优先思考应用安全

An application programming interface (API) is a set of protocols, routines, and tools meant to be used by another application, as opposed to a user interface, designed for people. APIs are provided by applications for automated access by other applications to stitch together functionality. APIs often have full and complete access to applications for sharing and storing data. For example, a weather application on a smartphone uses an API to collect real-time weather data from a source like the National Weather Service. APIs are subject to many of the same types of attacks as a user interface, but are especially vulnerable to SQL injection, injection, and access attacks. They are sometimes overlooked in application security assessments because they aren't immediately visible to users.

A broad category of attack vectors that enable an attacker to supply (“inject”) untrusted input into a program, which then changes the way the program works. Attackers can also use injection attacks to plant malware on a computer, for example, so an attacker can execute remote commands. There are many types of injection attacks, a common one being SQL injection, which enables an attacker to manipulate SQL statements and gain control of a system's database.

An attack designed to significantly impair the performance of an application or service or prevent an authorized user from accessing it at all. DDoS attacks typically originate from an “army” of hacker-controlled bots.

All layers of an application have a capacity limit or are designed in a way that makes them vulnerable to DDoS attacks. Attackers often launch several attack types in at the same time, targeting multiple app components. So, defense must be comprehensive. The most common types of DDoS attacks include volumetric, which consumes all available bandwidth across the connection between an app and the network; computational attacks that attempt to exhaust infrastructure resources, causing an app to crash or perform poorly; and application attacks that mimic legitimate application requests but attempt to overload web server resources like CPU or memory.

An attack that uses a website's own features and functionality to consume, defraud, or circumvent access control mechanisms. Some website functionality, even security features, can be abused to cause unexpected behavior. When a piece of functionality is vulnerable to abuse, an attacker could annoy other users or perhaps defraud the system entirely. The potential for and level of abuse will vary from website to website and application to application.

Credentials are username and password combinations for applications or websites that require a user to log in. Credential theft can occur in multiple ways; often the first step is a phishing attack that attempts to trick users into giving up credentials or other sensitive data.

Attackers obtain large volumes of user credentials (username/password pairs) stolen from previous data breaches and use automated tools to test them in the login fields of other, targeted websites. When a username/password pair grants the attackers access, they take over that account for fraudulent purposes.

An exhaustive procedure (often involving automated tools) in which an attacker uses every possible combination of letters, numbers, and symbols to determine one valid username and password combination to gain unauthorized access to an application or website. Attackers often use a dictionary of words or commonly used passwords or phrases as an aid in brute force attacks. A common mitigation is to temporarily lock out user accounts after a specific number of failed login attempts. However, this can result in a denial of service for those affected accounts.

Any type of fraudulent communication that's sent to multiple recipients at once via email, social media, or text message, from someone impersonating a party or entity that the victim trusts. The goal is to trick the user into providing private information (such as bank account numbers, social security numbers, credit card numbers)—usually by clicking a link or opening an attachment. There are several variations of phishing, such as spear phishing, in which a specific, often high-level individual within an organization is targeted.

The primary key material used to decrypt confidential data and establish authenticity are the highest value assets in the security infrastructure and should be well guarded. Similar to credential theft, keys provide access to an app or network. They also provide access to encrypted data at rest or in transit. Key material can be exposed in a variety of ways: by attackers gaining access to the systems that host the key material, by accidentally “leaking” the key in a backup or low-security data repository, or via an exploit like Heartbleed. High security environments typically use specialized hardware key storage (see FIPS 140) to protect keys from disclosure.

Digital certificates (also known as SSL certificates) provide secure, encrypted communication between a website and its users, decreasing the risk of sensitive information (like login credentials or credit card numbers) being tampered with or stolen. Certificates are issued to organizations by trusted certificate authorities (CAs) to verify the identity of the organization to website users. Think of it as the equivalent of an individual's passport or driver's license. Certificate spoofing occurs when an attacker presents a fake digital certificate on a malicious website. This can lead to unsuspecting users trusting a malicious website or application, making the user susceptible to malware infection, man-in-the-middle attacks, or stolen credentials.

The attacker uses captured, brute-forced, or reverse-engineered session IDs to take control of a legitimate user's web application session while the session is still in progress.

Protocols have defined purposes and usages, such as port 443 for HTTPS or encrypted web traffic. Attackers can abuse these by using a known protocol, which may be allowed through a traditional firewall, as a covert channel to transfer stolen data or issue commands to malware deep inside a network. When attackers send non-HTTPS traffic across defined ports (or any other port for which the traffic violates the intended purpose or communications protocol), it's protocol abuse.

This attack occurs when an attacker injects a forged DNS entry into the DNS cache (for example, a DNS cache server used by an ISP, which is in turn used by many end users). The fake DNS entry resolves a common domain name to an IP address specified by the attacker. As a result, any user requesting to connect to that site (such as www.example.com) is connected to a fake website.

A broad category of attacks that attempt to spoof Domain Name System (DNS) records. This can involve DNS spoofing, compromising a DNS server, carrying out a DNS cache poisoning attack, guessing a sequence number in a request, or launching a man in the middle attack.

The Domain Name System (DNS) is the “address book” for the Internet, effectively looking up the correct IP address for a user-friendly website name (such as www.example.com) requested by a user. Also known as a DNS flood, this type of attack involves the attacker sending a barrage of requests to the DNS servers of a specific domain in an attempt to overload them with requests, disrupting the address lookup process and preventing the user from connecting to the requested site.

An attack that forcibly redirects traffic intended for a website requested by a user to a website designated by the attacker. In this type of attack, an unsuspecting victim, thinking they're connecting to their banking website, is actually connecting to a fake banking website where the attacker can steal their username and password when they attempt to log in. This attack is often accomplished by an attacker infecting a user's computer with malware that changes its DNS settings, directing the user's computer to connect to a malicious DNS server when they enter a user-friendly domain name.

In networking, eavesdropping takes the form of an attacker using special network monitoring software (also known as a sniffer) to intercept and record communication between two parties (for example, between two hosts or a client and a server) with the goal of capturing valuable, sensitive information. In wireless network environments, mitigation involves using strong encryption methods that operate at the lowest possible layers of the protocol stack.

All denial-of-service attacks are designed to disrupt or make services completely unavailable to the user. DDoS attacks overwhelm the system with too many requests to handle. At the network level, these attacks involve disrupting the function of network/perimeter firewalls, load balancers, or other network devices, making an entire network unreachable as opposed to just a specific server, website, or application.

A form of eavesdropping (that also involves impersonation) in which attackers insert themselves into a network communication, often between a client and a web application. A successful attack lets an attacker have full access to the conversation and secretly alter it. For example, an attacker might hijack communication between a target and their banking website, stealing the target's login credentials or redirecting funds from the target's bank account to the attacker's account.

Network protocols have defined purposes and uses, such as port 443 for HTTPS or encrypted web traffic. Attackers can abuse these by using a known protocol, which may be allowed through a traditional firewall, as a covert channel to transfer stolen data or issue commands to malware inside a network. When attackers send non-HTTPS traffic across defined ports (or any other port for which the traffic violates the intended purpose or communications protocol), it's known as protocol abuse.