A brief discussion on code data security

Corporate aspects

Possible threats from open source code

The vulnerability in the open source package Apache Log4j2, disclosed in December 2021, sounded the alarm for everyone. Enterprises can take measures to reduce this kind of risk, such as code review, keeping an inventory of the open source libraries in use and scanning them for known vulnerabilities and sensitive information, and building a security team to conduct attack testing.

Self-developed code

Self-developed code is an important private digital asset of an enterprise, and its security must be fully guaranteed. This covers two areas: preventing code leakage and preventing risks introduced while writing code.

Code data leakage risk prevention

  1. Monitor the relevant open platforms (for example GitHub) for the enterprise's code, and raise an alert promptly when sensitive information is found.
  2. Control permissions on key code data so that only a limited set of users can obtain it.
  3. Train employees, backed by corresponding policies, so that they stay vigilant.
  4. Monitor sensitive behaviour (for example bulk clones or downloads of repositories).

Code writing security: vulnerabilities in the code itself

The cost of managing a defect rises with each stage at which it is found: cheapest during development, more expensive during testing and release, and most expensive after delivery, when it has to be repaired in production. Finding a defect during development is therefore the cheapest case.

  1. Do code review properly; most code loopholes can be removed at this stage.
  2. Scan for vulnerabilities automatically (static analysis of the code and checks of its dependencies), so that every commit is checked rather than only the ones a reviewer happens to look at closely.
  3. Build a security team to conduct attack testing (small and medium-sized enterprises generally do not have the energy and financial resources for this).
  4. Prepare remedial measures in advance, so that once a vulnerability is discovered losses can be minimized.

A specific enterprise prevention scenario

A certain service within the enterprise needs to connect to an SMS sending platform (Alibaba Cloud is used as the example here). There are two options:

  1. Each internal service calls the Alibaba Cloud OpenAPI itself. Its developers must then know the AccessKey ID and AccessKey Secret (placing these credentials in the code, even in encrypted form, is expressly prohibited), and every additional person and repository that holds them raises the probability that the ID and Secret leak.
  2. The enterprise wraps SMS sending in an internal SMS service, and other services only call this internal service to send messages (a whitelist of calling services can be added here to further tighten control). The key information then circulates only among a small, fixed set of people with permission, which reduces the probability of an accident.
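The second option, as an added example written for this page (not code from the original post or from Alibaba Cloud): a small internal SMS gateway in Python. The gateway is the only process that holds the cloud AccessKey ID and Secret; calling services authenticate with their own per-service HMAC key, are restricted to a whitelist and to the message templates approved for them, and requests carry a timestamp and nonce so they cannot be replayed. The service names, keys, credential and `FakeCloudSmsClient` are all constructed placeholders; the fake client stands in for the real vendor SDK call.

```python
"""Internal SMS gateway: the only component that holds the cloud credential.
Added example for this page; all names, keys and the cloud client are constructed."""
import hashlib
import hmac
import json
import time

# Constructed credential. A real gateway loads it from a secret store or an
# environment variable, never from source control.
CLOUD_CREDENTIAL = {"access_key_id": "EXAMPLE_KEY_ID", "access_key_secret": "EXAMPLE_KEY_SECRET"}

# Whitelist of internal services allowed to send SMS (hypothetical names),
# each with its own HMAC key and the message templates it may use.
ALLOWED_CALLERS = {
    "order-service": {"key": b"order-service-key-0001", "templates": {"SMS_ORDER_SHIPPED"}},
    "login-service": {"key": b"login-service-key-0001", "templates": {"SMS_LOGIN_CODE"}},
}


class FakeCloudSmsClient:
    """Stand-in for the vendor SDK: records calls instead of sending."""

    def __init__(self, credential):
        self._credential = credential  # stays inside the gateway process
        self.sent = []

    def send_sms(self, phone, template, params):
        self.sent.append((phone, template, params))
        return f"req-{len(self.sent):04d}"


def mask_phone(phone):
    """Keep only the last four digits in audit logs."""
    return "*" * (len(phone) - 4) + phone[-4:]


def sign_request(caller, key, ts, nonce, payload):
    """Caller side: HMAC-SHA256 over caller name, timestamp, nonce and canonical payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    msg = f"{caller}|{ts}|{nonce}|{canonical}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SmsGateway:
    def __init__(self, callers, cloud_client, max_skew=300):
        self._callers = callers
        self._cloud = cloud_client
        self._max_skew = max_skew  # seconds of clock drift tolerated
        self._seen_nonces = set()
        self.audit_log = []

    def _reject(self, caller, reason):
        self.audit_log.append({"caller": caller, "result": "rejected", "reason": reason})
        return {"ok": False, "reason": reason}

    def send(self, caller, ts, nonce, signature, payload, now=None):
        now = time.time() if now is None else now
        entry = self._callers.get(caller)
        if entry is None:
            return self._reject(caller, "unknown caller")
        if abs(now - ts) > self._max_skew:
            return self._reject(caller, "stale timestamp")
        if (caller, nonce) in self._seen_nonces:
            return self._reject(caller, "replayed nonce")
        expected = sign_request(caller, entry["key"], ts, nonce, payload)
        if not hmac.compare_digest(expected, signature):  # constant-time compare
            return self._reject(caller, "bad signature")
        if payload.get("template") not in entry["templates"]:
            return self._reject(caller, "template not permitted for caller")
        self._seen_nonces.add((caller, nonce))
        request_id = self._cloud.send_sms(payload["phone"], payload["template"], payload.get("params", {}))
        self.audit_log.append({"caller": caller, "result": "ok", "phone": mask_phone(payload["phone"]),
                               "request_id": request_id})
        return {"ok": True, "request_id": request_id}


def demo():
    """Accepted request, then a replay, a tampered nonce, a wrong template and an unknown caller."""
    cloud = FakeCloudSmsClient(CLOUD_CREDENTIAL)
    gw = SmsGateway(ALLOWED_CALLERS, cloud)
    ts = 1_700_000_000
    payload = {"phone": "13800001234", "template": "SMS_ORDER_SHIPPED", "params": {"order": "A1"}}
    order_key = ALLOWED_CALLERS["order-service"]["key"]
    login_key = ALLOWED_CALLERS["login-service"]["key"]
    sig = sign_request("order-service", order_key, ts, "n1", payload)
    results = [
        gw.send("order-service", ts, "n1", sig, payload, now=ts),
        gw.send("order-service", ts, "n1", sig, payload, now=ts),
        gw.send("order-service", ts, "n2", sig, payload, now=ts),
        gw.send("login-service", ts, "n3", sign_request("login-service", login_key, ts, "n3", payload), payload, now=ts),
        gw.send("billing-service", ts, "n4", sig, payload, now=ts),
    ]
    return gw, cloud, results


if __name__ == "__main__":
    for r in demo()[2]:
        print(r)
```

The property worth checking in a real deployment is the one the demo exercises: no caller ever receives the cloud secret, the audit log never contains it, and a caller can only send the templates it was approved for, so a compromised low-value service cannot be used to send arbitrary messages.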

Personal aspects

  1. You must be aware of code security.
  2. Keep daily code isolated: enterprise code and your own test code must be kept separate, so that enterprise code is never uploaded to a public platform by mistake.
  3. Be risk-averse when writing code: think ahead about common vulnerabilities (weak encryption functions, JSON injection, cross-site request forgery, etc.) and about sensitive data in plaintext (tokens, passwords, etc.).

Leaking code data is like a negative review for a Taobao seller. If you accidentally cause a leak, your reputation may suffer, or the consequences may be ruinous (for example, if you signed a confidentiality clause, you will be held responsible for the leak and liable for financial compensation).
Therefore, individuals within an enterprise must keep code and data security in mind at all times and act with great caution.

Summary

Code security protection, between the company and the individual, is like the relationship between law and morality: law sets the lower limit and morality the upper limit. Individuals need enough security awareness to avoid such situations. The enterprise is the last firewall, doing its best to prevent data leakage, and its remedial measures after a leak must be thorough.
Such problems are rare, but if you do run into someone with ulterior motives and a leak occurs, it is usually a big problem. As enterprises keep growing, code and data security must receive more attention.


Origin: blog.csdn.net/DisMisPres/article/details/125621083