Title: A System Vulnerability Tracking and Learning Platform to Assist Secure Web Program Development
A Bug Tracking Platform for Learning Secure Web Programming
Authors: Wen-Hao Chang (張文浩), Shin-Kun Huang (黃世昆)
Department: Computer Science Program, College of Computer Science
Keywords: program scanning tool; network war game; vulnerability tracking; application vulnerability; application scanner; war game; bug tracking; web vulnerability
Publication date: 2007
Abstract (translated from the Chinese): In recent years, vulnerabilities in Web applications have led to frequent attacks on major websites. The causes lie mainly with ordinary developers: 1) insufficient security knowledge, so they write programs with vulnerabilities; 2) insufficient security awareness, so they do not take proper precautions; 3) insufficient security technique, so they cannot defend effectively. To address this, we rely on program security scanning tools together with a security learning platform: the scanning tools search for security defects in programs systematically, while the learning platform trains staff to understand the problems and find solutions, helping developers build more secure Web applications. There is still a lack of useful evaluation reports on current scanning tools, so in this thesis we test representative scanning tools against Web applications developed in JAVA, .NET and PHP and produce a performance evaluation report to serve as key reference material when selecting a tool, improving the cost-effectiveness of security. Even with scanning tools in use, their results still do little to help developers find solutions quickly. In this thesis we therefore implement a security learning platform, called Platform for Learning Secure Web Application programming (PL-SWAP), which improves the design of the learning process (solving new challenge levels) by incorporating attacker techniques, so that learning is really achieved once a tester clears a level. In addition, we design a vulnerability tracking system with Web 2.0 characteristics, on which a Function Unit (FU) of a .NET C# program that contains a Web vulnerability can be deployed simply, replacing the traditional record kept as text or screenshots, so that the FU can be shared and its solution created collaboratively; under this bug tracking mechanism, challenge levels accumulate more quickly and more broadly.
Abstract (English): In recent years, because of vulnerabilities in Web applications, many major sites have suffered Internet attacks. These attacks are caused by defects in the web applications, due to the following reasons: 1) lack of security knowledge; 2) lack of security awareness; and 3) lack of security technology. Programmers therefore develop applications with vulnerabilities, without taking precautions. We try to remedy this situation by assessing a few security scanning tools and developing a learning platform to help develop secure Web applications. In this thesis, we present an assessment report on representative security scanning tools, to aid web application developers in the source code review process and improve their web system security in cost-effective ways. However, the reports from the scanning tools are still hard to comprehend, and developers need training to fix the problems. We develop a platform to help programmers rapidly understand the security issues in the source code (called Platform for Learning Secure Web Application programming, in short PL-SWAP). We have improved the learning process with attack scenarios, so that users really achieve the objective of learning after completing a lesson. In addition, we also designed a Bug Tracking system with the characteristics of Web2.0. A Function Unit (FU) with vulnerabilities can be deployed on this platform, achieving the sharing of bugs and solutions. With this Bug Tracking system, we can rapidly accumulate web security lessons.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009567599
http://hdl.handle.net/11536/39874
Appears in collections: Theses


Files in this item:

  1. 759901.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to read the full text.