Erik-Castro/DevSecurity

## layout: default title: "DevSecurity" # DevSecurity — 安全开发书籍 ## 关于本仓库 这是 **DevSecurity** 系列的核心仓库：安全软件开发技术书籍，以葡萄牙语撰写，侧重于**现代 C++（C++17/20）**和系统架构的实践。 目标是填补安全理论与开发实践之间的空白——将真实的漏洞（已记录的 CVE）转化为安全的、可验证的且可用于生产环境的代码模式。 ### 系列数据 | 指标 | 数值 | |---------|-------| | 已出版书籍 | 7 | | 待出版书籍 | 1 | | 总章节数 | 126 | | 总行数 | ~350.000+ | | 已记录 CVE | 350+ | | 语言 | C++17/20, Python, Bash, YAML, Go, Assembly, JS/TS, CMake | | 语种 | 正文为葡萄牙语 (PT-BR)，代码为英语 | ## 已出版书籍 ### 1. 使用 C++17 进行 Security-Driven Development **内容：** - **基础**：SDD, Secure SDLC, Threat Modeling (STRIDE/PASTA/DREAD), 映射到 C++ 的 OWASP Top 10 + CWE Top 25 - **安全编码**：原则 (Saltzer & Schroeder), Memory Safety, Error Handling, Input Validation - **关键领域**：AuthN/AuthZ, 加密 (AES-GCM, ChaCha20-Poly1305, X25519, TLS 1.3, PQC), 网络, Database, API, 并发 - **验证**：SAST/DAST, Fuzzing (libFuzzer/AFL++), 渗透测试, Mutation Testing - **运营**：合规 (ASVS, SAMM, CERT, MISRA, ISO 27001, LGPD), Incident Response, Hardening, Supply Chain (SBOM, Sigstore, Reproducive Builds) **记录的真实案例**：Heartbleed, Shellshock, EternalBlue, Log4Shell, Spectre/Meltdown, SolarWinds, xz-utils backdoor, Qualcomm GPU UAF, Android Kernel, Samsung RKP, Equifax, Target, Stuxnet, Colonial Pipeline, LastPass 等。 [在线阅读](docs/book/INDICE.md) — 包含所有章节链接的完整目录。 ### 2. DevSecOps 实战 **内容：** - **安全流水线**：GitHub Actions, GitLab CI, Jenkins hardening, OIDC, secret management, artifact signing - **左移 (Shift-Left)**：IDE 集成, pre-commit hooks, CodeQL, Semgrep, 集成的 SAST/DAST/SCA - **容器与云**：Docker hardening, Kubernetes (Pod Security, RBAC, Network Policies, OPA/Gatekeeper, Falco), AWS/Azure/GCP security - **Supply Chain**：GitOps (ArgoCD/Flux), SLSA, Sigstore/Cosign, SBOM (SPDX/CycloneDX), xz-utils 事后分析 - **可观测性**：ELK/Wazuh, Prometheus/Grafana, Falco, threat hunting, MTTD/MTTR - **运营**：Incident response runbooks, rollback, chaos engineering, compliance as code (SOC 2, PCI DSS, LGPD/GDPR, CIS Benchmarks) **真实案例**：SolarWinds, Codecov, 3CX, xz-utils, Travis CI, Log4Shell, Capital One, Equifax, Target, Colonial Pipeline, Uber, Tesla K8s, Docker Hub crypto-miners。 [在线阅读](docs/devsecops/INDICE.md) — 包含所有章节链接的完整目录。 ### 3. C++ 恶意软件工程与分析 **内容：** - **基础**：PE/ELF/Mach-O parsing, x86/x64 assembly, calling conventions, syscalls, compiler artifacts - **工具**：IDA Pro (IDAPython), Ghidra (scripts), Radare2/Cutter, GDB/GEF/PEDA, x64dbg, WinDbg - **静态分析**：Strings (XOR/RC4), imports/exports, packer detection (UPX/Themida/VMProtect), entropy, YARA rules, IOC extraction - **动态分析**：API monitoring, C2 traffic analysis, sandbox automation (Cuckoo/CAPE), anti-sandbox evasion - **调试**：Breakpoints, memory dumping, anti-debug bypass, scripting (GDB Python, x64dbg) - **分类恶意软件**：Ransomware (WannaCry, NotPetya, Conti, LockBit, BlackCat), Rootkits/Bootkits (UEFI MoonBounce, BlackLotus), Exploits/Shellcode (EternalBlue, ROP chains), Network (C2, DGA) - **自动化**：Custom sandbox framework, batch analysis, MISP/STIX integration - **C++ 工具**：LIEF, entropy, compiler/packer detection, CFG, signature matching **记录的案例**：Stuxnet, WannaCry, NotPetya, Emotet, TrickBot, Cobalt Strike, Mirai, SolarWinds SUNBURST, BlackCat/ALPHV, LockBit, Conti, REvil, Ryuk, Cl0p, MoonBounce, BlackLotus, EternalBlue, Log4Shell, ProxyLogon, PrintNightmare, BlueKeep, Conficker, GameOver Zeus。 [在线阅读](docs/malware/INDICE.md) — 包含所有章节链接的完整目录。 ### 4. C++ 安全并发与并行 **内容：** - **基础**：C++ 内存模型 (memory_order, happens-before, data races), Threads 与同步 - **进阶**：Lock-Free 编程 (CAS, ABA, hazard pointers, RCU), Deadlocks/Livelocks/Starvation - **并行**：Thread pools, std::async, executors, std::execution (par_unseq), OpenMP - **优化**：False sharing, cache coherence (MESI), NUMA, concurrent containers - **异步**：Futures, promises, continuations, when_all, C++20 coroutines - **测试与调试**：ThreadSanitizer, model checking, stress testing, GDB, replay debugging - **异构计算**：SIMD (AVX), CUDA, SYCL, OpenCL **记录的 CVE**：CVE-2016-0728, CVE-2019-11135, CVE-2021-4034, CVE-2014-0160 (Heartbleed)。 [在线阅读](docs/concurrency/INDICE.md) — 包含所有章节链接的完整目录。 ### 5. C++ 密码工程 **内容：** - **基础**：加密原语，库 (OpenSSL 3.x, libsodium, Botan) - **常数时间 (Constant-Time)**：Timing attacks, cache-timing, C++17 技术汇编，汇编内部函数 - **侧信道攻击 (Side-Channel Attacks)**：Power analysis, EM emanation, cache attacks, Spectre/Meltdown, Hertzbleed, Downfall - **HSM 与硬件安全**：PKCS#11, cloud HSMs, TPM 2.0, Intel SGX, ARM TrustZone - **TLS 1.3**：Handshake protocol, key schedule, 0-RTT, OpenSSL 3.x implementation - **后量子 (Pós-Quântico)**：ML-KEM, ML-DSA, SLH-DSA, hybrid schemes, migration strategy - **密钥管理**：Key lifecycle, wrapping, threshold crypto, Vault/KMS 集成 - **高级密码学**：FHE, Zero-Knowledge Proofs, Formal Verification - **合规**：FIPS 140-3, Common Criteria, LGPD, GDPR, ICP-Brasil, PCI DSS **记录的 CVE**：Heartbleed, CVE-2008-0166, CVE-2019-1547, Lucky13, Minerva, ROCA, CVE-2019-11091, Spectre-BHB, Raccoon Attack, ROBOT Attack, CVE-2022-36760, CVE-2022-4304。 [在线阅读](docs/cryptography/INDICE.md) — 包含所有章节链接的完整目录。 ### 6. Web 安全开发 **内容：** - **基础**：HTTP security, CORS, CSP, Same-Origin Policy, TLS/HTTPS - **OWASP Top 10**：包含 CVE 和修复后代码的全部 10 个类别 - **注入 (Injection)**：SQL Injection, NoSQL, Command Injection, LDAP Injection - **客户端 (Client-Side)**：XSS (Reflected, Stored, DOM-based), CSRF, Clickjacking - **身份验证 (Authentication)**：Password storage (bcrypt, Argon2id), MFA, OAuth 2.0, JWT, WebAuthn - **API 安全**：REST, GraphQL, gRPC, rate limiting, OWASP API Security Top 10 - **JavaScript 安全**：CSP, Trusted Types, SRI, prototype pollution, Node.js security - **服务端 (Server-Side)**：Django, Flask, Express.js, Go 安全模式 - **容器与 DevSecOps**：Docker security, Kubernetes, CI/CD pipelines, SAST/DAST - **测试**：渗透测试方法论, Burp Suite, OWASP ZAP - **合规**：OWASP ASVS, PCI DSS, LGPD/GDPR, SOC 2 **记录的 CVE**：Log4Shell, MOVEit, Equifax (Apache Struts), Zerologon, Heartbleed, Spring4Shell, XZ Utils backdoor。 [在线阅读](docs/web/INDICE.md) — 包含所有章节链接的完整目录。 ### 7. 