开发者

Beginning Web Security? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.

Closed 5 years ago.

开发者_JS百科 Improve this question

I just came back from a hackers conference about internet security and I'm interested in learning web security and protecting companies from hackers. But I don't know where to start and what languages to learn..

Could anybody point me in the right direction for this?


Everyone has their own philosophy of security. Developing your own philosophy is vital. This is the reason why Bruce Schneier is so popular, and I read every blog post.

In the current state of security the landscape is littered with security systems that fail. I believe this is because of the following quote.

"What I cannot create, I do not understand."

--Richard Feynman

Learning how to break software is the most important step in learning in how to protect it from attack. You must find vulnerabilities in software and write exploit code.


This is kind of an enormous field. People make lifetime careers from it. As a beginner, you'll want to learn:

  • HTML, XML and XHTML
  • Javascript, and once you know it, read about cross-site scripting attacks
  • SQL, and once you know the basics, injection attacks
  • Basics about hashes, salts, public key encryption, and how HTTPS works
  • How certificates work

That should be a good start.


The classic article 'Smashing the Stack for Fun and Profit' is a must read.

It deals with buffer overflows - a very common exploit. Although it's relatively low-level, understanding buffer overflows is definitely a first step in learning about security.


Languages don't matter, not really, security is an approach more than an implementation. You can use numerous languages and frameworks to write internet applications, and the securing of the applications should be built in, not layered on top. If you want to protect existing web sites then it involves rewriting the vulnerable code, or putting a web application firewall between the application and the internet.

You'd be better off focussing on the concepts first, and learning how to apply them in languages of your choice. The Microsoft Secure Development Lifecycle, and the work they've done around Threat Modelling is something else should examine - as it covers building it in from the beginning and creating feedback loops with each iteration of development.

(Oh, and I did write a book on ASP.NET security grin)


One of the most important lessons to be learned when implementing security in any application is NOT to use home-brewed security systems - you always end up making the application less secure.

Do not attempt to write a new hash algorithm, or streaming encryption method, or any of 100 other pieces.

Always use well known, well tested modules and algorithms such as OpenSSL, Blowfish encryption and salted password hashes.


The best place to start is the OWASP (Open Web Application Security Project). They have lots of resources, including the OWASP Top Ten, including the 10 most critical vulnerabilities/risks for web applications and their Secure Code Development Guide that can be read online (wiki) or downloaded in PDF.

They also have the Web Goat, a vulnerable web application that people can download and play with to learn about vulnerabilities, how they work and the best approach to correct them. It's pretty interesting and it comes with tips and solutions.

They also organize conferences (check the video session of the web site, they usually publish the videos and slides of the talks) and the chapters in different cities organize meetings where people talk about interesting aspects of web app security. You should consider joining one in your area.

You can all the information in the OWASP web site: http://www.owasp.org

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