The "Security, Operational Management, and Communications Policies" section of [[Application Architecture for .NET:http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/distapp.asp]] summarizes general security principles for system development. According to it:

-Whenever possible, you should rely on tested and proven security systems rather than building your own custom solution. Use industry-proven algorithms, techniques, platform-supplied infrastructure, and vendor-tested and supported technologies. If you decide to do custom development of security infrastructure, validate your approach and techniques with expert auditing and security review organizations before and after implementing it. ~
-Never trust external input. You should validate all data that is entered by users or submitted by other services. ~
-Assume that external systems are insecure. If your application receives unencrypted sensitive data from an external system, assume that the information is compromised. ~
-Apply the principle of least privilege. Don't enable more attributes on service accounts than those minimally needed by the application. Access resources with accounts that have the minimal permissions required.~
-Reduce surface area. Risk will increase with the number of components and data you have exposed through the application, so you should expose only the functionality that you expect others to use. ~
-Default to a secure mode. Don't enable services, account rights, and technologies that you don't explicitly need. When you deploy the application on client and/or server computers, its default configuration should be secure. ~
-Follow STRIDE principles—STRIDE stands for Spoofing, Tampering, Repudiability, Information disclosure, Denial of service, and Elevation of privileges. These are classes of security vulnerabilities a system has to protect itself against.~
Note: STRIDE is an acronym formed from the initial letters of Spoofing Identity, Tampering with Data, Repudiability, Information Disclosure, Denial of Service, and Elevation of Privilege.

