Posts tagged security

PHP Security / Overview / Basic Steps

5 years ago

in TechniquE, TranslatioN

Basic Steps

基本步骤

Consider illegitimate uses of your application.

A secure design is only part of the solution. During development, when the code is being written, it is important to consider illegitimate uses of your application. Often, the focus is on making the application work as intended, and while this is necessary to deliver a properly functioning application, it does nothing to help make the application secure.
考虑非法用户。

安全性设计仅仅是整体解决方案的一部分。在开发过程中，特别是书写代码的时候，考虑非法用户是非常重要的。通常情况下，注意力都是在如何让程序按照预期的想法工作，虽然这对交付一个能够正常运行的程序来说是必要的，但是这对让程序变安全是没有任何作用的。
Educate yourself.

The fact that you are here is evidence that you care about security, and as trite as it may sound, this is the most important step. There are numerous resources available on the Web and in print, and I mention several of these at the end of this talk.
自学。

你现在在看这本书的事实，说明了你关心安全问题，虽然就和听起来一样老生常谈，这是最重要的步骤。网上有非常多的资源，也有很多出版物，在最后我会提到一些。
If nothing else, FILTER ALL FOREIGN DATA.

Data filtering is the cornerstone of Web application security in any language and on any platform. By initializing your variables and filtering all data that comes from a foreign source, you will address a majority of security vulnerabilities with very little effort. A whitelist approach is better than a blacklist approach. This means that you should consider all data invalid unless it can be proven valid (rather than considering all data valid unless it can be proven invalid).
如果没有其他可作的，那么就*过滤所有的外来数据*。

不论什么语言，什么平台，数据过滤都是 Web 程序安全的基础。通过初始化变量和过滤所有外来数据的方式，你就能够用很小的代价定位到一个主要的安全漏洞。白名单方式要好于黑名单方式。也就是说，你应该假设所有的数据都是不合法的，除非能够证明这个数据是合法的（而不是说只要不能证明数据非法就认为是合法的。

PHP Security / Overview / What Is Security?

5 years ago

in TechniquE, TranslatioN

What Is Security?

安全究竟是什么？

Security is a measurement, not a characteristic.

It is unfortunate that many software projects list security as a simple requirement to be met. Is it secure? This question is as subjective as asking if something is hot.
安全是一种量度，而不是一种特征。

不过很不幸的是，很多软件项目都把安全性列为一个简单的需求。这个程序是否安全？这是一个非常主观的问题，就像问一个物品是不是热的一样主观。
Security must be balanced with expense.

It is easy and relatively inexpensive to provide a sufficient level of security for most applications. However, if your security needs are very demanding, because you’re protecting information that is very valuable, then you must achieve a higher level of security at an increased cost. This expense must be included in the budget of the project.
安全性要和花费想平衡。

为大多数应用程序提供足够的安全性是很简单的，也相对便宜的。不过，如果因为你要保护非常有价值的信息导致你的安全需求非常高，那么你必须要付出更多的代价以提高安全级别。这些费用必须包含在你的项目预算里面。
Security must be balanced with usability.

It is not uncommon that steps taken to increase the security of a Web application also decrease the usability. Passwords, session timeouts, and access control all create obstacles for a legitimate user. Sometimes these are necessary to provide adequate security, but there isn’t one solution that is appropriate for every application. It is wise to be mindful of your legitimate users as you implement security measures.
安全性要和易用性相平衡.

有一个很常见的现象就是，有一些步骤增强了 Web 程序的安全性，也同时降低了程序的易用性。密码、会话超时以及访问控制这些都给合法用户造成了障碍。有时候这些障碍是提供足够的安全性所必要的，但是对于每一个程序来说，这个问题没有四海一家的解决之道。所以在你实现安全措施的时候，留心合法用户的反馈是很明智的。
Security must be part of the design.

If you do not design your application with security in mind, you are doomed to be constantly addressing new security vulnerabilities. Careful programming cannot make up for a poor design.
设计必须包含安全性。

如果你一开始设计程序的时候大脑里没有安全意识的话，你的恶运来了，你要不断地定位新的安全漏洞在哪里。仔细的编程并不能弥补糟糕的设计。