輸入驗(yàn)證:
　　Conduct all data validation on a trusted system (e.g., The server)
　　在受信任系統(tǒng)上進(jìn)行全部數(shù)據(jù)驗(yàn)證。(例如服務(wù)器)
　　Identify all data sources and classify them into trusted and untrusted. Validate all data from untrusted sources (e.g., Databases, file streams, etc.)
　　確認(rèn)所有數(shù)據(jù)源并將其分為受信任和不信任的。驗(yàn)證所有來(lái)自不信任源的數(shù)據(jù)。(例如數(shù)據(jù)庫(kù)，文件流等等)
　　There should be a centralized input validation routine for the application
　　各類(lèi)應(yīng)用應(yīng)當(dāng)具有統(tǒng)一的輸入驗(yàn)證規(guī)則。
　　Specify proper character sets, such as UTF-8, for all sources of input
　　為所有輸入源指定適當(dāng)?shù)慕y(tǒng)一字符集，例如UTF-8字符集。
　　Encode data to a common character set before validating (Canonicalize)
　　在驗(yàn)證前將數(shù)據(jù)用統(tǒng)一字符集進(jìn)行編碼。(規(guī)范化) All validation failures should result in input rejection
　　所有驗(yàn)證失敗的情形應(yīng)當(dāng)導(dǎo)致拒絕輸入。
　　Determine if the system supports UTF-8 extended character sets and if so, validate after UTF-8 decoding is completed
　　確認(rèn)系統(tǒng)是否支持UTF-8擴(kuò)展字符集，如果支持，則在UTF-8解碼完成后進(jìn)行驗(yàn)證。
　　在處理前驗(yàn)證所有客戶(hù)端提供的數(shù)據(jù)，包括所有參數(shù)，URL以及HTTP頭文件(例如Cookie名及數(shù)值)。確定其中包含JavaScript, Flash或其他嵌入代碼產(chǎn)生的自動(dòng)回傳數(shù)據(jù)。
　　Verify that header values in both requests and responses contain only ASCII characters
　　確認(rèn)請(qǐng)求和響應(yīng)的標(biāo)頭值只包含ASCII字符
　　Validate data from redirects (An attacker may submit malicious content directly to the target of the redirect, thus circumventing application logic and any validation performed before the redirect)
　　驗(yàn)證重定向數(shù)據(jù)(攻擊者可能上傳只對(duì)重定向目標(biāo)起作用的惡意代碼，從而繞過(guò)重定向前的應(yīng)用程序邏輯及任何驗(yàn)證手段)
　　Validate for expected data types 、
　　驗(yàn)證數(shù)據(jù)類(lèi)型是否符合期望
　　Validate data range
　　驗(yàn)證數(shù)據(jù)值域
　　Validate data length
　　驗(yàn)證數(shù)據(jù)長(zhǎng)度
　　Validate all input against a "white" list of allowed characters, whenever possible
　　可能的話(huà)，將所有輸入與被允許字符的”白名單”進(jìn)行對(duì)比驗(yàn)證
　　If any potentially hazardous characters must be allowed as input, be sure that you implement additional controls like output encoding, secure task specific APIs and accounting for the utilization of that data throughout the application . Examples of common hazardous characters include:
　　< > " ’ % ( ) & + \ \’ \"
　　在不得不允許輸入可能危險(xiǎn)的字符的情況下，需要實(shí)現(xiàn)額外的控制功能如輸出編碼，安全任務(wù)專(zhuān)用的應(yīng)用程序接口，并將使用含危險(xiǎn)字符數(shù)據(jù)的可能性納入全盤(pán)考量。常見(jiàn)的危險(xiǎn)字符包括< > " ’ % ( ) & + \ \’ \"
　　If your standard validation routine cannot address the following inputs, then they should be checked discretely
　　o Check for null bytes ()
　　o Check for new line characters ( , , \r, \n)
　　o Check for “dot-dot-slash" (../ or ..\) path alterations characters. In cases where UTF-8 extended character set encoding is supported, address alternate representation like: ??/
　　(Utilize canonicalization to address double encoding or other forms of obfuscation attacks)
