name verification service system I have just finished had incomplete data, which became an obstacle to implementing the system's functions).
3. Manageability of system data.
4. Independence of system data.
5. Whether system data can be backed up and restored (the backup is complete, it can be restored, and the restored data is complete).
Security comparison between B/S and C/S
When many users design a system on the B/S architecture, their first doubt is: is this software secure? Users have such doubts because a B/S system sits on the Internet, and any computer with the IE browser can access it, whereas in a C/S architecture only users who have installed a specific client program can use the system; so our users have kept worrying about the security of B/S. Some C/S supporters in the industry have treated B/S security as an endlessly debated topic. I can only say that such a discussion is very boring; I do not deny that C/S has many advantages. But from the security point of view, B/S is much stronger than C/S.
1. We said above that "in a C/S architecture only users who have installed a specific client program can use the system". Because the client is installed on the user's computer, the system faces the risk that the program is analysed and its data intercepted, since all data must be read from the server to the client before it is operated on. In B/S, all data operations are performed on the server, and the client simply receives HTML.
2. At present many traditional C/S systems use a two-tier structure, meaning every client reads data directly from the server, and the client contains the database username, password and other deadly information. Is such a system secure? If such a system is placed on the Internet, the database server is open to any user connected to the Internet. A B/S system holds no such information on the client: what faces the user is only the web server, while the information that really holds our data lives on the data server, which need not be reachable from the Internet at all and is accessed only by the web server we specify.
3. Of course a three-tier C/S architecture is now also popular, but I would ask: is the middleware you wrote yourself more secure than the IIS that Microsoft wrote? There are many ways to capture and analyse packets today; B/S can solve this with HTTPS encryption. Has your C/S server considered this problem? You say you encrypt the data; is your encryption better than HTTPS? If you do not encrypt, it is plaintext, and any sniffer found at random can intercept the data.
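As an added example (not code from the original post), the following Python snippet shows the kind of analysis point 1 and point 2 above warn about: a `strings`-style scan over a two-tier client program that pulls out the database connection string compiled into it and the SQL the client sends to the database directly. The client image is a constructed byte string, not a real executable, and the connection-string format and the regular expressions are assumptions for illustration; the same functions can be run over a real client binary.

```python
import re

# Constructed sample (not a real executable): a two-tier client image with a
# database connection string and a raw query compiled in among arbitrary bytes.
FAKE_CLIENT_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + bytes(range(0x80, 0xA0))
    + b"Data Source=db.internal.example;User ID=sa;Password=Pa55w0rd!;\x00"
    + bytes(range(0x01, 0x10))
    + b"SELECT balance FROM accounts WHERE id=\x00"
    + bytes(range(0xE0, 0x100))
)

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs, like `strings`
# Field names commonly seen in ADO/ODBC style connection strings (assumed list).
CREDENTIAL_RE = re.compile(r"(?i)\b(password|pwd|user id|uid|user)\s*=\s*([^;\s]+)")
SQL_RE = re.compile(r"(?i)\b(select|insert|update|delete)\b.*\b(from|into|set)\b")


def printable_strings(blob: bytes):
    """Return every printable ASCII run of at least 6 bytes in the blob."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def find_embedded_credentials(blob: bytes) -> dict:
    """Map each credential field name (lower-cased) to the value found in the strings."""
    found = {}
    for s in printable_strings(blob):
        for m in CREDENTIAL_RE.finditer(s):
            found[m.group(1).lower()] = m.group(2)
    return found


def find_client_side_sql(blob: bytes) -> list:
    """Strings that look like SQL statements: evidence the client talks to the database directly."""
    return [s for s in printable_strings(blob) if SQL_RE.search(s)]
```

Anyone who can copy the client can run this; with the recovered account the database server, if it is reachable from the Internet, can be queried without going through the application at all. In a B/S deployment the equivalent connection string lives only on the web server.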
There is another point of view: B/S is less secure than C/S
C/S: it can use a variety of network protocols and can even use custom protocols; from this point of view C/S security is guaranteed. And because it is client-based, it is not easily attacked by viruses. But C/S is too inconvenient (mainly, data is not easy to share) and it is not easy to communicate with users at any time, which is a fatal disadvantage of C/S. C/S software also has an inherent disadvantage in protecting data security: because of the distributed nature of data in C/S software, fire, theft, earthquake and viruses on the client become terrible data killers.
B/S: B/S is more frequently visited by viruses than C/S. It uses the HTTP protocol; although the newer HTTPS protocol has improved security, it is still weaker than C/S.
After comparison, I feel that this is a pointless struggle... First sweep the snow in front of your own door: the security of your own product is what matters most.
Security testing and the B/S security comparison