blocks|key|1498249|text|每个人都有自己的安全哲学。发展你自己的哲学是至关重要的。这就是为什么Bruce+Schneier如此流行的原因，我阅读了每一篇博客文章。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1498250|在当前的安全状态下，到处都是失败的安全系统。我相信这是因为下面这句话。|1498251|1498252|“我不能创造的东西，我不明白。”|blockquote|1498253|1498254|--理查德·费曼|1498255|1498256|学习如何破坏软件是学习如何保护软件免受攻击的最重要的一步。您必须找到软件中的漏洞并编写利用漏洞的代码。|1498257|entityMap|0|LINK|mutability|MUTABLE|url|http://www.schneier.com/^0|Y|E|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|X|8|@]|9|@$A|Y|B|Z|1|10]]|C|$]]|$1|D|3|E|5|6|7|11|8|@]|9|@]|C|$]]|$1|F|3|-4|5|6|7|12|8|@]|9|@]|C|$]]|$1|G|3|H|5|I|7|13|8|@]|9|@]|C|$]]|$1|J|3|-4|5|6|7|14|8|@]|9|@]|C|$]]|$1|K|3|L|5|6|7|15|8|@]|9|@]|C|$]]|$1|M|3|-4|5|6|7|16|8|@]|9|@]|C|$]]|$1|N|3|O|5|6|7|17|8|@]|9|@]|C|$]]|$1|P|3|-4|5|6|7|18|8|@]|9|@]|C|$]]]|Q|$R|$5|S|T|U|C|$V|W]]]]

Everyone has their own philosophy of security. Developing your own philosophy is vital. This is the reason why <a href="http://www.schneier.com/" rel="nofollow noreferrer">Bruce Schneier</a> is so popular, and I read every blog post.
In the current state of security the landscape is littered with security systems that fail. I believe this is because of the following quote.
<blockquote>
&quot;What I cannot create, I do not
understand.&quot;
--Richard Feynman
</blockquote>
Learning how to break software is the most important step in learning in how to protect it from attack. You must find vulnerabilities in software and write exploit code.

blocks|key|1498178|text|这是一个很大的领域。人们用它创造了终生职业生涯。作为一个初学者，你会想要学习：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1498179|了解|1498180|HTML、XML和XHTML|unordered-list-item|1498181|Javascript，，一旦了解，请阅读有关跨站点脚本攻击的文章；了解基础知识后，请阅读注入攻击|1498182|关于散列、盐、公钥加密的基础知识，以及HTTPS如何使用|1498183|+how+|1498184|How|1498185|1498186|1498187|1498188|这应该是一个很好的开始。|1498189|entityMap^0|0|0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|V|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|W|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|X|8|@]|9|@]|A|$]]|$1|G|3|H|5|F|7|Y|8|@]|9|@]|A|$]]|$1|I|3|J|5|F|7|Z|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|10|8|@]|9|@]|A|$]]|$1|M|3|N|5|F|7|11|8|@]|9|@]|A|$]]|$1|O|3|N|5|F|7|12|8|@]|9|@]|A|$]]|$1|P|3|-4|5|F|7|13|8|@]|9|@]|A|$]]|$1|Q|3|-4|5|6|7|14|8|@]|9|@]|A|$]]|$1|R|3|S|5|6|7|15|8|@]|9|@]|A|$]]|$1|T|3|-4|5|6|7|16|8|@]|9|@]|A|$]]]|U|$]]

This is kind of an enormous field. People make lifetime careers from it. As a beginner, you'll want to learn:

<ul>
<li>HTML, XML and XHTML</li>
<li>Javascript, and once you know it, read about cross-site scripting attacks</li>
<li>SQL, and once you know the basics, injection attacks</li>
<li>Basics about hashes, salts, public key encryption, and how HTTPS works</li>
<li>How certificates work</li>
</ul>

That should be a good start.