　　如果標(biāo)準(zhǔn)常規(guī)驗(yàn)證無(wú)法處理以下輸入，那么他們需要被單獨(dú)檢查。
　　o 檢查空字節(jié) ()
　　o 檢查換行符 ( , , \r, \n)
　　o 檢查類(lèi)似”點(diǎn)-點(diǎn)-斜杠" (../ or ..\)的路徑轉(zhuǎn)換符 在支持UTF-8擴(kuò)展字符集編碼的情況下檢查路徑轉(zhuǎn)換符的變體(如??/)
　　(應(yīng)用規(guī)范化手段解決雙重編碼或者其他類(lèi)型的混淆攻擊)
　　Output Encoding:
　　輸出編碼
　　Conduct all encoding on a trusted system (e.g., The server)
　　在受信任系統(tǒng)上進(jìn)行全部編碼程序。(例如服務(wù)器)
　　Utilize a standard, tested routine for each type of outbound encoding
　　為每一種出站編碼建立一個(gè)經(jīng)過(guò)測(cè)試的標(biāo)準(zhǔn)規(guī)范
　　Contextually output encode all data returned to the client that originated outside the application’s trust boundary. HTML entity encoding is one example, but does not work in all cases
　　所有源頭在應(yīng)用程序信任邊界外的數(shù)據(jù)在返回客戶(hù)端前要進(jìn)行上下文編碼。HTML實(shí)體編碼是一個(gè)例子，但并不一定適用于所有情況。
　　Encode all characters unless they are known to be safe for the intended interpreter
　　對(duì)所有字符進(jìn)行編碼，除非在已知對(duì)目標(biāo)解釋程序安全的情況下。
　　Contextually sanitize all output of un-trusted data to queries for SQL, XML, and LDAP
　　在向SQL,XML,LDAP查詢(xún)功能輸出的情況下，對(duì)不受信任數(shù)據(jù)的輸出進(jìn)行上下文清潔。
　　Sanitize all output of un-trusted data to operating system commands
　　清潔所有不受信任數(shù)據(jù)對(duì)操作系統(tǒng)命令的輸出。
　　Authentication and Password Management:
　　身份驗(yàn)證以及密碼管理
　　Require authentication for all pages and resources, except those specifically intended to be public
　　除特定的公開(kāi)頁(yè)面和資源外，訪(fǎng)問(wèn)所有頁(yè)面及資源都需要身份驗(yàn)證。
　　All authentication controls must be enforced on a trusted system (e.g., The server)
　　所有身份驗(yàn)證控制必要在受信任系統(tǒng)上執(zhí)行(例如服務(wù)器)
　　Establish and utilize standard, tested, authentication services whenever possible
　　只要可能，就應(yīng)當(dāng)建立并應(yīng)用標(biāo)準(zhǔn)化并經(jīng)過(guò)測(cè)試的的身份驗(yàn)證服務(wù)
　　Use a centralized implementation for all authentication controls, including libraries that call external authentication services
　　為所有身份驗(yàn)證控制建立集中的身份驗(yàn)證控制系統(tǒng)，包括需要外部身份驗(yàn)證服務(wù)的程序庫(kù)
　　Segregate authentication logic from the resource being requested and use redirection to and from the centralized authentication control
　　對(duì)身份驗(yàn)證邏輯與被訪(fǎng)問(wèn)資源進(jìn)行隔離，使用重定向來(lái)訪(fǎng)問(wèn)集中身份驗(yàn)證控制系統(tǒng)。
　　All authentication controls should fail securely
　　所有身份驗(yàn)證控制應(yīng)當(dāng)保證失效時(shí)仍然安全
　　All administrative and account management functions must be at least as secure as the primary authentication mechanism
　　所有的行政及賬戶(hù)管理功能的安全性必要和主身份驗(yàn)證機(jī)制相當(dāng)或更高。
　　If your application manages a credential store, it should ensure that only cryptographically strong one-way salted hashes of passwords are stored and that the table/file that stores the passwords and keys is write-able only by the application. (Do not use the MD5 algorithm if it can be avoided)
　　如果應(yīng)用程序應(yīng)用了存儲(chǔ)憑據(jù)機(jī)制，那么必要確定只存儲(chǔ)了強(qiáng)加密單向附有隨機(jī)值的哈希密碼，并且保存密碼/密鑰的表/文件只對(duì)該程序可讀。(如果可能，盡量避免使用MD5算法)
　　Password hashing must be implemented on a trusted system (e.g., The server).
