Enterprise Security API for C++
We are currently working on an open source project for OWASP, creating a C++ API of enterprise security controls.
The Enterprise Security API (ESAPI) has already been defined for Java EE. We are well aware that requirements of security controls for the C++ language may vary to some degree.
Undoubtedly, some of the largest security concerns stem from memory management, which we are not providing a solution for at this time. So far, we are focusing on several items taken from the ESAPI 2.0 for Java specification. However, there are some questions we have specific to some of these security sections. Mainly, the Java ESAPI has a heavy slant towards web applications, which we know is not the norm for C++. Therefore, we are looking for other areas where common security controls might help the C++ community. It would be useful to know what types of security issues commonly face C++ developers.
We are trying to identify how hackers attack and break your code so we can help provide the appropriate security controls to prevent it.
To aggregate feedback on this project we have created a Google survey; however, please feel free to leave your feedback here as well.
https://docs.google.com/spreadsheet/viewform?formkey=dE5feWtjYlBNU05lV1FxTGNLVExIMVE6MQ
Proposed Security Controls (taken from ESAPI 2.0 for Java):
- Authentication - Methods for generating and handling corroborating account credentials and session identifiers.
- User - Represents an application user or user account.
- Access Control - Methods that can be used in a wide variety of applications to enforce access control.
- Validation - Methods for canonicalizing and validating untrusted input.
- Encoding - Decoding input and encoding output so that it will be safe for a variety of interpreters.
- Execution - Used to run an OS command with reduced security risk.
- Encryption - Common encryption, cryptographic random numbers and strings, and hashing operations, and signatures. The cryptographic functionality will be built upon Wei Dai's Crypto++ library for C++. However, our intent is to provide crypto functionality that is simple enough for the average developer to use without any specific knowledge of cryptography apart from some basic terminology.
- Logging - Methods that can be used to log security events.
Would you consider using this API?
Would this provide a benefit to your development / business?
Any Recommendations?
Any additional information you can provide on this project is useful to us. If there are specific things that would be useful to include that are missing from the above list, or general recommendations you may have, that would be great. Are there things on the above list that you recommend that we leave out because there would be absolutely no way you would use it? If so, then also tell us about those things too.
Thank you for giving this your attention. We hope that creating an ESAPI for C++ will make it easier for developers to write more secure applications.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
http://code.google.com/p/owasp-esapi-cplusplus/