Best Practices to Secure Web Applications
Loiane Groner (@loiane)

Application Security

Plan → Development → Build → Test → QA/UAT → Production → Security Testing

Production delays due to late assessment.
Worse: assessment is done after production, every X months.
Source: NIST, Ponemon Institute

Shift left

Plan → Development → Build → Test → QA/UAT → Production

Remediation Costs (chart; values not recoverable from this page)
Source: NIST, Ponemon Institute

Security from day 1

Loiane Groner
Development/Engineering Manager | Published A

What is API security?

Authentication and Authorization

OWASP Top 10 API Security Risks 2023

1. Broken Object Level Authorization
2. Broken Authentication
3. Broken Object Property Level Authorization
4. Unrestricted Resource Consumption
5. Broken Function Level Authorization
6. Unrestricted Access to Sensitive Business Flows
7. Server Side Request Forgery
8. Security Misconfiguration
9. Improper Inventory Management
10. Unsafe Consumption of APIs

https://owasp.org/API-Security/editions/2023/en/0x11-t10/

Better Authorization

Bad Practice: checking what is NOT allowed

```java
public CourseDTO update(@PathVariable Long id, @RequestBody Course course) {
    User user = getAuthenticatedUser();
    // Only STUDENT is rejected; any other role (including ones added later) gets through
    if (user.getRole().equals(Role.STUDENT)) {
        throw new AccessDeniedException("You don't have permission to update course");
    }
    return courseService.update(id, course);
}
```

Good Practice: deny by default

```java
@PutMapping(value = "/{id}")
public CourseDTO update(@PathVariable Long id, @RequestBody Course course) {
    User user = getAuthenticatedUser();
    // allow the update only if the role is admin or teacher
    if (user.getRole().equals(Role.ADMIN) || user.getRole().equals(Role.TEACHER)) {
        return courseService.update(id, course);
    }
    // everything else is denied
    throw new AccessDeniedException("You don't have permission to update course");
}
```

Role-based access control

```java
@PreAuthorize("hasRole('ADMIN') or hasRole('TEACHER')")
public CourseDTO update(@PathVariable Long id, @RequestBody Course course) {
    return courseService.update(id, course);
}
```

Potential Proble
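The difference between the "checking not allowed" and "deny by default" checks on the Better Authorization slides is easiest to see when a role the developer did not anticipate shows up. The following is an added example, not code from the talk: it models both checks in plain Java (no Spring dependency) and introduces a constructed role, Role.GUEST, that was "added later" to the system. The role enum, the AccessDeniedException class and the method names are assumptions made for this illustration.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.function.Consumer;

// Added example (not from the talk): compares a denylist check with a
// deny-by-default allowlist check for the "update course" operation.
// Role.GUEST is a constructed role that did not exist when the endpoint
// was first written.
public class AuthorizationCheckDemo {

    enum Role { ADMIN, TEACHER, STUDENT, GUEST }

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Bad practice: "checking not allowed". Only STUDENT is rejected, so any
    // role the developer did not anticipate is implicitly allowed.
    static boolean updateWithDenylist(Role role) {
        if (role == Role.STUDENT) {
            throw new AccessDeniedException("You don't have permission to update course");
        }
        return true; // courseService.update(...) would run here
    }

    // Good practice: deny by default. Only the explicitly allowed roles get
    // through; everything else, including roles added later, is rejected.
    private static final Set<Role> CAN_UPDATE_COURSE = EnumSet.of(Role.ADMIN, Role.TEACHER);

    static boolean updateWithAllowlist(Role role) {
        if (CAN_UPDATE_COURSE.contains(role)) {
            return true; // courseService.update(...) would run here
        }
        throw new AccessDeniedException("You don't have permission to update course");
    }

    // Runs one of the checks and reports the decision instead of propagating the exception.
    static String outcome(Consumer<Role> check, Role role) {
        try {
            check.accept(role);
            return "ALLOWED";
        } catch (AccessDeniedException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        System.out.printf("%-8s %-10s %-10s%n", "role", "denylist", "allowlist");
        for (Role role : Role.values()) {
            System.out.printf("%-8s %-10s %-10s%n", role,
                    outcome(AuthorizationCheckDemo::updateWithDenylist, role),
                    outcome(AuthorizationCheckDemo::updateWithAllowlist, role));
        }
    }
}
```

Running it prints one row per role: ADMIN and TEACHER are allowed by both checks and STUDENT is denied by both, but GUEST is allowed by the denylist and denied by the allowlist. That last row is the whole argument for deny by default: the allowlist needs no change to stay correct when new roles appear, whereas the denylist silently widens. The same property is what `@PreAuthorize("hasRole('ADMIN') or hasRole('TEACHER')")` gives you declaratively.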