　　密碼哈希只能在被信任的系統(tǒng)上實(shí)現(xiàn)(例如服務(wù)器)
　　Validate the authentication data only on completion of all data input, especially for sequential authentication implementations
　　只有在數(shù)據(jù)輸入完成后才能進(jìn)行身份驗(yàn)證數(shù)據(jù)的驗(yàn)證，尤其是在實(shí)現(xiàn)連續(xù)身份驗(yàn)證的情況下。
　　Authentication failure responses should not indicate which part of the authentication data was incorrect. For example, instead of "Invalid username" or "Invalid password", just use "Invalid username and/or password" for both. Error responses must be truly identical in both display and source code
　　對(duì)身份驗(yàn)證失敗的響應(yīng)不應(yīng)該標(biāo)明驗(yàn)證數(shù)據(jù)的哪一部分出錯(cuò)。例如，不應(yīng)當(dāng)顯示”無(wú)效的用戶(hù)名”或”無(wú)效的密碼”，而應(yīng)當(dāng)顯示”無(wú)效的用戶(hù)名或密碼”。源代碼和顯示輸出的錯(cuò)誤響應(yīng)必要完全相同。
　　Utilize authentication for connections to external systems that involve sensitive information or functions
　　對(duì)外部系統(tǒng)的連接，如果涉及到敏感信息或功能的，需要進(jìn)行身份驗(yàn)證。
　　Authentication credentials for accessing services external to the application should be encrypted and stored in a protected location on a trusted system (e.g., The server). The source code is NOT a secure location
　　訪(fǎng)問(wèn)應(yīng)用程序外部服務(wù)的身份驗(yàn)證證書(shū)需要加密保存在一個(gè)受信任系統(tǒng)(例如服務(wù)器)中的受保護(hù)區(qū)域內(nèi)。保存在源代碼內(nèi)不安全
　　Use only HTTP POST requests to transmit authentication credentials
　　只使用HTTP POST請(qǐng)求傳輸身份驗(yàn)證證書(shū)。
　　Only send non-temporary passwords over an encrypted connection or as encrypted data, such as in an encrypted email. Temporary passwords associated with email resets may be an exception
　　只通過(guò)加密連接或作為加密數(shù)據(jù)傳輸非臨時(shí)密碼，例如通過(guò)加密的電子郵件。通過(guò)電子郵件重置密碼產(chǎn)生的臨時(shí)密碼可能是個(gè)例外
　　Enforce password complexity requirements established by policy or regulation. Authentication credentials should be sufficient to withstand attacks that are typical of the threats in the deployed environment. (e.g., requiring the use of alphabetic as well as numeric and/or special characters)
　　強(qiáng)制執(zhí)行策略或監(jiān)管要求的密碼復(fù)雜度規(guī)定。身份驗(yàn)證證書(shū)應(yīng)當(dāng)足以抵御部署環(huán)境中常見(jiàn)的攻擊模式。(例如，要求密碼中包括字母和數(shù)字及/或特殊字符)
　　Enforce password length requirements established by policy or regulation. Eight characters is commonly used, but 16 is better or consider the use of multi-word pass phrases
　　強(qiáng)制執(zhí)行策略或監(jiān)管要求的密碼長(zhǎng)度規(guī)定。通常使用的是8個(gè)字符的密碼，但16個(gè)字符的安全性更好，或者可以考慮使用多字密碼短語(yǔ)。
　　Password entry should be obscured on the user’s screen. (e.g., on web forms use the input type "password")
　　在用戶(hù)屏幕上應(yīng)當(dāng)對(duì)密碼輸入進(jìn)行遮擋顯示(例如在web表格中使用輸入類(lèi)型”password”)
　　Enforce account disabling after an established number of invalid login attempts (e.g., five attempts is common). The account must be disabled for a period of time sufficient to discourage brute force guessing of credentials, but not so long as to allow for a denial-of-service attack to be performed
　　在多次無(wú)效的登錄嘗試后對(duì)賬戶(hù)強(qiáng)制停用(通常是5次嘗試)。賬戶(hù)停用的時(shí)間要足夠長(zhǎng)以阻礙對(duì)密碼的暴力破解，但不能太長(zhǎng)以至于暴露在停止服務(wù)攻擊下。
　　Password reset and changing operations require the same level of controls as account creation and authentication.
