The functionality of a modern web application firewall (WAF) must be broader than the list of vulnerabilities in the OWASP Top 10

Introduction

The scale, composition, and complexity of cyber threats to applications have changed rapidly. For many years, users accessed web applications on the Internet with popular web browsers. It was enough to support 2-5 web browsers at any given time, and the set of standards for developing and testing web applications was limited. For example, almost all databases were built on SQL. Unfortunately, it did not take long for hackers to learn how to use web applications to steal, delete, or modify data. They gained unauthorized access to, and abused the capabilities of, applications using a variety of techniques, including deceiving application users, injection, and remote code execution. Soon, a class of web application security tools called Web Application Firewalls (WAFs) came to market, and the community responded by founding an open web application security project, the Open Web Application Security Project (OWASP), to define and maintain standards and methodologies for developing secure applications.

Basic application protection

The OWASP Top 10 list is the starting point for application security. It contains a list of the most dangerous threats and misconfigurations that can lead to application vulnerabilities, together with tactics for detecting and defeating attacks. The OWASP Top 10 is a recognized benchmark in the global application cybersecurity industry and defines the core list of capabilities that a web application firewall (WAF) must have.

In addition, WAF functionality must take into account other common attacks on web applications, including cross-site request forgery (CSRF), clickjacking, web scraping, and file inclusion (RFI/LFI).

Threats and challenges in securing modern applications

Today, not all applications are implemented as web applications. There are cloud applications, mobile applications, APIs, and, in the newest architectures, even custom software functions. All of these application types must be synchronized and managed as they create, modify, and process our data. With the emergence of new technologies and paradigms, complexity and new challenges arise at every stage of the application lifecycle. This includes the integration of development and operations (DevOps), containers, the Internet of Things (IoT), open-source tools, APIs, and more.

The distributed nature of applications and the variety of technologies create complex and difficult problems not only for security professionals, but also for security vendors, who cannot rely on integration alone. Application security measures must take into account the specific business characteristics of each application in order to prevent vulnerabilities and preserve the quality of service for users.

The ultimate goal of hackers is usually to steal data or disrupt service availability. Attackers also benefit from technological change. First, the development of new technologies creates more potential gaps and vulnerabilities. Second, they have more tools and knowledge in their arsenal for bypassing traditional security measures. This greatly expands the so-called "attack surface" and exposes organizations to new risks. Security controls must constantly change in response to changes in the technologies and in the use of applications.

Thus, applications must be protected from an ever-growing number of attack methods and sources, and automated attacks must be countered in real time on the basis of informed decisions. The result is rising transaction costs and labor effort, combined with weakened security.

Challenge #1: Bot management

More than 60% of Internet traffic is generated by bots, and half of that is "bad" traffic (according to the Radware Security Report). Organizations invest in network capacity that essentially serves a fictitious load. Accurately distinguishing real user traffic from bot traffic, and "good" bots (for example, search engines and price-comparison services) from "bad" bots, can significantly reduce costs and improve the quality of service for users.

Bots do not make this task easy: they can mimic the behavior of real users and bypass CAPTCHAs and other obstacles. Moreover, in the case of attacks that use dynamic IP addresses, protection based on IP address filtering becomes ineffective. Open-source development tools that can execute client-side JavaScript (for example, PhantomJS) are often used to launch brute-force attacks, credential stuffing attacks, DDoS attacks, and other automated bot attacks.

To manage bot traffic effectively, a unique identification of its source (a kind of fingerprint) is required. Since a bot attack generates a large volume of records, its fingerprint makes it possible to identify suspicious activity and assign it a score, on the basis of which the application protection system makes an informed decision (block/allow) with a minimal rate of false positives.
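One way to implement the fingerprint-and-score decision described above, as an added example that is not code from the article or from any Radware product: the fingerprint traits, the scoring weights, the two thresholds and the sample requests are all assumptions constructed here. The same fingerprint seen across many source addresses is what defeats the IP-rotation trick mentioned earlier.

```python
import hashlib
from collections import defaultdict

# Constructed sample traffic (not from the article), one tuple per request:
# (client IP, User-Agent, Accept-Language, header order, path, HTTP status)
FOX = ("Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0", "en-US", "host,ua,accept,lang")
CHR = ("Mozilla/5.0 (Windows NT 10.0) Chrome/117.0", "en-GB", "ua,host,accept")
SAMPLE_REQUESTS = [
    ("203.0.113.10", *FOX, "/", 200),
    ("203.0.113.10", *FOX, "/login", 200),
    ("203.0.113.10", *FOX, "/account", 200),
    # one client fingerprint rotating through six addresses, failing at /login every time
    *[(f"198.51.100.{i}", *CHR, "/login", 401) for i in range(1, 7)],
]

def fingerprint(user_agent, accept_language, header_order):
    """Identify a client by stable request traits rather than by its IP address."""
    raw = "|".join((user_agent, accept_language, header_order))
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def score_fingerprints(requests):
    """Aggregate per-fingerprint signals and turn them into a suspicion score (0-100)."""
    stats = defaultdict(lambda: {"ips": set(), "total": 0, "login": 0, "failed": 0})
    for ip, ua, lang, order, path, status in requests:
        s = stats[fingerprint(ua, lang, order)]
        s["ips"].add(ip)
        s["total"] += 1
        s["login"] += path == "/login"
        s["failed"] += 400 <= status < 500
    scores = {}
    for fp, s in stats.items():
        score = 0
        score += 30 if len(s["ips"]) >= 3 else 0               # IP rotation behind one fingerprint
        score += 30 if s["login"] / s["total"] > 0.8 else 0    # almost nothing but login attempts
        score += 40 if s["failed"] / s["total"] > 0.5 else 0   # mostly authentication failures
        scores[fp] = score
    return scores

def decide(score, block_at=70, challenge_at=40):
    """Two thresholds keep false positives cheap: weak evidence only triggers a challenge."""
    if score >= block_at:
        return "block"
    if score >= challenge_at:
        return "challenge"
    return "allow"

def classify(requests):
    """Map every fingerprint seen in the traffic to an allow/challenge/block verdict."""
    return {fp: decide(sc) for fp, sc in score_fingerprints(requests).items()}
```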


Challenge #2: API protection

Many applications collect information and data from services they interact with through APIs. When transmitting sensitive data over APIs, more than 50% of organizations do not validate or secure those APIs in a way that would let them detect cyberattacks.

Examples of API use:

  • Internet of Things (IoT) integration
  • Machine-to-machine communication
  • Serverless environments
  • Mobile applications
  • Event-driven applications

API vulnerabilities are similar to application vulnerabilities and include injection, protocol attacks, parameter manipulation, redirects, and bot attacks. Dedicated API gateways help ensure interoperability between application services that interact through APIs. However, they do not provide end-to-end application security the way a WAF can, with essential security capabilities such as HTTP header parsing, Layer 7 access control lists (ACLs), JSON/XML payload parsing and inspection, and protection against every vulnerability in the OWASP Top 10 list. This is achieved by inspecting API values using both positive and negative models.
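An added illustration of the positive-plus-negative model inspection described above (not code from the article or from any Radware product): the endpoint, its field schema and the signature patterns are assumptions constructed here. The positive model rejects anything the endpoint was never meant to accept; the negative model then screens the values that remain.

```python
import json
import re

# Positive model (assumed, not from the article): the only fields one hypothetical
# endpoint may carry, with type and format limits. Anything else is rejected.
SCHEMA = {
    "POST /api/v1/orders": {
        "sku": {"type": str, "pattern": r"^[A-Z0-9-]{3,20}$"},
        "quantity": {"type": int, "min": 1, "max": 100},
        "note": {"type": str, "max_len": 200, "optional": True},
    }
}
# Negative model: signatures applied to every string value that passed the positive
# checks. Illustrative patterns only, not a complete rule set.
BAD_PATTERNS = [
    (re.compile(r"(?i)\bunion\b.+\bselect\b"), "sql-injection"),
    (re.compile(r"(?i)<script\b"), "xss"),
    (re.compile(r"\.\./"), "path-traversal"),
]

def inspect(method, path, body):
    """Parse the JSON body, enforce the endpoint's positive model, then run the
    negative-model signatures. Returns (allow, sorted list of findings)."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, ["malformed-json"]
    rules = SCHEMA.get(f"{method} {path}")
    if rules is None or not isinstance(data, dict):
        return False, ["unknown-endpoint" if rules is None else "body-not-object"]
    reasons = [f"unexpected-field:{n}" for n in data.keys() - rules.keys()]
    for name, rule in rules.items():
        if name not in data:
            if not rule.get("optional"):
                reasons.append(f"missing-field:{name}")
            continue
        value = data[name]
        if type(value) is not rule["type"]:  # bool is deliberately not accepted as int
            reasons.append(f"bad-type:{name}")
        elif isinstance(value, int) and not rule["min"] <= value <= rule["max"]:
            reasons.append(f"out-of-range:{name}")
        elif isinstance(value, str):
            if len(value) > rule.get("max_len", 64) or (
                    "pattern" in rule and not re.match(rule["pattern"], value)):
                reasons.append(f"bad-format:{name}")
            for pat, label in BAD_PATTERNS:
                if pat.search(value):
                    reasons.append(f"{label}:{name}")
    return not reasons, sorted(reasons)
```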

Challenge #3: Denial of service

An old attack vector, denial of service (DoS), continues to prove its effectiveness against applications. Attackers have many effective ways to disrupt application services, including HTTP or HTTPS floods, low-and-slow attacks (such as SlowLoris, LOIC, Torshammer), attacks using dynamic IP addresses, buffer overflows, brute-force attacks, and many others. With the growth of the Internet of Things and the subsequent emergence of IoT botnets, application-layer attacks have become the main focus of DDoS attacks. Most stateful WAFs can only handle a limited load. They can, however, inspect HTTP/S traffic flows and strip out attack traffic and malicious connections. Once an attack has been identified, there is no point in letting that traffic through again. Since a WAF's capacity to repel attacks is limited, an additional solution is needed at the network perimeter to automatically block the next "bad" packets. For this security scenario, the two solutions must be able to communicate with each other to exchange information about attacks.

Fig. 1. Organization of communication and application protection, using Radware solutions as an example

Challenge #4: Continuous protection

Applications change frequently. Development and deployment methodologies such as rolling updates mean that changes happen without human intervention or control. In such dynamic environments, it is difficult to maintain adequately functioning security policies without a large number of false positives. Mobile applications are updated far more often than web applications. Third-party applications can change without your knowledge. Some organizations seek more control and visibility in order to stay on top of potential risks. However, this is not always achievable, and reliable application protection must use the power of machine learning to inventory and visualize the available resources, analyze potential threats, and create and optimize security policies whenever the application changes.

Conclusions

As applications play an increasingly important role in everyday life, they become a prime target for hackers. The potential rewards for criminals and the potential losses for businesses are enormous. The complexity of application security work cannot be overstated, given the number and variety of applications and threats.

Fortunately, we live in a time when artificial intelligence can help us. Machine-learning-based algorithms provide real-time, adaptive protection against the most advanced cyber threats targeting applications. They also automatically update security policies to protect web, mobile, and cloud applications, as well as APIs, without false positives.

It is difficult to predict with certainty what the next generation of application cyberthreats (possibly also based on machine learning) will look like. But organizations can take steps to protect customer data, protect intellectual property, and ensure service availability, with significant benefits for the business.

Effective approaches and methods for ensuring application security, the main types and vectors of attacks, risk areas and gaps in the cyber protection of web applications, together with global experience and best practices, are presented in Radware's study and report "Web Application Security in a Digitally Connected World".

Source: www.hab.com