安全的 CMake 与构建系统 **内容：** - **CMake 基础**：Target model, properties, generator expressions, functions - **安全标志**：Stack protector, FORTIFY_SOURCE, PIE, RELRO, format strings - **Sanitizers**：ASan, TSan, UBSan, MSan — 在 CI/CD 中的配置与使用 - **二进制强化 (Hardening)**：RELRO, ASLR, strip, code signing, RPATH - **静态分析**：clang-tidy, cppcheck, Facebook Infer 集成 - **可重复构建**：Deterministic builds, SOURCE_DATE_EPOCH, Docker - **依赖管理**：安全的 find_package, FetchContent, vcpkg, Conan, lock files - **Supply Chain**：SBOM (SPDX/CycloneDX), Sigstore, Cosign, SLSA - **交叉编译**：Toolchains, sysroots, secure cross-builds - **测试**：CTest, GoogleTest, Catch2, fuzzing, coverage, benchmarking - **CI/CD**：GitHub Actions, GitLab CI, security gates, code signing - **最佳实践**：30 多种反模式, checklists, decision trees, templates **记录的 CVE**：CVE-2024-3094 (XZ Utils backdoor), CVE-2021-44228 (Log4Shell), CVE-2019-11091 (MDS)。 [在线阅读](docs/cmake-book/INDICE.md) — 包含所有章节链接的完整目录。 ## 下一部出版物 | 书籍 | 重点 | 状态 | |-------|------|--------| | **安全的 WebAssembly** | Wasm sandboxing, WASI, component model, memory safety, browser vs server security | 待发布 | ## 写给谁看 - **C++ 开发者**（中高级），希望实现安全设计的代码 - **安全工程师**，负责审计/审查原生代码 - **架构师与技术主管**，负责制定安全标准与流程 - **恶意软件分析师/威胁研究员**，从事逆向工程 - **DevOps / 平台工程师**，构建安全流水线 - **计算机科学/软件工程的高级学生** **前置条件**：C++17 (templates, RAII, smart pointers, atomics), Linux/WSL2, CMake, 现代编译器 (GCC 12+, Clang 16+, MSVC 2022+)。 ## 如何使用这些书籍 每本书都是**独立成卷**的，但针对不同读者的推荐阅读顺序如下： ``` Desenvolvedor: SDD (1-5) -> SDD (6-12) -> DevSecOps (1-4) -> DevSecOps (5-9) Eng. Seguranca: Malware (1-4) -> Malware (5-10) -> SDD (13-17) -> DevSecOps (10-17) DevOps/Platform: DevSecOps (1-9) -> DevSecOps (10-17) -> Malware (14-15) Arquiteto: SDD (1-3) -> DevSecOps (1-3) -> Malware (17) -> Todos os Cap 17 Concorrencia: SDD (1-3) -> Concorrencia (01-03) -> Concorrencia (04-10) -> Concorrencia (11-17) Criptografia: SDD (1-3) -> Criptografia (01-03) -> Criptografia (04-09) -> Criptografia (10-17) CMake: CMake (01-03) -> CMake (04-08) -> CMake (09-12) -> CMake (13-17) Web: SDD (1-3) -> Web (01-03) -> Web (04-10) -> Web (11-17) ``` ## 仓库结构 ``` DevSecurity/ ├── README.md # Este arquivo ├── CONTRIBUTING.md # Guia de contribuicao ├── PROXIMOS-PROJETOS.md # Roadmap e backlog ├── docs/ # GitHub Pages │ ├── index.md # Pagina inicial do site │ ├── book/ # Livro 1: Security-Driven Development (C++17) │ ├── devsecops/ # Livro 2: DevSecOps na Pratica (Multi-lang) │ ├── malware/ # Livro 3: Engenharia e Analise de Malware (C++17 + asm) │ ├── concurrency/ # Livro 4: Concorrencia e Paralelismo Seguro (C++17/20) │ ├── cryptography/ # Livro 5: Criptografia Engenheira em C++ (C++17) │ ├── web/ # Livro 6: Desenvolvimento Seguro na Web (JS/TS/Python/Go) │ ├── cmake-book/ # Livro 7: CMake Seguro e Build Systems (CMake + C/C++) │ ├── javascripts/ # Assets do site │ └── stylesheets/ # Assets do site ├── openspec/ # SDD artifacts ├── scripts/ # Scripts auxiliares └── .mimocode/ # Skills e commands ``` ## 许可证 **CC BY-NC-SA 4.0** — 分享、改编、请注明出处。商业使用需获得授权。 ## 作者 系统开发者，专注于原生软件安全、架构和可靠性工程 (SRE)。 如果这些资料对您有帮助，请在仓库点个 Star —— 这有助于其他开发者找到高质量的葡萄牙语内容。

标签：Bash脚本, C++, DevSecOps, TLS抓取, XML 请求, 上游代理, 子域名突变, 安全开发, 安全测试工具, 密码学, 应用安全, 开源书籍, 恶意代码分析, 手动系统调用, 数据擦除, 日志审计, 自动回退, 请求拦截, 软件安全, 逆向工具, 配置文件