Study Notes for "White Hat on Web Security"

I. Why it is important to understand web security

   Recently, shortly after I joined a new company, the company's official website was suddenly flagged by Google as an unsafe, deceptive site, and our IT department became a target for a while, even though we had not developed the old website (the seniors who built it had all left). We spent a lot of time running web security scans and applying fixes, and in the process of checking and fixing we discovered how unmaintainable the old system's code was (once again, the importance of Clean Code) and how insecure it was (and with it the importance of web security).

   After the fix, we filed an appeal with Google and then waited a long time (for a company's official website, one or two days offline is money!) before Google lifted the flag. Just as we were glad we had finally sorted out the security issues on that damn old website, a few days later it was blacklisted by Google again, WTF! So: another security scan, rule out every possible cause, prepare a backup plan, and enter the security-fix iteration again...

   For us, this experience made me realize that a system that follows neither clean-code nor secure-system practices is like a time bomb: you don't know when it will explode, or whether the alarm is even real. It reminded me again of the cover of the book "The Way of Clean Code".

   The image above is of M104, the Sombrero Galaxy (literally the "Straw Hat Galaxy"), whose core is a supermassive black hole as heavy as a million suns. The halo surrounding M104 resembles a Mexican straw hat, as if it were the product of a big explosion followed by a splattering of debris. It reminds me of the software projects we have experienced that were not built from neat code, each unmaintainable in its own style: the truth is that the code you take over is a black hole that carries the risk of exploding one day, and when it does, everyone who took over the project, and even those who didn't, will suffer for it.

   Therefore, as a web system developer, it is important not only to pursue neat code but also to understand web security. The book "White Hat on Web Security" by Alibaba's senior technical expert Wu Hanqing is one of the higher-rated books in this area (7.4 on Douban). Although it seems a bit outdated now (many of the vulnerability cases have long since been fixed), it covers the basics well and is a good book for building a security mindset. In addition, its introduction to the secure development process and security operations is equally insightful as an industry guide. So I went through it quickly and made some notes to share with you.

II. Notes on the Essential Content Guide

The complete note guide is available online.

2.1 Client-side scripting security

2.2 Server-side application security

2.3 Security operation system construction

