Vulnerability analysis and secure development. Part 1

As part of their professional work, developers, pentesters and security specialists have to deal with processes such as Vulnerability Management (VM) and (Secure) SDLC.
Behind these terms lie different sets of practices and tools, which are interconnected even though their users differ.

Technological progress has not yet reached the point where a single tool can replace a human in assessing the security of infrastructure and applications.
It is worth understanding why this is so, and what problems one has to deal with.

Processes

The Vulnerability Management process is designed for continuous monitoring of infrastructure security and for patch management.
The Secure SDLC process ("secure development lifecycle") is designed to maintain application security during development and operation.

The part these processes have in common is Vulnerability Assessment: the assessment and analysis of vulnerabilities.
The main difference between scanning within VM and within SDLC is that in the first case the goal is to find known vulnerabilities in third-party software or in configuration. For example, an outdated version of Windows or a default SNMP community string.
In the second case, the goal is to detect vulnerabilities not in third-party components (dependencies), but primarily in the code of the new product.

This leads to differences in tools and approaches. In my opinion, the task of finding new vulnerabilities in an application is far more interesting, since it does not come down to version fingerprinting, banner collection, password brute-forcing and so on.
High-quality automated analysis of application vulnerabilities requires algorithms that take into account the semantics of the application, its purpose, and the specific threats to it.

An infrastructure scanner can often be replaced with a counter, as avleonov puts it. The point is that, purely statistically, you can consider your infrastructure vulnerable if you have not updated it for, say, a month.

Tools

Scanning, like security analysis in general, can be carried out as a black box or as a white box.

Black box

With blackbox scanning, the tool has to work with the service through the same interfaces that users work through.

Infrastructure scanners (Tenable Nessus, Qualys, MaxPatrol, Rapid7 Nexpose, etc.) look for open network ports, collect "banners", determine the versions of installed software, and search their knowledge base for vulnerabilities in those versions. They also try to detect configuration errors such as default passwords or publicly accessible data, weak SSL ciphers, and so on.

Web application scanners (Acunetix WVS, Netsparker, Burp Suite, OWASP ZAP, etc.) can also detect known components and their versions (for example CMS, frameworks, JS libraries). The main scanning steps are crawling and fuzzing.
During crawling, the crawler collects information about the application's existing interfaces and HTTP parameters. During fuzzing, every discovered parameter is substituted with mutated or generated data in order to provoke an error and detect a vulnerability.

Such scanners belong to the DAST and IAST classes: Dynamic and Interactive Application Security Testing, respectively.

White box

With whitebox scanning, there are more differences.
As part of the VM process, scanners (Vulners, Incsecurity Couch, Vuls, Tenable Nessus, etc.) are often given access to the systems in order to perform an authenticated scan. The scanner can then read the installed package versions and configuration parameters directly from the system, instead of guessing them from the banners of network services.
Such a scan is more accurate and more complete.
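The authenticated-scan step described above, as an added example that is not part of the original article: a package inventory collected from the host (here a constructed sample in the style of dpkg output) is matched against a constructed advisory list, with a finding raised when the installed version is older than the version the advisory says is fixed. The advisory ids are placeholders, and the version ordering is a simplification (real Debian ordering handles epochs and "~" via dpkg --compare-versions).

```python
"""Added example: matching an authenticated package inventory against a
vulnerability knowledge base, as a whitebox infrastructure scanner does.
The inventory and the advisories below are constructed for this demo."""
import re

# Constructed sample of "name version" lines, as an authenticated scan
# might collect them with dpkg-query on the host.
SAMPLE_INVENTORY = """\
openssl 1.1.1c-1
nginx 1.14.2-2
bash 5.0-4
libxml2 2.9.4+dfsg1-7
"""

# Constructed knowledge base: package -> [(fixed_in_version, advisory id placeholder)].
# Any installed version older than fixed_in is considered vulnerable.
SAMPLE_ADVISORIES = {
    "openssl": [("1.1.1d-1", "ADV-EXAMPLE-0001")],
    "nginx": [("1.14.2-2", "ADV-EXAMPLE-0002")],      # this host already has the fix
    "libxml2": [("2.9.4+dfsg1-8", "ADV-EXAMPLE-0003")],
}


def parse_inventory(text):
    """Turn 'name version' lines into a {name: version} dict."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version = line.split(None, 1)
        inventory[name] = version
    return inventory


def version_key(version):
    """Simplified comparable key: numeric runs compare as integers, letter runs
    as strings, so '1.1.1c' < '1.1.1d' and '1.9' < '1.10'. Assumption: no
    epochs or '~' pre-release markers in the inputs."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(t)) if t.isdigit() else (1, t) for t in tokens]


def is_vulnerable(installed, fixed_in):
    return version_key(installed) < version_key(fixed_in)


def match_advisories(inventory, advisories):
    """Report every (package, advisory) pair where the host is below the fix."""
    findings = []
    for name, installed in inventory.items():
        for fixed_in, advisory in advisories.get(name, []):
            if is_vulnerable(installed, fixed_in):
                findings.append({"package": name, "installed": installed,
                                 "fixed_in": fixed_in, "advisory": advisory})
    return findings


def scan_sample():
    return match_advisories(parse_inventory(SAMPLE_INVENTORY), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['package']} {f['installed']} -> update to {f['fixed_in']} ({f['advisory']})")
```

On the sample data the scan flags openssl and libxml2 and leaves nginx alone, because the exact installed version (not a banner-derived guess) is compared against the fixed version. A banner-based blackbox scan would typically see only "nginx/1.14.2" and could neither confirm the distribution patch level nor see openssl at all.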

When we talk about whitebox scanning of applications (CheckMarx, HP Fortify, Coverity, RIPS, FindSecBugs, etc.), we usually mean static code analysis and the use of the corresponding SAST tools: Static Application Security Testing.

Problems

There are many problems with scanning! I have had to deal with most of them personally, both while building a scanning service and a secure development process and while carrying out security assessment work.

I will single out three groups of problems, confirmed by conversations with engineers and information security leads in companies of various kinds.

Web scanning issues

  1. Difficult to implement. Scanners have to be deployed, configured, customized for each application, given a dedicated test environment to scan, and embedded in the CI/CD process for the scanning to be effective. Otherwise it becomes a useless formal procedure that produces nothing but false positives.
  2. Scan duration. Scanners, even in 2019, do a poor job of deduplicating interfaces and can spend days scanning a thousand pages with 10 parameters each, treating them as distinct even though the same code handles all of them. Meanwhile, the decision to deploy to production has to be made quickly within the development cycle.
  3. Poor recommendations. Scanners give fairly generic recommendations, and a developer cannot always quickly work out from them how to reduce the risk level and, more importantly, whether it has to be done right now or is not yet dangerous.
  4. Destructive impact on the application. Scanners can easily cause a DoS on the application, and they can also create a large number of entities or modify existing ones (for example, creating tens of thousands of comments on a blog), so you should not run them thoughtlessly against production.
  5. Poor vulnerability detection. Scanners usually use a fixed set of payloads and can easily miss a vulnerability that does not fit the behaviour pattern they know.
  6. The scanner does not understand the application's functions. Scanners by themselves have no idea what "online banking", "payment" or "comment" mean. For them there are only links and parameters, so a huge layer of business-logic vulnerabilities stays uncovered: it will not occur to them to double-spend, to look at someone else's data by ID, or to manipulate limits through rounding.
  7. The scanner does not understand page semantics. Scanners cannot read the FAQ, cannot recognise captchas, cannot figure out on their own how to register and then log in again, that they must not click "log out", or how to sign requests when they change parameter values. As a result, a large part of the application may remain completely unscanned.
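Point 2, the scanner that treats a thousand pages served by one handler as a thousand interfaces, is where most scan time goes. The following is an added example, not code from the article or from any scanner it names: crawled URLs (a constructed sample) are collapsed onto a key made of the host, the path with identifier-looking segments replaced by placeholders, and the set of parameter names, so that each underlying interface is fuzzed once. The placeholder patterns are an assumption about how the sample application builds its URLs.

```python
"""Added example: collapsing crawled URLs onto their underlying handlers so a
scanner fuzzes each interface once. All URLs below are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed crawl output: 8 URLs that exercise only 4 distinct handlers.
SAMPLE_URLS = [
    "https://shop.example/item/1001?ref=home",
    "https://shop.example/item/1002?ref=search",
    "https://shop.example/item/1003?ref=direct",
    "https://shop.example/user/a1b2c3d4e5f6a7b8/profile",
    "https://shop.example/user/ffff0000ffff0000/profile",
    "https://shop.example/search?q=shoes&page=1",
    "https://shop.example/search?page=2&q=boots",
    "https://shop.example/static/app.js",
]

# Path segments that look like identifiers are replaced by a placeholder.
# Assumption: numeric ids, UUIDs and long hex tokens cover this application.
ID_PATTERNS = [
    (re.compile(r"^\d+$"), "{int}"),
    (re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"), "{uuid}"),
    (re.compile(r"^[0-9a-f]{16,}$"), "{hex}"),
]


def normalize_path(path):
    """'/item/1001' -> '/item/{int}', '/user/<hex>/profile' -> '/user/{hex}/profile'."""
    segments = []
    for seg in path.split("/"):
        for pattern, placeholder in ID_PATTERNS:
            if pattern.match(seg):
                seg = placeholder
                break
        segments.append(seg)
    return "/".join(segments)


def interface_key(url):
    """Host, normalized path and the sorted set of parameter names.
    Parameter order and values are ignored; the set of names is not, because
    a handler usually behaves differently depending on which ones are present."""
    parts = urlsplit(url)
    names = tuple(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return (parts.netloc, normalize_path(parts.path), names)


def group_interfaces(urls):
    """Map each interface key to the concrete URLs that were crawled for it."""
    groups = {}
    for url in urls:
        groups.setdefault(interface_key(url), []).append(url)
    return groups


def scan_targets(urls):
    """One representative URL per interface: the list that actually needs fuzzing."""
    return [members[0] for members in group_interfaces(urls).values()]


if __name__ == "__main__":
    for key, members in group_interfaces(SAMPLE_URLS).items():
        print(f"{key[1]} params={key[2]}: {len(members)} crawled URL(s)")
```

The grouping turns 8 crawled URLs into 4 scan targets. The caveat is the opposite error: two ids under the same path can route to different code (an admin record versus a user record), and a parameter value such as action=delete changes the handler's behaviour while the key ignores values. A scanner that collapses interfaces this way should keep a few representatives per group and compare their response structure before trusting the merge.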

Source code scanning issues

  1. False positives. Static analysis is a hard problem that involves many trade-offs. Accuracy often has to be sacrificed, and even expensive enterprise scanners produce a huge number of false positives.
  2. Difficult to implement. To increase the accuracy and completeness of static analysis, the scanning rules have to be refined, and writing those rules can take far too long. Sometimes it is easier to find every place in the code with a given kind of defect and fix them than to write a rule that detects such cases.
  3. Lack of dependency support. Large projects depend on a large number of libraries and frameworks that extend the capabilities of the programming language. If the scanner's knowledge base contains no information about the dangerous places ("sinks") in these frameworks, they become a blind spot, and the scanner will not even understand the code.
  4. Scan duration. Finding vulnerabilities in code is a hard problem in algorithmic terms as well. So the process may well take a long time and require substantial computing resources.
  5. Low coverage. Despite the resource consumption and the scan duration, SAST tool developers still have to resort to trade-offs and analyse far from all of the states the program can be in.
  6. Reproducibility of findings. Pointing at the exact line and the call chain that leads to the vulnerability is great, but in practice the scanner often does not provide enough information to verify the vulnerability from the outside. After all, the defect may sit in dead code that is unreachable for an attacker.

Infrastructure scanning issues

  1. Insufficient inventory. In large infrastructures, especially geographically distributed ones, the hardest part is often finding out which hosts to scan at all. In other words, the scanning task is closely tied to the asset management task.
  2. Poor prioritization. Network scanners often produce a lot of results with defects that are not exploitable in practice but whose formal risk level is high. The consumer receives a report that is hard to interpret, and it is not clear what has to be fixed first.
  3. Poor recommendations. The scanner's knowledge base often contains only very general information about the vulnerability and how to fix it, so admins have to arm themselves with Google. The situation is slightly better with whitebox scanners, which can give a specific command that fixes the problem.
  4. Manual operations. An infrastructure can have many nodes, which means many potential defects, and the reports on them have to be triaged and analysed by hand on every iteration.
  5. Poor coverage. The quality of infrastructure scanning depends directly on the size of the knowledge base of vulnerabilities and software versions. As it turns out, even the market leaders do not have a comprehensive knowledge base, and the databases of free solutions contain a lot of information that the leaders lack.
  6. Patching problems. Most often, fixing an infrastructure vulnerability means updating a package or changing a configuration file. The big problem here is that the system, especially a legacy one, can behave unpredictably after the update. In effect, you end up running integration tests on live infrastructure in production.

Approaches

What to do?
I will go into the details, with examples and ways of dealing with many of the problems listed, in the following parts, but for now I will point out the areas in which you can work:

  1. Aggregating the results of different scanning tools. Used correctly, several scanners together give a significant increase in knowledge base and detection quality. You can find even more vulnerabilities than the sum of all the scanners run individually, while assessing the risk level more accurately and making more recommendations.
  2. Integrating SAST and DAST. It is possible to increase the coverage of DAST and the accuracy of SAST by exchanging information between them. From the source code you can obtain information about the existing routes, and with DAST you can check whether the vulnerability is visible from the outside.
  3. Machine Learning™. In 2015 I talked (and more) about using statistics to give a scanner a hacker's intuition and to speed it up. This is definitely food for the future development of automated security analysis.
  4. Integrating IAST with autotests and OpenAPI. Within the CI/CD pipeline, it is possible to build a scanning process on top of tools that work as HTTP proxies and functional tests that run over HTTP. OpenAPI/Swagger tests and contracts give the scanner the missing information about data flows, making it possible to scan the application in its various states.
  5. Correct configuration. For each application and infrastructure, a suitable scanning profile has to be created, taking into account the number and nature of the interfaces and the technologies used.
  6. Scanner customization. Often an application cannot be scanned without modifying the scanner. An example is a payment gateway where every request must be signed. Without a connector written for the gateway protocol, scanners will mindlessly hammer it with requests carrying an invalid signature. It is also necessary to write specialised scanners for particular types of defect, such as Insecure Direct Object Reference.
  7. Risk management. Using different scanners and integrating with external systems such as Asset Management and Threat Management makes it possible to use several parameters for assessing the risk level, so that management can get an adequate picture of the current security state of development or infrastructure.
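Points 1, 2 and 7 describe one pipeline: merge the output of several scanners, let SAST and DAST corroborate each other, and weight the result with asset data. The following is an added example, not code from the article or from any product it names, using constructed SAST and DAST findings and a constructed asset inventory. The field names, the confidence labels and the weighting formula are assumptions chosen for the demo, not a standard scoring scheme.

```python
"""Added example: aggregating SAST and DAST findings onto a common key,
raising confidence when both tools agree, and ranking by asset criticality.
All findings, assets and weights below are constructed for this demo."""

# Constructed SAST output: static tool sees code location and a route it maps to.
SAST_FINDINGS = [
    {"tool": "sast", "type": "sqli", "route": "/api/orders", "param": "id",
     "file": "orders.py", "line": 42, "severity": 9.0},
    {"tool": "sast", "type": "xss", "route": "/search", "param": "q",
     "file": "search.py", "line": 17, "severity": 6.0},
    {"tool": "sast", "type": "sqli", "route": "/admin/report", "param": "from",
     "file": "report.py", "line": 88, "severity": 9.0},
]

# Constructed DAST output: dynamic tool sees only what it reached over HTTP.
# Note the trailing slash and parameter case differences the merge must absorb.
DAST_FINDINGS = [
    {"tool": "dast", "type": "sqli", "route": "/api/orders/", "param": "id", "severity": 9.0},
    {"tool": "dast", "type": "xss", "route": "/search", "param": "Q", "severity": 6.0},
    {"tool": "dast", "type": "headers", "route": "/", "param": None, "severity": 2.0},
]

# Constructed asset inventory keyed by route (assumption: one asset per route).
ASSETS = {
    "/api/orders": {"criticality": 1.0, "internet_facing": True},
    "/search": {"criticality": 0.6, "internet_facing": True},
    "/admin/report": {"criticality": 0.9, "internet_facing": False},
    "/": {"criticality": 0.3, "internet_facing": True},
}

# Assumed weights: a SAST-only hit may be dead code, a DAST-only hit lacks a code
# location, a hit seen by both is the strongest evidence.
CONFIDENCE_FACTOR = {"confirmed": 1.0, "observed externally": 0.9, "needs verification": 0.6}


def normalize_route(route):
    route = route.lower().rstrip("/")
    return route or "/"


def finding_key(f):
    return (f["type"], normalize_route(f["route"]), (f.get("param") or "").lower())


def merge_findings(*sources):
    """Collapse findings from any number of tools onto (type, route, param)."""
    merged = {}
    for findings in sources:
        for f in findings:
            key = finding_key(f)
            entry = merged.setdefault(key, {"type": key[0], "route": key[1], "param": key[2],
                                            "tools": set(), "severity": 0.0, "evidence": []})
            entry["tools"].add(f["tool"])
            entry["severity"] = max(entry["severity"], f["severity"])
            if "file" in f:                      # keep the code location SAST provides
                entry["evidence"].append(f"{f['file']}:{f['line']}")
    return merged


def confidence(tools):
    if {"sast", "dast"} <= tools:
        return "confirmed"
    if "dast" in tools:
        return "observed externally"
    return "needs verification"


def prioritize(merged, assets):
    """Risk = severity x asset criticality x exposure x confidence, highest first."""
    ranked = []
    for entry in merged.values():
        asset = assets.get(entry["route"], {"criticality": 0.5, "internet_facing": True})
        conf = confidence(entry["tools"])
        exposure = 1.0 if asset["internet_facing"] else 0.5
        risk = round(entry["severity"] * asset["criticality"] * exposure * CONFIDENCE_FACTOR[conf], 2)
        ranked.append({**entry, "confidence": conf, "risk": risk})
    ranked.sort(key=lambda e: e["risk"], reverse=True)
    return ranked


def rank_sample():
    return prioritize(merge_findings(SAST_FINDINGS, DAST_FINDINGS), ASSETS)


if __name__ == "__main__":
    for e in rank_sample():
        print(f"{e['risk']:5.2f} {e['type']:8} {e['route']:14} {e['confidence']:20} {e['evidence']}")
```

On the sample data the SQL injection in /api/orders comes out on top as "confirmed" with its orders.py:42 location attached, while the SQL injection in /admin/report, which only SAST reported on a non-internet-facing route, drops below the confirmed XSS: exactly the reordering points 2 and 7 are after. The weights are the part a team should tune to its own risk model; the merge key is the part that has to be right first, since a trailing slash or parameter case mismatch silently turns one vulnerability into two unconfirmed ones.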

Stay tuned, and let's disrupt vulnerability scanning!

Source: www.habr.com