　　修改和重置密碼的操作需要與創(chuàng)建賬戶(hù)及身份驗(yàn)證同等級(jí)別的控制。
　　Password reset questions should support sufficiently random answers. (e.g., "favorite book" is a bad question because “The Bible” is a very common answer)
　　重置密碼的問(wèn)題應(yīng)當(dāng)能是答案具有多樣性。(例如，”最喜愛(ài)的書(shū)”不是一個(gè)好問(wèn)題，因?yàn)椤笔ソ?jīng)”是一個(gè)非常常見(jiàn)的答案)
　　If using email based resets, only send email to a pre-registered address with a temporary link/password
　　使用基于電子郵件的密碼重置功能時(shí)，只發(fā)送包含臨時(shí)鏈接/密碼的郵件到預(yù)先注冊(cè)的地址。
　　Temporary passwords and links should have a short expiration time
　　臨時(shí)密碼和鏈接的有效期應(yīng)當(dāng)較短
　　Enforce the changing of temporary passwords on the next use
　　在下次使用時(shí)強(qiáng)制更改臨時(shí)密碼
　　Notify users when a password reset occurs
　　當(dāng)密碼重置時(shí)通知用戶(hù)
　　Prevent password re-use
　　防止密碼復(fù)用
　　Passwords should be at least one day old before they can be changed, to prevent attacks on password re-use
　　密碼使用超過(guò)一天后才可進(jìn)行更改，以防止基于密碼復(fù)用的攻擊。
　　Enforce password changes based on requirements established in policy or regulation. Critical systems may require more frequent changes. The time between resets must be administratively controlled
　　強(qiáng)制執(zhí)行策略或監(jiān)管要求的密碼更改。關(guān)鍵系統(tǒng)可能需要更頻繁的更改。密碼更改的時(shí)間間隔需要由管理員人工控制。
　　Disable "remember me" functionality for password fields
　　禁用”記住密碼”的功能
　　The last use (successful or unsuccessful) of a user account should be reported to the user at their next successful login
　　用戶(hù)成功登錄時(shí)，應(yīng)當(dāng)向其報(bào)告上一次登錄賬戶(hù)的情形，無(wú)論上次成功與否。
　　Implement monitoring to identify attacks against multiple user accounts, utilizing the same password. This attack pattern is used to bypass standard lockouts, when user IDs can be harvested or guessed
　　實(shí)現(xiàn)監(jiān)視識(shí)別對(duì)多個(gè)用戶(hù)賬戶(hù)使用相同密碼進(jìn)行攻擊的功能。這種攻擊模式可以規(guī)避賬戶(hù)因多次登錄失敗而停用的時(shí)間，前提是用戶(hù)名被大量竊取或猜測(cè)，。
　　Change all vendor-supplied default passwords and user IDs or disable the associated accounts
　　修改所有銷(xiāo)售商提供的默認(rèn)用戶(hù)名和密碼，或者禁用相關(guān)賬戶(hù)。
　　Re-authenticate users prior to performing critical operations
　　在進(jìn)行關(guān)鍵操作時(shí)再次對(duì)用戶(hù)進(jìn)行身份驗(yàn)證
　　Use Multi-Factor Authentication for highly sensitive or high value transactional accounts
　　對(duì)高敏感度或高價(jià)值交易賬戶(hù)使用多要素身份驗(yàn)證
　　If using third party code for authentication, inspect the code carefully to ensure it is not affected by any malicious code
　　如果使用第三方代碼進(jìn)行身份驗(yàn)證，仔細(xì)檢查代碼以確認(rèn)其中不包含任何惡意代碼。
　　Session Management:
　　會(huì)話(huà)管理
　　Use the server or framework’s session management controls. The application should only recognize these session identifiers as valid
　　使用服務(wù)器或主機(jī)的會(huì)話(huà)管理控制。應(yīng)用程序應(yīng)當(dāng)只將服務(wù)器或主機(jī)的會(huì)話(huà)標(biāo)識(shí)符視為有效。
　　Session identifier creation must always be done on a trusted system (e.g., The server)
　　會(huì)話(huà)標(biāo)識(shí)符必要在被信任的系統(tǒng)上創(chuàng)建(例如服務(wù)器)
　　Session management controls should use well vetted algorithms that ensure sufficiently random session identifiers
　　會(huì)話(huà)管理控制應(yīng)當(dāng)使用經(jīng)過(guò)有效審核的算法以保證算法標(biāo)識(shí)符的隨機(jī)性
　　Set the domain and path for cookies containing authenticated session identifiers to an appropriately restricted value for the site
　　為包含經(jīng)身份驗(yàn)證的會(huì)話(huà)標(biāo)識(shí)符的cookie的域和路徑設(shè)置一個(gè)適合站點(diǎn)，合理受限的值。
　　Logout functionality should fully terminate the associated session or connection
　　登出功能應(yīng)當(dāng)完全終止相關(guān)的會(huì)話(huà)或連接
　　Logout functionality should be available from all pages protected by authorization
　　所有授權(quán)保護(hù)的頁(yè)面都應(yīng)當(dāng)包含登出功能
