Fear and Loathing in DevSecOps

We had two code analyzers, four dynamic testing tools, our own homegrown tooling and 250 scripts. Not all of that is needed in the process right now, but once you start doing DevSecOps, you have to go all the way.


Picture: characters created by Justin Roiland and Dan Harmon.

What is SecDevOps? What about DevSecOps? What is the difference? Application Security: what is it? Why does the classic approach no longer work? Yuri Shabalin of Swordfish Security knows the answers to all of these questions. Yuri answers everything in detail and analyzes the problems of moving from the classic Application Security model to the DevSecOps approach: how to integrate a secure development process into a DevOps pipeline without breaking anything, how to get through the main stages of security testing, which tools can be used, how they differ, and how to configure them properly to avoid the pitfalls.


About the speaker: Yuri Shabalin is Chief Security Architect at Swordfish Security. He is responsible for implementing SSDL and for integrating application analysis tools into a unified development and testing ecosystem. Seven years of experience in information security. He has worked at Alfa-Bank, Sberbank and Positive Technologies, which develops software and provides services. Speaker at the international conferences ZeroNights, PHDays, RISSPA and OWASP.

Application Security: what is it?

Application Security is the branch of security that is responsible for the security of applications. It is not about infrastructure or network security, but about what we write and what developers work on: the bugs and vulnerabilities of the application itself.

The SDL or SDLC direction (Security Development Lifecycle) was developed by Microsoft. The diagram shows the canonical SDLC model, whose main task is to involve security at every stage of development, from requirements to release and production. Microsoft realized that there were too many bugs in production, that something had to be done about it, and proposed this approach, which has become canonical.


Application Security and SSDL are not aimed at finding vulnerabilities, as many believe, but at preventing them from appearing at all. Over time, Microsoft's canonical approach has been reworked, developed, and given a much deeper and more detailed elaboration.


The canonical SDLC is described in detail in various methodologies: OpenSAMM, BSIMM, OWASP. The methodologies differ, but in general they are very similar.

Building Security In Maturity Model

I like BSIMM (Building Security In Maturity Model) the most. The basis of the methodology is the division of the Application Security process into four domains: Governance, Intelligence, SSDL Touchpoints and Deployment. Each domain has 12 practices, which are represented as 112 activities.


Each of the 112 activities has three maturity levels: beginner, intermediate and advanced. You can study all 12 practices section by section, pick the items that matter to you, work out how to implement them and gradually add elements, for example static and dynamic code analysis or code review. You write a plan and work through it calmly according to what you have chosen.

Why DevSecOps

DevOps is a large, general process in which security must be taken into account.

Initially, DevOps included security checks. In practice, security teams were far smaller than they are now, and they acted not as participants in the process but as a controlling and supervising body that imposed requirements and checked product quality at the end of a release. This is the classic approach, in which security teams sat behind a wall from development and did not take part in the process.


The main problem is that information security is separate from development. Usually it is some kind of InfoSec circuit with two or three large and expensive tools. Once every six months the source code or the application to be checked arrives, and once a year pentests are done. All of this pushes back the production release date, and developers get showered with a huge number of issues from automated tools. It is impossible to triage and fix all of it, because the results from the previous six months were never fixed and here comes a new batch.

In the course of our company's work we see that security, in every area and industry, understands that it is time to catch up and spin on the same wheel as development: in Agile. The DevSecOps paradigm fits well with the agile development methodology, with implementation, support and participation in every release and iteration.


Transition to DevSecOps

The most important word in Security Development Lifecycle is "process". You have to understand this before you think about buying tools.

Integrating tools into a DevOps process is not enough; communication and understanding between the participants in the process is essential.

People are more important than tools.

Often, planning a secure development process begins with selecting and buying a tool, and ends with attempts to integrate that tool into the existing process, which remain mere attempts. This leads to sad consequences, because every tool has its own peculiarities and limitations.

A typical case is when the security department chose a good, expensive tool with broad capabilities and came to the developers to get it embedded. But it doesn't work: the process is built in such a way that the limitations of the already purchased tool do not fit the current paradigm.

First describe the result you want and what the process will look like. This will help you understand the role of the tool and of security in the process.

Start with what is already in use

Before buying expensive tools, look at what you already have. Every company has security requirements for development; there are checks, there are pentests. Why not turn all of this into a form that is understandable and convenient for everyone?

Usually the requirements are a paper Talmud lying on a shelf. There was a case when we came to a company to look at its processes and asked to see the application security requirements. The specialist responsible for this spent a long time searching:

- Now, somewhere in the notes there was a path to where this document lies.

As a result, we received the document a week later.

For requirements, checks and other things, create a page, for example in Confluence. It is convenient for everyone.

It is easier to rework what you already have and use it to get started.

Use Security Champions

Usually, in a company with 100-200 developers, there is one security specialist who performs several functions and has no time to check everything. Even if he tries his best, he alone will not check all the code that development produces. For such cases a concept was developed: Security Champions.

Security Champions are people in the development team who are interested in the security of your product.


A Security Champion is the entry point into the development team and a security evangelist rolled into one.

Usually, when a security specialist comes to the development team and points out an error in the code, he gets a surprised response:

- And who are you? I'm seeing you for the first time. Everything is fine with me: my senior colleague gave me an "approve" on review, we move on!

This is a typical situation, because there is much more trust in seniors or simply in colleagues with whom the developer constantly interacts at work and during code review. If, instead of the security officer, a Security Champion points out the error and its consequences, his word will carry more weight.

Also, developers know their code better than any security specialist. For someone who has at least five projects in a static analysis tool, it is usually hard to remember all the nuances. Security Champions know their product: what interacts with what and what to look at first. That is more effective.

So consider deploying Security Champions and expanding the influence of your security team. This is also useful for the champion himself: professional development in a new area, a wider technical horizon, growth of technical, managerial and leadership skills, and higher market value. It is also an element of social engineering, your "eyes" in the development team.

Testing stages

The 20/80 paradigm says that 20% of the effort produces 80% of the results. This 20% is the application analysis practices that can and should be automated. Examples of such practices are static analysis (SAST), dynamic analysis (DAST) and Open Source control. I'll say more about these practices, about the tools, about the problems we usually run into when introducing them, and about how to do it right.


Main tool problems

I'll highlight the problems that apply to all tools and that require attention. I'll go through them in detail so that I don't have to repeat myself later.

Long analysis time. If it takes 30 minutes from commit to release for all the tests and the build, then the information security checks will take a day. Nobody will slow the process down like that. Keep this in mind and draw your conclusions.

High False Negative or False Positive rate. All products are different, all use different frameworks and their own coding style. On different codebases and technologies, tools can show different False Negative and False Positive rates. So look at what exactly, in your company and for your applications, will give good and reliable results.

No integration with existing tools. Evaluate tools in terms of integration with what you already use. For example, if you have Jenkins or TeamCity, check the tool's integration with that software, and not with GitLab CI, which you don't use.

Missing or excessive customization. If a tool has no API, then why is it needed? Everything that can be done in the interface should be available through the API. Ideally, the tool should allow the checks themselves to be customized.

No Product Development Roadmap. Development does not stand still: we constantly use new frameworks and functions, and rewrite old code in new languages. We want to be sure that the tool we buy will support new frameworks and technologies. Therefore it is important to know that the product has a real and correct development Roadmap.

Process features

Besides the tool features, consider the features of the development process. For example, blocking development is a typical mistake. Let's look at what else should be taken into account and what the security team should pay attention to.

In order not to miss development and release deadlines, create different rules and different Show stoppers (criteria for stopping the build when vulnerabilities are present) for different environments. For example, we understand that the current branch goes to a development stand or to UAT, which means we do not stop it and do not say:

"You have vulnerabilities here, you're not going any further!"

At this point it is important to tell the developers that there are security issues that require attention.

The presence of vulnerabilities is not an obstacle to further testing: manual, integration or regression. On the other hand, we need to raise the security of the product somehow, and make sure developers do not ignore what security finds. So we sometimes do this: on the stand, when it is deployed to the development environment, we simply notify development:

- Guys, you have problems, please pay attention.

At the UAT stage we again show warnings about the vulnerabilities, and at release we say:

- Guys, we warned you several times and you did nothing; we won't release you with this.

If we talk about code and dynamics, then it is necessary to show and warn about vulnerabilities only in the features and code that were written in this sprint. If a developer moved a button by three pixels and we tell him he has a SQL injection there that must be fixed urgently, that is wrong. Look only at what is being written now and at the changes that are coming into the application.

Let's say we have some functional defect, a way the application should not behave: money is not transferred, clicking the button does not take you to the next page, or the product does not load. Security Defects are the same kind of defects, only not in the application's functionality but in its security.

Not all software quality issues are security issues. But all security issues are related to software quality. Sherif Mansour, Expedia.

Since all vulnerabilities are the same kind of defects, they should live in the same place as all development defects. So forget about reports and scary PDFs that nobody reads.


When I worked at a development company, I received a report from the static analysis tools. I opened it, was horrified, made coffee, scrolled through 350 pages, closed it and went back to work. Big reports are dead reports. Usually they go nowhere: the e-mails are deleted, forgotten, lost, or the business says it accepts the risk.

What to do? We simply convert the defects we find into a form that is convenient for development, for example, we put them into the backlog in Jira. We prioritize the defects and eliminate them in order of priority, along with functional defects and test defects.

Static analysis: SAST

This is analysis of the code for vulnerabilities, but it is not the same as SonarQube. We check more than patterns or code style. A number of approaches are used in the analysis: by vulnerability tree, by DataFlow, by analyzing configuration files. This is everything that concerns the code itself.

Advantages of the approach: vulnerabilities in the code are identified at an early stage of development, when there are no stands or ready-made builds yet, and incremental scanning is possible: scanning only the section of code that has changed, only the feature we are working on now, which reduces the scan time.

The disadvantage is the lack of support for the languages you need.

Required integrations, which in my subjective opinion a tool should have:

  • CI tool: Jenkins, TeamCity and GitLab CI.
  • Development environment: IntelliJ IDEA, Visual Studio. It is more convenient for a developer not to climb into an unfamiliar interface that still has to be learned, but to see all the necessary integrations and the vulnerabilities found right at his workplace, in his own development environment.
  • Code review: SonarQube and manual review.
  • Defect trackers: Jira and Bugzilla.

The picture shows some of the best representatives of static analysis.


It is not the tools that matter but the process, so there are Open Source solutions that are also good for trying the process out.


Open Source SAST will not find as many vulnerabilities or complex DataFlows, but it can and should be used when building the process. It helps you understand how the process will be built, who will respond to bugs, who will report, and who will receive the reports. If you want to take the first step in building the security of your code, use Open Source solutions.

How can this be integrated if you are at the beginning of the journey and have nothing: no CI, no Jenkins, no TeamCity? Let's consider integration into the process.

Integration at the CVS level

If you have Bitbucket or GitLab, you can integrate at the Concurrent Versions System level.

By event: pull request, commit. You scan the code and show in the build status whether the security check passed or failed.

Feedback. Of course, feedback is always needed. If you just did security on the side, put it in a box and told nobody about it, and then at the end of the month dumped a pile of bugs on the team, that is neither correct nor good.

Integration with the code review process

Once, we set the technical AppSec user as a default reviewer on a number of important projects. Depending on whether errors were found in the new code or not, the reviewer sets the status on the pull request to "approve" or "needs work": either everything is fine, or there are links to exactly what needs to be fixed. For integration with the version that goes to production, we enabled a merge ban if the security test was not passed. We included this in the manual code review, and the other participants in the process saw the security vetoes there.

Integration with SonarQube

Many have a quality gate on code quality. It's the same here: you can make the same gates for SAST tools. There will be the same interface and the same quality gate, only it will be called a security gate. And if you have a process built around SonarQube, you can easily integrate everything there.

Integration at the CI level

Everything here is simple:

  • On a par with autotests and unit tests.
  • Division by development stage: dev, test, prod. Different sets of rules or different fail conditions can be included: stop the build, or don't stop the build.
  • Synchronous/asynchronous launch. Either we wait for the security tests to finish, or we don't. That is, we just launch them and move on, and later we are told whether everything is good or bad.

This is all in a perfect pink world. In real life there is no such thing, but we strive for it. The result of running security checks should be similar to the result of unit tests.

For example, we took a big project and decided to scan it with SAST. OK. We pushed the project into SAST, it gave us 20,000 vulnerabilities, and by a strong-willed decision we decided that everything was fine. Those 20,000 vulnerabilities are our technical debt. We put the debt in a box; we will slowly eliminate it and file bugs in the defect tracker. We hire a company, do everything ourselves, or get Security Champions to help, and the technical debt shrinks.

And all vulnerabilities that newly appear in new code must be eliminated in the same way as errors in unit tests or autotests. Roughly speaking: the build started, we ran it, two tests and two security tests failed. OK, we went and looked at what happened, fixed one thing, fixed another, ran it again: everything is fine, no new vulnerabilities appeared, no tests failed. If the task is deeper and needs to be understood properly, or fixing the vulnerability affects large layers of what lies under the hood, a bug is filed in the defect tracker, prioritized and fixed. Unfortunately, the world is not perfect and tests sometimes fail.

An example of a security gate: it is an analogue of a quality gate, in terms of the presence and number of vulnerabilities in the code.

We integrate with SonarQube: a plugin is installed, everything is simple and neat.
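The stage-dependent Show stoppers described under "Process features" and the technical-debt baseline described above, as an added example (not code from the talk or from Swordfish Security). It assumes a SAST tool that reports findings with a rule id, file, line and severity; the stage names, the policy table and the sample findings are constructed for illustration:

```python
"""Security gate with a baseline of accepted technical debt.

Added example, not code from the talk or from Swordfish Security. The stage
names, policy table, finding fields and sample findings are assumptions
constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass

# Action the gate takes for a *new* finding of a given severity at each stage.
# dev and UAT only warn; release blocks (the policy described in the talk).
STAGE_POLICY = {
    "dev":     {"critical": "warn",  "high": "warn",  "medium": "info", "low": "info"},
    "uat":     {"critical": "warn",  "high": "warn",  "medium": "info", "low": "info"},
    "release": {"critical": "block", "high": "block", "medium": "warn", "low": "info"},
}


@dataclass(frozen=True)
class Finding:
    tool: str       # label of the analyzer that reported it (assumed: "sast")
    rule: str       # analyzer rule id
    file: str
    line: int
    severity: str   # critical / high / medium / low

    def fingerprint(self) -> str:
        # Line numbers drift as code is edited, so the fingerprint ignores
        # them: tool + rule + file is enough to recognise old debt.
        raw = f"{self.tool}|{self.rule}|{self.file}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def split_new_and_baseline(findings, baseline_fps):
    """Split findings into (new, known) using a set of baseline fingerprints."""
    new, known = [], []
    for f in findings:
        (known if f.fingerprint() in baseline_fps else new).append(f)
    return new, known


def evaluate_gate(findings, baseline_fps, stage):
    """Gate verdict for one build: 'block', 'warn' or 'pass'.

    Only findings outside the baseline count; the debt already in the
    tracker never fails a build on its own.
    """
    policy = STAGE_POLICY[stage]
    new, known = split_new_and_baseline(findings, baseline_fps)
    actions = {policy[f.severity] for f in new}
    verdict = "block" if "block" in actions else "warn" if "warn" in actions else "pass"
    return {
        "stage": stage,
        "verdict": verdict,
        "new": len(new),
        "known": len(known),
        "new_findings": [f"{f.rule} {f.file}:{f.line}" for f in new],
    }


# Constructed sample data: a baseline recorded when the project was first
# scanned, and the findings of the current build.
BASELINE = {
    Finding("sast", "SQLI-001", "src/orders.py", 42, "high").fingerprint(),
    Finding("sast", "XSS-004", "src/views.py", 10, "medium").fingerprint(),
}

SCAN = [
    Finding("sast", "SQLI-001", "src/orders.py", 57, "high"),       # old debt, line moved
    Finding("sast", "XSS-004", "src/views.py", 10, "medium"),        # old debt
    Finding("sast", "PATH-010", "src/upload.py", 88, "critical"),    # new in this sprint
]

if __name__ == "__main__":
    for stage in ("dev", "uat", "release"):
        print(json.dumps(evaluate_gate(SCAN, BASELINE, stage)))
```

The same scan produces a warning on the dev and UAT stands and a blocked build at release, while the two baseline findings are reported as known debt and never fail the build by themselves.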

Integration with the development environment

Integration options:

  • Launching a scan from the development environment before committing.
  • Viewing the results.
  • Analyzing the results.
  • Synchronization with the server.

This is how receiving results from the server looks.


In our IntelliJ IDEA development environment an additional item simply appears, telling you that such-and-such vulnerabilities were found during the scan. You can edit the code right away, look at the recommendations and at the Flow Graph. All of this sits at the developer's workplace, which is very convenient: no need to follow other links and look at anything extra.

Open Source

This is my favorite topic. Everyone uses Open Source libraries: why write a pile of crutches and reinvent bicycles when you can take a ready-made library in which everything is already implemented?


Of course, this is true, but libraries are also written by people, they also carry certain risks, and vulnerabilities in them are reported periodically or even constantly. Therefore there is a next step in Application Security: analysis of Open Source components.

Open Source Analysis: OSA

The tool covers three main stages.

Searching for vulnerabilities in libraries. For example, the tool knows that we use a certain library, and that in CVE or in the bug trackers there are vulnerabilities that relate to this version of the library. When you try to use it, the tool will warn that the library is vulnerable and advise you to use a different version that has no vulnerabilities.

Analysis of license purity. This is not particularly popular here yet, but if you work abroad, then from time to time you may get a penalty there for using an open source component that may not be used or modified. According to the policy of the licensed library, we cannot do this. Or, if we modified it and use it, we must publish our code. Of course, nobody wants to publish the code of their products, but you can protect yourself from this.

Analysis of components used in the industrial environment. Imagine, hypothetically, that we finally finished development and released the latest version of our microservice. It lives there wonderfully: a week, a month, a year. We don't rebuild it, we don't run security checks, everything seems fine. But suddenly, two weeks after the release, a critical vulnerability comes out in an Open Source component that we use in this build, in the production environment. If we don't record what we use and where, we simply won't see this vulnerability. Some tools can monitor vulnerabilities in the libraries that are used in production. It is very useful.

Features:

  • Different policies for different development stages.
  • Monitoring of components in the industrial environment.
  • Control of libraries within the organization.
  • Support for different build systems and languages.
  • Analysis of Docker images.

A few examples of market leaders that do Open Source analysis.

The only free one is Dependency-Check from OWASP. You can turn it on in the early stages and see how it works and what it supports. Basically, these are all cloud products, or on-premise ones that still send data to the Internet behind the scenes. They don't send your libraries themselves, but hashes or values computed from them, fingerprints, to their server in order to get information about the presence of vulnerabilities.

Integration into the process

Perimeter control of all libraries downloaded from outside. We have external and internal repositories. For example, Event Central runs Nexus, and we want to make sure there are no vulnerabilities with "critical" or "high" status in our repository. You can configure proxying with the Nexus Firewall Lifecycle tool so that such vulnerabilities are cut off and never end up in the internal repository.

Integration into CI. At the same level as autotests and unit tests, with division into development stages: dev, test, prod. At each stage you can download any libraries and use anything, but if there is something with "critical" status, it is probably worth drawing the developers' attention to it at the release stage.

Integration with artifact stores: Nexus and JFrog.

Integration into the development environment. The tools you choose should be integrated with the development environment. The developer should be able to access scan results from his workplace, or to scan and check the code for vulnerabilities himself before committing to CVS.

Integration into CD. This is a cool feature that I really like and have already talked about: monitoring the appearance of new vulnerabilities in the production environment. It works roughly like this.


We have Public Component Repositories, some servers outside, and our own space inside. We want only trusted components in it. When we proxy a request, we check that the downloaded library has no vulnerabilities. If it falls under certain policies that we set and agree with development, we don't download it and a different version is recommended. Accordingly, if there is something really critical and bad in the library, the developer will not receive it at the installation stage: let him use a higher or lower version.

  • When building, we check that nobody has slipped in anything bad, that all components are safe, and that nobody brought anything dangerous in on a flash drive.
  • We have only trusted components in the repository.
  • When deploying, we check the package itself again: war, jar, DLL or Docker image, to make sure it complies with the policies.
  • When it gets into production, we monitor what happens in the industrial environment: whether critical vulnerabilities appear or not.
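The three OSA stages described above (vulnerable library versions, license policy, and re-checking what is already deployed in production), as an added example that is not code from the talk or from any OSA product. The advisory feed carries placeholder ids rather than real CVE numbers, the package names are fictional, and the manifests, license data and stage policy are constructed assumptions:

```python
"""Open Source component check: vulnerable versions, license policy and
re-scanning the production inventory.

Added example, not code from the talk or from any OSA vendor. Advisory ids
are placeholders (not real CVEs), package names are fictional, and the
manifests, license data and stage policy are constructed assumptions.
"""
from dataclasses import dataclass


def parse_version(v):
    """'2.9.10' -> (2, 9, 10) so that versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str      # first version that is no longer affected
    severity: str
    advisory_id: str   # placeholder id; a real feed would carry CVE numbers


# Constructed advisory feed.
ADVISORIES = [
    Advisory("example-json-parser", "2.9.10", "critical", "ADV-PLACEHOLDER-0001"),
    Advisory("example-text-kit", "1.10.0", "high", "ADV-PLACEHOLDER-0002"),
]

# Constructed license metadata; copyleft licenses are denied for a
# proprietary product that would have to publish its own code.
LICENSES = {
    "example-json-parser": "Apache-2.0",
    "example-text-kit": "Apache-2.0",
    "example-readline": "GPL-3.0",
    "example-leftpad": "MIT",
}
DENIED_LICENSES = {"GPL-3.0", "AGPL-3.0"}

# Per-stage policy, as the talk suggests: anything goes at dev, criticals
# get attention at test, criticals and highs block at release.
BLOCKING = {"dev": set(), "test": {"critical"}, "release": {"critical", "high"}}


def check_component(name, version):
    """Issues for one component: vulnerable version and license problems."""
    issues = []
    for adv in ADVISORIES:
        if adv.package == name and parse_version(version) < parse_version(adv.fixed_in):
            issues.append({"type": "vulnerability", "severity": adv.severity,
                           "id": adv.advisory_id, "fix": f">={adv.fixed_in}"})
    lic = LICENSES.get(name, "unknown")
    if lic in DENIED_LICENSES or lic == "unknown":
        issues.append({"type": "license", "severity": "high", "license": lic})
    return issues


def evaluate_manifest(manifest, stage):
    """Check every component of a build; returns whether the stage is blocked."""
    report = {}
    for name, version in manifest.items():
        issues = check_component(name, version)
        if issues:
            report[f"{name}@{version}"] = issues
    blocked = any(i["severity"] in BLOCKING[stage]
                  for issues in report.values() for i in issues)
    return {"stage": stage, "blocked": blocked, "issues": report}


def rescan_inventory(inventory):
    """Re-check deployed services against the *current* feed.

    inventory maps service name -> manifest recorded at deploy time.
    Returns the services that now carry a critical component.
    """
    affected = {}
    for service, manifest in inventory.items():
        result = evaluate_manifest(manifest, "release")
        crit = [k for k, v in result["issues"].items()
                if any(i["severity"] == "critical" for i in v)]
        if crit:
            affected[service] = crit
    return affected


# Constructed build manifest and production inventory.
MANIFEST = {"example-json-parser": "2.9.8", "example-text-kit": "1.10.0",
            "example-readline": "0.3.1", "example-leftpad": "1.0.0"}
INVENTORY = {"orders-svc": MANIFEST,
             "billing-svc": {"example-json-parser": "2.9.10", "example-leftpad": "1.0.0"}}

if __name__ == "__main__":
    print(evaluate_manifest(MANIFEST, "dev"))
    print(evaluate_manifest(MANIFEST, "release"))
    print(rescan_inventory(INVENTORY))
```

Recording the manifest at deploy time is what makes the last function possible: when a new advisory lands in the feed, `rescan_inventory` points at the service that is running the affected version without rebuilding anything.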

Dynamic analysis: DAST

Dynamic analysis tools are fundamentally different from everything described so far. They are a kind of imitation of a user's work with the application. If it is a web application, we send requests simulating the client, click buttons on the front end, and submit generated data into forms (quotes, brackets, characters in different encodings) to see how the application handles and processes external data.

The same system allows you to check for template vulnerabilities in Open Source. Since DAST does not know which Open Source we use, it simply throws "malicious" payloads and analyzes the server's responses:

- Yes, there is a deserialization problem here, but not here.

There are big risks in this, because if you run such a security test on the stand that the testers work on, unpleasant things can happen.

  • High load on the network of the application server.
  • No integrations.
  • Ability to change the configuration of the application being analyzed.
  • No support for the technologies you need.
  • Difficulty of setup.

We had a situation when we launched AppScan: we spent a long time getting access to the application, got three accounts and were happy; finally we would check everything! We launched the scan, and the first thing AppScan did was get into the admin panel, poke every button, change half the data, and then bring the server down with its mailing requests. Development and testing said:

- Guys, are you kidding us?! We gave you accounts, and you took down our stand!

Consider the possible risks. Ideally, set up a separate stand for information security testing, isolated from the rest of the environment at least in some way, and check the admin panel in manual mode, preferably. That is pentest: the remaining percent of the effort that we are not considering now.

It's worth considering that you can use this as an analogue of load testing. At the first stage you can turn on a dynamic scanner with 10-15 threads and see what happens, but usually, as practice shows, nothing good.

A couple of tools that we like to use.


Burp Suite deserves a special mention: it is the "Swiss army knife" of any security specialist. Everyone uses it and it is very convenient. A new enterprise edition has now been released. If previously it was a standalone utility with plugins, now the vendor is building a big server that can manage several agents. This is cool; I recommend trying it.

Integration into the process

The integration is done well and simply: start a scan after the application has been successfully deployed on the stand, and start a scan after successful integration testing.

If the integrations don't work or there are stubs and mock functions, it is pointless and useless: no matter what payload we send, the server will respond the same way.

  • Accordingly, a separate test stand.
  • Before testing, write a login script.
  • Testing […]
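A scope guard of the kind the DAST section calls for (only the isolated security stand, the admin panel left to manual checking, a cap on scanner threads), as an added example rather than code from the talk, AppScan or Burp Suite. The stand hostname, the excluded paths and the crawled URL list are constructed assumptions:

```python
"""Scope guard for a dynamic (DAST) scan.

Added example, not code from the talk, Burp Suite or AppScan. The stand
hostname, excluded paths, method list and crawled URLs are constructed
assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# The isolated information-security stand is the only host the scanner may
# touch: never the stand the testers use, never production.
ALLOWED_HOSTS = {"app.sec-stand.internal.example"}

# The admin panel and other destructive areas stay out of automated scope
# and are checked by hand (the talk: check the admin panel in manual mode).
EXCLUDED_PATHS = [re.compile(p) for p in (
    r"^/admin(/|$)", r"^/api/admin/", r"/logout$", r"/delete(/|$)")]

# Methods the scanner may send generated payloads with.
ALLOWED_METHODS = {"GET", "POST", "PUT"}

# The talk starts at 10-15 threads and watches what the stand does.
MAX_THREADS = 10


def in_scope(method, url):
    """Return (allowed, reason) for one candidate request."""
    u = urlparse(url)
    if u.scheme not in ("http", "https"):
        return False, f"scheme {u.scheme!r} not allowed"
    if u.hostname not in ALLOWED_HOSTS:
        return False, f"host {u.hostname} is not an isolated security stand"
    if method.upper() not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    for pat in EXCLUDED_PATHS:
        if pat.search(u.path):
            return False, f"path excluded by {pat.pattern}"
    return True, "ok"


def build_scan_plan(crawled, threads=MAX_THREADS):
    """Filter crawled (method, url) pairs into what the scanner may run.

    Raises if the requested concurrency exceeds the agreed cap, so a
    misconfigured job cannot turn the scan into a load test by accident.
    """
    if threads > MAX_THREADS:
        raise ValueError(f"thread count {threads} exceeds cap {MAX_THREADS}")
    plan, skipped = [], []
    for method, url in crawled:
        ok, why = in_scope(method, url)
        (plan if ok else skipped).append((method, url, why))
    return {"threads": threads, "targets": plan, "skipped": skipped}


# Constructed crawl output, as a spider running on the stand might produce.
CRAWLED = [
    ("GET", "https://app.sec-stand.internal.example/orders?id=1"),
    ("POST", "https://app.sec-stand.internal.example/orders/new"),
    ("GET", "https://app.sec-stand.internal.example/admin/users"),
    ("DELETE", "https://app.sec-stand.internal.example/orders/1"),
    ("GET", "https://app.uat.internal.example/orders?id=1"),
]

if __name__ == "__main__":
    plan = build_scan_plan(CRAWLED)
    for method, url, _ in plan["targets"]:
        print("SCAN", method, url)
    for method, url, why in plan["skipped"]:
        print("SKIP", method, url, "-", why)
```

The skipped list is as useful as the plan: it is the record handed to the manual pentest of what the automated scan deliberately did not touch.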

Process

A few generalizations about the process as a whole and about the work of each tool in particular. All applications are different: one works better with dynamic analysis, another with static analysis, a third with OpenSource analysis, pentests, or something else, for example activities around a WAF.

Every process needs to be managed.

To understand how the process works and where it can be improved, you need to collect metrics from everything you can reach, including production metrics, metrics from the tools, and metrics from the defect trackers.

Any information is useful. You need to look from different angles at where a given tool is used better and where the process sags. It may be worth looking at development's response times to see where the process can be improved in terms of timing. The more data, the more slices can be built, from the top level down to the details of each process.


Since all static and dynamic analyzers have their own APIs, their own launch methods and principles, some with schedulers and some without, we are writing a tool, AppSec Orchestrator, which provides a single entry point into all of the products' functionality and manages it from one place.

Managers, developers and security engineers get a single entry point where they can see what is running, configure and launch a scan, receive scan results and present requirements. We try to get away from paper and translate everything into the human language that development uses: pages in Confluence with status and metrics, defects in Jira or in various defect trackers, or embedding into a synchronous/asynchronous process in CI/CD.
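A few of the process metrics the talk recommends collecting from defect trackers (false-positive rate per tool, median time to fix, overdue backlog), as an added example that is not the talk's AppSec Orchestrator. The record format, the SLA days and the tracker export are constructed assumptions:

```python
"""Process metrics from defect-tracker records.

Added example, not the talk's AppSec Orchestrator. Record fields, SLA days
and the sample issues are constructed assumptions.
"""
from datetime import date
from statistics import median

# Constructed tracker export: one record per security defect. A real
# export would come from the tracker's API (Jira, Bugzilla, ...).
ISSUES = [
    {"tool": "sast", "severity": "high",     "opened": "2018-03-01", "closed": "2018-03-04", "resolution": "fixed"},
    {"tool": "sast", "severity": "high",     "opened": "2018-03-05", "closed": "2018-03-10", "resolution": "fixed"},
    {"tool": "sast", "severity": "high",     "opened": "2018-03-02", "closed": "2018-03-02", "resolution": "false_positive"},
    {"tool": "sast", "severity": "medium",   "opened": "2018-03-03", "closed": None,         "resolution": None},
    {"tool": "dast", "severity": "critical", "opened": "2018-03-01", "closed": "2018-03-11", "resolution": "fixed"},
    {"tool": "dast", "severity": "high",     "opened": "2018-03-05", "closed": "2018-03-06", "resolution": "false_positive"},
    {"tool": "osa",  "severity": "critical", "opened": "2018-03-07", "closed": "2018-03-08", "resolution": "fixed"},
]

# Assumed remediation SLA per severity, in days.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def _days(a, b):
    return (date.fromisoformat(b) - date.fromisoformat(a)).days


def false_positive_rate(issues):
    """Share of closed findings per tool that were rejected as false positives.

    This is the number the talk's "low False Positive rate" requirement is
    judged by, measured on your own code rather than on vendor claims.
    """
    rates = {}
    for tool in sorted({i["tool"] for i in issues}):
        closed = [i for i in issues if i["tool"] == tool and i["closed"]]
        fp = sum(1 for i in closed if i["resolution"] == "false_positive")
        rates[tool] = round(fp / len(closed), 2) if closed else None
    return rates


def median_time_to_fix(issues, severity=None):
    """Median days from open to close for fixed findings (optionally one severity)."""
    durations = [_days(i["opened"], i["closed"]) for i in issues
                 if i["resolution"] == "fixed"
                 and (severity is None or i["severity"] == severity)]
    return median(durations) if durations else None


def overdue_backlog(issues, as_of):
    """Open findings that have exceeded the SLA for their severity as of a date."""
    return [i for i in issues
            if i["closed"] is None and _days(i["opened"], as_of) > SLA_DAYS[i["severity"]]]


if __name__ == "__main__":
    print("false positive rate per tool:", false_positive_rate(ISSUES))
    print("median days to fix (all):", median_time_to_fix(ISSUES))
    print("median days to fix (critical):", median_time_to_fix(ISSUES, "critical"))
    print("overdue as of 2018-04-15:", len(overdue_backlog(ISSUES, "2018-04-15")))
```

Cutting the same records by tool and by severity is what shows where a tool is pulling its weight and where the process sags, which is the point of collecting them in the first place.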

Key Takeaways

Tools are not the main thing. First think about the process, then introduce tools. The tools are good but expensive, so you can start with the process and build communication and understanding between development and security. From the security side, there is no need to "stop" everything. From the development side, if there is something mega-critical, it needs to be fixed, not glossed over.

Product quality is the common goal of both security and development. We do one thing: we try to make sure everything works well and there are no reputational risks or financial losses. That is why we promote the DevSecOps, SecDevOps approach, to improve communication and make a better product.

Start with what you already have: requirements, architecture, partial checks, training, guidelines. There is no need to apply all practices to all projects at once; move iteratively. There is no single standard: experiment and try different approaches and solutions.

There is an equals sign between information security defects and functional defects.

Automate everything that moves. Whatever doesn't move, move it and automate it. If something is done by hand, it is not a good part of the process. Perhaps it is worth reconsidering and automating it as well.

If the IS team is small, use Security Champions.

Maybe what I've talked about won't suit you and you'll come up with something of your own, and that's fine. But choose tools based on the requirements of your process. Don't go by what the community says, that this tool is bad and that one is good. For your product the opposite may well be true.

Tool requirements.

  • Low False Positive rate.
  • Adequate analysis time.
  • Ease of use.
  • Availability of integrations.
  • Understanding of the product development roadmap.
  • Ability to customize the tools.

Yuri's talk was rated one of the best at DevOpsConf 2018. To get acquainted with even more interesting ideas and practical cases, come to Skolkovo on May 27 and 28 to DevOpsConf, part of the RIT++ festival. Even better, if you are ready to share your own experience, submit a talk proposal by April 21.

Source: www.habr.com
