《E会场-邹溪源-DotNET企业应用安全开发动向.pdf》由会员分享,可在线阅读,更多相关《E会场-邹溪源-DotNET企业应用安全开发动向.pdf(25页珍藏版)》请在三个皮匠报告上搜索。
1、.NET?=?or?or?可信软件架构安全性设备安全数据安全内容安全行为安全高性能可用性韧性容错性弹性恢复质量可靠CIA?机密性Confidentiality完整性Integrity可用性Availability?Twitter?Log4shell?Sqlite?Fastjson?以系统为中心以攻击者为中心以资产为中心1?TVRA?Threat,Vulnerability And Risk Assessment?/TARA?Threat Analysis and Risk Assessment?2?/?3?STRIDE?TARATARA?=?STRIDESTRIDE?制定数据流图分析威胁评估风
2、险制定消减措施落实消减措施STRIDE=Spooling+Tampering+Repudiation+InformationDisclosure+Dos+Evelation Of Privilege (?)?外部实体处理过程数据存储数据流?STRIDE?.NET.NET?-?CVE-2023-36038-.NET Denial of Service Vulnerability?IIS?CVE-2023-36049-.NET Elevation of Privilege Vulnerability?FTP?CVE-2023-36558-.NET Security Feature Bypass V
3、ulnerability?Blazor Server?.NET.NET?1?Systemd?Windows Service?IHost host=Host.CreateDefaultBuilder(args).UseSystemd()/?Linux Systemd?.UseWindowsService()/?Windows?.ConfigureServices(services=services.AddHostedService();).Build();host.Run();2?Docker?FROM AS build WORKDIR/source.NET?root?Chiseled Ubun
4、tu?5?Bug?OpenEuler?OpenEuler?.NET?1?AspNetCore Ratelimiting,?Microsoft.AspNetCore.RateLimiting?using Microsoft.AspNetCore.RateLimiting;using System.Threading.RateLimiting;var builder=WebApplication.CreateBuilder(args);builder.Services.AddRateLimiter(_=_.AddFixedWindowLimiter(policyName:fixed,options
5、=options.PermitLimit=4;options.Window=TimeSpan.FromSeconds(12);options.QueueProcessingOrder=QueueProcessingOrder.OldestFirst;options.QueueLimit=2;);var app=builder.Build();app.UseRateLimiter();static string GetTicks()=(DateTime.Now.Ticks&0 x11111).ToString(00000);app.MapGet(/,()=Results.Ok($Hello Ge
6、tTicks().RequireRateLimiting(fixed);app.Run();https:/ Core Identity?Cookie?Windows?.NET8?SPA?Blazor?1?class MyUser:IdentityUser 2?Identity?builder.Services.AddAuthentication(IdentityConstants.ApplicationScheme).AddIdentityCookies();builder.Services.AddAuthorizationBuilder();3?builder.Services.AddDbC
7、ontext(options=options.UseInMemoryDatabase(AppDb);4?Identity?EF Core?Identity?builder.Services.AddIdentityCore().AddEntityFrameworkStores().AddApiEndpoints();app.MapIdentityApi();5?Authorize controller?action?Authorize?2?.NET8?Blazor?https:/ Core DataProtection Api?Microsoft.AspNetCore.DataProtectio
8、n.Abstractions?IDataProtectionProvider?IDataProtector?Microsoft.AspNetCore.DataProtection?Microsoft.AspNetCore.DataProtection.Extensions?API?Microsoft.AspNetCore.DataProtection.SystemWeb?ASP.NET 4.x?ASP.NET Core?Microsoft.AspNetCore.Cryptography.KeyDerivation?PBKDF2?.NET 8?SHA-3?SHAKE-128?SHAKE-256?
9、WebWeb?1?ASP.NET Core?API?(GDPR)?2?(XSRF/CSRF)?1?input name=_RequestVerificationToken type=hidden value=CfDJ8NrAkS 2?Asp.NET Core WebForm?AntiforgeryOptions?3?URL?querystring?URL?(Url.IsLocalUrl(returnUrl)4?,?5?.NET Core?SameSite?2019?固?HttpCookie.SameSite?sameSite?SameSite?Strict?Lax?None?cookie?SameSiteMode.Unspecified?cookie?sameSite?6?IP?JenkinsJenkins?Jenkins?SonarSonar NexusNexus?XXE?xml?DockerDocker?1?Host?2?3?OpenEuler?ChatGPTChatGPT?IoT?OpenSSL?SM2?CVE-2021-3711?ChatGPTChatGPT?20?1500?-?