Information Security Engineer Tutorial Study Notes: Professional English for Information Security (3)

Information Security Engineer    Editor: 长颈鹿    2016-09-09


Abstract: In the National Computer Technology and Software Professional and Technical Qualification (Level) Examination, the newly introduced Information Security Engineer qualification belongs to the examination's "Information Systems" specialty at the intermediate level. The official textbook, Information Security Engineer Tutorial, and the exam syllabus were published on 1 July. Xisai's editors have compiled these study notes on Application Security from the tutorial for reference.


      Application security encompasses measures taken throughout the code's life cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) that arise through flaws in the design, development, deployment, upgrade, or maintenance of the application or its database.

      Applications only control the kind of resources granted to them, not which resources are granted to them. They, in turn, determine how users of the application may use those resources, and that control is what application security enforces.


      Security testing for applications

      Security testing techniques scour for vulnerabilities or security holes in applications. These vulnerabilities leave applications open to exploitation. Ideally, security testing is implemented throughout the entire software development life cycle (SDLC) so that vulnerabilities may be addressed in a timely and thorough manner. Unfortunately, testing is often conducted as an afterthought at the end of the development cycle.

      Vulnerability scanners, and more specifically web application scanners, otherwise known as penetration testing tools (i.e. ethical hacking tools), have historically been used by security organizations within corporations and by security consultants to automate the security testing of HTTP requests and responses; however, this is not a substitute for actual source code review. Code review of an application's source can be accomplished manually or in an automated fashion. Given the common size of individual programs (often 500,000 lines of code or more), the human brain cannot execute the comprehensive data-flow analysis needed to completely check all circuitous paths of an application program and find vulnerability points. The human brain is better suited to filtering, interpreting and reporting the output of commercially available automated source code analysis tools than to tracing every possible path through a compiled code base to find root-cause vulnerabilities.

      The two types of automated tools associated with application vulnerability detection (application vulnerability scanners) are penetration testing tools (often categorized as black-box testing tools) and static code analysis tools (often categorized as white-box testing tools).

      According to Gartner Research, "...next-generation modern Web and mobile applications requires a combination of SAST and DAST techniques, and new interactive application security testing (IAST) approaches have emerged that combine static and dynamic techniques to improve testing...". Because IAST combines SAST and DAST techniques, the results are highly actionable, can be linked to the specific line of code, and can be recorded for later replay by developers.

      Banking and large e-commerce corporations have been the very early adopters of these types of tools. It is commonly held within these firms that both black-box and white-box testing tools are needed in the pursuit of application security. As typically cited, black-box testing tools (meaning penetration testing tools) are ethical hacking tools used to attack the application surface to expose vulnerabilities present within the source code hierarchy; penetration testing tools are executed on the already deployed application. White-box testing tools (meaning source code analysis tools) are used by either application security groups or application development groups. Typically introduced into a company through the application security organization, the white-box tools complement the black-box testing tools in that they give specific visibility into the root vulnerabilities within the source code before that source code is deployed. Vulnerabilities identified with white-box and black-box testing are typically classified according to the OWASP taxonomy of software coding errors. White-box testing vendors have recently introduced dynamic versions of their source code analysis methods, which operate on deployed applications. Given that the white-box testing tools now have dynamic versions similar to the black-box testing tools, findings from both can be correlated in the same software error detection paradigm, giving the client company fuller application protection.
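The data-flow analysis that a white-box (SAST) tool performs on source code, as described above, can be illustrated with a small taint tracker. The following is an added example written for these notes, not code from the tutorial or from any vendor's product: it parses a Python program with the standard `ast` module, marks variables assigned from untrusted sources, propagates taint through assignments, concatenation, f-strings and subscripts, clears it when a known sanitiser is applied, and reports calls that pass tainted data to a dangerous sink. The source, sanitiser and sink lists and the program under analysis are all constructed for illustration; the analysis is intra-procedural and flow-insensitive, which is enough to show the idea but far less than a real analyser tracks.

```python
"""Toy white-box (SAST-style) taint analysis built on Python's ast module."""
import ast

# Hypothetical catalogues chosen for illustration; real tools ship thousands.
SOURCES = {"input", "request.args.get", "request.form.get"}
SANITIZERS = {"shlex.quote", "int"}
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintFinder(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names currently holding untrusted data
        self.findings = []     # (line number, sink name) for each tainted sink call

    def is_tainted(self, node):
        """Does this expression (transitively) carry data from a source?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SANITIZERS:
                return False                      # sanitiser output is trusted
            if name in SOURCES:
                return True
            return any(self.is_tainted(a) for a in node.args)   # conservative
        if isinstance(node, ast.BinOp):              # e.g. string concatenation
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):          # f-string
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Subscript):
            return self.is_tainted(node.value)
        return False

    def visit_Assign(self, node):
        self.generic_visit(node)     # check for sinks on the right-hand side first
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if tainted:
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # reassigned from clean data

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def find_taint(source):
    """Analyse Python source text; return [(line, sink), ...] in source order."""
    finder = TaintFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed program under analysis: two unsafe flows and two safe ones.
SAMPLE = '''
import os, shlex, subprocess
user = input("directory: ")
os.system("ls " + user)                    # untrusted string reaches a shell
safe = shlex.quote(user)
subprocess.call("ls " + safe, shell=True)  # sanitised, not reported
path = "/srv/data"
os.system("ls " + path)                    # constant, not reported
query = f"SELECT * FROM files WHERE owner = '{user}'"
cursor.execute(query)                      # untrusted data reaches SQL
'''

if __name__ == "__main__":
    for line, sink in find_taint(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```

Run stand-alone, the script reports lines 4 and 10 of the sample and stays silent on the sanitised and constant cases. Treating a call with a tainted argument as tainted is the conservative choice a static tool makes when it does not know the callee; it produces false positives, which is exactly the output a human reviewer is better placed to filter and interpret than to generate by hand.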

      Advances in professional malware targeted at the Internet customers of online organizations have driven a change in web application design requirements since 2007. It is generally assumed that a sizable percentage of Internet users will be compromised through malware and that any data coming from their infected hosts may be tainted. Therefore, application security has begun to manifest more advanced anti-fraud and heuristic detection systems in the back office, rather than within the client-side or web server code.
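The design consequence of that assumption, that nothing arriving from a possibly compromised client can be trusted, is easiest to see in a back-office check that ignores client-supplied prices and totals, recomputes them server-side, and applies a few heuristics before an order is accepted. The following is an added example written for these notes, not code from the tutorial or any real anti-fraud product; the catalogue, thresholds, field names and sample orders are all constructed for illustration.

```python
"""Back-office anti-fraud heuristics that treat all client-submitted data as tainted."""
from collections import defaultdict
from dataclasses import dataclass

CATALOGUE = {"sku-1": 1999, "sku-2": 4500}     # constructed; prices in cents
HIGH_VALUE = 10_000                             # cents; assumed threshold
VELOCITY_WINDOW = 600                           # seconds; assumed
VELOCITY_LIMIT = 3                              # prior orders within the window


@dataclass
class Order:
    order_id: str
    account: str
    ts: int                    # unix seconds, server receipt time
    items: dict                # sku -> quantity, as submitted by the client
    claimed_total: int         # total the client says it owes (untrusted)
    ship_to: str               # address submitted with the order (untrusted)
    account_ship_to: str       # address on file, held server side


def server_total(items):
    """Recompute the total from the catalogue; None if any SKU or quantity is invalid."""
    if any(sku not in CATALOGUE or qty <= 0 for sku, qty in items.items()):
        return None
    return sum(CATALOGUE[sku] * qty for sku, qty in items.items())


def score_order(order, history):
    """Return (score, reasons) for one order given the account's prior orders."""
    reasons = []
    total = server_total(order.items)
    if total is None:
        return 3, ["unknown SKU or non-positive quantity"]   # reject outright
    if order.claimed_total != total:
        reasons.append("client total differs from server total")
    if order.ship_to != order.account_ship_to and total > HIGH_VALUE:
        reasons.append("new shipping address on a high-value order")
    recent = [o for o in history if 0 <= order.ts - o.ts <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        reasons.append(f"{len(recent)} prior orders within {VELOCITY_WINDOW}s")
    return len(reasons), reasons


def decide(score):
    """Map a heuristic score to a back-office decision."""
    return "accept" if score == 0 else "review" if score == 1 else "hold"


def review_batch(orders):
    """Score orders in arrival order; returns order_id -> (decision, reasons)."""
    history = defaultdict(list)
    results = {}
    for o in sorted(orders, key=lambda o: o.ts):
        score, reasons = score_order(o, history[o.account])
        results[o.order_id] = (decide(score), reasons)
        history[o.account].append(o)
    return results


# Constructed sample: one clean order, one tampered order, one burst of orders.
SAMPLE_ORDERS = [
    Order("o1", "alice", 1000, {"sku-1": 1}, 1999, "1 Main St", "1 Main St"),
    Order("o2", "bob", 2000, {"sku-2": 3}, 1350, "9 Drop Ln", "4 Oak Ave"),
] + [
    Order(f"o{n}", "carol", 3000 + 100 * n, {"sku-1": 1}, 1999, "7 Elm Rd", "7 Elm Rd")
    for n in range(3, 7)
]

if __name__ == "__main__":
    for oid, (decision, reasons) in review_batch(SAMPLE_ORDERS).items():
        print(oid, decision, "; ".join(reasons))
```

Run stand-alone, the tampered order (a client-claimed total of 1350 cents against a recomputed 13500, shipped to an address not on file) is held, the fourth order in carol's burst is sent for review, and the rest are accepted. The point is where the logic lives: none of these checks depends on the browser or on the web tier behaving honestly, so a compromised client changes the inputs but not the verdict.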

