Back to Details

security-checklist

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

安全检查清单技能包

Security Checklist Skill Package

基于 OWASP Top 10,全面保障应用安全。
Based on OWASP Top 10, comprehensively ensure application security.

OWASP Top 10 (2021)

OWASP Top 10 (2021)

A01:2021 – 访问控制失效

A01:2021 – Broken Access Control

风险:未经授权的用户可以访问敏感功能或数据
防护措施
  • ✓ 默认拒绝访问,明确授权
  • ✓ 实现基于角色的访问控制(RBAC)
  • ✓ 禁用目录列表
  • ✓ 记录访问控制失败并告警
  • ✓ 限制 API 访问速率
代码示例
java
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin/users")
public List<User> getUsers() {
    return userService.findAll();
}
Risk: Unauthorized users can access sensitive functions or data
Mitigation Measures:
  • ✓ Deny access by default, implement explicit authorization
  • ✓ Implement Role-Based Access Control (RBAC)
  • ✓ Disable directory listing
  • ✓ Log access control failures and trigger alerts
  • ✓ Limit API access rate
Code Example:
java
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin/users")
public List<User> getUsers() {
    return userService.findAll();
}

A02:2021 – 加密机制失效

A02:2021 – Cryptographic Failures

风险:敏感数据未加密或使用弱加密
防护措施
  • ✓ 使用 HTTPS 传输所有敏感数据
  • ✓ 静态数据加密(数据库、文件)
  • ✓ 禁用弱加密算法(MD5、SHA1)
  • ✓ 使用强密码哈希(bcrypt、Argon2)
  • ✓ 密钥管理(定期轮换、安全存储)
代码示例
java
// 使用 BCrypt 加密密码
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String hashedPassword = encoder.encode(rawPassword);
Risk: Sensitive data is unencrypted or uses weak encryption
Mitigation Measures:
  • ✓ Use HTTPS for all sensitive data transmission
  • ✓ Encrypt static data (databases, files)
  • ✓ Disable weak encryption algorithms (MD5, SHA1)
  • ✓ Use strong password hashing (bcrypt, Argon2)
  • ✓ Key management (regular rotation, secure storage)
Code Example:
java
// Use BCrypt to encrypt password
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String hashedPassword = encoder.encode(rawPassword);

A03:2021 – 注入

A03:2021 – Injection

风险:SQL 注入、命令注入、LDAP 注入等
防护措施
Risk: SQL injection, command injection, LDAP injection, etc.
Mitigation Measures:

SQL 注入防护

SQL Injection Protection

java
// ❌ 不安全
String query = "SELECT * FROM users WHERE username = '" + username + "'";

// ✓ 安全:使用参数化查询
String query = "SELECT * FROM users WHERE username = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, username);
java
// ❌ Unsafe
String query = "SELECT * FROM users WHERE username = '" + username + "'";

// ✓ Safe: Use parameterized queries
String query = "SELECT * FROM users WHERE username = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, username);

NoSQL 注入防护

NoSQL Injection Protection

java
// ✓ 使用参数绑定
Query query = new Query(Criteria.where("username").is(username));
java
// ✓ Use parameter binding
Query query = new Query(Criteria.where("username").is(username));

命令注入防护

Command Injection Protection

java
// ❌ 不安全
Runtime.getRuntime().exec("ls " + userInput);

// ✓ 安全:验证和转义
if (userInput.matches("[a-zA-Z0-9]+")) {
    ProcessBuilder pb = new ProcessBuilder("ls", userInput);
    pb.start();
}
java
// ❌ Unsafe
Runtime.getRuntime().exec("ls " + userInput);

// ✓ Safe: Validate and escape
if (userInput.matches("[a-zA-Z0-9]+")) {
    ProcessBuilder pb = new ProcessBuilder("ls", userInput);
    pb.start();
}

