安全是一个过程，而不是一个产品。

许多人似乎忘记了这个显而易见的事实。

为什么是重要的。 这都是关于权衡。 密码学在很大程度上分散了人们对安全性的注意力。

我建议查看CWE/SANS前25个最危险的编程错误。它在2010年进行了更新，并承诺在未来定期更新。2009年的修订版也可以使用。

从http://cwe.mitre.org/top25/index.html

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

每个程序员都应该知道如何编写利用代码。

如果不知道系统是如何被利用的，你就会意外地阻止漏洞。除非你知道如何测试你的补丁，否则知道如何打补丁是毫无意义的。安全不仅仅是一堆思想实验，你必须科学地测试你的实验。

对用户的密码加盐和散列。永远不要将它们以明文形式保存在数据库中。

如果你想要你的应用程序是安全的，请记住以下原则:

Never trust any input! Validate input from all untrusted sources - use whitelists not blacklists Plan for security from the start - it's not something you can bolt on at the end Keep it simple - complexity increases the likelihood of security holes Keep your attack surface to a minimum Make sure you fail securely Use defence in depth Adhere to the principle of least privilege Use threat modelling Compartmentalize - so your system is not all or nothing Hiding secrets is hard - and secrets hidden in code won't stay secret for long Don't write your own crypto Using crypto doesn't mean you're secure (attackers will look for a weaker link) Be aware of buffer overflows and how to protect against them

网上有一些关于提高应用程序安全性的优秀书籍和文章:

编写安全代码第二版——我认为每个程序员都应该读这篇文章 构建安全软件:如何以正确的方式避免安全问题 安全编程指南 利用软件 安全工程——一本极好的读物 Linux和Unix安全编程HOWTO

对开发人员进行应用程序安全最佳实践方面的培训

Codebashing(支付)

安全创新(支付)

安全罗盘(付费)

OWASP WebGoat(免费)