Design secure applications on Azure

In this article we present security activities and controls to consider when you design applications for the cloud. Training resources, along with security questions and concepts to consider during the requirements and design phases of the Microsoft Security Development Lifecycle (SDL), are covered. The goal is to help you define activities and Azure services that you can use to design a more secure application.

The following SDL phases are covered in this article:

  • Training
  • Requirements
  • Design

Training

Before you begin developing your cloud application, take time to understand security and privacy on Azure. By taking this step, you can reduce the number and severity of exploitable vulnerabilities in your application. You'll be more prepared to react appropriately to the ever-changing threat landscape.

Use the following resources during the training stage to familiarize yourself with the Azure services that are available to developers and with security best practices on Azure:

Requirements

The requirements definition phase is a crucial step in defining what your application is and what it will do when it's released. The requirements phase is also the time to think about the security controls that you will build into your application. During this phase, you also begin the steps that you will take throughout the SDL to ensure that you release and deploy a secure application.

Consider security and privacy issues

This phase is the best time to consider foundational security and privacy issues. Defining acceptable levels of security and privacy at the start of a project helps a team:

  • Understand risks associated with security issues.
  • Identify and fix security bugs during development.
  • Apply established levels of security and privacy throughout the entire project.

When you write the requirements for your application, be sure to consider security controls that can help keep your application and data safe.

Ask security questions

Ask security questions like:

  • Does my application contain sensitive data?

  • Does my application collect or contain sensitive personal or customer data that can be used, either on its own or with other information, to identify, contact, or locate a single person?

  • Does my application collect or contain data that can be used to access an individual's medical, educational, financial, or employment information? Identifying the sensitivity of your data during the requirements phase helps you classify your data and identify the data protection method you will use for your application.

  • Where and how is my data stored? Consider how you will monitor the storage services that your application uses for any unexpected changes (such as slower response times). Will you be able to influence logging to collect more detailed data and analyze a problem in depth?

  • Will my application be available to the public (on the internet) or internally only? If your application is available to the public, how do you protect the data that might be collected from being used in the wrong way? If your application is available internally only, consider who in your organization should have access to the application and how long they should have access.

  • Do you understand your identity model before you begin designing your application? How will you determine that users are who they say they are, and what a user is authorized to do?

  • Does my application perform sensitive or important tasks (such as transferring money, unlocking doors, or delivering medicine)? Consider how you will validate that the user performing a sensitive task is authorized to perform the task, and how you will authenticate that the person is who they say they are. Authorization (AuthZ) is the act of granting an authenticated security principal permission to do something. Authentication (AuthN) is the act of challenging a party for legitimate credentials.

  • Does my application perform any risky software activities, like allowing users to upload or download files or other data? If your application does perform risky activities, consider how your application will protect users from handling malicious files or data.

Review the OWASP Top 10

Consider reviewing the OWASP Top 10 Application Security Risks. The OWASP Top 10 addresses critical security risks to web applications. Awareness of these security risks can help you make requirement and design decisions that minimize these risks in your application.

Thinking about security controls to prevent breaches is important. Assuming a breach helps answer some important questions about security in advance, so they don't have to be answered in an emergency:

  • How will I detect an attack?

  • What will I do if there is an attack or breach?

  • How am I going to recover from an attack, such as data leaking or tampering?

Design

The design phase is critical for establishing best practices for design and functional specifications. It is also critical for performing risk analysis that helps mitigate security and privacy issues throughout a project.

When you have security requirements in place and use secure design concepts, you can avoid or minimize opportunities for a security flaw. A security flaw is an oversight in the design of the application that might allow a user to perform malicious or unexpected actions after your application is released.

During the design phase, also think about how you can apply security in layers; one level of defense isn't necessarily enough. What happens if an attacker gets past your web application firewall (WAF)? You want another security control in place to defend against that attack.

With this in mind, we discuss the following secure design concepts and the security controls you should address when you design secure applications:

  • Use a secure coding library and a software framework.
  • Scan for vulnerable components.
  • Use threat modeling during application design.
  • Reduce your attack surface.
  • Adopt a policy of identity as the primary security perimeter.
  • Require re-authentication for important transactions.
  • Use a key management solution to secure keys, credentials, and other secrets.
  • Protect sensitive data.
  • Implement fail-safe measures.
  • Take advantage of error and exception handling.
  • Use logging and alerting.

Use a secure coding library and a software framework

For development, use a secure coding library and a software framework that has embedded security. Developers can use existing, proven features (encryption, input sanitation, output encoding, keys or connection strings, and anything else that would be considered a security control) instead of developing security controls from scratch. This helps guard against security-related design and implementation flaws.

Be sure that you're using the latest version of your framework and all the security features that are available in the framework. Microsoft offers a comprehensive set of development tools for all developers, working on any platform or language, to deliver cloud applications. You can code with the language of your choice by choosing from various SDKs. You can take advantage of full-featured integrated development environments (IDEs) and editors that have advanced debugging capabilities and built-in Azure support.

Microsoft offers a variety of languages, frameworks, and tools that you can use to develop applications on Azure. An example is Azure for .NET and .NET Core developers. For each language and framework that we offer, you'll find quickstarts, tutorials, and API references to help you get started fast.

Azure offers a variety of services you can use to host websites and web applications. These services let you develop in your favorite language, whether that's .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Azure App Service Web Apps (Web Apps) is one of these services.

Web Apps adds the power of Microsoft Azure to your application. It includes security, load balancing, autoscaling, and automated management.

Azure offers other services that you can use to host websites and web applications. For most scenarios, Web Apps is the best choice. For a microservice architecture, consider Azure Service Fabric. If you need more control over the VMs that your code runs on, consider Azure Virtual Machines.

Apply updates to components

To prevent vulnerabilities, you should continuously inventory both your client-side and server-side components (for example, frameworks and libraries) and their dependencies for updates. New vulnerabilities and updated software versions are released continuously. Ensure that you have an ongoing plan to monitor, triage, and apply updates or configuration changes to the libraries and components you use.

See the Open Web Application Security Project (OWASP) page on using components with known vulnerabilities for tool suggestions. You can also subscribe to email alerts for security vulnerabilities that are related to components you use.

Use threat modeling during application design

Threat modeling is the process of identifying potential security threats to your business and application, and then ensuring that proper mitigations are in place. The SDL specifies that teams should engage in threat modeling during the design phase, when resolving potential issues is relatively easy and cost-effective. Using threat modeling in the design phase can greatly reduce your total cost of development.

To help facilitate the threat modeling process, we designed the SDL Threat Modeling Tool with non-security experts in mind. This tool makes threat modeling easier for all developers by providing clear guidance about how to create and analyze threat models.

Modeling the application design and enumerating STRIDE threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) across all trust boundaries has proven an effective way to catch design errors early on. The following table lists the STRIDE threats and gives some example mitigations that use features provided by Azure. These mitigations won't work in every situation.

| Threat | Security property | Potential Azure platform mitigation |
|---|---|---|
| Spoofing | Authentication | Require HTTPS connections. |
| Tampering | Integrity | Validate SSL/TLS certificates. Applications that use SSL/TLS must fully verify the X.509 certificates of the entities they connect to. Use Azure Key Vault certificates to manage your X.509 certificates. |
| Repudiation | Non-repudiation | Enable Azure monitoring and diagnostics. |
| Information Disclosure | Confidentiality | Encrypt sensitive data at rest and in transit. |
| Elevation of Privilege | Authorization | Use Azure Active Directory Privileged Identity Management. |

Reduce your attack surface

An attack surface is the total sum of where potential vulnerabilities might occur. In this paper, we focus on an application's attack surface. The focus is on protecting an application from attack. A simple and quick way to minimize your attack surface is to remove unused resources and code from your application. The smaller your application, the smaller your attack surface. For example, remove:

  • Code for features you haven't released yet.
  • Debugging support code.
  • Network interfaces and protocols that aren't used or that have been deprecated.
  • Virtual machines and other resources that you aren't using.

Doing regular cleanup of your resources and ensuring that you remove unused code are great ways to ensure that there are fewer opportunities for malicious actors to attack.

A more detailed and in-depth way to reduce your attack surface is to complete an attack surface analysis. An attack surface analysis helps you map the parts of a system that need to be reviewed and tested for security vulnerabilities.

The purpose of an attack surface analysis is to understand the risk areas in an application so that developers and security specialists are aware of which parts of the application are open to attack. Then, you can find ways to minimize this potential, track when and how the attack surface changes, and understand what this means from a risk perspective.

An attack surface analysis helps you identify:

  • Functions and parts of the system you need to review and test for security vulnerabilities.
  • High-risk areas of code that require defense-in-depth protection (parts of the system that you need to defend).
  • When you alter the attack surface and need to refresh a threat assessment.

Reducing opportunities for attackers to exploit a potential weak spot or vulnerability requires you to thoroughly analyze your application's overall attack surface. It also includes disabling or restricting access to system services, applying the principle of least privilege, and employing layered defenses wherever possible.

We discuss conducting an attack surface review during the verification phase of the SDL.

Note

What's the difference between threat modeling and attack surface analysis? Threat modeling is the process of identifying potential security threats to your application and ensuring that proper mitigations against the threats are in place. Attack surface analysis identifies high-risk areas of code that are open to attack. It involves finding ways to defend high-risk areas of your application and reviewing and testing those areas of code before you deploy the application.

Adopt a policy of identity as the primary security perimeter

When you design cloud applications, it's important to expand your security perimeter focus from a network-centric approach to an identity-centric approach. Historically, the primary on-premises security perimeter was an organization's network. Most on-premises security designs use the network as the primary security pivot. For cloud applications, you are better served by considering identity as the primary security perimeter.

Things you can do to develop an identity-centric approach to developing web applications:

  • Enforce multi-factor authentication for users.
  • Use strong authentication and authorization platforms.
  • Apply the principle of least privilege.
  • Implement just-in-time access.

Enforce multi-factor authentication for users

Use two-factor authentication. Two-factor authentication is the current standard for authentication and authorization because it avoids the security weaknesses that are inherent in username-and-password types of authentication. Access to the Azure management interfaces (Azure portal/remote PowerShell) and to customer-facing services should be designed and configured to use Azure Multi-Factor Authentication.

Use strong authentication and authorization platforms

Use platform-supplied authentication and authorization mechanisms instead of custom code, because developing custom authentication code is prone to error. Commercial code (for example, from Microsoft) is often extensively reviewed for security. Azure Active Directory (Azure AD) is the Azure solution for identity and access management. These Azure AD tools and services help with secure development:

  • Azure AD identity platform (Azure AD for developers) is a cloud identity service that developers use to build apps that securely sign in users. Azure AD assists developers who are building single-tenant, line-of-business (LOB) apps and developers who are looking to develop multi-tenant apps. In addition to basic sign-in, apps that are built by using Azure AD can call Microsoft APIs and custom APIs that are built on the Azure AD platform. The Azure AD identity platform supports industry-standard protocols like OAuth 2.0 and OpenID Connect.

  • Azure Active Directory B2C (Azure AD B2C) is an identity management service you can use to customize and control how customers sign up, sign in, and manage their profiles when they use your applications. This includes applications that are developed for iOS, Android, and .NET, among others. Azure AD B2C enables these actions while protecting customer identities.

Apply the principle of least privilege

The concept of least privilege means giving users the precise level of access and control they need to do their jobs and nothing more.

Would a software developer need domain admin rights? Would an administrative assistant need access to administrative controls on their personal computer? Evaluating access to software is no different. If you use role-based access control (RBAC) to give users different abilities and authority in your application, you wouldn't give everyone access to everything. By limiting access to what is required for each role, you limit the risk of a security issue occurring.

Ensure that your application enforces least privilege throughout its access patterns.

Note

The rules of least privilege need to apply to the software and to the people creating the software. Software developers can be a huge risk to IT security if they are given too much access. The consequences can be severe if a developer has malicious intent or is given too much access. We recommend that the rules of least privilege be applied to developers throughout the development lifecycle.

Require re-authentication for important transactions

Cross-site request forgery (also known as XSRF or CSRF) is an attack against web-hosted apps in which a malicious web app influences the interaction between a client browser and a web app that trusts that browser. Cross-site request forgery attacks are possible because web browsers send some types of authentication tokens automatically with every request to a website. This form of exploitation is also known as a one-click attack or session riding because the attack takes advantage of the user's previously authenticated session.

The best way to defend against this kind of attack is to ask the user for something that only the user can provide before every important transaction, such as a purchase, account deactivation, or a password change. You might ask the user to re-enter their password, complete a captcha, or submit a secret token that only the user would have. The most common approach is the secret token.
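The secret-token approach described above, as an added example that is not code from the article or from Microsoft: the server mints a token bound to the authenticated session, the page submits it with the important transaction, and the server refuses the transaction unless the token verifies. The signing key, the token lifetime, the session identifiers, and the `change_password` handler are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed signing key for this example. In a deployed app the key would be
# loaded from a secret store such as Azure Key Vault, never from source code.
SERVER_KEY = secrets.token_bytes(32)

TOKEN_MAX_AGE = 3600  # seconds a token stays valid (assumed policy for the example)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY,
                     now: Optional[int] = None) -> str:
    """Mint a secret token for one authenticated session.

    Format: nonce.timestamp.mac. The HMAC covers the session id, so a token
    lifted from one user's page does not verify inside another user's session.
    Unlike the session cookie, the browser never sends this token on its own;
    it has to come from a form the user actually loaded from this site.
    """
    nonce = secrets.token_hex(16)
    ts = str(int(time.time()) if now is None else now)
    mac = hmac.new(key, f"{session_id}|{nonce}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{ts}.{mac}"


def verify_csrf_token(token: str, session_id: str, key: bytes = SERVER_KEY,
                      max_age: int = TOKEN_MAX_AGE, now: Optional[int] = None) -> bool:
    """Return True only for a well-formed, unexpired token bound to this session."""
    try:
        nonce, ts, mac = token.split(".")
        issued = int(ts)
    except (AttributeError, ValueError):
        return False  # malformed or missing token: fail closed
    current = int(time.time()) if now is None else now
    if issued > current or current - issued > max_age:
        return False  # issued in the future or expired
    expected = hmac.new(key, f"{session_id}|{nonce}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, expected)


def change_password(form: dict, session_id: str) -> Tuple[int, str]:
    """An important transaction: applied only when the request carries a valid
    token for the current session. The session cookie alone is not enough."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id):
        return 403, "Rejected: anti-forgery token missing or invalid."
    # ... the password update itself would happen here ...
    return 200, "Password changed."


if __name__ == "__main__":
    session = "sess-alice-1"  # constructed session identifier
    token = issue_csrf_token(session)
    print(change_password({"csrf_token": token, "new_password": "x"}, session))
    # A cross-site request arrives with the session cookie but without the token:
    print(change_password({"new_password": "x"}, session))
```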

Use a key management solution to secure keys, credentials, and other secrets

Losing keys and credentials is a common problem. The only thing worse than losing your keys and credentials is having an unauthorized party gain access to them. Attackers can take advantage of automated and manual techniques to find keys and secrets that are stored in code repositories like GitHub. Don't put keys and secrets in these public code repositories or on any other server.

Always put your keys, certificates, secrets, and connection strings in a key management solution. You can use a centralized solution in which keys and secrets are stored in hardware security modules (HSMs). Azure provides you with an HSM in the cloud with Azure Key Vault.

Key Vault is a secret store: a centralized cloud service for storing application secrets. Key Vault keeps your confidential data safe by keeping application secrets in a single, central location and providing secure access, permissions control, and access logging.

Secrets are stored in individual vaults. Each vault has its own configuration and security policies to control access. You get to your data through a REST API or through a client SDK that's available for most programming languages.

Important

Azure Key Vault is designed to store configuration secrets for server applications. It's not intended for storing data that belongs to app users. This is reflected in its performance characteristics, API, and cost model.

User data should be stored elsewhere, such as in an Azure SQL Database instance that has Transparent Data Encryption (TDE) or in a storage account that uses Azure Storage Service Encryption. Secrets that are used by your application to access these data stores can be kept in Azure Key Vault.

Protect sensitive data

Protecting data is an essential part of your security strategy. Classifying your data and identifying your data protection needs helps you design your app with data security in mind. Classifying (categorizing) stored data by sensitivity and business impact helps developers determine the risks that are associated with the data.

Label all applicable data as sensitive when you design your data formats. Ensure that the application treats the applicable data as sensitive. These practices can help you protect your sensitive data:

  • Use encryption.
  • Avoid hard-coding secrets like keys and passwords.
  • Ensure that access controls and auditing are in place.

Use encryption

Protecting data should be an essential part of your security strategy. If your data is stored in a database or if it moves back and forth between locations, use encryption of data at rest (while in the database) and encryption of data in transit (on its way to and from the user, the database, an API, or a service endpoint). We recommend that you always use SSL/TLS protocols to exchange data. Ensure that you use the latest version of TLS for encryption (currently, this is version 1.2).

Avoid hard-coding

Some things should never be hard-coded in your software. Some examples are hostnames or IP addresses, URLs, email addresses, usernames, passwords, storage account keys, and other cryptographic keys. Consider implementing requirements around what can or can't be hard-coded in your code, including in the comment sections of your code.

When you put comments in your code, ensure that you don't save any sensitive information. This includes your email address, passwords, connection strings, information about your application that would only be known by someone in your organization, and anything else that might give an attacker an advantage in attacking your application or organization.

Basically, assume that everything in your development project will be public knowledge when it is deployed. Avoid including sensitive data of any kind in the project.

Earlier, we discussed Azure Key Vault. You can use Key Vault to store secrets like keys and passwords instead of hard-coding them. When you use Key Vault in combination with managed identities for Azure resources, your Azure web app can access secret configuration values easily and securely without storing any secrets in your source control or configuration. To learn more, see Manage secrets in your server apps with Azure Key Vault.

Implement fail-safe measures

Your application must be able to handle errors that occur during execution in a consistent manner. The application should catch all errors and either fail safe or fail closed.

You should also ensure that errors are logged with sufficient user context to identify suspicious or malicious activity. Logs should be retained for a sufficient time to allow delayed forensic analysis. Logs should be in a format that can be easily consumed by a log management solution. Ensure that alerts are triggered for errors that are related to security. Insufficient logging and monitoring allows attackers to further attack systems and maintain persistence.

Take advantage of error and exception handling

Implementing correct error and exception handling is an important part of defensive coding. Error and exception handling are critical to making a system reliable and secure. Mistakes in error handling can lead to different kinds of security vulnerabilities, such as leaking information to attackers and helping attackers understand more about your platform and design.

Ensure that:

  • You handle exceptions in a centralized manner to avoid duplicated try/catch blocks in the code.

  • All unexpected behaviors are handled inside the application.

  • Messages that are displayed to users don't leak critical data but do provide enough information to explain the issue.

  • Exceptions are logged and provide enough information for forensics or incident response teams to investigate.
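The fail-safe and centralized handling described in the two sections above, as an added example that is not code from the article or from Microsoft: one boundary function wraps every handler, fails closed on any exception, returns only a generic message plus a reference id to the caller, and writes the full exception with user context to the log under the same reference id. The request shape, the `transfer_funds` handler and its constructed failure text are assumptions made for the example.

```python
import logging
import traceback
import uuid
from typing import Any, Callable, Dict, List, Tuple


class MemoryLogHandler(logging.Handler):
    """Keeps records in memory so the example runs offline; a deployed app
    would forward them to a log management solution instead."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


log = logging.getLogger("app.errors")
log.setLevel(logging.INFO)
log.propagate = False
memory = MemoryLogHandler()
log.addHandler(memory)

# What the caller sees: enough to act on (quote the reference id to support),
# nothing about the stack, the dependency, or the platform.
GENERIC_ERROR = "The request could not be completed. Quote the reference id when contacting support."

Handler = Callable[[Dict[str, Any]], Dict[str, Any]]


def handle_request(handler: Handler, request: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Single choke point around every handler, so there are no scattered
    try/except blocks. Any failure fails closed: the operation is not applied
    and the caller gets a generic message, while the exception, the stack and
    the user context go to the log keyed by a reference id that ties the two."""
    ref = uuid.uuid4().hex
    ctx = {
        "ref": ref,
        "user": request.get("user", "anonymous"),
        "client_ip": request.get("client_ip", "unknown"),
        "path": request.get("path", "unknown"),
    }
    try:
        return 200, handler(request)
    except PermissionError as exc:
        # Authorization failures are security-relevant: logged with context so
        # repeated attempts by one user or address can raise an alert.
        log.warning("authorization failure", extra={"ctx": ctx, "detail": str(exc)})
        return 403, {"error": "Not authorized.", "ref": ref}
    except Exception as exc:  # deliberate catch-all at the application boundary
        log.error("unhandled exception",
                  extra={"ctx": ctx, "detail": repr(exc), "trace": traceback.format_exc()})
        return 500, {"error": GENERIC_ERROR, "ref": ref}


def transfer_funds(request: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed handler for a sensitive task. Its failure message embeds a
    connection string, the kind of detail that must never reach the caller."""
    if request.get("role") != "account_owner":
        raise PermissionError(f"role {request.get('role')!r} may not transfer funds")
    # Constructed dependency failure (no real database is contacted).
    raise RuntimeError("db connect failed: Server=tcp:example-db;Password=hunter2")


if __name__ == "__main__":
    print(handle_request(transfer_funds,
                         {"user": "alice", "role": "account_owner", "client_ip": "203.0.113.5"}))
    print(handle_request(transfer_funds, {"user": "mallory", "role": "guest"}))
    for rec in memory.records:
        print(rec.levelname, rec.getMessage(), rec.ctx, getattr(rec, "detail", ""))
```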

Azure Logic Apps provides a first-class experience for handling errors and exceptions that are caused by dependent systems. You can use Logic Apps to create workflows to automate tasks and processes that integrate apps, data, systems, and services across enterprises and organizations.

Use logging and alerting

Log your security issues for security investigations, and trigger alerts about issues to ensure that people know about problems in a timely manner. Enable auditing and logging on all components. Audit logs should capture user context and identify all important events.

Check that you don't log any sensitive data that a user submits to your site. Examples of sensitive data include:

  • User credentials
  • Social Security numbers or other identifying information
  • Credit card numbers or other financial information
  • Health information
  • Private keys or other data that can be used to decrypt encrypted information
  • System or application information that can be used to more effectively attack the application

Ensure that the application monitors user management events such as successful and failed user logins, password resets, password changes, account lockout, and user registration. Logging these events helps you detect and react to potentially suspicious behavior. It also allows you to gather operations data, such as who is accessing the application.
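The two points above, an audit log that carries user context but never sensitive values, and monitoring of user management events, as an added example that is not code from the article or from Microsoft. It writes one JSON line per event with sensitive fields and card/SSN-looking strings redacted, and runs a simple detection over those lines that flags users with a burst of failed logins. The field list, the regular expressions, the alert threshold and the sample events are assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional

# Field names whose values are never written to a log, whatever they contain (assumed list).
SENSITIVE_FIELDS = {"password", "new_password", "old_password", "token", "credential",
                    "card_number", "cvv", "ssn", "private_key", "connection_string"}
# Sensitive values that may turn up inside free text, e.g. a "note" field.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact(value: Any) -> Any:
    """Recursively mask sensitive keys and card/SSN-looking strings.
    Over-redacting a log line is the safe failure mode, so the patterns are broad."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return SSN_RE.sub("[REDACTED-SSN]", CARD_RE.sub("[REDACTED-CARD]", value))
    return value


def audit_line(event: str, user: str, client_ip: str, outcome: str,
               details: Optional[Dict[str, Any]] = None, ts: Optional[str] = None) -> str:
    """One JSON audit record with user context; details are redacted before
    serialization so nothing sensitive ever reaches the log sink."""
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user": user,
        "client_ip": client_ip,
        "outcome": outcome,
        "details": redact(details or {}),
    }
    return json.dumps(record, sort_keys=True)


def failed_login_bursts(lines: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Detection over audit lines: users with at least `threshold` failed logins,
    returned as {user: failure_count} so an alert can be raised for each."""
    failures: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "login" and rec["outcome"] == "failure":
            failures[rec["user"]] += 1
    return {user: n for user, n in failures.items() if n >= threshold}


# Constructed sample of events an application would emit.
SAMPLE_LINES: List[str] = [audit_line("login", "bob", "198.51.100.7", "failure") for _ in range(6)]
SAMPLE_LINES.append(audit_line("login", "alice", "203.0.113.5", "success"))
SAMPLE_LINES.append(audit_line("password_change", "alice", "203.0.113.5", "success",
                               {"old_password": "p@ss1", "new_password": "p@ss2",
                                "note": "card on file 4111 1111 1111 1111"}))

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
    print("alert:", failed_login_bursts(SAMPLE_LINES))
```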

Next steps

In the following articles, we recommend security controls and activities that can help you develop and deploy secure applications.