A04:2021 – 不安全设计

A04:2021 – Insecure Design

风险:架构和设计层面的安全缺陷
防护措施
  • ✓ 威胁建模
  • ✓ 安全设计模式
  • ✓ 最小权限原则
  • ✓ 纵深防御
  • ✓ 安全开发生命周期(SDLC)
Risk: Security flaws at the architecture and design level
Mitigation Measures:
  • ✓ Threat modeling
  • ✓ Secure design patterns
  • ✓ Principle of least privilege
  • ✓ Defense in depth
  • ✓ Secure Development Lifecycle (SDLC)

A05:2021 – 安全配置错误

A05:2021 – Security Misconfiguration

风险:默认配置、未更新软件、不必要的功能
防护措施
  • ✓ 最小化安装(移除不必要的功能)
  • ✓ 禁用默认账户和密码
  • ✓ 错误信息不暴露敏感信息
  • ✓ 定期更新和打补丁
  • ✓ 安全配置审查
检查清单
yaml
undefined
Risk: Default configurations, unupdated software, unnecessary features
Mitigation Measures:
  • ✓ Minimal installation (remove unnecessary features)
  • ✓ Disable default accounts and passwords
  • ✓ Error messages do not expose sensitive information
  • ✓ Regular updates and patching
  • ✓ Security configuration reviews
Checklist:
yaml
undefined

application.yml

application.yml

server: error: include-stacktrace: never # 生产环境不暴露堆栈 spring: devtools: restart: enabled: false # 生产环境禁用 devtools
undefined
server: error: include-stacktrace: never # Do not expose stack trace in production spring: devtools: restart: enabled: false # Disable devtools in production
undefined

A06:2021 – 易受攻击和过时的组件

A06:2021 – Vulnerable and Outdated Components

风险:使用有已知漏洞的库和框架
防护措施
  • ✓ 移除未使用的依赖
  • ✓ 持续监控依赖漏洞
  • ✓ 从官方源获取组件
  • ✓ 使用签名验证组件完整性
工具
bash
undefined
Risk: Using libraries and frameworks with known vulnerabilities
Mitigation Measures:
  • ✓ Remove unused dependencies
  • ✓ Continuously monitor dependency vulnerabilities
  • ✓ Obtain components from official sources
  • ✓ Use signature verification for component integrity
Tools:
bash
undefined

Maven 依赖检查

Maven dependency check

mvn dependency:tree mvn versions:display-dependency-updates
mvn dependency:tree mvn versions:display-dependency-updates

OWASP Dependency Check

OWASP Dependency Check

mvn org.owasp:dependency-check-maven:check
undefined
mvn org.owasp:dependency-check-maven:check
undefined

A07:2021 – 身份识别和身份验证失败

A07:2021 – Identification and Authentication Failures

风险:弱密码、会话管理不当、凭据暴露
防护措施
Risk: Weak passwords, improper session management, credential exposure
Mitigation Measures:

密码策略

Password Policy

  • ✓ 最小长度 8 位
  • ✓ 复杂度要求(大小写、数字、特殊字符)
  • ✓ 检查弱密码和常用密码
  • ✓ 限制登录失败次数
  • ✓ 多因素认证(MFA)
  • ✓ Minimum length of 8 characters
  • ✓ Complexity requirements (uppercase, lowercase, numbers, special characters)
  • ✓ Check for weak and commonly used passwords
  • ✓ Limit login failure attempts
  • ✓ Multi-Factor Authentication (MFA)

会话管理

Session Management

java
// Session 配置
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
    return http.build();
}
java
// Session configuration
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
    return http.build();
}

A08:2021 – 软件和数据完整性失败

A08:2021 – Software and Data Integrity Failures

风险:不安全的 CI/CD、自动更新、反序列化
防护措施
  • ✓ 代码签名
  • ✓ CI/CD 安全加固
  • ✓ 依赖完整性验证
  • ✓ 避免不安全的反序列化
java
// ❌ 不安全的反序列化
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object obj = ois.readObject();

// ✓ 使用 JSON 等安全格式
ObjectMapper mapper = new ObjectMapper();
User user = mapper.readValue(json, User.class);
Risk: Insecure CI/CD, automatic updates, deserialization
Mitigation Measures:
  • ✓ Code signing
  • ✓ CI/CD security hardening
  • ✓ Dependency integrity verification
  • ✓ Avoid insecure deserialization
java
// ❌ Insecure deserialization
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object obj = ois.readObject();