blocks|key|3874790|text|经典文章'Smashing+the+Stack+for+Fun+and+Profit‘是必读的。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|3874791|它处理缓冲区溢出--这是一个非常常见的漏洞。虽然它是相对低级的，但理解缓冲区溢出绝对是学习安全性的第一步。|3874792|entityMap|0|LINK|mutability|MUTABLE|url|http://insecure.org/stf/smashstack.html^0|5|11|0|0|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@$A|O|B|P|1|Q]]|C|$]]|$1|D|3|E|5|6|7|R|8|@]|9|@]|C|$]]|$1|F|3|-4|5|6|7|S|8|@]|9|@]|C|$]]]|G|$H|$5|I|J|K|C|$L|M]]]]

The classic article '<a href="http://insecure.org/stf/smashstack.html" rel="nofollow noreferrer">Smashing the Stack for Fun and Profit</a>' is a must read.

It deals with buffer overflows - a very common exploit. Although it's relatively low-level, understanding buffer overflows is definitely a first step in learning about security.

blocks|key|1498219|text|语言并不重要，实际上并不重要，安全性是一种方法而不是一种实现。您可以使用多种语言和框架来编写internet应用程序，并且应用程序的安全性应该是内置的，而不是层叠的。如果你想保护现有的网站，那么它涉及到重写易受攻击的代码，或者在应用程序和互联网之间设置web应用程序防火墙。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1498220|你最好先把重点放在概念上，然后学习如何在你选择的语言中应用它们。Microsoft安全开发生命周期和他们围绕威胁建模所做的工作是其他应该检查的内容-因为它涵盖了从一开始就构建它，并在每次开发迭代中创建反馈循环。|1498221|(哦，我确实写了一本关于ASP.NET+security+grin的书)|offset|length|1498222|entityMap|0|LINK|mutability|MUTABLE|url|https://rads.stackoverflow.com/amzn/click/com/0470743654^0|0|0|C|G|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Q|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|R|8|@]|9|@$F|S|G|T|1|U]]|A|$]]|$1|H|3|-4|5|6|7|V|8|@]|9|@]|A|$]]]|I|$J|$5|K|L|M|A|$N|O]]]]

Languages don't matter, not really, security is an approach more than an implementation. You can use numerous languages and frameworks to write internet applications, and the securing of the applications should be built in, not layered on top. If you want to protect existing web sites then it involves rewriting the vulnerable code, or putting a web application firewall between the application and the internet.

You'd be better off focussing on the concepts first, and learning how to apply them in languages of your choice. The Microsoft Secure Development Lifecycle, and the work they've done around Threat Modelling is something else should examine - as it covers building it in from the beginning and creating feedback loops with each iteration of development.

(Oh, and I did write a book on <a href="https://rads.stackoverflow.com/amzn/click/com/0470743654" rel="nofollow noreferrer" rel="nofollow noreferrer">ASP.NET security</a> grin)

blocks|key|1498233|text|在任何应用程序中实现安全性时要学到的最重要的经验教训之一是，使用自制的安全系统时，而不是-您总是会使应用程序变得不那么安全。|type|unstyled|depth|inlineStyleRanges|offset|length|style|BOLD|entityRanges|data|1498234|请勿尝试编写新的散列算法、流加密方法或其他100个代码片段中的任何一个。|1498235|总是使用众所周知的，经过良好测试的模块和算法，如OpenSSL，Blowfish+encryption和salted+password+hashes。|1498236|entityMap|0|LINK|mutability|MUTABLE|url|http://www.openssl.org/|1|http://www.schneier.com/blowfish.html|2|http://en.wikipedia.org/wiki/Salt_(cryptography))^0|15|3|0|0|O|7|0|W|J|1|1G|M|2|0^^$0|@$1|2|3|4|5|6|7|V|8|@$9|W|A|X|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|Y|8|@]|D|@]|E|$]]|$1|H|3|I|5|6|7|Z|8|@]|D|@$9|10|A|11|1|12]|$9|13|A|14|1|15]|$9|16|A|17|1|18]]|E|$]]|$1|J|3|-4|5|6|7|19|8|@]|D|@]|E|$]]]|K|$L|$5|M|N|O|E|$P|Q]]|R|$5|M|N|O|E|$P|S]]|T|$5|M|N|O|E|$P|U]]]]

One of the most important lessons to be learned when implementing security in any application is NOT to use home-brewed security systems - you always end up making the application less secure.

