What does a programmer need to know about information security and who does it in production?
I'm just learning programming, and I don't know whether it's worth reading anything about information security. What does a programmer generally need to know about this area? threats. Some kind of application that works with the network, transmitting and receiving something. Here, in addition to local errors, there may also be network and database errors. Is a programmer obliged to write secure code? but at the same time, with their help it will be possible to carry out some kind of attack. And to know this, you need to be a good security specialist. Or is everything much simpler?
Who is involved in building the architecture of the application in terms of security?
And what about the millions of areas of programming?
And what about the ways of organizing work and the types and sizes of companies, of which there are millions?
Somewhere (large banks) there are separate departments.
Somewhere you're all on your own.
Somewhere they don't bother with it at all.
Most threats, such as stack overflows or heap overflows, throw exceptions in modern programming languages. Hosters can take care of DDoS protection, or you can use ready-made solutions. Many types of attacks and vulnerabilities that could be implemented or exploited 10 years ago will not work today, so use the most up-to-date versions of everything. You need to know information security at a superficial level, otherwise your applications will be vulnerable to SQLi, CSRF, XSS, DDoS attacks and other things, although even a schoolboy can solve such security problems.
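As an added illustration of the SQLi and XSS classes named in the answer above (this is example code written for this page, not code from any of the answerers), the block below puts the vulnerable pattern next to the fixed one for both. It assumes only the Python standard library: an in-memory SQLite table with two constructed rows stands in for a real database, and the query functions, the crafted input and the greeting renderer are all hypothetical names chosen for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demo; not from the original page.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The SQLi mistake: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the query."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterised query. The driver passes the value separately
    from the SQL text, so it is only ever compared as data, never parsed."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """The XSS mistake: untrusted text is reflected into HTML unchanged."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """The fix: escape for the HTML context the value lands in."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo() -> dict:
    """Run both variants on a benign input and on a malformed one.

    The malformed string is the classic regression test for this bug class:
    a quote that closes the string literal followed by a tautology. It is
    constructed here so the difference between the two lookups is visible.
    """
    conn = make_db()
    benign = "alice"
    malformed = "x' OR '1'='1"
    markup = "<script>alert(1)</script>"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_safe(conn, benign),
        # Concatenation returns every row; the parameterised query returns none.
        "malformed_vulnerable": lookup_vulnerable(conn, malformed),
        "malformed_safe": lookup_safe(conn, malformed),
        "greeting_vulnerable": render_greeting_vulnerable(markup),
        "greeting_safe": render_greeting_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The useful check for a code review is the pair of "malformed" results: if a lookup returns rows it was never asked for, the query text is being built from input. The same rule covers the XSS half: any value that reaches HTML, a URL or a script block needs the escaping function for that context, not a generic one.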
In production, all of a sudden, information security specialists do this :) Accordingly, a programmer needs to know exactly as much about information security as is written in the corporate security policy, if one exists, or as much as the local information security specialist can tell them (if there is no separate one, then usually the administrator). If there is neither the first, nor the second, nor the third, well, then it means everyone just ... th.
Read about writing secure code. Each language has its own standards (for example, for C++).
I also recommend reading about common security weaknesses in applications (Common Weakness Enumeration, CWE).
And finally, get acquainted with the secure software development life cycle (Secure Software Development LifeCycle, SSDLC): the Bank of Russia standardization recommendations RS BR IBBS-2.6-2014, MS SDL, and the OWASP Secure SDLC Cheat Sheet.