// ✓ Use secure formats like JSON
ObjectMapper mapper = new ObjectMapper();
User user = mapper.readValue(json, User.class);

A09:2021 – 安全日志和监控失败

A09:2021 – Security Logging and Monitoring Failures

风险:攻击无法被检测和响应
防护措施
  • ✓ 记录所有登录、访问控制失败
  • ✓ 高价值交易审计日志
  • ✓ 日志格式规范化
  • ✓ 集中式日志管理
  • ✓ 实时告警
日志示例
java
log.warn("Failed login attempt: user={}, ip={}", 
         username, request.getRemoteAddr());
log.info("Password changed: user={}, timestamp={}", 
         username, System.currentTimeMillis());
Risk: Attacks cannot be detected and responded to
Mitigation Measures:
  • ✓ Log all login attempts and access control failures
  • ✓ Audit logs for high-value transactions
  • ✓ Standardized log formats
  • ✓ Centralized log management
  • ✓ Real-time alerts
Log Example:
java
log.warn("Failed login attempt: user={}, ip={}", 
         username, request.getRemoteAddr());
log.info("Password changed: user={}, timestamp={}", 
         username, System.currentTimeMillis());

A10:2021 – 服务器端请求伪造(SSRF)

A10:2021 – Server-Side Request Forgery (SSRF)

风险:攻击者控制服务器发起的请求
防护措施
  • ✓ 禁止用户控制 URL
  • ✓ URL 白名单
  • ✓ 禁用 HTTP 重定向
  • ✓ 网络层隔离
java
// ✓ URL 验证
private boolean isAllowedUrl(String url) {
    try {
        URL u = new URL(url);
        String host = u.getHost();
        return ALLOWED_HOSTS.contains(host);
    } catch (MalformedURLException e) {
        return false;
    }
}
Risk: Attackers control requests initiated by the server
Mitigation Measures:
  • ✓ Prohibit user-controlled URLs
  • ✓ URL whitelisting
  • ✓ Disable HTTP redirects
  • ✓ Network layer isolation
java
// ✓ URL validation
private boolean isAllowedUrl(String url) {
    try {
        URL u = new URL(url);
        String host = u.getHost();
        return ALLOWED_HOSTS.contains(host);
    } catch (MalformedURLException e) {
        return false;
    }
}

额外安全措施

Additional Security Measures

XSS 防护

XSS Protection

java
// 输出转义
String safe = HtmlUtils.htmlEscape(userInput);

// Content Security Policy
response.setHeader("Content-Security-Policy", 
    "default-src 'self'; script-src 'self' 'unsafe-inline'");
java
// Output escaping
String safe = HtmlUtils.htmlEscape(userInput);

// Content Security Policy
response.setHeader("Content-Security-Policy", 
    "default-src 'self'; script-src 'self' 'unsafe-inline'");

CSRF 防护

CSRF Protection

java
// Spring Security 自动启用 CSRF
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
java
// Spring Security enables CSRF automatically
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

点击劫持防护

Clickjacking Protection

java
// X-Frame-Options
response.setHeader("X-Frame-Options", "DENY");
java
// X-Frame-Options
response.setHeader("X-Frame-Options", "DENY");

安全响应头

Security Response Headers

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'

敏感信息检测

Sensitive Information Detection

不应硬编码的信息
  • ❌ 数据库密码
  • ❌ API 密钥
  • ❌ 加密密钥
  • ❌ 私钥证书
  • ❌ OAuth 密钥
正确做法
yaml
undefined
Information that should not be hard-coded:
  • ❌ Database passwords
  • ❌ API keys
  • ❌ Encryption keys
  • ❌ Private key certificates
  • ❌ OAuth keys
Correct Approach:
yaml
undefined

application.yml

application.yml

spring: datasource: password: ${DB_PASSWORD} # 从环境变量读取
undefined
spring: datasource: password: ${DB_PASSWORD} # Read from environment variables
undefined

