1. Validate input
2. Does not allow dynamic construction of queries using user-supplied data
- 可能很難做到。
3. Audit and logs business-critical functions
4. Is signed to verify the authenticity of its origin
5. Does not use predictable session identifiers
6. Does not hard-code secret inline
7. Doe not cache credentials
8. Is properly instrumented
9. Handles exceptions explicitly
10. Does not disclose too much information in its errors
11. Does not reinvent existing functionality, and uses proven cartographic algorithms
12. Does not use weak cartographic algorithms
13. Use randomness in derivation of cartographic keys
14. Stores cartographic key securely
15. Does not use banned APIs and unsafe functions
16. Is obfuscated or shrouded
17. Is built to run with least pivilege
沒有留言:
張貼留言