Secure Coding Practices Checklist (translation template)

Posted: 2019/11/23 00:00:00  Views: 2304
Secure coding practice checklist

  Input Validation:

  Conduct all data validation on a trusted system (e.g., The server)

  Identify all data sources and classify them into trusted and untrusted. Validate all data from untrusted sources (e.g., Databases, file streams, etc.)

  There should be a centralized input validation routine for the application

  Specify proper character sets, such as UTF-8, for all sources of input

  Encode data to a common character set before validating (Canonicalize)

  All validation failures should result in input rejection

  Determine if the system supports UTF-8 extended character sets and if so, validate after UTF-8 decoding is completed

  Validate all client-provided data before processing, including all parameters, URLs and HTTP headers (e.g., cookie names and values). Be sure to include automated post-backs from JavaScript, Flash or other embedded code

  Verify that header values in both requests and responses contain only ASCII characters

  Validate data from redirects (An attacker may submit malicious content directly to the target of the redirect, thus circumventing application logic and any validation performed before the redirect)

  Validate for expected data types

  Validate data range

  Validate data length

  Validate all input against a "white" list of allowed characters, whenever possible

  If any potentially hazardous characters must be allowed as input, be sure that you implement additional controls like output encoding, secure task-specific APIs and accounting for the utilization of that data throughout the application. Examples of common hazardous characters include:

  < > " ' % ( ) & + \ \' \"

  If your standard validation routine cannot address the following inputs, then they should be checked discretely

  o Check for null bytes

  o Check for new line characters (\r, \n)

  o Check for "dot-dot-slash" (../ or ..\) path alteration characters. In cases where UTF-8 extended character set encoding is supported, address alternate UTF-8 representations of the dot and slash characters as well

  (Utilize canonicalization to address double encoding or other forms of obfuscation attacks)
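The canonicalise-then-check sequence above, as an added Python example that is not part of the translated checklist: it percent-decodes until the value stops changing (so double encoding cannot hide a payload), applies Unicode NFKC so full-width look-alikes collapse to ASCII, runs the null-byte, line-break and dot-dot-slash checks, and finally enforces an allow-list. The field (an uploaded file name) and its allow-list are assumptions chosen for the illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed allow-list for one field (an uploaded file name): letters, digits,
# dot, dash and underscore, 1 to 64 characters. Each field gets its own list.
ALLOWED = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class ValidationError(ValueError):
    """Any failure rejects the input; the value is never 'repaired' and reused."""


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (defeats double encoding such
    as %252e), then apply Unicode NFKC so full-width and other look-alike code
    points collapse to their ASCII form before any check runs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValidationError("too many encoding layers")
    return unicodedata.normalize("NFKC", value)


def validate_filename(raw: str) -> str:
    """Centralised routine: canonicalise, run the discrete checks the checklist
    names (null bytes, CR/LF, dot-dot-slash), then enforce the allow-list.
    Returns the canonical value; raises ValidationError on any failure."""
    value = canonicalize(raw)
    if "\x00" in value:
        raise ValidationError("null byte")
    if "\r" in value or "\n" in value:
        raise ValidationError("line break")
    if "../" in value or "..\\" in value:
        raise ValidationError("path traversal")
    if not ALLOWED.match(value):
        raise ValidationError("character outside allow-list")
    return value


def is_accepted(raw: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        validate_filename(raw)
    except ValidationError:
        return False
    return True
```

The full-width case in the checks below is the "alternate representation" the checklist warns about: it only becomes "../" after canonicalisation, which is why validation must run after decoding.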

  Output Encoding:

  Conduct all encoding on a trusted system (e.g., The server)

  Utilize a standard, tested routine for each type of outbound encoding

  Contextually output encode all data returned to the client that originated outside the application’s trust boundary. HTML entity encoding is one example, but does not work in all cases

  Encode all characters unless they are known to be safe for the intended interpreter

  Contextually sanitize all output of un-trusted data to queries for SQL, XML, and LDAP

  Sanitize all output of un-trusted data to operating system commands
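
A contextual output encoder, added here as an example and not from the checklist's authors: the same untrusted string needs different encoding in an HTML body, an HTML attribute, an inline JavaScript string and a URL parameter, and in the SQL context the right control is parameter binding rather than encoding. The in-memory table is constructed for the illustration.

```python
import html
import json
import sqlite3
from urllib.parse import quote


def encode_html_body(value: str) -> str:
    """HTML element content: entity-encode the characters that can open markup."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """HTML attribute value: entity-encode and always emit the surrounding double
    quotes, so the data can never terminate the attribute or add a new one."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    """Inline JavaScript string literal: JSON-encode, then also escape '<' and '>'
    so a '</script>' inside the data cannot close the script element. HTML entity
    encoding is the wrong tool here; script bodies are not entity-decoded."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def encode_url_param(value: str) -> str:
    """Query-string parameter: percent-encode everything outside the unreserved set."""
    return quote(value, safe="")


def lookup_user_id(conn: sqlite3.Connection, username: str):
    """SQL context: the untrusted value is bound as a parameter and never spliced
    into the statement text, so quotes or comment markers in it remain data."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table used by the example and its checks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn
```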

  Authentication and Password Management:

  Require authentication for all pages and resources, except those specifically intended to be public

  All authentication controls must be enforced on a trusted system (e.g., The server)

  Establish and utilize standard, tested, authentication services whenever possible

  Use a centralized implementation for all authentication controls, including libraries that call external authentication services

  Segregate authentication logic from the resource being requested and use redirection to and from the centralized authentication control

  All authentication controls should fail securely

  All administrative and account management functions must be at least as secure as the primary authentication mechanism

  If your application manages a credential store, it should ensure that only cryptographically strong one-way salted hashes of passwords are stored and that the table/file that stores the passwords and keys is write-able only by the application. (Do not use the MD5 algorithm if it can be avoided)

  Password hashing must be implemented on a trusted system (e.g., The server).

  Validate the authentication data only on completion of all data input, especially for sequential authentication implementations

  Authentication failure responses should not indicate which part of the authentication data was incorrect. For example, instead of "Invalid username" or "Invalid password", just use "Invalid username and/or password" for both. Error responses must be truly identical in both display and source code

  Utilize authentication for connections to external systems that involve sensitive information or functions

  Authentication credentials for accessing services external to the application should be encrypted and stored in a protected location on a trusted system (e.g., The server). The source code is NOT a secure location

  Use only HTTP POST requests to transmit authentication credentials

  Only send non-temporary passwords over an encrypted connection or as encrypted data, such as in an encrypted email. Temporary passwords associated with email resets may be an exception

  Enforce password complexity requirements established by policy or regulation. Authentication credentials should be sufficient to withstand attacks that are typical of the threats in the deployed environment. (e.g., requiring the use of alphabetic as well as numeric and/or special characters)

  Enforce password length requirements established by policy or regulation. Eight characters is commonly used, but 16 is better or consider the use of multi-word pass phrases

  Password entry should be obscured on the user’s screen. (e.g., on web forms use the input type "password")

  Enforce account disabling after an established number of invalid login attempts (e.g., five attempts is common). The account must be disabled for a period of time sufficient to discourage brute force guessing of credentials, but not so long as to allow for a denial-of-service attack to be performed

  Password reset and changing operations require the same level of controls as account creation and authentication.

  Password reset questions should support sufficiently random answers. (e.g., "favorite book" is a bad question because “The Bible” is a very common answer)

  If using email based resets, only send email to a pre-registered address with a temporary link/password

  Temporary passwords and links should have a short expiration time

  Enforce the changing of temporary passwords on the next use

  Notify users when a password reset occurs

  Prevent password re-use

  Passwords should be at least one day old before they can be changed, to prevent attacks on password re-use

  Enforce password changes based on requirements established in policy or regulation. Critical systems may require more frequent changes. The time between resets must be administratively controlled

  Disable "remember me" functionality for password fields

  The last use (successful or unsuccessful) of a user account should be reported to the user at their next successful login

  Implement monitoring to identify attacks against multiple user accounts that use the same password. This attack pattern is used to bypass standard lockouts when user IDs can be harvested or guessed

  Change all vendor-supplied default passwords and user IDs or disable the associated accounts

  Re-authenticate users prior to performing critical operations

  Use Multi-Factor Authentication for highly sensitive or high value transactional accounts

  If using third party code for authentication, inspect the code carefully to ensure it is not affected by any malicious code
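
Added Python example (not part of the original checklist) that puts several of the items above into one routine: a credential store that keeps only a per-user salted one-way hash, returns the identical failure message whether the username or the password was wrong, hashes a decoy for unknown users so response time does not differ, and applies a temporary lockout after a fixed number of failures. The attempt limit, lockout length and PBKDF2 iteration count are assumed policy values.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values; a deployment takes these from its own policy.
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
GENERIC_FAILURE = "Invalid username and/or password"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash. PBKDF2-HMAC-SHA256 is used because every Python build
    has it; scrypt or Argon2 are preferable where available. Never MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=32)


class CredentialStore:
    def __init__(self):
        self._users = {}  # username -> [salt, hash, failed_attempts, locked_until]
        self._decoy_salt = os.urandom(16)  # so unknown users cost one hash as well

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh per user: equal passwords give different records
        self._users[username] = [salt, hash_password(password, salt), 0, 0.0]

    def login(self, username: str, password: str, now=None):
        """Returns (ok, message). Every failure path yields the identical message,
        and an unknown username still performs one hash so the response time does
        not reveal whether the account exists."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            hash_password(password, self._decoy_salt)
            return False, GENERIC_FAILURE
        salt, stored, failures, locked_until = rec
        if now < locked_until:
            return False, GENERIC_FAILURE  # locked out: same message, no hint
        if hmac.compare_digest(hash_password(password, salt), stored):
            rec[2], rec[3] = 0, 0.0  # success clears the failure counter
            return True, "ok"
        rec[2] = failures + 1
        if rec[2] >= MAX_ATTEMPTS:  # temporary lock: long enough to blunt guessing,
            rec[2], rec[3] = 0, now + LOCKOUT_SECONDS  # short enough not to be a DoS
        return False, GENERIC_FAILURE
```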

  Session Management:

  Use the server or framework’s session management controls. The application should only recognize these session identifiers as valid

  Session identifier creation must always be done on a trusted system (e.g., The server)

  Session management controls should use well vetted algorithms that ensure sufficiently random session identifiers

  Set the domain and path for cookies containing authenticated session identifiers to an appropriately restricted value for the site

  Logout functionality should fully terminate the associated session or connection

  Logout functionality should be available from all pages protected by authorization

  Establish a session inactivity timeout that is as short as possible, based on balancing risk and business functional requirements. In most cases it should be no more than several hours

  Disallow persistent logins and enforce periodic session terminations, even when the session is active. Especially for applications supporting rich network connections or connecting to critical systems. Termination times should support business requirements and the user should receive sufficient notification to mitigate negative impacts

  If a session was established before login, close that session and establish a new session after a successful login

  Generate a new session identifier on any re-authentication

  Do not allow concurrent logins with the same user ID

  Do not expose session identifiers in URLs, error messages or logs. Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters

  Protect server side session data from unauthorized access, by other users of the server, by implementing appropriate access controls on the server

  Generate a new session identifier and deactivate the old one periodically. (This can mitigate certain session hijacking scenarios where the original identifier was compromised)

  Generate a new session identifier if the connection security changes from HTTP to HTTPS, as can occur during authentication. Within an application, it is recommended to consistently utilize HTTPS rather than switching between HTTP to HTTPS.

  Supplement standard session management for sensitive server-side operations, like account management, by utilizing per-session strong random tokens or parameters. This method can be used to prevent Cross Site Request Forgery attacks

  Supplement standard session management for highly sensitive or critical operations by utilizing per-request, as opposed to per-session, strong random tokens or parameters

  Set the "secure" attribute for cookies transmitted over a TLS connection

  Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie’s value
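
Added example, not from the original checklist: a minimal server-side session manager covering the session items above, with CSPRNG identifiers, identifier rotation on login, idle and absolute timeouts, a per-session CSRF token, and a Set-Cookie builder that scopes the cookie and marks it Secure and HttpOnly. The timeout values are assumptions.

```python
import hmac
import secrets
import time

# Constructed timeouts: the checklist asks for the shortest inactivity timeout the
# business allows, and for periodic termination even of active sessions.
IDLE_TIMEOUT = 30 * 60           # 30 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # 8 hours from creation, active or not


class SessionManager:
    def __init__(self):
        self._sessions = {}  # sid -> {"user", "created", "last_seen", "csrf"}

    def create(self, user=None, now=None) -> str:
        """Fresh identifier and per-session CSRF token from a CSPRNG."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid, now=None):
        """Return the session if still valid; otherwise discard it and return None."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def login(self, old_sid, user, now=None) -> str:
        """After a successful (re-)authentication, or an HTTP-to-HTTPS upgrade, the
        pre-login id is destroyed and a new one issued, so a fixated id is useless."""
        self._sessions.pop(old_sid, None)
        return self.create(user, now)

    def logout(self, sid) -> None:
        self._sessions.pop(sid, None)  # fully terminates the session server-side

    def check_csrf(self, sid, token, now=None) -> bool:
        s = self.get(sid, now)
        return s is not None and hmac.compare_digest(s["csrf"].encode(), (token or "").encode())


def session_cookie(sid: str, domain: str, path: str = "/") -> str:
    """Set-Cookie value: scoped to the site and marked Secure and HttpOnly."""
    return f"sid={sid}; Domain={domain}; Path={path}; Secure; HttpOnly"
```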

  Access Control:

  Use only trusted system objects, e.g. server side session objects, for making access authorization decisions

© 2007 - 2027 Eging Translation (China) | Eging Translation Solutions