Many friends have asked me about working in security development: what does the work actually involve, and which programming languages are used?
Today I will go through this topic in detail. I plan to start from the products that security companies develop, look at which products exist, and see which languages each of them uses.
The product research and development of security companies mainly focuses on the following things, discussed one by one below.
WAF (Web Application Firewall)
Database gateway
Firewall, IDS, IPS
NTA (Network Traffic Analysis)
SIEM (Security Information and Event Management: security incident analysis center, situational awareness, big data security analysis)
EDR (security software on terminal devices)
DLP (Data Leakage Prevention)
UBA (User Behavior Analysis)
Antivirus software
Security detection sandbox
WAF
WAF, short for Web Application Firewall, is a special firewall designed to protect the security of Web applications. It mainly defends against attacks such as SQL injection, XSS, CSRF, and CC (HTTP flood) attacks.
There are generally two genres of this type of product. One works on the underlying network traffic, and the other sits on an upper-layer web server such as nginx/openresty.
Products based on an underlying traffic analysis engine are mainly written in C/C++.
Products based on the nginx/openresty engine are mainly C/C++ plus Lua.
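To make the two WAF jobs mentioned above concrete, here is an added example (not code from the original post or from any WAF product) of the request-side logic in Python: signature inspection of query parameters after undoing nested URL encoding, and a sliding-window per-IP rate limit as the simplest CC/HTTP-flood control. The rule patterns, the IP addresses and the sample queries are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote_plus

# Signature rules are constructed for this example; production WAF rule sets are
# far larger and are tuned against false positives.
RULES: List[Tuple[str, re.Pattern]] = [
    ("sqli", re.compile(
        r"(?i)(\bunion\b\s+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*or\s*'|--\s*$|/\*.*?\*/)")),
    ("xss", re.compile(
        r"(?i)(<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover|focus)\s*=)")),
]


def normalize(value: str) -> str:
    """Undo nested URL encoding (a common evasion) and collapse whitespace so the
    signatures see the same text the application would."""
    decoded = unquote_plus(unquote_plus(value))
    return re.sub(r"\s+", " ", decoded).strip()


def inspect_query(query: str) -> List[Tuple[str, str]]:
    """Return (rule_name, parameter_name) pairs for every rule hit in a query string."""
    hits = []
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)
        for rule_name, pattern in RULES:
            if pattern.search(value):
                hits.append((rule_name, key))
    return hits


class RateLimiter:
    """Sliding-window request counter per client IP (the simplest CC/HTTP-flood control)."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self.seen: Dict[str, deque] = defaultdict(deque)

    def allow(self, client_ip: str, now: float) -> bool:
        stamps = self.seen[client_ip]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # drop requests that fell out of the window
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


def decide(client_ip: str, query: str, limiter: RateLimiter, now: float) -> str:
    """WAF decision for one request: rate check first, then signature inspection."""
    if not limiter.allow(client_ip, now):
        return "block:rate"
    hits = inspect_query(query)
    if hits:
        return "block:" + ",".join(sorted({rule for rule, _ in hits}))
    return "allow"


if __name__ == "__main__":
    limiter = RateLimiter(limit=5, window_seconds=1.0)
    # Constructed sample requests: a benign one, a single-encoded SQL probe,
    # and a double-encoded script tag that only shows up after normalisation.
    for q in ("id=42", "id=1%27%20OR%201%3D1", "q=%253Cscript%253Ealert(1)%253C/script%253E"):
        print(q, "->", decide("198.51.100.10", q, limiter, 0.0))
```

Two design points matter in practice: normalise before matching (a single-pass decoder misses the double-encoded case), and expect signature rules to produce false positives, which is why real products pair them with scoring and allow-lists rather than blocking on one regex hit.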
Database gateway
It is similar to a WAF, but what it protects is not web applications but databases.
After all, for most Internet companies the web server and the database are the two most important roles supporting their business, so guarding these two things is a must!
The database gateway is mainly responsible for defending against attacks on the database, detecting high-risk operations, and securely backing up data.
The programming languages used are mainly C/C++ and Java.
In the era of cloud computing, many companies run their business in the cloud. These cloud computing vendors have also launched their own security protection services, and the three components WAF, database gateway, and DDoS cloud shield are standard configurations.
Antivirus software
The most common security product, and the one ordinary people come into direct contact with, is antivirus software.
The main technologies involved are virus and Trojan analysis and driver development. The programming languages used are mainly C and C++.
NTA, firewall, IDS, IPS
NTA is short for network traffic analysis, IDS is intrusion detection system, and IPS is intrusion prevention system.
These are mainly security detection and defense products based on network traffic. They involve network packet capture, analysis of the captured packets, and related work.
Generally speaking, this type of product has particularly high performance requirements, because it usually needs to process very large volumes of traffic. Analyzing 10 Gbps (10 Gigabit Ethernet) traffic is a routine operation.
Therefore the bottom-level engine for packet capture, analysis and matching is almost always developed in C/C++.
SIEM
The full name of SIEM is Security Information and Event Management (a security information and event management center), which in many companies is more or less the same thing as the big data security analysis system or the situational awareness system.
Those flashy, futuristic-looking dashboards you see everywhere are usually this kind of product.
It is a security analysis platform that collects data generated by multiple parties (network traffic, logs, threat intelligence, sandbox detection results, etc.), performs correlation analysis on that data, and then determines whether there are security risks and generates security alerts.
Basically, many companies have a SIEM, but few do it well. To do it well, besides high-value data sources, there are very high requirements on the analysis algorithms and models, and it is difficult to find talent in this area.
This analysis work sits at the business layer and involves all kinds of processing. Among the products of major companies I have seen, Java development is the main one. After all, the big data ecosystem behind Java is a big advantage, and data mining and correlation analysis are closely tied to it.
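The correlation step described above (collect events from several sources, relate them, score the result, emit an alert) is the part of a SIEM that is easiest to misunderstand, so here is an added example in Python; it is not code from the post or from any SIEM product, and the events, the threat-intel entry, the rule weights and the severity thresholds are all constructed for the example. It shows a sequence rule (failed logins followed by a success), an enrichment rule (threat-intel match) and a pass-through rule (IDS signature), aggregated per source IP.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample events, already normalised into one schema (a real SIEM does
# that normalisation in its collectors). IP addresses are documentation ranges.
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "source": "auth", "ip": "203.0.113.7", "type": "login_failed", "user": "alice"},
    {"ts": "2024-05-01T09:00:09", "source": "auth", "ip": "203.0.113.7", "type": "login_failed", "user": "alice"},
    {"ts": "2024-05-01T09:00:14", "source": "auth", "ip": "203.0.113.7", "type": "login_failed", "user": "alice"},
    {"ts": "2024-05-01T09:00:20", "source": "auth", "ip": "203.0.113.7", "type": "login_ok", "user": "alice"},
    {"ts": "2024-05-01T09:01:00", "source": "ids", "ip": "203.0.113.7", "type": "signature", "sig": "port scan"},
    {"ts": "2024-05-01T09:30:00", "source": "auth", "ip": "198.51.100.9", "type": "login_ok", "user": "bob"},
]
THREAT_INTEL: Set[str] = {"203.0.113.7"}  # constructed indicator feed


def parse(events: Iterable[dict]) -> List[dict]:
    """Convert timestamps and sort, so rules can reason about order and time windows."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def rule_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Sequence rule: N failed logins then a success for the same (ip, user) inside the window."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        if e["source"] != "auth":
            continue
        key = (e["ip"], e["user"])
        if e["type"] == "login_failed":
            failures[key].append(e["ts"])
        elif e["type"] == "login_ok":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "ip": e["ip"], "score": 70})
            failures[key].clear()  # a success resets the failure streak
    return alerts


def rule_intel(events, intel):
    """Enrichment rule: any event whose source IP appears in the threat-intel feed."""
    flagged = {e["ip"] for e in events if e["ip"] in intel}
    return [{"rule": "threat_intel_match", "ip": ip, "score": 40} for ip in sorted(flagged)]


def rule_ids(events):
    """Pass-through rule: IDS signature hits carry their own weight."""
    return [{"rule": "ids_" + e["sig"].replace(" ", "_"), "ip": e["ip"], "score": 30}
            for e in events if e["source"] == "ids"]


def correlate(raw_events, intel) -> Dict[str, dict]:
    """Run all rules, then aggregate per source IP into one scored, severity-rated alert."""
    events = parse(raw_events)
    alerts = rule_bruteforce(events) + rule_intel(events, intel) + rule_ids(events)
    per_ip = defaultdict(lambda: {"score": 0, "rules": []})
    for a in alerts:
        per_ip[a["ip"]]["score"] += a["score"]
        per_ip[a["ip"]]["rules"].append(a["rule"])
    for summary in per_ip.values():
        s = summary["score"]
        summary["severity"] = "critical" if s >= 100 else "high" if s >= 60 else "medium"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, summary in correlate(EVENTS, THREAT_INTEL).items():
        print(ip, summary)
```

The point the post makes about data quality shows up directly here: the brute-force rule is only as good as the auth log's timestamps and user fields, and the intel rule is only as good as the feed, which is why the hard part of a SIEM is the data and the models rather than the plumbing.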
EDR
The full name is Endpoint Detection and Response (terminal security detection and response system), which is a set of software running on terminal devices.
In fact, it is very similar to our common antivirus software. In addition to basic security defense functions that protect the host from attacks, it also reports what happens on the host to the SIEM for security analysis.
Like antivirus software, EDR is developed in C/C++.
UBA
The full name is user behavior analysis: a system that analyzes user behavior based on the data generated by products such as EDR and NTA.
To put it simply, based on the collected behavior of employees (computer operations, Internet traffic, etc.), this thing can determine whether a user's behavior is abnormal and whether something is wrong.
For example, if a user's WeChat-related IPs generate a lot of traffic during working hours, it is quite likely to conclude that this person often chats and slacks off at work~
This system is a pure back-end system, and is generally developed in Java.
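The working-hours chat example above is a baseline-and-deviation problem: the system does not need a fixed threshold, it needs to know what is normal for that user. As an added illustration (in Python rather than the Java the post names, and not code from the post or from any UBA product), this block aggregates flow records into per-user daily chat volume during working hours and flags the latest day against the user's own history with a z-score. The flow records, the working-hours policy, the destination classes and the threshold are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

WORK_HOURS = range(9, 18)  # constructed policy: 09:00-17:59, Monday to Friday


def make_flows() -> List[Tuple[str, str, str, int]]:
    """Build constructed flow records (user, timestamp, destination class, bytes)
    for five working days (2024-05-06 to 2024-05-10, Monday to Friday).
    alice's working-hours chat traffic explodes on the last day; bob's stays flat."""
    chat_bytes_per_day = {
        "alice": [1_000_000, 1_200_000, 900_000, 1_100_000, 25_000_000],
        "bob": [500_000, 600_000, 400_000, 500_000, 550_000],
    }
    flows = []
    for user, volumes in chat_bytes_per_day.items():
        for i, volume in enumerate(volumes):
            day = f"2024-05-{6 + i:02d}"
            flows.append((user, f"{day}T10:30:00", "chat", volume))
            flows.append((user, f"{day}T20:00:00", "chat", 3_000_000))  # evening: off-hours, ignored
            flows.append((user, f"{day}T11:00:00", "intranet", 50_000_000))  # work traffic, ignored
    return flows


def work_hour_chat_bytes(flows) -> Dict[str, Dict[str, int]]:
    """Aggregate chat-destination bytes per user per working day, keyed by ISO date."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, ts, dest, nbytes in flows:
        t = datetime.fromisoformat(ts)
        if dest == "chat" and t.hour in WORK_HOURS and t.weekday() < 5:
            totals[user][t.date().isoformat()] += nbytes
    return {u: dict(d) for u, d in totals.items()}


def find_anomalies(totals, min_history=3, z_threshold=3.0) -> Dict[str, dict]:
    """Compare each user's latest day against that user's own baseline (population z-score)."""
    findings = {}
    for user, by_day in totals.items():
        days = sorted(by_day)
        history = [by_day[d] for d in days[:-1]]
        latest = by_day[days[-1]]
        if len(history) < min_history:
            continue  # not enough baseline to judge this user yet
        mean = statistics.mean(history)
        spread = statistics.pstdev(history) or 1.0  # flat baseline: avoid divide-by-zero
        z = (latest - mean) / spread
        findings[user] = {"day": days[-1], "z": round(z, 1), "anomalous": z > z_threshold}
    return findings


if __name__ == "__main__":
    for user, finding in find_anomalies(work_hour_chat_bytes(make_flows())).items():
        print(user, finding)
```

A per-user baseline is what keeps this from flagging everyone who chats a little: bob's last day is within his own normal range even though it is higher than his average, while alice's is far outside hers.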
DLP
The full name is data leakage prevention, and it is also a set of software running on terminal devices. Of course, some products are not on the terminal but take the form of a gateway.
Unlike antivirus software and EDR, the main function of DLP is to prevent data leaking from the host. It is generally used in more sensitive organizations, where the data on employees' computers is important and theft of secrets must be prevented.
The main technologies involved are driver development and traffic analysis, and the programming language used is again C/C++.
Security detection sandbox
In addition to the traditional static analysis engine based on signatures and rules, dynamic analysis is another important complement for analyzing viruses, Trojans and exploits. Within dynamic analysis, sandbox analysis is the main representative.
The so-called sandbox is a virtual execution environment: the target to be analyzed is thrown into it, and its behavior is observed and recorded in order to determine its threat level.
The technologies used in a sandbox mainly include kernel driver development, virtualization technology, and a back-end service system.
The analysis engine at the bottom layer is mainly developed in C/C++, and the security analysis at the upper layer is mainly Python.
Summary
The above are some common products in the security industry.
As for programming languages, C/C++ is the mainstream, and terminal-side products in particular are C/C++ without exception.
For back-end security systems, scenarios with high performance requirements such as traffic analysis are generally C/C++. Where data correlation analysis is involved, Java is more common.
In addition, some small back-end services are also developed in Python.
Basically, C/C++, Java, and Python are the three mainstream technology stacks in the field of security development.
Finally, my knowledge is limited and this list may not be comprehensive. Additions are welcome.
Friends who like this can like and follow. I have also prepared a collection of security development materials.
Friends who need it can click the portal below to pick it up.