Shulou(Shulou.com)06/01 Report--

It's not a problem.

   understands the technical solutions of other designers that technicians disdain to talk about, and to make fun of it, programmers with integrity are embarrassed to ask this question. Of course, some people think that in fact, everyone has to solve this problem, not only the security architect, or there is no way to cooperate. What I want to emphasize here is that because there is a lot of communication within the development team, the understanding of the solution does not rely very much on or does not rely on the design documents, and many design documents are a summary after the fact, but security architects usually do not have the opportunity to communicate so frequently.

Reading the misunderstandings of other people's designs

   is different from the resources of the development team, but security architects will not be divided into so many resources, such as Java, Cmax Clipper +, .net, and so on. We have to cover up the water, Java problems need to be dealt with, and we also have to participate in the Cmax Cure + project. At the same time, it is impossible for the project to wait until we learn the .net language before doing security design or evaluation.

     myth 1: pay attention to the details of the development language (the features of the language must depend on the ability of the specific developer to cooperate with the developer)

Most of the contents of the    technical solution are functional modules, and the definition of functional modules is often based on the convenience of development (Conway Theorem), so it is difficult to extract security problems and solutions from this technical solution from the perspective of function.

Misunderstanding 2 of     : paying too much attention to the details of function implementation

     misunderstanding 3: analyze design documents according to the thinking of development

The method of looking at the technical solution in two steps

   1, reorganize the design scheme, classify the logic modules into routing, registration, authentication, authorization, data life cycle management, system life cycle management. Life cycle refers to from birth to death.

   2, check the first-step regrouped design with a list of security issues.

Sell it.

   exactly how to operate the above two steps will be explained later.

Thinking about this section

   1, how do you read other people's solutions yourself, and what problems have you encountered?

Portal

Three-dimensional coordinate system on the way of growing up of    Security architect

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.