# Security

## Overview

This topic covers web security, cryptography, and secure software development practices. From fundamental concepts such as the CIA Triad and Threat Modeling to hands-on projects that build a secure API and a vulnerability scanner, these lessons provide a comprehensive foundation in application security.
## Prerequisites

- Intermediate Python (functions, classes, decorators)
- Basic understanding of HTTP and web development
- Experience with command-line tools
- Basic networking concepts (TCP/IP, DNS)
## Learning Plan

### Fundamentals

| File | Difficulty | Main Topics | Notes |
|---|---|---|---|
| 01_Security_Fundamentals.md | ⭐ | CIA Triad, Threat Modeling, STRIDE, Defense in Depth | Conceptual foundations |
| 02_Cryptography_Basics.md | ⭐⭐ | AES, RSA, ECDSA, Key Exchange, Digital Signatures | Python cryptography library |
| 03_Hashing_and_Integrity.md | ⭐⭐ | SHA-256, bcrypt, Argon2, HMAC, Merkle Trees | Password hashing best practices |
| 04_TLS_and_PKI.md | ⭐⭐ | TLS 1.3, X.509, Certificate Chains, mTLS, Let's Encrypt | Hands-on OpenSSL examples |
### Authentication and Authorization

| File | Difficulty | Main Topics | Notes |
|---|---|---|---|
| 05_Authentication.md | ⭐⭐⭐ | OAuth 2.0, JWT, TOTP/MFA, Session Management | PyJWT and pyotp examples |
| 06_Authorization.md | ⭐⭐⭐ | RBAC, ABAC, ACL, Policy Engines, IDOR Prevention | Flask middleware example |
### Web Security

| File | Difficulty | Main Topics | Notes |
|---|---|---|---|
| 07_OWASP_Top10.md | ⭐⭐⭐ | OWASP Top 10 (2021), Vulnerable vs Fixed Code | Comprehensive reference material |
| 08_Injection_Attacks.md | ⭐⭐⭐ | SQL Injection, XSS, CSRF, Command Injection, SSTI | Attack/defense pairs |
| 09_Web_Security_Headers.md | ⭐⭐⭐ | CSP, HSTS, CORS, SRI, Permissions-Policy | Header configuration |
| 10_API_Security.md | ⭐⭐⭐ | Rate Limiting, CORS, Input Validation, API Gateway | Flask examples |
### Operations and Infrastructure

### Testing and Response

| File | Difficulty | Main Topics | Notes |
|---|---|---|---|
| 13_Security_Testing.md | ⭐⭐⭐⭐ | SAST, DAST, SCA, Fuzzing, Penetration Testing | Bandit, Semgrep, ZAP |
| 14_Incident_Response.md | ⭐⭐⭐⭐ | NIST IR Framework, Forensics, Log Analysis, SIEM | Playbook templates |
### Projects

## Recommended Learning Path

```text
Fundamentals (L01-L04)      Authentication (L05-L06)     Web Security (L07-L10)
        │                           │                            │
        ▼                           ▼                            ▼
CIA Triad                   OAuth 2.0 / JWT              OWASP Top 10, XSS, SQLi
Cryptography Basics         RBAC / ABAC                  CSP, CORS, Rate Limiting
TLS / PKI                   Session Mgmt                 API Security
        │                           │                            │
        └───────────────────────────┴────────────────────────────┘
                                    │
                                    ▼
                          Operations (L11-L12)
                          Secrets, Containers
                                    │
                                    ▼
                      Testing & Response (L13-L14)
                      SAST/DAST, Incident Response
                                    │
                                    ▼
                          Projects (L15-L16)
                          Secure API, Vuln Scanner
```
## Example Code

Example code for this topic is available under examples/Security/.

## Summary

- 16 lessons (4 fundamentals + 2 authentication + 4 web + 2 operations + 2 testing + 2 projects)
- Difficulty range: ⭐ to ⭐⭐⭐⭐
- Languages: Python (primary), Bash (supporting)
- Main libraries: cryptography, PyJWT, pyotp, bcrypt, Flask, Bandit, Semgrep