Security for developers/ja



'''MediaWiki 開発者として、あなたにはレビューと監査が簡単なスタイルで安全なコードを書く責任があります. ''' この記事では、セキュリティに関連する問題点と、MediaWiki 開発者がこれらのセキュリティ問題に対処するために使用する成功事例に焦点を当てています. コーディング スタイルの問題点については、MediaWiki コーディング規約をお読みください.

あらゆる MediaWiki 開発者は、Web アプリケーション開発および PHP の経験のレベルに関係なく、この記事を注意深く読み、定期的にこの資料に精通する必要があります. さらに、すべての開発者は、クロスサイト スクリプティング (XSS)、クロスサイト リクエスト フォージェリ (CSRF)、 に関する記事を注意深く読む必要があります. 記事には、これらの一般的な脆弱性のそれぞれの詳細な説明が記載されています. は一般的な開発タスクの便利なリファレンスを提供します.

Why security matters
Web application security is a critical issue in the wired world. Websites with security vulnerabilities are a key part of the illicit global infrastructure of malware, spam and phishing. Bot herders crawl the web looking for websites with security vulnerabilities, and then use the vulnerabilities to hijack them. The hijacked website will distribute malware (viruses) to visitors, either via browser vulnerabilities or overtly by social engineering. The downloaded malware turns the client's computer into a "zombie" that is part of a global network of organized crime aimed at stealing bank account details, sending spam, and extorting money from websites with denial-of-service threats.

Demonstrable security
It's not enough to assure yourself that you are perfect and that your code has no security vulnerabilities. Everyone makes mistakes. All core code, and a good deal of extension code, is reviewed by experienced developers to verify its security. This is a good practice and should be encouraged.

Write code in such a way that it is demonstrably secure, such that a reviewer can more easily tell that it's secure. Don't write code that looks suspicious but is, on careful examination, secure. Such code causes unnecessary reviewer anxiety.

セキュリティ脆弱性と攻撃の概要
This document has a strong focus on the following attacks and security risks. Each MediaWiki developer should be familiar with these issues and have at least a passing understanding of them.

関連項目

 *  - a checklist of common development tasks, and the security measures necessary for those tasks
 *  – brief info on reporting security issues
 *  – information on hardening your MediaWiki install
 * Open Web Application Security Project (OWASP)
 *  – a static analysis tool specifically for MediaWiki that checks your extension for common security flaws. Run as part of.
 * Open Web Application Security Project (OWASP)
 *  – a static analysis tool specifically for MediaWiki that checks your extension for common security flaws. Run as part of.
 * Open Web Application Security Project (OWASP)
 *  – a static analysis tool specifically for MediaWiki that checks your extension for common security flaws. Run as part of.

書籍

 * Tobias Wassermann: "Sichere Webanwendungen mit PHP". ISBN 9783826617546