　　Establish a session inactivity timeout that is as short as possible, based on balancing risk and business functional requirements. In most cases it should be no more than several hours
　　在平衡風(fēng)險(xiǎn)和商業(yè)功能需求的基礎(chǔ)上，會(huì)話(huà)閑置超時(shí)的時(shí)間越短越好。大多數(shù)情況下不應(yīng)多于幾個(gè)小時(shí)
　　Disallow persistent logins and enforce periodic session terminations, even when the session is active. Especially for applications supporting rich network connections or connecting to critical systems. Termination times should support business requirements and the user should receive sufficient notification to mitigate negative impacts
　　禁止長(zhǎng)期登錄，即使在會(huì)話(huà)激活的情況下，也要強(qiáng)制定期終結(jié)會(huì)話(huà)。尤其是支持豐富網(wǎng)絡(luò)連接或者連接到關(guān)鍵系統(tǒng)的應(yīng)用程序。
　　If a session was established before login, close that session and establish a new session after a successful login
　　如果會(huì)話(huà)在登錄前已建立，那么在成功登陸后關(guān)閉那個(gè)會(huì)話(huà)并重新建立新會(huì)話(huà)
　　Generate a new session identifier on any re-authentication
　　在重新身份驗(yàn)證的時(shí)候生成新會(huì)話(huà)標(biāo)識(shí)符
　　Do not allow concurrent logins with the same user ID
　　禁止同一用戶(hù)名同時(shí)重復(fù)登錄
　　Do not expose session identifiers in URLs, error messages or logs. Session identifiers should only be located in the HTTP cookie header. For example, do not pass session identifiers as GET parameters
　　在URL，錯(cuò)誤信息或者日志中不要暴露會(huì)話(huà)標(biāo)識(shí)符。會(huì)話(huà)標(biāo)識(shí)符應(yīng)當(dāng)只存在于HTTP cookie頭文件中。例如，不要將會(huì)話(huà)標(biāo)識(shí)符用于GET參數(shù)。
　　Protect server side session data from unauthorized access, by other users of the server, by implementing appropriate access controls on the server
　　通過(guò)在服務(wù)器端實(shí)現(xiàn)適當(dāng)?shù)脑L(fǎng)問(wèn)控制，保護(hù)服務(wù)器端的會(huì)話(huà)數(shù)據(jù)不被其他同服務(wù)器的用戶(hù)非法獲取。
　　Generate a new session identifier and deactivate the old one periodically. (This can mitigate certain session hijacking scenarios where the original identifier was compromised)
　　定期生成新會(huì)話(huà)標(biāo)識(shí)符并停用舊標(biāo)識(shí)符(這有助于減少某些通過(guò)舊標(biāo)識(shí)符劫持會(huì)話(huà)的情形)
　　Generate a new session identifier if the connection security changes from HTTP to HTTPS, as can occur during authentication. Within an application, it is recommended to consistently utilize HTTPS rather than switching between HTTP to HTTPS.
　　在連接安全由HTTP轉(zhuǎn)到HTTPS的時(shí)候——在身份驗(yàn)證中可能發(fā)生——生成新的會(huì)話(huà)標(biāo)識(shí)符。在應(yīng)用程序內(nèi)部，建議完全應(yīng)用HTTPS而不是在HTTP和HTTPS間轉(zhuǎn)換
　　Supplement standard session management for sensitive server-side operations, like account management, by utilizing per-session strong random tokens or parameters. This method can be used to prevent Cross Site Request Forgery attacks
　　通過(guò)為每個(gè)進(jìn)程應(yīng)用強(qiáng)隨機(jī)令牌或參數(shù)，對(duì)敏感的服務(wù)器端操作——如賬戶(hù)管理——的標(biāo)準(zhǔn)會(huì)話(huà)管理進(jìn)行補(bǔ)充。這種手段可以用于防止跨站偽造請(qǐng)求攻擊
　　Supplement standard session management for highly sensitive or critical operations by utilizing per-request, as opposed to per-session, strong random tokens or parameters
　　對(duì)高敏感度或關(guān)鍵操作，可以對(duì)每個(gè)請(qǐng)求，而不是每個(gè)會(huì)話(huà)，應(yīng)用強(qiáng)隨機(jī)令牌或參數(shù)。
　　Set the "secure" attribute for cookies transmitted over an TLS connection
　　為通過(guò)傳輸層安全連接傳播的cookie設(shè)置”secure”屬性
　　Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie’s value
　　為cookie設(shè)置”HttpOnly”屬性，除非你的應(yīng)用程序內(nèi)的客戶(hù)端腳本需要讀取或設(shè)置cookie的值。
　　Access Control:
　　訪(fǎng)問(wèn)控制
　　Use only trusted system objects, e.g. server side session objects, for making access authorization decisions
　　只使用受信任系統(tǒng)的對(duì)象，例如服務(wù)器端會(huì)話(huà)對(duì)象，來(lái)進(jìn)行訪(fǎng)問(wèn)授權(quán)決定。