Do not attempt to write a new hash algorithm, or streaming encryption method, or any of 100 other pieces.

Always use well known, well tested modules and algorithms such as <a href="http://www.openssl.org/" rel="nofollow noreferrer">OpenSSL</a>, <a href="http://www.schneier.com/blowfish.html" rel="nofollow noreferrer">Blowfish encryption</a> and <a href="http://en.wikipedia.org/wiki/Salt_(cryptography)" rel="nofollow noreferrer">salted password hashes</a>.

blocks|key|2466884|text|最好的起点是OWASP+(开放Web应用程序安全项目)。他们有很多资源，包括OWASP前十名，包括10个最关键的web应用程序漏洞/风险，以及他们的安全代码开发指南，可以在线阅读(wiki)或以PDF格式下载。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2466885|他们还有Web+Goat，这是一个易受攻击的web应用程序，人们可以下载并使用它来了解漏洞，它们是如何工作的，以及纠正它们的最佳方法。它非常有趣，并且提供了一些技巧和解决方案。|2466886|他们还组织会议(查看网站的视频会议，他们通常会发布会谈的视频和幻灯片)，不同城市的分会组织会议，人们在会上谈论web应用安全的有趣方面。你应该考虑加入你所在地区的一个。|2466887|您可以在OWASP网站上找到所有信息：http://www.owasp.org|offset|length|2466888|entityMap|0|LINK|mutability|MUTABLE|url|http://www.owasp.org/^0|0|0|0|J|K|0|0^^$0|@$1|2|3|4|5|6|7|R|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|S|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|T|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|U|8|@]|9|@$H|V|I|W|1|X]]|A|$]]|$1|J|3|-4|5|6|7|Y|8|@]|9|@]|A|$]]]|K|$L|$5|M|N|O|A|$P|Q]]]]

The best place to start is the OWASP (Open Web Application Security Project). They have lots of resources, including the OWASP Top Ten, including the 10 most critical vulnerabilities/risks for web applications and their Secure Code Development Guide that can be read online (wiki) or downloaded in PDF.

They also have the Web Goat, a vulnerable web application that people can download and play with to learn about vulnerabilities, how they work and the best approach to correct them. It's pretty interesting and it comes with tips and solutions.

They also organize conferences (check the video session of the web site, they usually publish the videos and slides of the talks) and the chapters in different cities organize meetings where people talk about interesting aspects of web app security. You should consider joining one in your area.

You can all the information in the OWASP web site: <a href="http://www.owasp.org" rel="nofollow noreferrer">http://www.owasp.org</a>

I just came back from a hackers conference about internet security and I'm interested in learning web security and protecting companies from hackers. But I don't know where to start and what languages to learn..

Could anybody point me in the right direction for this?

Beginning Web Security?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

教程

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云智能顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云AI代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

功能1上新10个字符

功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符。

功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符。

功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符

功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符

功能4上新

文章&问答评论现已支持表情

全新交互，全新视觉，新增快捷键、悬浮工具栏、高亮块等功能并同时优化现有功能，全面提升创作效率和体验

社区富文本编辑器全新改版！诚邀体验～ 

精选全网热门MCP server，让你的AI更好用 🚀

💥开发者 MCP广场重磅上线！

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

聚焦“写作效率、视觉美观与运行性能”三方面进行全面升级，为您提供更高效、稳定的创作环境

社区富文本&Markdown编辑器全新改版上线，欢迎大家体验!

诚挚邀请您参与本次调研，分享您的真实使用感受与建议。您的反馈至关重要，感谢您的支持与参与！

社区新版编辑器体验调研

我刚从一个关于互联网安全的黑客会议回来，我对学习网络安全和保护公司免受黑客攻击很感兴趣。但是我不知道从哪里开始，也不知道该学习什么语言..有人能为我指出正确的方向吗？

问开始学习网络安全？
EN

回答 6

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问开始学习网络安全？EN

回答 6

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问开始学习网络安全？
EN