Alibaba Cloud Security Vulnerability Remediation

Companies are rapidly using the cloud to drive their digital transformations. According to Gartner, the global market for cloud computing is estimated to grow to $266.4 billion by 2020, up from $227.4 billion in 2019.

There are several benefits of cloud computing including potential lower cost (with more capabilities in the public cloud that could aid productivity versus more limited capabilities in private clouds) and faster time to market.

However, with the array of benefits that the cloud offers, data security is amongst the key concerns holding back enterprises from adopting cloud solutions. To back this up, a survey found that 93% of companies are moderately to extremely concerned about cloud computing security risks.

Cloud infrastructure can be complex, and we all know that complexity is the enemy of security. While most cloud security experts agree that companies can benefit from the security solutions built into the cloud, organizations can also make grave errors and expose critical data and systems.

Some of the most common cloud security risks include unauthorized access through improper access controls and the misuse of employee credentials. Unauthorized access and insecure APIs are tied for the number one spot as the single biggest perceived security vulnerability in the cloud (according to 42% of respondents). These security risks are followed by misconfigurations in the cloud at 40%.

How can companies gain the benefits of cloud computing technology while still maintaining data security?

There are several preventive measures that companies can adopt to prevent cloud security vulnerabilities in their early stages. This ranges from simple cloud security solutions such as implementing multi-factor authentication to more complex security controls for compliance with regulatory mandates.

Top 7 Cloud Computing Security Vulnerabilities and Ways to Mitigate Them

In this article, we will take a comprehensive look at the top 7 cloud computing security vulnerabilities and how to mitigate them.

1. Misconfigured Cloud Storage

Cloud storage is a rich source of stolen data for cybercriminals. Despite the high stakes, organizations continue to make the mistake of misconfiguration of cloud storage which has cost many companies greatly.

According to a report by Symantec, nearly 70 million records were stolen or leaked in 2018 due to misconfigured cloud storage buckets. The report also highlighted the emergence of various tools that allow attackers to detect misconfigured cloud storage to target.

Cloud storage misconfiguration can quickly escalate into a major cloud security breach for an organization and its customers. There are several types of cloud misconfigurations that enterprises encounter. Some types of misconfigurations include:

  • AWS security group misconfiguration: AWS security groups are responsible for providing security at the source, destination, port and protocol access levels. These can be associated with EC2 server instances and many other resources. A misconfiguration in the AWS security groups can allow an attacker to access your cloud-based servers and exfiltrate data.

  • Lack of access restrictions: Inadequate restrictions or safeguards in place to prevent unauthorized access to your cloud infrastructure can put your enterprise at risk. Insecure cloud storage buckets can result in attackers gaining access to data stored in the cloud and downloading confidential data, which can have devastating consequences for your organization. AWS initially had S3 buckets open by default and this led to a plethora of data breaches.

How to Prevent Misconfigured Cloud Storage

When it comes to cloud computing, it’s always a good idea to double-check cloud storage security configurations upon setting up a cloud server. While this may seem obvious, it can easily get overlooked by other activities such as moving data into the cloud without paying attention to its safety.

You can also use specialized tools to check cloud storage security configurations. These cloud security tools can help you check the state of security configurations on a schedule and identify vulnerabilities before it’s too late.

Control who can create and configure cloud resources. Many cloud computing issues have come from people who want to move into the cloud without understanding how to secure their data.
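
The two misconfigurations described above (a security group that exposes an administrative port to the whole internet, and a storage bucket policy that grants access to anonymous principals) can be checked mechanically. The following is an added example, not code from the article or from any cloud provider's tooling: it runs offline over constructed sample data shaped like the `IpPermissions` field of `aws ec2 describe-security-groups` and like an S3 bucket policy document. The group id, account id and bucket name are placeholders, and the list of sensitive ports is an assumption you would tune for your environment.

```python
"""Offline check for a world-open security group rule and a public bucket
policy. All data here is constructed for this example; the group id,
account id and bucket name are placeholders, not values from a real account.
"""
import ipaddress
import json

# Ports whose exposure to 0.0.0.0/0 or ::/0 is almost never intended (assumed list).
SENSITIVE_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql",
    5432: "postgres", 6379: "redis", 27017: "mongodb",
}

# Shape follows the IpPermissions field of `aws ec2 describe-security-groups`.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # intended: public HTTPS
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # the mistake: SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},         # fine: database reachable from the VPC only
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},     # all ports, but only from an office range
    ],
}

SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},  # placeholder account
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0, the only ranges with a zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_ingress(group):
    """Return (port, service, cidr) for each sensitive port reachable from a
    world-open range. IpProtocol "-1" means every port and protocol."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [c for c in cidrs if is_world_open(c)]
        if not world:
            continue
        if perm.get("IpProtocol") == "-1":
            low, high = 0, 65535
        else:
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for port, service in SENSITIVE_PORTS.items():
            if low <= port <= high:
                findings.extend((port, service, c) for c in world)
    return sorted(findings)


def principal_is_anonymous(principal):
    """A policy principal may be the string "*" or {"AWS": "*"} / {"AWS": [...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_json):
    """Sids of Allow statements granted to anonymous principals. Statements that
    carry a Condition are skipped: they need a human verdict, not an automatic one."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    return [s.get("Sid", "<no sid>") for s in statements
            if s.get("Effect") == "Allow"
            and principal_is_anonymous(s.get("Principal"))
            and "Condition" not in s]


if __name__ == "__main__":
    for port, service, cidr in find_open_ingress(SAMPLE_SECURITY_GROUP):
        print(f"{SAMPLE_SECURITY_GROUP['GroupId']}: {service} ({port}/tcp) open to {cidr}")
    for sid in public_statements(SAMPLE_BUCKET_POLICY):
        print(f"bucket policy statement {sid!r} grants access to anonymous principals")
```

Run on a schedule against exported configuration, a check like this catches the SSH rule and the `PublicRead` statement while leaving the intended public HTTPS rule alone; conditional public statements are deliberately left for review rather than auto-flagged.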

2. Insecure APIs

Application programming interfaces (APIs) are intended to streamline cloud computing processes. However, if left insecure, APIs open lines of communication that attackers can use to reach cloud resources.

Gartner estimates that by 2022, APIs will be the threat vector used more frequently by attackers to target enterprise application data.

A recent study also revealed that two-thirds of enterprises expose their APIs to the public so that external developers and business partners can access software platforms.

The study also indicated that an organization typically handles an average of 363 APIs, and nearly 61% of companies reported their business strategies rely on API integration.

With increasing dependence on APIs, attackers have found common ways to exploit insecure APIs for malicious activities. Two examples follow:

  • Inadequate authentication: Often developers create APIs without proper authentication controls. As a result, these APIs are completely open to the internet and anyone can use them to access enterprise data and systems.

  • Insufficient authorization: Too many developers do not think attackers will see backend API calls and don’t put appropriate authorization controls in place. If this is not done, compromise of backend data is trivial.

How to Prevent Insecure APIs

Encourage developers to design APIs with strong authentication, encryption, activity monitoring, and access control. APIs must be secured.

Conduct penetration tests that replicate an external attack targeting your API endpoints and get a secure code review as well. It is best to ensure you have a secure software development lifecycle (SDLC) to ensure you continually develop secure applications and APIs.

Also, use SSL/TLS encryption for data in transit. Implement multi-factor authentication with schemes such as one-time passwords, digital identities, etc. to ensure strong authentication controls.
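
The two API weaknesses named above, missing authentication and missing authorization, are easiest to see side by side on one endpoint. The following is an added example, not code from the article: a framework-free "fetch invoice" handler in its vulnerable form and in a hardened form that authenticates the caller and then checks that the caller owns the requested object. The invoice records, the bearer tokens and the token-to-customer lookup are constructed for the example; a real service would validate a signed token or a session rather than a dictionary.

```python
"""One endpoint, two versions: no authentication or authorization (vulnerable)
versus authenticate-then-authorize (hardened). All data is constructed.
"""
import hmac

# Constructed records: invoice id -> owning customer id and payload.
INVOICES = {
    "inv-1001": {"owner": "cust-a", "amount": 120.0},
    "inv-1002": {"owner": "cust-b", "amount": 980.5},
}

# Constructed bearer tokens -> authenticated customer id. In a real service
# this is a signed-token check or a session-store lookup, not a dict.
TOKENS = {
    "tok-alpha-secret": "cust-a",
    "tok-bravo-secret": "cust-b",
}


def insecure_get_invoice(request):
    """Vulnerable form: no authentication and no ownership check, so anyone
    who knows or guesses an invoice id can read any customer's invoice."""
    invoice = INVOICES.get(request["params"]["id"])
    if invoice is None:
        return 404, {"error": "not found"}
    return 200, invoice


def authenticate(headers):
    """Return the customer id for a valid 'Authorization: Bearer ...' header,
    or None. compare_digest avoids leaking token bytes through timing."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, customer in TOKENS.items():
        if hmac.compare_digest(presented, token):
            return customer
    return None


def secure_get_invoice(request):
    """Hardened form: authenticate first, then authorize the specific object.
    A foreign id returns 404 rather than 403, so the endpoint does not
    confirm which ids exist to a caller who does not own them."""
    customer = authenticate(request.get("headers", {}))
    if customer is None:
        return 401, {"error": "authentication required"}
    invoice = INVOICES.get(request["params"]["id"])
    if invoice is None or invoice["owner"] != customer:
        return 404, {"error": "not found"}
    return 200, invoice


if __name__ == "__main__":
    anonymous = {"params": {"id": "inv-1002"}}
    as_alpha = {"headers": {"Authorization": "Bearer tok-alpha-secret"},
                "params": {"id": "inv-1002"}}
    print("insecure, anonymous:", insecure_get_invoice(anonymous))   # leaks cust-b's invoice
    print("secure, anonymous:  ", secure_get_invoice(anonymous))     # 401
    print("secure, wrong owner:", secure_get_invoice(as_alpha))      # 404
```

The ordering matters: authentication establishes who is calling, authorization decides whether that caller may touch this particular record, and the hardened handler does both before returning data. Logging the 401 and 404 outcomes per token gives the activity monitoring the article recommends a signal for id enumeration.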

3. Loss or Theft of Intellectual Property

Intellectual property (IP) is undeniably one of the most valuable assets of an organization, and it is also vulnerable to security threats, especially if the data is stored online.

An analysis found that almost 21% of files uploaded to cloud-based file-sharing services contain sensitive information including IP. When these cloud services are breached, attackers can gain access to sensitive information stored in them.

For many organizations, the IP is the data they own and data loss means they lose their IP. Let’s take a look at the most common causes of data loss:

  • Data alteration: When data is altered in a way and it cannot be restored to its previous state, it can result in loss of complete data integrity and might render it useless.

  • Data deletion: An attacker could delete sensitive data from a cloud service which obviously poses a severe data security threat to an organization’s operations.

  • Loss of access: Attackers can hold information for ransom (ransomware attack) or encrypt data with strong encryption keys until they execute their malicious activities.

Therefore, it’s essential to take preventive measures to safeguard your intellectual property and data in a cloud environment.

How to Prevent Loss or Theft of Intellectual Property

Frequent backups are one of the most effective ways to prevent loss or theft of intellectual property. Set a schedule for regular backups and clear delineation of what data is eligible for backups and what is not. Consider using data loss prevention (DLP) software to detect and prevent unauthorized movement of sensitive data.

Another solution to prevent loss or theft of data is to encrypt your data and geo-diversify your backups. Having offline backups is also very important, especially with ransomware.

4. Compliance Violations and Regulatory Actions

Enterprises must have steadfast rules to determine who can access which data and what they can do with it.

While the cloud offers the benefit of ease of access, it also poses a security risk as it can be difficult to keep track of who can access the information in the cloud. Under compliance or industry regulations, it is important for organizations to know the details about their data storage and access control.

Moving your applications to the public cloud certainly doesn’t guarantee regulatory compliance and usually makes compliance more difficult. Under the “shared responsibility model” offered by service providers, the provider is responsible for the security of the cloud itself, while you remain responsible for the security of your data in the cloud.

Privacy mandates such as CCPA, PCI-DSS, and GDPR all apply to cloud computing and if your company manages a lot of sensitive data such as PII (personally identifiable information), moving to cloud computing could make compliance more of an issue.

How to Prevent Compliance Violations and Regulatory Actions

The first and foremost step for compliance in the cloud is to thoroughly analyze the cloud service agreement and ask for cloud and data security policies from your service provider.

It’s worth noting that the responsibilities for maintaining cloud security will depend on the cloud service level, whether it is infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS). This will influence the security and ownership responsibility for both your cloud provider and organization.

Make sure you implement a model for access management where you can see the record of what systems are deployed and their cloud security levels. Here are some quick tips:

  • Know all of your users, roles, and access permissions.
  • Have a clear identity for, and be able to track, all assets across all geographic locations, and control what data can be stored where.
  • Maintain strong configuration management with frequent and automated scanning of templates.

Implement an incident response plan for violations related to cloud computing. This way, you can quickly identify and mitigate security vulnerabilities in case a cloud data breach occurs, or a vulnerability is exposed to attackers. The response strategy should be well documented and approved within your organization’s overall incident response plan.

5. Loss of Control Over End-User Actions

When companies are not aware of how their employees are using cloud computing services, they could lose control of their data assets and ultimately become vulnerable to breaches and insider security threats.

Insiders don’t have to break through virtual private networks (VPNs), firewalls, or other security defenses to gain access to the internal data in the cloud of an enterprise. They can directly access sensitive data in the cloud infrastructure without much hassle.

This can lead to the loss of intellectual property and proprietary information which has clear implications for the organization.

Dealing with loss of control over end-user actions requires surveillance, monitoring, escalation, post-incident analysis, remediation, investigation, and incident response, all of which should be integrated into the company’s data security plan.

How to Prevent Loss of Control Over End-User Actions

Provide training to your employees to teach them how to handle security vulnerabilities, such as phishing and malware. Educate them about cloud computing and how to protect confidential information they carry outside the organization on their mobile devices or laptops. Inform them of the repercussions related to malicious activities.

Routinely audit servers in the cloud infrastructure to identify data security vulnerabilities that could be exploited and fix them in a timely manner.

Focus on approved hardened images that are scanned routinely for security risks and vulnerabilities. Then deploy new servers from these images and continually scan for proper configuration and to detect vulnerabilities. Focus on “cattle not pets”. If a server is vulnerable or out of compliance, don’t repair it, replace it with an approved hardened image.

Ensure that privileged central servers and access security systems are limited to a minimum number of people, and that those employees have adequate training to securely handle their administrative rights in the cloud server.

6. Poor Access Management

Improper access management is perhaps the most common cloud computing security risk. In breaches involving web applications, stolen or lost credentials have been the most widely used tool by attackers for several years.

Access management ensures that individuals can perform only the tasks they need to perform. The process of verifying what an individual has access to is known as authorization.

In addition to standard access management issues plaguing organizations today, such as managing a distributed workforce and user password fatigue, there are several other cloud-specific challenges that organizations face, including the following:

  • Inactive assigned users
  • Multiple administrator accounts
  • Improper user and service provisioning and deprovisioning, for instance companies not revoking the access permissions of former employees
  • Users bypassing enterprise access management controls

Furthermore, the creation of roles and management of access privileges within the cloud infrastructure can also be challenging for enterprises.

How to Prevent Poor Access Management

To combat poor access management in cloud services, enterprises need to develop a data governance framework for user accounts. For all human users, accounts should be linked directly to the central directory services, such as Active Directory, which is responsible for provisioning, monitoring, and revoking access privileges from a centralized store.

Additionally, enterprises should use cloud-native or third-party tools to regularly pull lists of roles, privileges, users, and groups from cloud service environments. AWS Command Line Interface and PowerShell for Azure can collect this type of data, and then the security team can sort, store, and analyze it.

Organizations should also ensure logging and event monitoring mechanisms are in place in cloud environments to detect unusual activity or unauthorized changes. Access keys should be tightly controlled and managed to avoid poor data handling or leakage.
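
Once the lists of users, roles and keys have been pulled from the cloud environment, the review the article describes (inactive users, multiple administrator accounts, unrevoked access) can be scripted. The following is an added example, not code from the article or from any provider's CLI: it runs offline over a constructed user export whose field names are assumptions (a real credential report or `aws iam` / Azure PowerShell output is shaped differently), with `AdministratorAccess` and `ReadOnlyAccess` standing in for whatever your environment's privileged and read-only policies are, and 90-day idle and rotation thresholds chosen for illustration.

```python
"""Offline review of an exported user list for inactive users, multiple
administrator accounts, and access keys that were never used or never rotated.
The export format, policy names and thresholds are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the review is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

SAMPLE_USERS = [
    {"user": "alice", "policies": ["ReadOnlyAccess"],
     "last_activity": "2024-05-30T08:00:00Z", "keys": []},
    {"user": "bob-contractor", "policies": ["AdministratorAccess"],
     "last_activity": "2023-11-02T10:15:00Z",          # contract ended, access never revoked
     "keys": [{"id": "KEY-B1", "created": "2023-01-15T00:00:00Z", "last_used": None}]},
    {"user": "carol", "policies": ["AdministratorAccess"],
     "last_activity": "2024-05-28T17:45:00Z",
     "keys": [{"id": "KEY-C1", "created": "2024-05-01T00:00:00Z",
               "last_used": "2024-05-31T09:00:00Z"}]},
    {"user": "svc-deploy", "policies": ["DeployPipeline"],
     "last_activity": None,                             # service account: activity shows only through its key
     "keys": [{"id": "KEY-S1", "created": "2024-03-01T00:00:00Z",
               "last_used": "2024-05-31T23:00:00Z"}]},
]


def parse_ts(value):
    """ISO-8601 with a trailing Z -> aware datetime; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_seen(user):
    """Most recent of console activity and any key use, or None if never seen."""
    stamps = [parse_ts(user.get("last_activity"))]
    stamps += [parse_ts(k.get("last_used")) for k in user.get("keys", [])]
    stamps = [t for t in stamps if t is not None]
    return max(stamps) if stamps else None


def inactive_users(users, now=NOW, max_idle_days=90):
    """Users with no activity inside the idle window (never-seen users count as inactive)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u["user"] for u in users if (last_seen(u) or EPOCH) < cutoff)


def admin_users(users):
    return sorted(u["user"] for u in users if "AdministratorAccess" in u.get("policies", []))


def stale_keys(users, now=NOW, max_age_days=90):
    """(user, key id, reason) for keys older than the rotation window."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for u in users:
        for key in u.get("keys", []):
            if parse_ts(key["created"]) >= cutoff:
                continue
            reason = "never used" if key.get("last_used") is None else f"older than {max_age_days} days"
            findings.append((u["user"], key["id"], reason))
    return findings


def review(users, now=NOW):
    admins = admin_users(users)
    return {
        "inactive": inactive_users(users, now),
        "admins": admins,
        "too_many_admins": len(admins) > 1,
        "stale_keys": stale_keys(users, now),
    }


if __name__ == "__main__":
    for section, value in review(SAMPLE_USERS).items():
        print(f"{section}: {value}")
```

On the sample data the review flags the departed contractor as inactive and still holding administrator rights with an unused key, a second administrator account, and a service-account key that has outlived the rotation window; each of those maps to one of the cloud-specific challenges listed above and is something the central directory should have caught at deprovisioning time.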

7. Contractual Breaches with Customers or Business Partners

Contracts in cloud computing are somewhat tricky. They often restrict who is authorized to access the data, how it can be used, and where and how it can be stored. When employees move restricted data into the cloud without authorization, the business contracts may be violated and legal action could ensue.

For instance, if your cloud service provider maintains the right to share all data uploaded to the cloud with third parties under their terms and conditions, they are breaching a confidentiality agreement with your company.

This could lead to leakage of data from your customers, employees, and other stakeholders that may have been uploaded to the cloud.

How to Prevent Contractual Breaches with Customers or Business Partners

The cloud service contract should include the rights to review, monitor, and audit reports. This way, any security risk can be identified at an early stage before it becomes an issue. Companies should also ensure that they are not locked into a service contract and switching vendors can be a smooth exercise.

This means that the service contract should include service termination rights for the business (for example, change of control, service deterioration, regulatory requirements, security/confidentiality breach, etc.).

The service contract should also highlight the intellectual property risk, as cloud services may include the use of IP or other software rights under a license agreement. The organization could then be dragged into a legal dispute if a third party claims infringement against the cloud service provider.

Final Thoughts

Companies operating in the cloud take a large but preventable risk if they do not work to mitigate the risks that come with it. Businesses must have strong cloud security policies that are well integrated into the IT processes that teams use to build applications and deploy them in the cloud infrastructure.

The adoption of cloud computing has transformed the way both companies and hackers work. It has brought a gamut of opportunities as well as a whole new set of cloud security risks. Enterprises need to continuously address cloud security risks and challenges while adopting the right security tools to help make the operational work easier.

Cypress Data Defense’s cloud security solution integrates the latest security technologies with your cloud infrastructure. With the right technology, cloud security experts, and forethought, companies can leverage the benefits of cloud computing.

About the Author:

Steve Kosten is a Principal Security Consultant at Cypress Data Defense and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course.

Translated from: https://towardsdatascience.com/7-cloud-computing-security-vulnerabilities-and-what-to-do-about-them-e061bbe0faee
