Vulnerability analysis and secure development. Part 1

As part of their professional work, developers, pentesters and security specialists have to deal with processes such as Vulnerability Management (VM) and (Secure) SDLC.
Behind these terms lie different sets of practices and tools that are used in combination, although their users differ.

Technological progress has not yet reached the point where a single tool could replace a human in assessing the security of infrastructure and software.
It is interesting to understand why this is so and what problems one runs into.

Processes

The Vulnerability Management process is intended for continuous monitoring of infrastructure security and for patch management.
The Secure SDLC process ("secure development cycle") is intended to maintain application security during development and operation.

A common part of both processes is Vulnerability Assessment: the assessment of, and scanning for, vulnerabilities.
The main difference between scanning within VM and within the SDLC is that in the first case the goal is to find known vulnerabilities in third-party software or in the configuration, for example an outdated version of Windows or the default community string for SNMP.
In the second case, the goal is to find vulnerabilities not only in third-party components (dependencies) but, above all, in the code of the new product.

This gives rise to differences in tools and approaches. In my opinion, the task of finding new vulnerabilities in an application is far more interesting, since it does not boil down to fingerprinting versions, collecting banners, brute-forcing passwords, and so on.
High-quality automated scanning for application vulnerabilities requires algorithms that take into account the semantics of the application, its purpose, and the threats specific to it.

An infrastructure scanner can often be replaced with a timer, as avleonov put it. The point is that, purely statistically, you can consider your infrastructure vulnerable if you have not updated it for, say, a month.

Tools

Scanning, like security analysis in general, can be performed using black box or white box methods.

Black Box

In blackbox scanning, the tool must be able to work with the service through the same interfaces that its users work through.

Infrastructure scanners (Tenable Nessus, Qualys, MaxPatrol, Rapid7 Nexpose and others) search for known vulnerabilities in this way. They also try to detect configuration errors such as default passwords or publicly exposed data, weak SSL ciphers, and so on.

Web application scanners (Acunetix WVS, Netsparker, Burp Suite, OWASP ZAP and others) can also detect known components and their versions (for example, a CMS, frameworks, JS libraries). The main stages of such a scanner are crawling and fuzzing.
During crawling, the scanner collects information about the application's existing interfaces and HTTP parameters. During fuzzing, mutated or generated data is substituted into every detected parameter in order to provoke an error and thereby detect a vulnerability.

Such scanners belong to the DAST and IAST classes: Dynamic and Interactive Application Security Testing, respectively.

White Box

There are more differences in white box scanning.
Within the VM process, scanners (Vulners, Incsecurity Couch, Vuls, Tenable Nessus, etc.) are often given access to the systems themselves by performing an authenticated scan. The scanner can then read the installed package versions and configuration parameters directly from the system, rather than guessing them from network service banners.
The scan is more accurate and more complete as a result.
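The following is an added example, not code from the article or from any of the scanners it names, showing why reading versions from the host beats guessing them from a banner. The package inventory, the banner, the advisory records and their placeholder identifiers are all constructed for the example; the version ordering is a simplified one and does not implement the full dpkg or rpm rules (epochs and the "~" rule are left out).

```python
import re

# Constructed inventory, as an authenticated scan would read it from the host
# itself (e.g. the output of "dpkg-query -W"); not data from the article.
INSTALLED = {
    "nginx": "1.18.0-6.1+deb11u3",
    "openssl": "1.1.1k-1",
}

# Constructed banner for the same host, as an unauthenticated scan sees it
# (e.g. an HTTP "Server:" header). The distribution revision is missing.
BANNERS = {
    "nginx": "1.18.0",
}

# Constructed knowledge base with placeholder identifiers (not real advisories).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "nginx", "fixed_in": "1.18.0-6.1+deb11u2", "severity": "medium"},
    {"id": "ADV-EXAMPLE-2", "package": "openssl", "fixed_in": "1.1.1n-1", "severity": "high"},
]

TOKEN = re.compile(r"\d+|[A-Za-z]+|[^A-Za-z\d]+")


def version_tokens(version):
    """Split '1.1.1k-1' into [1, '.', 1, '.', 1, 'k', '-', 1]."""
    return [int(t) if t.isdigit() else t for t in TOKEN.findall(version)]


def compare_versions(a, b):
    """Return -1, 0 or 1. Simplified ordering: compares alternating numeric and
    non-numeric runs; a version that is a prefix of another sorts lower
    (1.1.1 < 1.1.1k, 1.18.0 < 1.18.0-6). Epochs and '~' are not modelled."""
    ta, tb = version_tokens(a), version_tokens(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return -1 if isinstance(x, int) else 1  # numbers sort below letters
        return -1 if x < y else 1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def findings(package, version, advisories):
    """Advisories whose fix version is newer than what is present."""
    return [a for a in advisories
            if a["package"] == package and compare_versions(version, a["fixed_in"]) < 0]


def assess(inventory, advisories):
    """Map each package in the inventory to the advisory ids it is affected by."""
    return {pkg: [a["id"] for a in findings(pkg, ver, advisories)]
            for pkg, ver in inventory.items()}


if __name__ == "__main__":
    # The banner-based check flags nginx although the distribution backported
    # the fix in revision deb11u2; the authenticated check does not.
    print("from banner   :", assess(BANNERS, ADVISORIES))
    print("from the host :", assess(INSTALLED, ADVISORIES))
```

The nginx case is the one that matters: the banner carries only the upstream version, so a comparison against the fixed distribution revision produces a false positive that the authenticated scan avoids, while the openssl finding is reported either way.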

When we talk about whitebox scanning of applications (CheckMarx, HP Fortify, Coverity, RIPS, FindSecBugs, etc.), we usually mean static code analysis and the use of the corresponding tools of the SAST class: Static Application Security Testing.

Problems

There are plenty of problems with scanning! I have had to deal with most of them while providing a service for building scanning and secure development processes, and while carrying out security analysis work.

I will single out 3 main groups of problems, confirmed by conversations with engineers and heads of information security departments in various companies.

Problems with web application scanning

  1. Difficulty of implementation. Scanners have to be deployed, configured and tuned for each application, a test environment has to be allocated for scans, and the whole thing has to be built into the CI/CD process for it to be of any use. Otherwise it is a pointless formal procedure that produces nothing but noise.
  2. Scan duration. Even in 2019, scanners are poor at deduplicating interfaces and can spend days scanning a site of a thousand pages with 10 parameters each, treating them all as different even though the same code is responsible for them. At the same time, the decision to deploy to production within the development cycle has to be made quickly.
  3. Poor recommendations. Scanners give fairly general recommendations, and a developer cannot quickly work out from them how to reduce the level of risk and, most importantly, whether it has to be done right now or whether it is not yet dangerous.
  4. Destructive impact on the application. Scanners can cause a DoS on an application, and can create a large number of entities or modify existing ones (for example, create tens of thousands of comments on a blog), so you should not thoughtlessly launch a scan in production.
  5. Low vulnerability detection quality. Scanners usually use a fixed set of payloads and can easily miss a vulnerability that does not fit the application behaviour scenarios known to them.
  6. The scanner does not understand the application's functions. Scanners have no idea by themselves what "internet banking", "payment" or "comment" mean. For them there are only links and parameters, so a huge class of business logic vulnerabilities stays uncovered; it will not occur to them to make a transfer twice, to look at someone else's data by ID, or to inflate a balance through rounding.
  7. The scanner does not understand the semantics of pages. Scanners cannot read an FAQ, cannot recognise captchas, and will not work out on their own how to register and then log in again, that "logout" must not be clicked, or how to sign requests when parameter values change. As a result, most of the application may never be scanned at all.
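As an added example (not code from the article or from any scanner mentioned in it), here is one way the crawling stage described above can reduce the "thousand pages with 10 parameters each" problem from item 2: collapsing crawled URLs into path templates and taking the union of parameter names per template, so that pages served by the same code are scanned once. The crawl output and the host name blog.example are constructed for the example; the two identifier heuristics and the min_variants threshold are this example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed crawl output (hypothetical host, not from the article): the kind
# of URL list a crawler collects from a blog with many posts and users.
CRAWLED = [
    "https://blog.example/posts/1?lang=en&page=1",
    "https://blog.example/posts/2?page=2&lang=en",
    "https://blog.example/posts/999?lang=de",
    "https://blog.example/users/alice/profile",
    "https://blog.example/users/bob/profile",
    "https://blog.example/users/carol/profile",
    "https://blog.example/search?q=test",
    "https://blog.example/search?q=other&sort=date",
    "https://blog.example/static/app.js",
]

# Path segments that are obviously identifiers: numbers, hashes, UUIDs.
IDENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$", re.I)
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff2", ".ico")


def mask_obvious_ids(path):
    """Stage 1: /posts/1 and /posts/2 both become /posts/{id}."""
    return "/".join("{id}" if IDENT.match(s) else s for s in path.split("/"))


def mask_varying_segments(paths, min_variants=3):
    """Stage 2: a segment position whose value varies across otherwise identical
    paths (alice/bob/carol under /users/*/profile) is an identifier too.
    min_variants guards against merging genuinely different endpoints such as
    /users/alice/profile and /users/alice/settings on a single observation."""
    split = {p: p.split("/") for p in paths}
    variants = defaultdict(set)
    for segs in split.values():
        for i, seg in enumerate(segs):
            if seg in ("", "{id}"):
                continue
            shape = tuple(segs[:i] + ["{id}"] + segs[i + 1:])
            variants[shape].add(seg)
    result = {}
    for p, segs in split.items():
        out = list(segs)
        for i, seg in enumerate(segs):
            if seg in ("", "{id}"):
                continue
            shape = tuple(segs[:i] + ["{id}"] + segs[i + 1:])
            if len(variants[shape]) >= min_variants:
                out[i] = "{id}"
        result[p] = "/".join(out)
    return result


def build_inventory(urls):
    """Collapse crawled URLs into distinct interfaces: one entry per path
    template, holding the union of query parameter names seen on it."""
    parsed = []
    for u in urls:
        parts = urlsplit(u)
        if parts.path.lower().endswith(STATIC_EXT):
            continue  # static assets take no parameters worth fuzzing
        params = set(parse_qs(parts.query, keep_blank_values=True))
        parsed.append((mask_obvious_ids(parts.path), params, u))
    templates = mask_varying_segments({p for p, _, _ in parsed})
    inventory = defaultdict(lambda: {"params": set(), "examples": []})
    for path, params, url in parsed:
        entry = inventory[templates[path]]
        entry["params"] |= params
        entry["examples"].append(url)
    return dict(inventory)


if __name__ == "__main__":
    inv = build_inventory(CRAWLED)
    print(f"{len(CRAWLED)} crawled URLs -> {len(inv)} interfaces to scan")
    for path, e in sorted(inv.items()):
        print(f"  {path:24} params={sorted(e['params'])} seen={len(e['examples'])}")
```

The threshold is the trade-off the item describes: set it too low and distinct endpoints are merged and go unscanned; set it too high and every post and every profile is scanned as a separate interface.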

Problems with source code scanning

  1. False positives. Static analysis is a hard task involving many trade-offs. Accuracy often has to be sacrificed, and even expensive enterprise scanners produce a huge number of false positives.
  2. Difficulty of implementation. To improve the accuracy and completeness of static analysis, the scanning rules have to be refined, and writing those rules can be too labour-intensive. Sometimes it is easier to find every place in the code with a given kind of bug and fix them than to write a rule that detects such cases.
  3. Lack of dependency support. Large projects depend on a great many libraries and frameworks that extend the capabilities of the programming language. If the scanner's knowledge base holds no information about how these frameworks behave, they become a blind spot and the scanner simply does not understand the code.
  4. Scan duration. Finding vulnerabilities in code is algorithmically hard. The process can therefore take a long time and demand significant computing resources.
  5. Low coverage. Despite all the resources and scanning time consumed, SAST developers still have to compromise and analyse less than the full set of states a program can be in.
  6. Reproducibility of findings. Pointing to the exact line and the call stack that leads to a vulnerability is great, but in practice the scanner often gives no information that would let you check whether the vulnerability is reachable from outside. After all, the flaw may sit in dead code that an attacker can never reach.

Problems with infrastructure scanning

  1. Insufficient inventory. In large infrastructures, especially geographically distributed ones, the hardest part is working out which hosts to scan. In other words, the scanning task is tightly coupled to the asset management task.
  2. Poor prioritisation. Network scanners often produce a mass of results for flaws that cannot be exploited in practice but whose formal risk level is high. The consumer gets a report that is hard to interpret, and it is unclear what needs fixing first.
  3. Poor recommendations. The scanner's knowledge base often holds only very general information about a vulnerability and how to fix it, so administrators have to arm themselves with Google. The situation is somewhat better with whitebox scanners, which can emit a specific command to apply the fix.
  4. Manual work. Infrastructures can have a great many nodes, and therefore a great many flaws, whose reports have to be parsed and analysed by hand on every iteration.
  5. Poor coverage. The quality of infrastructure scanning depends directly on the size of the knowledge base about vulnerabilities and software versions. At the same time, it turns out that even the market leaders do not have a comprehensive knowledge base, and the databases of free solutions contain many findings the leaders lack.
  6. Problems with patching. Most often, patching an infrastructure vulnerability means updating a package or changing a configuration file. The big problem here is that a system, especially a legacy one, can behave unpredictably after an update. In effect, you end up running integration tests on live systems in production.

Approaches

What to do?
I will go into examples and into how to deal with many of the problems listed above in the following parts, but for now I will point out the main directions in which you can work:

  1. Aggregation of different scanning tools. With the right use of several scanners you can substantially enlarge the knowledge base and improve detection quality. You can find more vulnerabilities than the sum of all the scanners run separately, while assessing the risk level more accurately and giving more recommendations.
  2. Integration of SAST and DAST. DAST coverage and SAST accuracy can both be raised by exchanging information between them. From the sources you can obtain information about the existing routes, and with DAST you can check whether a vulnerability is reachable from outside.
  3. Machine Learning™. Back in 2015 I talked (and not only talked) about using statistics to give scanners a hacker's intuition and speed them up. This is definitely food for the future development of automated security analysis.
  4. Integration of IAST with autotests and OpenAPI. Within the CI/CD pipeline you can build a scanning process around tools that work as an HTTP proxy and functional tests that run over HTTP. OpenAPI/Swagger tests and contracts give the scanner the missing information about data flows and let it scan the application in different states.
  5. Correct configuration. For each application and infrastructure you need to create a suitable scanning profile that takes into account the number and nature of the interfaces and the technologies used.
  6. Scanner customisation. Often an application cannot be scanned without modifying the scanner. An example is a payment gateway in which every request must be signed. Without a connector to the gateway protocol, scanners will mindlessly hammer it with incorrectly signed requests. It is also necessary to write specialised scanners for certain kinds of flaw, such as Insecure Direct Object Reference.
  7. Risk management. Using different scanners and integrating with external systems such as Asset Management and Threat Management allows many parameters to be used in assessing the risk level, so that management gets an adequate picture of the current security state of development or of the infrastructure.
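An added example, not code from the article or from any product it names, that ties items 1 and 7 together and addresses the prioritisation problem raised in the infrastructure section: findings from several scanners are merged by (host, vulnerability), and the scanner's severity is then adjusted with asset context, threat context and the number of scanners that agree. The three scanner reports, the asset register, the "actively exploited" set, the field names and the weights are all constructed for the example.

```python
# Constructed findings from three hypothetical scanners run against the same
# hosts. Field names are this example's own, not any vendor's export format.
SCANNER_A = [
    {"host": "web-01", "vuln": "weak-tls-cipher", "severity": 5.0},
    {"host": "web-01", "vuln": "outdated-nginx", "severity": 7.5},
    {"host": "db-01", "vuln": "default-snmp-community", "severity": 7.5},
]
SCANNER_B = [
    {"host": "web-01", "vuln": "outdated-nginx", "severity": 7.0},
    {"host": "db-01", "vuln": "default-snmp-community", "severity": 8.0},
    {"host": "db-01", "vuln": "outdated-kernel", "severity": 7.0},
]
SCANNER_C = [
    {"host": "web-01", "vuln": "outdated-nginx", "severity": 7.5},
]

# Constructed context from Asset Management: how important a host is and
# whether it is reachable from the internet.
ASSETS = {
    "web-01": {"criticality": 0.6, "internet_facing": True},
    "db-01": {"criticality": 1.0, "internet_facing": False},
}

# Constructed context from Threat Management: issues known to be exploited.
ACTIVELY_EXPLOITED = {"outdated-nginx"}


def aggregate(*reports):
    """Merge findings by (host, vuln): keep the highest severity any scanner
    reported and remember which scanners agree."""
    merged = {}
    for name, report in reports:
        for f in report:
            key = (f["host"], f["vuln"])
            entry = merged.setdefault(key, {"severity": 0.0, "sources": set()})
            entry["severity"] = max(entry["severity"], f["severity"])
            entry["sources"].add(name)
    return merged


def risk_score(host, vuln, entry, assets, exploited):
    """Scanner severity is only one input; exposure, asset criticality, threat
    intelligence and corroboration adjust it. The weights are illustrative."""
    asset = assets.get(host, {"criticality": 0.5, "internet_facing": False})
    score = entry["severity"]
    score *= 0.5 + 0.5 * asset["criticality"]          # scales 0.5 .. 1.0
    score *= 1.5 if asset["internet_facing"] else 1.0   # reachable from outside
    score *= 1.5 if vuln in exploited else 1.0          # known to be exploited
    score *= 1.0 + 0.1 * (len(entry["sources"]) - 1)    # independent agreement
    return round(score, 2)


def prioritise(merged, assets, exploited):
    """Return findings ordered from most to least urgent."""
    rows = []
    for (host, vuln), entry in merged.items():
        rows.append({
            "host": host,
            "vuln": vuln,
            "severity": entry["severity"],
            "sources": sorted(entry["sources"]),
            "score": risk_score(host, vuln, entry, assets, exploited),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["host"], r["vuln"]))


if __name__ == "__main__":
    merged = aggregate(("A", SCANNER_A), ("B", SCANNER_B), ("C", SCANNER_C))
    for r in prioritise(merged, ASSETS, ACTIVELY_EXPLOITED):
        print(f"{r['score']:6.2f}  {r['host']:7} {r['vuln']:24} "
              f"sev={r['severity']} sources={','.join(r['sources'])}")
```

Note how the ordering differs from a plain severity sort: the SNMP community string on the database host carries the highest raw severity, but the exposed, actively exploited nginx issue confirmed by all three scanners comes out on top, which is the kind of picture management needs rather than a list sorted by CVSS alone.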

Stay tuned, and let's shake up vulnerability scanning!

Source: www.habr.com
