Study Notes on "White Hat Talks Web Security", Chapter 1: My Security Worldview

Source: Internet
Author: User

Chapter 1: My Security Worldview

1.1 A Brief History of Web Security

1.1.1 A Brief History of Chinese Hackers

Hackers in China and around the world have now entered a "dark age", because there is so much money and so many competing interests on the Internet.

1.1.2 The Development of Hacker Techniques

1.1.3 The Rise of Web Security

Web security is an important branch of information security, but the attention currently paid to Web security in China is far from enough.

Why do attackers target Web applications? I think there are several main reasons:

- Web applications are everywhere.

- Compared with the operating system and other well-defended layers, the Web is easier to break into.

- An attack on the Web can leave no trace; the attacker stays anonymous.

- The skill level and security awareness of the people who write Web applications vary widely, which leaves many holes.

- Web application security technology is not mature.

- Most importantly, attacking Web applications brings money and other benefits.

Web attack and defense evolve in alternation, each driving the other forward.

1.2 Black Hats and White Hats

With more people studying security, the world is no longer safe.

1.3 Returning to Nature: Revealing the Essence of Security

The book says many times that "the essence of security is a question of trust", but I think the essence of security is a question of authority.

1.4 Don't Be Superstitious: There Is No Silver Bullet

Security technology improves through the contest between attack and defense.

1.5 The Three Elements of Security

The book explains the three basic elements of security, but security involves more than just three elements.

Availability: authorized entities can access resources and services when they need them. Availability means the information system must be usable whenever the user needs it; in other words, the system must not refuse service. The most basic function of a network is to provide users with the information and communication services they need. User communication demands are random and varied (voice, data, text, images and so on) and sometimes time-critical, so the network must be able to meet them at any moment. Attackers often use resource-exhausting techniques to obstruct legitimate users. Access control mechanisms can keep unauthorized users out of the network and thereby help guarantee its availability. Improving availability also covers how to avoid system failures caused by disasters of all kinds (war, earthquakes, etc.).

Integrity: information is protected from accidental or deliberate deletion, modification, forgery, reordering, replay, insertion and other forms of damage. Only entities or processes that are permitted to do so may modify information, and it must be possible to determine whether an entity or process has been tampered with. In other words, the content of the information cannot be changed by an unauthorized third party: it is stored or transmitted without modification, corruption, loss of packets, reordering, and so on.

Reliability: the probability that a system completes its specified function under the specified conditions and within the specified time. Reliability is one of the most basic requirements of network security; if the network is unreliable and accidents keep happening, there is no network security to speak of. At present, research on network reliability focuses mainly on hardware reliability. Developing highly reliable components and equipment and arranging sensible redundant backups are still the most basic reliability countermeasures; however, many faults and accidents are related instead to software reliability, personnel reliability and environmental reliability.

Confidentiality: ensuring that information is not exposed to unauthorized entities or processes; in other words, the content of the information is not known to unauthorized third parties. The information meant here includes not only state secrets but also the work secrets and trade secrets of social groups and business organizations, as well as personal secrets and personal privacy (such as browsing habits and shopping habits). Security technologies that prevent information theft and disclosure are known as confidentiality technologies.

Non-repudiation: also called non-denial. It is the security requirement that both parties to a communication (person, entity or process) be genuine, and it covers both the sending and the receiving side. The first part is proof of origin, which gives the recipient evidence so that the sender cannot falsely claim that the message was never sent or deny its content. The second is proof of delivery, which gives the sender evidence so that the recipient cannot falsely claim that the information was never received or denies

1.6 How to Carry Out a Security Assessment

1.6.1 Asset Classification

The basis for classifying assets is the value of the resource: the higher the value, the higher the level of protection required.

In Internet production practice, data is the most valuable asset.

1.6.2 Threat Analysis

Analyze the existing system or its defenses to identify the vulnerabilities that could pose a threat.

1.6.3 Risk Analysis

Rank the identified vulnerabilities by their probability of occurrence, the degree of harm they would cause, and so on, to establish their priority.

1.6.4 Designing Security Solutions

The security solution is designed on the basis of the security assessment, not out of imagination without research.

Security and cost need to be balanced. Note that cost here means not only money but also business efficiency, business logic and so on.

A good security solution should fit the user's habits: it should be humane, intelligent, efficient and simple.

1.7 The Art of the White Hat

1.7.1 The Secure by Default Principle

Security is like interface design: provide only what the user needs. So the "whitelist" approach is the better one.

The most important thing in security is security awareness; security awareness is more useful than any security precaution.

There is also the principle of least privilege. Before, when I wrote the SQL that checks whether a user exists, it was typically "select * from admin where Name='Qiang' and password='123456'". That was not safe, so later I wrote it as "select count(*) from admin where Name='Qiang' and password='123456'".

1.7.2 The Defense in Depth Principle

It means two things. First, implement security at every level and in every aspect so that nothing is missed; the different security measures must work together and form a whole. Second, security measures need to be a lasting solution.

For rich-text XSS defense, I can now handle it with a "whitelist". But the whitelist still has some serious holes, so I still need to keep studying rich-text XSS attacks.

1.7.3 The Principle of Separating Data and Code

This principle applies mainly to "injection" scenarios.
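The least-privilege query rewrite in 1.7.1 and the data/code separation principle here both come down to how the login query is built. The following Python example is added here and is not the book's or the blog author's code; it assumes a SQLite table named admin that stores a salt and a password hash instead of the plaintext password column in the page's query, and it puts the concatenated count(*) check next to a parameterized one.

```python
import hashlib
import hmac
import secrets
import sqlite3


def hash_password(password, salt_hex):
    # Salted PBKDF2: the table stores a hash, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), 100_000).hex()


def make_db():
    # Constructed in-memory admin table (assumed schema, not the page's real one),
    # seeded with the page's sample credentials Qiang / 123456.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (name TEXT PRIMARY KEY, salt TEXT, pw_hash TEXT)")
    salt = secrets.token_hex(16)
    conn.execute("INSERT INTO admin VALUES (?, ?, ?)",
                 ("Qiang", salt, hash_password("123456", salt)))
    conn.commit()
    return conn


def count_query_concatenated(conn, name, password):
    # The page's count(*) check built by string concatenation: user input becomes
    # part of the SQL text, so data and code are mixed. Returns the count, or None
    # when the input changed the shape of the statement and it no longer parses.
    sql = f"select count(*) from admin where name='{name}' and pw_hash='{password}'"
    try:
        return conn.execute(sql).fetchone()[0]
    except sqlite3.OperationalError:
        return None


def login(conn, name, password):
    # Data/code separation: the placeholder keeps the input as data whatever it contains.
    # Least access: read only the one row and the two columns needed; the password
    # decision is made in application code with a constant-time comparison,
    # not by asking the database whether any row happens to match.
    row = conn.execute("select salt, pw_hash from admin where name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)
```

With the ordinary input O'Brien the concatenated statement no longer parses, while the parameterized version simply treats it as a wrong password.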

1.7.4 The Principle of Unpredictability

I had thought about unpredictability before. When I was using the Cheetah browser, I noticed that Baidu's ads were being filtered. I took a closer look and found that Baidu's ads are written inside a div with id=content_right, which gives the browser a chance to filter them. The id or other attributes of that div should be randomized so that the browser cannot know exactly where the ads are.

1.8 Summary

I very much agree with the statement that "security is the art of balance", because what we need to do is strike a balance between security and cost.


This article comes from the "dream to think XI" blog; please keep this source: http://qiangmzsx.blog.51cto.com/2052549/1859544
