Let's talk about your understanding of security

Posted by santillano at 2020-03-04

Authors of this post: members of the Xin'an Road Knowledge Planet

At different learning stages and in different security roles, people understand security differently. Knowledge Planet has launched a new assignment feature, and I posted an assignment, which is really a question, as follows:

What is your understanding of security? How do you view security?

Let's take a look at everyone's answers.

Myh0st said

Security is relative. It is impossible for an enterprise doing security work to achieve 100% security. A well-known figure once said there are two kinds of domestic enterprises: those that know they have been attacked, and those that don't know they have been attacked. In other words, no system is 100% secure. So why do we do security at all?

Because security is relative. If you do no security work, the cost of attacking you drops and the likelihood of being attacked rises. If we do relative security and raise the cost of attack, we will fend off a large share of attacks and make attackers give up on us. So we need to be clear about who our opponents are and whom we want to defend against.

I think the most effective measures for enterprise security are: first, do perimeter security well; then improve intrusion detection capability so that attacks are detected and stopped in time; and finally raise employees' security awareness so that, besides not creating threats themselves, they can spot threats in time. This is a serious matter. Of course, given my own limited experience, my understanding of security is limited, and I hope to make it deeper and more accurate in my future work.

M said

The essence of security is trust.

Kong said

Sometimes I think security is about maintaining the rules, but sometimes I think it is about breaking them, because you don't know whether the rules themselves are safe. Sometimes I think security is defense, but sometimes I think it is also appropriate to "attack", because passively taking hits is not a long-term strategy. Security, this relative thing, looks different from different angles; or I could quietly become an onlooker and see how it evolves in the end.

Block K said

Attack and defense are not absolute! There is no absolute security. In future security attacks, successful attacks will become harder and harder! Things like SQL injection and stored XSS will become rarer and rarer; on some portal sites they are almost impossible to encounter. On the other hand, logic flaws can still be dug up. For example, lax verification leads to users being arbitrarily modified, unauthorized access beyond one's privileges, SMS bombing, sensitive information leakage... and so on!

Security also has to be maintained by security-conscious people. You can't just rely on Party B (your vendors) and white hats to do it for you! First of all, know which ports are open on your server, which should be closed, and which can have login restrictions applied (for your remote logins, such as port 22); whether server patches are applied on time; what middleware you use; what scripting language your website is written in; and what CMS you use. Add a WAF as the first layer to restrict which IPs can reach the admin backend address! Delete files like robots.txt from the website! All of this raises the attacker's cost. Patch the middleware on intranet hosts too! User passwords should be at least 8 characters, including upper and lower case and special characters! Don't give read permission to those who only need write permission, and don't give write permission to those who only need read permission; minimize permissions. Everyone, if I've said something wrong, please correct me!

Empty_xl said

The essence of security, as I understand it, is dividing trust zones in order to handle untrusted data.

S9mf said

My understanding of security is that it is a process of constant confrontation. Technology updates quickly, and I don't study hard enough, as shown in the figure..

Forever said

Security means attacking and defending properly. We must constantly learn new technologies and study future trends.

Alummox BBM said

Security is like armor. Without security, it's like running naked: privacy and weaknesses are exposed. Making this armor well is not easy, and it's even harder without security awareness. My first contact with security was a security framework project. At first I was quite clueless; now I understand attack principles, and I understand defense. During the operations and maintenance period, most people didn't understand security; some didn't even understand the situation of their own products very well. I felt it was just a set of frameworks, and I never analyzed my own products at all. I have little penetration testing experience. Later on, I came to think that defense still requires understanding attack; only by understanding attack can you defend better. Now I am learning all kinds of things, although I'm still very green.

Mr. Zhou said

Security is for people who have nothing to do!

Cherishao said

The Internet was originally secure; ever since people started studying security, the Internet has become insecure. [Security is relative, not absolute; attack and defense should be one.] The essence of security is trust.

The foundation of all security scheme design is the trust relationship.

We have to believe in something, we have to have some basic assumptions, so that a security scheme can be established; if we deny everything, the security scheme is like water without a source or a tree without roots, and can be neither designed nor completed.

Security is an ongoing process. [The unknown is the most terrifying. Many APT attacks today are like this. How to defend: discover and alert in time.] The core issue of Internet security is data security.

[Data leaks at Facebook, Uber, Yahoo and other companies.]


How to protect data security?

1. Trust domain division: once the asset-level division is complete, we have a general understanding of the targets to be protected. The next step is to divide the trust domains and draw the trust boundaries.

2. Threat analysis: threat analysis is finding out all the threats (STRIDE model).

3. Risk analysis: risk consists of the following factors: Risk = Probability * Damage Potential. In addition to the size of the loss, the likelihood of occurrence should also be considered (DREAD model).

4. Design the security scheme: the output of the security assessment is the security solution. The solution must be targeted, which is given by the results of the asset-level division, threat analysis, risk analysis and other stages. Designing a solution is not difficult; the question is how to design a good solution. Designing a good solution is what really tests a security engineer's level. A good security scheme should be transparent to users and try not to change their usage habits.


Security, business and products: from the product perspective, security should also be an attribute of the product. A product that has never considered security is at least incomplete.

For the Internet, security exists to protect the development and growth of products.

We can't let "crude" security solutions hinder the normal development of products, so we should form the view that there is no insecure business, only insecure implementations.

Product requirements, especially business requirements, are what users really want and what the business means. When designing security solutions, we should try not to change the original intent of the business requirements. A good security product or module should not only take user experience into account, but also be easy to improve continuously. A good security module should at the same time be an excellent program, designed for high cohesion, low coupling and easy extension.

Security personnel should bind themselves to the business; their role is to optimize and expand the business.

The above is mostly quoted from the author of "White Hat Talks Web Security" on his understanding of security. The content is relatively macro, and my own understanding of security is relatively simple. I hope to think more about work and life in the future and share more with colleagues.
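The four-step process Cherishao summarizes above (trust domain division, STRIDE threat analysis, DREAD risk analysis with Risk = Probability * Damage Potential, then a targeted scheme) is easy to carry out with a small script. The following is an added example, not code from the post or from "White Hat Talks Web Security". It assumes DREAD ratings of 1 to 3, takes "damage potential" as the mean of the Damage and Affected-users ratings and "probability" as the mean of the Reproducibility, Exploitability and Discoverability ratings, and uses a mitigation threshold of 4.0; the threats listed are constructed sample input.

```python
"""Rank threats from a STRIDE/DREAD pass and decide which ones need a scheme.

Added example (not from the post or the book). Assumptions: DREAD ratings are
integers 1..3 (low/medium/high); damage potential = mean(Damage, Affected
users); probability = mean(Reproducibility, Exploitability, Discoverability);
risk = probability * damage potential; threats scoring >= 4.0 need mitigation.
"""
from dataclasses import dataclass

# STRIDE categories used in the threat-analysis step.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str           # one-letter key into STRIDE
    asset: str            # target from the asset-level division step
    damage: int           # D: how bad the impact is
    reproducibility: int  # R: how reliably the attack repeats
    exploitability: int   # E: how little effort/skill it needs
    affected_users: int   # A: how many users are hit
    discoverability: int  # D: how easy the flaw is to find

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride!r}")
        for v in (self.damage, self.reproducibility, self.exploitability,
                  self.affected_users, self.discoverability):
            if not 1 <= v <= 3:
                raise ValueError("DREAD ratings must be integers 1..3")


def damage_potential(t: Threat) -> float:
    """Assumed split: the 'loss size' side of the post's formula."""
    return (t.damage + t.affected_users) / 2


def probability(t: Threat) -> float:
    """Assumed split: the 'likelihood of occurrence' side of the formula."""
    return (t.reproducibility + t.exploitability + t.discoverability) / 3


def risk(t: Threat) -> float:
    """Risk = Probability * Damage Potential, as stated in the post."""
    return round(probability(t) * damage_potential(t), 2)


def rank_threats(threats):
    """Highest risk first; this is the ordering the scheme should follow."""
    return sorted(threats, key=risk, reverse=True)


def needs_mitigation(t: Threat, threshold: float = 4.0) -> bool:
    """Assumed cut-off: anything at or above it gets a targeted scheme."""
    return risk(t) >= threshold


# Constructed sample threats for a hypothetical order-management web app.
SAMPLE_THREATS = [
    Threat("IDOR: any user can read /api/orders/{id}", "I", "order data",
           damage=3, reproducibility=3, exploitability=3,
           affected_users=3, discoverability=3),
    Threat("SMS bombing via unthrottled login OTP", "D", "SMS gateway budget",
           damage=1, reproducibility=3, exploitability=3,
           affected_users=2, discoverability=3),
    Threat("Stored XSS in admin-only comment field", "T", "admin session",
           damage=2, reproducibility=2, exploitability=2,
           affected_users=1, discoverability=1),
    Threat("Session token still valid after logout", "S", "user session",
           damage=2, reproducibility=2, exploitability=1,
           affected_users=2, discoverability=1),
]


def report(threats):
    """Return (risk, needs_mitigation, category, name) rows, ranked."""
    return [(risk(t), needs_mitigation(t), STRIDE[t.stride], t.name)
            for t in rank_threats(threats)]


if __name__ == "__main__":
    for r, mit, cat, name in report(SAMPLE_THREATS):
        flag = "MITIGATE" if mit else "accept  "
        print(f"{r:5.2f}  {flag}  {cat:<24} {name}")
```

The point of splitting the five DREAD ratings into a probability side and a damage side is that it keeps the post's formula honest: a flaw that is trivial to find and reproduce but harms almost nobody (the SMS bombing case) lands well below an IDOR over all customer orders, and the threshold then decides which items get a targeted scheme rather than a blanket "fix everything" answer.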

Zmo said

Security is relative. So-called security is never absolute; there is no impenetrable wall in the world. If you want to be secure, you must watch for changes in the wall at all times. Especially at the perimeter, the wall is undoubtedly a strong barrier for ensuring security. Security divides into internal and external. Many organizations now focus only on external security and neglect internal security, which leads to many security incidents that could have been avoided in the first place.

My first understanding of security was network security, and the most intuitive and direct part of that is the various security appliances: firewalls, WAFs, and the devices of various domestic vendors. Later I learned about information security, which covers a much wider range; the best-known part of it is data and data security, including data integrity and confidentiality. This is probably the most valuable part at present, as the data leaks at major well-known companies show. Perhaps my understanding of security is still relatively narrow. In the future I need to do more, learn more, read more books, and enrich my theoretical knowledge.

D4m1ts said

There is no absolute security, only relative security.

From my point of view, security means preventing websites from being maliciously attacked, having sensitive data stolen, and suffering other sensitive operations.

Love brings sorrow said

First of all, this is a big field.

Understanding of security

Network security protects the Internet and the products of the Internet of Things; without network security in place, we may be subject to network intrusion.

Views on network security

This is an emerging industry, still in its growth period, and it has a certain foundation at present.

In addition, network security positions rank significantly higher than other positions, and the talent gap is also larger than in other industries.

I think learning advanced network security technology is very interesting, and you also get to know both attack and defense.

I am also engaged in this work. With strong interest comes driving force.

The goal is to master very advanced techniques, just like the legendary hackers.

Smooth sailing said

For security, we need enough interest in it to be our driving force for persisting later on. Otherwise it's three days of fishing and two days of drying the nets, and progress is very slow.

I think the spirit should be interest, exploration, continuous learning and persistence.

The wolf said

National security: APT, aimed at business intelligence.

Enterprise security: attacks aimed at obtaining business information and enterprise data.

Personal security: ransomware and stealing card numbers.

The essence of security is trust.

Therefore, at the World Internet Conference, the General Secretary spoke of a community of shared future in cyberspace, emphasizing that the Internet is the common home of mankind, and that only when countries jointly build a community of shared future in cyberspace can the security problem truly be solved.

So far and so near said

I think security is about privacy.

I can't finish describing my understanding of security. When I first learned web penetration, I found the big shots could also do Python. When I was learning Python, I found the big shots could also penetrate apps. When I learned app penetration, the big shots were doing incident response. When I learned incident response, the big shots were penetrating smart devices. There is much more. The big shots are endless.


After seeing so many partners' understandings of security, do you have your own? Please don't be stingy with your talents: share them, let's grow together, and you are welcome to join the Knowledge Planet. We will work together to contribute to the security community as much as we can while improving ourselves.