Want to understand your application's attack surface? Microsoft today released Attack Surface Analyzer 1.0, which includes performance improvements over the beta, bug fixes and reference documentation. Download it now: http://www.microsoft.com/en-us/download/details.aspx?id=24487
The Certified Secure Software Lifecycle Professional (CSSLP) Certification Program will show software lifecycle stakeholders not only how to implement security, but how to glean security requirements, design, architect, test and deploy secure software.
Step 1: Obtain the Required Experience
- Possess a minimum of four years of professional experience in the software development lifecycle (SDLC) in one or more of the seven domains of the (ISC)²® CSSLP CBK®
- Or three years of recent work experience with an applicable college degree in an IT discipline.
Title ........................... Better PHP Practices
Author .......................... cwade12c
Site ............................ http://haxme.org/
Language ........................ PHP
Skill Level ..................... Any - code right
[:: =========> Table of Contents <=========::]
1 +++++++++++++++++++++++++++++++ Introduction
2 +++++++++++++++++++++++++++++++ Intro Practices
3 +++++++++++++++++++++++++++++++ Embrace Better Practices
4 +++++++++++++++++++++++++++++++ Security
++++++++++++++++++++++++++++++++ Web Based Attacks
++++++++++++++++++++++++++++++++ Stress (DoS/Bandwidth Leeching/BoF)
5 +++++++++++++++++++++++++++++++ Final Thoughts
When you start a web application design, it is essential to apply threat risk modeling; otherwise you will squander resources, time, and money on useless controls that fail to focus on the real risks.
The method used to assess risk is not nearly as important as actually performing a structured threat risk modeling. Microsoft notes that the single most important factor in their security improvement program was the corporate adoption of threat risk modeling.
The following is a (slightly modified) version of a document I wrote for the VSTO team way back in the day. You might find it useful as you plan threat modelling for your product(s). You should of course read the Threat Modelling book from Microsoft Press if you want to go into great details about how to do a good job of threat modelling, but this might be enough to get you started on a plan.
I’m not talking about writing a threat model for a large, furry ape (although that would be fun); I’m talking about writing quick-and-dirty threat models when you don’t have time to do the real thing. If you want to do threat modelling properly, I highly recommend you read Frank and Window’s “Threat Modeling” [sic] book from Microsoft Press; but if you just need to get one done, you might not have the time or inclination for that.
How can I get a great and secure product without killing myself? This is not just a question for how-to diet magazines; it’s a legitimate business problem. I teach the ACE Threat Modeling class (First Wednesday of every month!), and that is the question I hear most often.