By Richard Tsuis, http://richardtsuis.cnblogs.com/ .
This posting is provided "AS IS" with no warranties, and confers no rights.
Web Application Security
A collection of security standards and requirements documents relevant to traditional web applications and ASP.NET web applications.
ISO (International Organization for Standardization) security standards:
ISO/IEC 17799
INFORMATION TECHNOLOGY - SECURITY TECHNIQUES - CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
· security policy;
· organization of information security;
· asset management;
· human resources security;
· physical and environmental security;
· communications and operations management;
· access control;
· information systems acquisition, development and maintenance;
· information security incident management;
· business continuity management;
· compliance.
The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
Note: ISO documents must be purchased before they can be downloaded.
Web Application Security Consortium (WASC)
URL: http://www.webappsec.org/
The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.
WASC Projects:
· Web Security Articles
· The Web Hacking Incidents Database
· Distributed Open Proxy Honeypots
· Web Security Glossary
· Web Security Threat Classification
· Web Application Firewall Evaluation Criteria
· Web Application Security Statistics
Microsoft Security Center
URL: http://www.microsoft.com/security/guidance/default.mspx
Microsoft Patterns & Practices team guidance site (Patterns & Practices: Guides)
URL: http://msdn2.microsoft.com/en-us/practices/bb190360.aspx
ASP.NET security guidance
Authentication in ASP.NET: .NET Security Guidance
URL: http://msdn2.microsoft.com/en-us/library/ms978378.aspx
Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
URL: http://msdn2.microsoft.com/en-us/library/aa302415.aspx