2025-04-08 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
0002 The root causes of security problems
1. Grasp security in an all-round way and don't pursue partial, one-sided security.
I have to say, if you want to achieve something in the security industry, the range of knowledge to learn is very wide. Security is not one-sided: your system may look secure from one angle, but what about the others? There is a saying that one rat dropping can spoil a pot of soup. This is even more true of security: if a system is known to have even one small security loophole, that loophole can be exploited to compromise the whole system. As the saying goes, there is no absolutely secure system, so when dealing with security we should fully grasp the overall structure of the system and understand its security from every aspect. When testing, we should analyze the security of the system comprehensively, take as many circumstances into account as possible, uncover as many of the system's vulnerabilities as possible, and not be satisfied with finding a major vulnerability in just one area.
2. When developing a feature, we only pursue the implementation of the feature, without taking the security risks into account.
One source of security problems is that developers only pursue the implementation of features and never consider security, or have no awareness of security at all. In China, this phenomenon is very common. In the eyes of developers, as long as the feature is implemented, everything will be fine, but that is not so. To solve security problems at the root, developers should not only implement the feature but also consider the robustness of the program: whether it works properly in various scenarios, whether permissions are enforced, whether ordinary users can see the data of the root user, and so on. The Meltdown vulnerability is a good example of how serious it is when user-space programs can see data in kernel space. The people who develop the Linux kernel are highly skilled, and even they have had security problems this serious, so can the programs written by ordinary developers really be free of such problems? Therefore, if we want to solve security problems at the root, developers need to become better at considering security risks while completing the feature.
3. The greatest threat: human desire
If there is no sale, there will be no × ×. The state strictly forbids the hunting and killing of Tibetan antelopes, yet every year many Tibetan antelopes die under the guns of hunters. If no one bought them and no one wanted to eat them, who would sell them, and who would hunt and kill Tibetan antelopes at the risk of crossing the legal line? The same is true of the security industry. Loopholes are exposed because of the desires of the people in the interest chain of the underground industry. There are still too many people who want to get something for nothing, and many who want to profit through improper means. As long as people have such desires, there will always be security problems, and there will always be people who want to sabotage and steal things that do not belong to them. Therefore, for those of us in this new era who can acquire knowledge and learn about security through the Internet, we must always keep a pure heart: a gentleman loves money and takes it wisely, and does not cross the line of the law.
4. The goal that information security needs to achieve.
The goal of information security is to close off all loopholes before they can be exploited, so that people with bad intentions cannot take advantage of them. Two approaches are generally used to achieve this goal.
4.1. Protective security
People who work in enterprise operations and maintenance will know protective security well. Every day they check the server logs for abnormal traffic to determine whether there is *. If so, they take appropriate measures to repair it, to prevent being * again. Although defensive * * can quickly locate the loopholes in the system, this strategy is not itself safe. If you only take measures after someone else has acted, it is already too late. So this approach should only be a fallback.
4.2. * type security
*-type security means that security maintenance personnel play the role of * *, launch various kinds of * * against the systems they maintain, find the loopholes, and then fix them and prevent them from recurring. This demands more of security practitioners: they must know not only how to protect, but also how to *. But as long as they persist, over time security practitioners will have the same ability as *. The biggest difference between the so-called white hat and black hat is that white hats hold to their own standards and never cross the boundaries of the law.
5. The approach to testing
The purpose of * testing is to find the loopholes in a system before it is *. The idea is to find the loopholes in your own system by playing the role of *.
5.1. Discover system security vulnerabilities as a *
If you want to find the loopholes in the system this way, you must set aside all your control of the system and approach it as if you were encountering it for the first time. Use a variety of information-gathering methods to obtain information about the system, and use that as the starting point for further testing.
5.2. Just prove the existence of security problems and don't sabotage them.
As a tester, you only need to find the security loopholes in the system; do not exploit them to damage the system.
6. The personal conduct of the * tester
As a tester, you must have your own ethics and must not use the vulnerability information obtained during testing to engage in grey-market activity.
6.1. Moral restraint
Again, a gentleman loves money and takes it wisely. Don't be carried away by temporary interests, otherwise you will break through the bottom line of morality and eventually embark on a road of no return without moral restraint.
6.2. Legal restraint
Network information security is bound by national law, so don't cross the bottom line of the law. China's new version of the Network Information Security Law will come into force on June 1, 2017. The following are some of its provisions.
Article 27 No individual or organization may engage in activities that endanger network security, such as illegally intruding into other people's networks, interfering with the normal functions of other people's networks, or stealing network data. Programs or tools specially used to engage in network intrusion, interference with network normal functions and protective measures, theft of network data and other activities endangering network security shall not be provided. Those who know that others are engaged in activities that endanger network security shall not provide them with technical support, advertising promotion, payment and settlement, etc.
Article 63 Whoever, in violation of the provisions of Article 27 of this Law, engages in activities that endanger network security, or provides programs or tools specially used to engage in activities that endanger network security, or provides technical support, advertising promotion, payment and settlement assistance for others to engage in activities that endanger network security, if it does not constitute a crime, shall have the illegal income confiscated by the public security organ and shall be detained for not more than five days, and may concurrently be fined not less than 50,000 yuan and not more than 500,000 yuan. If the circumstances are relatively serious, the offender shall be detained for not less than five days and not more than fifteen days, and may also be fined not less than 100,000 yuan but not more than 1 million yuan.
© 2024 shulou.com SLNews company. All rights reserved.