安全开发流程

Secure Development Process

1. 需求阶段

1. Requirements Phase

  • 识别安全需求
  • 威胁建模
  • Identify security requirements
  • Threat modeling

2. 设计阶段

2. Design Phase

  • 安全架构设计
  • 安全设计评审
  • Secure architecture design
  • Secure design review

3. 编码阶段

3. Coding Phase

  • 安全编码规范
  • 代码审查
  • Secure coding standards
  • Code review

4. 测试阶段

4. Testing Phase

  • 安全测试
  • 渗透测试
  • 漏洞扫描
  • Security testing
  • Penetration testing
  • Vulnerability scanning

5. 部署阶段

5. Deployment Phase

  • 安全配置检查
  • 最小权限部署
  • Security configuration check
  • Deploy with least privilege

6. 运维阶段

6. Operations Phase

  • 安全监控
  • 补丁管理
  • 应急响应
  • Security monitoring
  • Patch management
  • Incident response

工具推荐

Recommended Tools

静态分析

Static Analysis

  • SpotBugs:Java 代码缺陷检测
  • SonarQube:代码质量和安全
  • Checkmarx:商业静态分析工具
  • SpotBugs: Java code defect detection
  • SonarQube: Code quality and security
  • Checkmarx: Commercial static analysis tool

依赖检查

Dependency Check

  • OWASP Dependency-Check:依赖漏洞扫描
  • Snyk:开源依赖漏洞检测
  • OWASP Dependency-Check: Dependency vulnerability scanning
  • Snyk: Open source dependency vulnerability detection

动态测试

Dynamic Testing

  • OWASP ZAP:Web 应用安全测试
  • Burp Suite:渗透测试工具
  • OWASP ZAP: Web application security testing
  • Burp Suite: Penetration testing tool

密钥扫描

Key Scanning

  • git-secrets:防止密钥提交
  • TruffleHog:Git 历史密钥扫描
  • git-secrets: Prevent key commits
  • TruffleHog: Git history key scanning

安全检查清单

Security Checklist

认证与授权

Authentication & Authorization

  • 实现强密码策略
  • 使用多因素认证
  • 会话超时设置
  • 安全的密码重置流程
  • 基于角色的访问控制
  • Implement strong password policy
  • Use multi-factor authentication
  • Set session timeout
  • Secure password reset process
  • Role-based access control

数据保护

Data Protection

  • HTTPS 加密传输
  • 敏感数据加密存储
  • 安全的密钥管理
  • 数据脱敏
  • HTTPS encrypted transmission
  • Encrypted storage of sensitive data
  • Secure key management
  • Data desensitization

输入验证

Input Validation

  • 所有输入验证
  • 参数化查询防 SQL 注入
  • 输出编码防 XSS
  • 文件上传验证
  • Validate all inputs
  • Parameterized queries to prevent SQL injection
  • Output encoding to prevent XSS
  • File upload validation

安全配置

Security Configuration

  • 禁用不必要的功能
  • 安全的默认配置
  • 错误消息不暴露敏感信息
  • 定期更新依赖
  • Disable unnecessary features
  • Secure default configurations
  • Error messages do not expose sensitive information
  • Regularly update dependencies

日志监控

Logging & Monitoring

  • 记录安全事件
  • 审计关键操作
  • 异常告警
  • 日志保护
  • Log security events
  • Audit critical operations
  • Exception alerts
  • Log protection

应急响应

Incident Response

发现漏洞后

After discovering a vulnerability

  1. 评估影响:范围、严重程度
  2. 隔离系统:防止进一步损害
  3. 修复漏洞:紧急补丁
  4. 验证修复:安全测试
  5. 总结复盘:防止再次发生
  1. Assess Impact: Scope, severity
  2. Isolate System: Prevent further damage
  3. Fix Vulnerability: Emergency patch
  4. Verify Fix: Security testing
  5. Summary & Review: Prevent recurrence

参考资源

Reference Resources