Source Code Review

    1、Before we talk about source code review, here is what we want to know about the most popular programming languages.

    •  Web application development: Java, C# .NET, and PHP
    •  Drivers and hardware: C, C#, and assembly language
    •  Reverse engineering: assembly language
    •  Database: Structured Query Language (SQL)
    •  Scripting languages: Python, Perl, and Ruby

    2、Secure coding checklist

    •  Authentication and credentials must use TLS and not cleartext HTTP
    •  Authentication must be enforced on all pages, except the ones intended for the public
    •  The error message pages should not lead to information-gathering disclosure
    •  Authentication logic must be validated on the server
    •  Authentication passwords must be saved under secure hashing algorithms, and salting is preferable
    •  The password hashing logic must be on the server side
    •  Sessions must be managed on the server side
    •  Session identifiers must be random
    •  Any cryptographic functionality to protect data should be implemented on the server side
    •  All data validation must be performed on the server side
    •  Encode data before validation
    •  All validation failures should be rejected with a custom error message
    •  Conduct all the encoding logic on the server side
    •  Sanitize all output of untrusted data for SQL, XML, LDAP, and operating system commands
    •  Do not disclose sensitive information in the error messages, including debugging information such as stack traces
    •  Use custom error messages and error pages
    •  Temporary sensitive data must be stored in a secure location, and those items must be purged as soon as possible
    •  Remove comments in the source code that may reveal critical information about the application
    •  Sensitive information should not be used in the query string
    •  Data in transit must be encrypted with the latest and greatest TLS algorithms
    •  Make sure that you remove test code before deployment
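The three checklist items on server-side password hashing, salting, and random session identifiers, as an added Python example (not code from the original post). The iteration count, salt length, and storage format are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user
# random salt. Tune the iteration count to your server's CPU budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.

    A fresh random salt is drawn for every password, so two users who choose
    the same password still get different stored values, and precomputed
    tables cannot be reused across accounts. This runs on the server only;
    the client sends the plaintext over TLS and never hashes locally.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest does not short-circuit on the first differing byte,
    # so the response time does not leak how much of the hash matched.
    return hmac.compare_digest(digest, expected)


def new_session_id() -> str:
    """Session identifiers come from the OS CSPRNG, never a counter or clock."""
    return secrets.token_urlsafe(32)
```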

    3、REST API status return codes (I have already written about this chapter on my previous blog)

    •  200: the action is OK
    •  202: the request to create a resource was accepted
    •  204: the POST request did not include a client-generated ID
    •  400: the request is malformed
    •  401: wrong authentication ID or credentials
    •  403: an authenticated user does not have permission to access the resource
    •  404: requesting a nonexistent resource
    •  405: unexpected HTTP method in the request
    •  This error may occur when a DoS attack is detected

    4、Passive information gathering reconnaissance: OSINT

           OSINT means Open Source Intelligence. Let's look at the web search engines.

            Besides Baidu, Google, and Yahoo, I often use http://yandex.com and http://duckduckgo.com, as follows:


  Original address: https://www.cnblogs.com/xinxianquan/p/10230716.html