代碼審計(jì)服務(wù)技術(shù)白皮書v1.1

1、專業(yè)服務(wù)技術(shù)白皮書專業(yè)服務(wù)技術(shù)白皮書代碼審計(jì)服務(wù)代碼審計(jì)服務(wù)I目錄目錄一.概述.......................................................................................................................................................11.1基本概念......................

2、.....................................................................................................................11.2代碼審計(jì)與模糊測(cè)試..........................................................................................

3、.............................11.3服務(wù)的必要性...................................................................................................................................11.4客戶收益..........................................

4、.................................................................................................2二.服務(wù)的實(shí)施標(biāo)準(zhǔn)和原則..............................................................................................................

5、.........22.1政策文件或標(biāo)準(zhǔn)...............................................................................................................................22.2服務(wù)原則.................................................................

6、..........................................................................2三.XXXX代碼審計(jì)服務(wù)...............................................................................................................................33.1服務(wù)

7、范圍...........................................................................................................................................33.2服務(wù)分類.......................................................................

8、....................................................................33.2.1整體代碼審計(jì)和功能點(diǎn)人工代碼審計(jì)....................................................................................33.2.2單次服務(wù)和年度服務(wù)...............................

9、.................................................................................43.3服務(wù)流程...................................................................................................................................

10、........43.4服務(wù)特點(diǎn)...........................................................................................................................................53.5服務(wù)報(bào)告.........................................................

11、..................................................................................63.6服務(wù)注意事項(xiàng)................................................................................................................................

12、...6四.代碼審計(jì)方法論...................................................................................................................................74.1代碼檢查技術(shù)..................................................................

13、.................................................................74.1.1源代碼設(shè)計(jì)................................................................................................................................74.1.2錯(cuò)誤處理不當(dāng)....

14、........................................................................................................................74.1.3直接對(duì)象引用........................................................................................

15、....................................84.1.4資源濫用....................................................................................................................................84.1.5API濫用...............................

16、.......................................................................................................84.2應(yīng)用代碼關(guān)注要素.........................................................................................................

17、..................94.2.1跨站腳本漏洞............................................................................................................................94.2.2跨站請(qǐng)求偽裝漏洞....................................................

18、................................................................94.2.3SQL注入漏洞..............................................................................................................................94.2.4命令執(zhí)行漏洞.....

19、.......................................................................................................................94.2.5日志偽造漏洞.........................................................................................

20、...................................94.2.6參數(shù)篡改..................................................................................................................................104.2.7密碼明文存儲(chǔ)................................

21、..........................................................................................104.2.8配置文件缺陷.....................................................................................................................

22、.....104.2.9路徑操作錯(cuò)誤..........................................................................................................................104.2.10資源管理....................................................................

23、............................................................104.2.11不安全的Ajax調(diào)用...............................................................................................................104.2.12系統(tǒng)信息泄露.................