Construction of enterprise application software development security system
Abstract: To address the security issues that must be considered during the design and development of enterprise application software, this paper constructs an application software development security system suitable for use within an enterprise. By analysing the protection techniques for common vulnerabilities in enterprise application software, and following the application software development life cycle, it reorganises and supplements the framework of the enterprise application software development security system from the aspects of design security, coding security and process management security. Taking into account the security requirements that correspond to each part of the framework, and in order to give application designers and code developers practical guidance for improving the security capability of their software, the paper further proposes an enterprise application software development security system that includes concrete technical requirements. Building such a system helps to reduce defects in the software itself and to prevent security vulnerabilities in enterprise application software from being exploited by attackers, thereby avoiding the serious or even catastrophic consequences that could otherwise result.