What should and should not be audited in a Java EE project

Posted 2024-10-21 08:42:25

I am in need of advice on the matter of auditing a project.

Currently the project I am developing has many actions a "user" can perform such as:

  • Changing his own password
  • Adding, removing permissions
  • Adding, removing roles
  • Upload files
  • Many others..

All these actions which are reachable to a User are audited; however, I don't know if it's usual to, for example, audit the following:

Password policies state that the User password must include at least 1 symbol and 1 digit. A certain user at a certain time tries to change his password without caring about the policies; of course he will get a message stating that the password policies are not respected, but should this be audited? I just want opinions from people that have audited before, or know about the matter.

Another possible case can be when a user tries to delete something that doesn't exist, for instance, having an empty list of permissions and trying to delete a non-existing one. Once again the user will get a message saying to select at least one permission to delete, but should this action be audited?

Any feedback is welcome; this is my first time auditing a project. Thanks :)

Comments (1)

三人与歌 2024-10-28 08:42:25

It strongly depends on your requirements. What do the client or the regulations of the business require? Do you want to audit to make your system more secure? (By learning what malevolent users do.)

And by "auditing", do you mean to log it in a file or to insert it in a DB to grab statistics?

EDIT
Auditing everything might be a bit expensive, so I suggest you make a list of items in order of priority. My list would look something like this.

  • Any HTTP 500 error (this is usually very easy to do)
  • Logins (successful and failed)
  • Changes to any entity that is important to the business (e.g. changes to personal data) and/or important to the application (as you mentioned, adding / removing roles to users).
  • Access denied errors (a logged-in user who tries to access a part of the site he's not allowed to access)
  • Forged URLs (accessing item 666 although there's no item with that id in the DB)
  • URLs that return 404 (a potential user probing the application).

Again, that's my list; you'll probably need to come up with your own, as you might want to have more advanced auditing such as "time spent on the site".

Another important thing: make the logs readable and searchable as much as you can.
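As an added illustration of the priority list above (example code written for this page, not from the question or from the answer's author): a small plain-Java audit logger whose categories follow that list and whose records are fixed key=value lines, which is what keeps them readable and searchable. The class name, the category names (including the `POLICY_VIOLATION` category used for the question's rejected password change) and the sample values (users `alice` and `admin`, the documentation address `203.0.113.10`, permission id `666`) are all constructed for the example.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/** Structured audit record sink; every record has the same fixed keys so it can be filtered by key. */
public final class AuditLog {

    /** Categories following the priority list in the answer above (names are constructed). */
    public enum Category {
        SERVER_ERROR,      // HTTP 500
        AUTHENTICATION,    // login success / failure
        ENTITY_CHANGE,     // roles, permissions, personal data
        ACCESS_DENIED,     // logged-in user hits a resource he is not allowed to access
        FORGED_URL,        // an id that does not exist in the DB
        NOT_FOUND,         // 404s, possible probing
        POLICY_VIOLATION   // e.g. a password change rejected by the password policy
    }

    public enum Outcome { SUCCESS, FAILURE }

    public record Event(Instant at, Category category, Outcome outcome,
                        String actor, String action, Map<String, String> details) {
        /** One record per line, key=value with quoted values, sorted detail keys. */
        public String format() {
            StringBuilder sb = new StringBuilder();
            sb.append("ts=").append(at)
              .append(" category=").append(category)
              .append(" outcome=").append(outcome)
              .append(" actor=").append(quote(actor))
              .append(" action=").append(quote(action));
            for (Map.Entry<String, String> e : new TreeMap<>(details).entrySet()) {
                sb.append(' ').append(e.getKey()).append('=').append(quote(e.getValue()));
            }
            return sb.toString();
        }
    }

    /** Escape quotes and line breaks so a user-controlled value (e.g. a username)
     *  cannot forge a second record or break the one-record-per-line layout. */
    private static String quote(String v) {
        String s = v == null ? "" : v.replace("\\", "\\\\").replace("\"", "\\\"")
                                     .replace("\n", "\\n").replace("\r", "\\r");
        return "\"" + s + "\"";
    }

    private final List<Event> sink = new ArrayList<>();

    public void record(Category c, Outcome o, String actor, String action,
                       Map<String, String> details) {
        Event ev = new Event(Instant.now(), c, o, actor, action, details);
        sink.add(ev);
        System.out.println(ev.format()); // stand-in for the file or DB sink the answer mentions
    }

    public List<Event> events() { return List.copyOf(sink); }

    public static void main(String[] args) {
        AuditLog audit = new AuditLog();

        // The question's first case: a password change rejected by policy. Recorded as a
        // FAILURE so repeated attempts by one actor stand out; the password itself is never logged.
        audit.record(Category.POLICY_VIOLATION, Outcome.FAILURE, "alice", "change_password",
                Map.of("reason", "missing symbol and digit", "source_ip", "203.0.113.10"));

        // The question's second case: a delete request for a permission id that does not exist,
        // which matches the answer's "forged URL" item.
        audit.record(Category.FORGED_URL, Outcome.FAILURE, "alice", "delete_permission",
                Map.of("permission_id", "666", "reason", "no such id"));

        // An ordinary successful change from the answer's list.
        audit.record(Category.ENTITY_CHANGE, Outcome.SUCCESS, "admin", "add_role",
                Map.of("target_user", "alice", "role", "REPORT_VIEWER"));
    }
}
```

Running `main` prints three single-line records such as `ts=... category=POLICY_VIOLATION outcome=FAILURE actor="alice" action="change_password" reason="missing symbol and digit" source_ip="203.0.113.10"`. Keeping `category` and `outcome` as fixed fields is what makes the two borderline cases from the question cheap to keep: they are written as `FAILURE` events and can be filtered in or out later, rather than decided at design time.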
