The functionality of modern application protection systems (WAFs) must reach well beyond the list of vulnerabilities in the OWASP Top 10.

Retrospective

The volume, composition and shape of cyber threats to applications are changing quickly. For many years, users reached websites on the Internet through a handful of well-known web browsers. It was enough to support two to five browsers at any given time, and the set of standards for building and testing websites was small. For example, almost every database was built on SQL. Unfortunately, criminals soon learned to use websites to steal, erase or alter data. They gained unauthorized access and abused application functionality through a variety of methods, including deceiving application users, injection and remote code execution. Before long, dedicated web protection tools called Web Application Firewalls (WAFs) appeared on the market, and the community responded by creating an open project for web application security, the Open Web Application Security Project (OWASP), to define and maintain development standards and methods.

Basic application protection

The OWASP Top 10 is the starting point for securing applications: it lists the most dangerous threats and misconfigurations that lead to application vulnerabilities, together with methods for detecting and defeating attacks. The OWASP Top 10 is a recognized benchmark across the cybersecurity industry worldwide and defines the core set of capabilities that a web application firewall (WAF) must have.

Beyond that, WAF functionality should account for other common attacks on web applications, including cross-site request forgery (CSRF), clickjacking, web scraping and file inclusion (RFI/LFI).

Threats and challenges in securing modern applications

Today, not every application is delivered as a web application. There are cloud applications, mobile applications, APIs and, in the newest architectures, even custom software functions. All of these application types need to be coordinated and controlled while they create, modify and process our data. With the arrival of new technologies and paradigms, new complexity and new problems appear at every stage of the application life cycle. This includes the integration of development and operations (DevOps), containers, the Internet of Things (IoT), open-source tools, APIs and more.

The distributed deployment of applications and the diversity of technologies create complex and compounding problems, not only for information security specialists but also for security solution vendors, who can no longer rely on a single unified approach. Application protection measures must also account for the business side: preventing fraud and preserving the quality of service delivered to users.

The attackers' end goal is usually to steal data or to disrupt service availability. Attackers also benefit from technological change. First, the development of new technologies creates additional potential gaps and vulnerabilities. Second, attackers have more tools and knowledge in their arsenal for evading conventional protection measures. This greatly expands the so-called "attack surface" and organizations' exposure to new risks. Security policies must change continuously in response to changes in technologies and applications.

Thus, applications must be protected against a constantly growing range of attack methods and sources, and automated attacks must be countered in real time on the basis of informed decisions. The consequence is rising operating costs and manual effort, together with a weakened security posture.

Challenge #1: Bot management

More than 60% of Internet traffic is generated by bots, and half of that is "bad" traffic (according to the Radware Security Report). Organizations invest in additional network capacity largely to serve this bogus load. Accurately distinguishing genuine user traffic from bot traffic, and "good" bots (for example search engines and price-comparison services) from "bad" ones, can yield significant cost savings and a better user experience.

Bots do not make this task easy: they can mimic the behaviour of real users and bypass CAPTCHAs and other obstacles. Moreover, when an attack is run from dynamic IP addresses, protection based on IP address filtering becomes ineffective. Open-source development tools that can execute client-side JavaScript (for example, PhantomJS) are routinely used to launch brute-force attacks, credential-stuffing attacks, DDoS attacks and other automated bot attacks.

To manage bot traffic effectively, a unique identifier for its source (a fingerprint) is needed. Because a bot attack generates many records, its fingerprint makes it possible to spot suspicious activity and assign scores, on the basis of which the application protection system makes an informed block/allow decision with a minimal false-positive rate.
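The scoring described above, as an added example that is not part of the original article or of any Radware product: the fingerprint is derived from the request shape (header names, User-Agent, Accept-Language), so a campaign that rotates source addresses still collapses to one identity, while a plain per-IP counter sees nothing unusual. The log format, the PhantomJS client profile and all thresholds are assumptions made for the example.

```python
"""Fingerprint-based bot scoring run over constructed access-log records.

Added example for this article; it is not code from the original page or
from Radware. The log format (one JSON object per request) and the scoring
thresholds are assumptions chosen for illustration.
"""
import hashlib
import json
from collections import defaultdict

# Constructed client profiles (not real traffic).
HUMAN_FIREFOX = {
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0",
    "accept_language": "en-US,en;q=0.5",
    "headers": ["accept", "accept-encoding", "accept-language", "cookie", "referer", "user-agent"],
}
HUMAN_SAFARI = {
    "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 Version/16.5 Safari/605.1.15",
    "accept_language": "de-DE,de;q=0.9",
    "headers": ["accept", "accept-encoding", "accept-language", "cookie", "user-agent"],
}
# Headless PhantomJS client: no Accept-Language, a sparse header set, rotating IPs.
SCRIPTED_CLIENT = {
    "ua": "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1",
    "accept_language": "",
    "headers": ["accept", "accept-encoding", "user-agent"],
}


def _line(ip, profile, path, status):
    return json.dumps({"ip": ip, "path": path, "status": status, **profile})


# Constructed sample log: six failed logins spread over three source IPs
# (two per address), plus ordinary browsing from two humans.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", HUMAN_FIREFOX, "/", 200),
     _line("203.0.113.10", HUMAN_FIREFOX, "/account", 200),
     _line("198.51.100.7", HUMAN_SAFARI, "/", 200),
     _line("198.51.100.7", HUMAN_SAFARI, "/login", 200)]
    + [_line(ip, SCRIPTED_CLIENT, "/login", 401)
       for ip in ("192.0.2.21", "192.0.2.22", "192.0.2.23") for _ in range(2)]
)


def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def fingerprint(rec):
    """Client identity derived from request shape rather than source address.

    The set of header names a client sends, its User-Agent and its
    Accept-Language are cheap to read at layer 7 and usually stay constant
    across an automated campaign even while the IP address rotates.
    """
    material = "|".join([rec["ua"], rec["accept_language"], ",".join(sorted(rec["headers"]))])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def per_ip_counts(records):
    """What a plain per-IP rate limiter would see."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["ip"]] += 1
    return dict(counts)


def score_fingerprints(records):
    """Aggregate per fingerprint and assign a suspicion score of 0..4."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "failed_logins": 0, "headless": False})
    for rec in records:
        s = stats[fingerprint(rec)]
        s["requests"] += 1
        s["ips"].add(rec["ip"])
        if rec["path"] == "/login" and rec["status"] == 401:
            s["failed_logins"] += 1
        if "PhantomJS" in rec["ua"] or "HeadlessChrome" in rec["ua"] or not rec["accept_language"]:
            s["headless"] = True
    result = {}
    for fp, s in stats.items():
        score = int(s["requests"] >= 5)          # volume
        score += int(len(s["ips"]) >= 3)         # one client shape, many addresses
        score += int(s["failed_logins"] >= 3)    # credential-stuffing pattern
        score += int(s["headless"])              # automation tooling hints
        result[fp] = {**s, "ips": len(s["ips"]), "score": score}
    return result


def decide(records, block_at=2):
    """Map each fingerprint to "block" or "allow"; the threshold is an assumption."""
    return {fp: ("block" if s["score"] >= block_at else "allow")
            for fp, s in score_fingerprints(records).items()}
```

Running `decide(parse_log(SAMPLE_LOG))` blocks exactly one fingerprint, the PhantomJS client, even though no single source address in the sample exceeds two requests. A real deployment would add TLS and browser-side signals to the fingerprint and would tune the thresholds against observed traffic; header-only fingerprints can be forged by a determined attacker, which is why the page pairs them with behavioural scoring rather than using them as a hard identity.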


Challenge #2: API protection

More and more applications gather information and data from the services they interact with through APIs. Yet while sensitive data is sent over APIs, more than 50% of organizations do not validate or protect their APIs in a way that would detect cyberattacks.

Examples of API use:

  • Internet of Things (IoT) integration
  • Machine-to-machine communication
  • Serverless environments
  • Mobile applications
  • Event-driven applications

API vulnerabilities are similar to application vulnerabilities and include injection, protocol attacks, parameter manipulation, redirects and bot attacks. Dedicated API gateways help ensure compatibility between the services that interact through APIs. However, they do not provide end-to-end application protection the way a WAF can with essential security tools such as HTTP header parsing, Layer 7 access control lists (ACLs), JSON/XML payload parsing and inspection, and protection against every threat on the OWASP Top 10 list. This is achieved by inspecting key API values using both a positive and a negative security model.
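The two models side by side, as an added example that is not code from the original page or from Radware: a Layer 7 ACL keyed on method and path, a positive model (a schema that says exactly which fields, types and ranges a request may contain, rejecting anything unknown), and a negative model (signatures for fragments that never belong in a legitimate value). The route table, the order schema, the signature list and the size limit are assumptions made for the example.

```python
"""Positive- and negative-model inspection of API requests.

Added example for this article; not code from the original page or from
Radware. The route table, the order schema and the signature list are
assumptions chosen to illustrate the two models side by side.
"""
import json
import re

# Positive model: exactly what a well-formed request may contain. Unknown
# fields, wrong types and out-of-range values are rejected even when no
# known-bad pattern appears in them.
ORDER_SCHEMA = {
    "customer_id": {"type": int, "min": 1},
    "sku":         {"type": str, "pattern": re.compile(r"^[A-Z0-9-]{3,20}$")},
    "quantity":    {"type": int, "min": 1, "max": 100},
    "note":        {"type": str, "max_len": 200, "optional": True},
}

# Layer 7 ACL: (method, path) -> body schema, or None for a body-less request.
ROUTE_ACL = {
    ("POST", "/api/v1/orders"): ORDER_SCHEMA,
    ("GET", "/api/v1/orders"): None,
}

# Negative model: fragments that never belong in a legitimate string value.
BAD_PATTERNS = [
    (re.compile(r"(?i)\bunion\b[\s\S]*\bselect\b|'\s*or\s*'1'\s*=\s*'1"), "sql-injection"),
    (re.compile(r"\.\./"), "path-traversal"),
    (re.compile(r"(?i)<\s*script\b"), "xss"),
]

MAX_BODY_BYTES = 4096  # assumed limit; real APIs size this per route


def _check_field(name, value, rule):
    # `type(value) is` rather than isinstance: bool is a subclass of int and
    # must not pass as an integer quantity.
    if type(value) is not rule["type"]:
        return [f"{name}: expected {rule['type'].__name__}"]
    reasons = []
    if "min" in rule and value < rule["min"]:
        reasons.append(f"{name}: below minimum {rule['min']}")
    if "max" in rule and value > rule["max"]:
        reasons.append(f"{name}: above maximum {rule['max']}")
    if "max_len" in rule and len(value) > rule["max_len"]:
        reasons.append(f"{name}: longer than {rule['max_len']} characters")
    if "pattern" in rule and not rule["pattern"].match(value):
        reasons.append(f"{name}: does not match allowed pattern")
    if isinstance(value, str):
        for pattern, label in BAD_PATTERNS:
            if pattern.search(value):
                reasons.append(f"{name}: matched signature {label}")
    return reasons


def inspect_request(method, path, content_type, body):
    """Return {"allowed": bool, "reasons": [...]} for one API request.

    `body` is the raw request body as bytes (b"" when there is none).
    """
    if (method, path) not in ROUTE_ACL:
        return {"allowed": False, "reasons": [f"{method} {path}: not in layer 7 ACL"]}
    schema = ROUTE_ACL[(method, path)]
    if schema is None:
        reasons = ["unexpected body on body-less route"] if body else []
        return {"allowed": not reasons, "reasons": reasons}
    if len(body) > MAX_BODY_BYTES:
        return {"allowed": False, "reasons": ["body exceeds size limit"]}
    if not content_type.lower().startswith("application/json"):
        return {"allowed": False, "reasons": ["content type must be application/json"]}
    try:
        payload = json.loads(body)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        return {"allowed": False, "reasons": ["body is not valid JSON"]}
    if not isinstance(payload, dict):
        return {"allowed": False, "reasons": ["top-level JSON value must be an object"]}
    reasons = [f"{name}: unknown field" for name in sorted(payload.keys() - schema.keys())]
    for name, rule in schema.items():
        if name not in payload:
            if not rule.get("optional"):
                reasons.append(f"{name}: required field missing")
            continue
        reasons.extend(_check_field(name, payload[name], rule))
    return {"allowed": not reasons, "reasons": reasons}
```

The order of checks matters: the ACL and size limit run before the body is parsed, so an oversized or unrouted request never reaches the JSON parser, and the positive model runs before the signatures, so a payload that smuggles an extra `is_admin` field is rejected as an unknown field even though it contains nothing a signature would catch. Signatures alone would have let it through.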

Challenge #3: Denial of service

The classic attack vector, denial of service (DoS), continues to prove its effectiveness against applications. Attackers have a range of proven methods for disrupting application services, including HTTP or HTTPS floods, low-and-slow attacks (for example Slowloris and Tor's Hammer), flooding tools such as LOIC, attacks from dynamic IP addresses, buffer overflows, brute-force attacks and much more. With the growth of the Internet of Things and the subsequent emergence of IoT botnets, attacks on applications have become the main focus of DDoS attacks. Most WAFs can handle only a limited amount of load. Nevertheless, they can inspect HTTP/S traffic flows and strip out attack traffic and malicious connections. Once an attack has been detected, there is no reason to keep passing this traffic. Because a WAF's capacity to absorb attacks is limited, an additional solution is needed at the network perimeter to automatically block the subsequent "bad" packets. In this protection scenario the two solutions must communicate with each other to exchange information about the attack.
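The low-and-slow case and the hand-off to the perimeter, as an added example that is not code from the original page or from Radware: a Slowloris-style client opens many connections and trickles one header line every few seconds so the server keeps each connection open. The detector below counts, per source address, the connections whose request header is still incomplete after a timeout, and emits drop rules for a perimeter device once an address exceeds a threshold. The event shape, the thresholds and the rule format are assumptions made for the example.

```python
"""Low-and-slow (Slowloris-style) connection tracking with hand-off to the perimeter.

Added example for this article; not code from the original page or from
Radware. The event shape, the thresholds and the rule format handed to the
perimeter device are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    ip: str
    opened_at: float
    last_byte_at: float
    header_complete: bool = False


class SlowHeaderDetector:
    """Tracks connections whose HTTP request header never completes.

    A per-connection header timeout alone is a weak defence: the attacker
    simply reopens the connection. Counting stalled connections per source
    address is what turns the pattern into a blockable decision.
    """

    def __init__(self, header_timeout=30.0, max_pending_per_ip=5):
        self.header_timeout = header_timeout
        self.max_pending_per_ip = max_pending_per_ip
        self.conns = {}

    def on_open(self, conn_id, ip, t):
        self.conns[conn_id] = Conn(ip=ip, opened_at=t, last_byte_at=t)

    def on_bytes(self, conn_id, t, completes_header):
        c = self.conns[conn_id]
        c.last_byte_at = t
        c.header_complete = c.header_complete or completes_header

    def on_close(self, conn_id):
        self.conns.pop(conn_id, None)

    def pending_by_ip(self, now):
        """Header-incomplete connections older than the timeout, per source IP."""
        pending = {}
        for c in self.conns.values():
            if not c.header_complete and now - c.opened_at >= self.header_timeout:
                pending[c.ip] = pending.get(c.ip, 0) + 1
        return pending

    def offenders(self, now):
        return sorted(ip for ip, n in self.pending_by_ip(now).items()
                      if n >= self.max_pending_per_ip)

    def perimeter_rules(self, now, ttl=600):
        """Drop rules for the perimeter device (hypothetical format), so the
        WAF stops absorbing the stalled connections itself."""
        return [{"action": "drop", "src": ip, "expires_at": now + ttl}
                for ip in self.offenders(now)]


def build_sample_detector():
    """Feed a constructed event stream (not captured traffic) into a detector."""
    d = SlowHeaderDetector()
    # Ordinary browser: each request header arrives in one go.
    for i in range(3):
        d.on_open(f"good-{i}", "203.0.113.10", 0.1 * i)
        d.on_bytes(f"good-{i}", 0.1 * i + 0.05, completes_header=True)
    # One slow but legitimate client on a poor link: a single stalled connection.
    d.on_open("slow-0", "198.51.100.7", 20.0)
    d.on_bytes("slow-0", 25.0, completes_header=False)
    # Slowloris-style client: eight connections, one partial header line every
    # ten seconds, never the blank line that ends the header.
    for i in range(8):
        d.on_open(f"bad-{i}", "192.0.2.50", float(i))
        for k in range(1, 6):
            d.on_bytes(f"bad-{i}", i + 10.0 * k, completes_header=False)
    return d
```

Evaluated at t=60 the detector reports one offender, 192.0.2.50 with eight stalled connections, while the single stalled connection from 198.51.100.7 stays below the threshold and is left alone. Two caveats a practitioner would add: a per-address count can sweep up many users behind one NAT address, so in production this signal is combined with the fingerprinting discussed under Challenge #1, and web servers already offer header timeouts of their own (Apache's mod_reqtimeout, nginx's client_header_timeout) that should be enabled regardless of what sits in front of them.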

Fig. 1. Ensuring full application availability and protection for an organization, using Radware solutions as an example

Challenge #4: Continuous protection

Applications change frequently. Development and deployment practices such as rolling updates mean that changes happen without human intervention or control. In such a dynamic environment it is hard to maintain security policies that work adequately without a large number of false positives. Mobile applications are updated far more often than web applications. Third-party applications can change without your knowledge. Some organizations seek greater control and visibility in order to stay ahead of potential risks. That is not always achievable, however, and reliable application protection must use machine learning to automatically identify and inventory the resources in place, analyze potential threats, and create and adjust security policies whenever an application changes.

Conclusions

As applications play an ever more important role in daily life, they become a prime target for attackers. The potential rewards for criminals and the potential losses for businesses are enormous. The difficulty of the application security task cannot be overstated, given the number and variety of applications and threats.

Fortunately, we are at a moment when artificial intelligence can come to our aid. Machine-learning-based algorithms provide adaptive, real-time protection against the most advanced application-targeted cyber threats. They also automatically adjust security policies to protect web, mobile and cloud applications, as well as APIs, without false positives.

It is hard to predict with certainty what the next generation of application cyber threats (possibly also based on machine learning) will look like. But organizations can certainly take steps to protect customer data, safeguard intellectual property and ensure service availability, with major benefits for the business.

Effective approaches and methods for ensuring application security, the main types and vectors of attacks, the risk areas and weak spots in the cyber protection of web applications, as well as global experience and best practices, are presented in the Radware study and report "Web Application Security in a Digitally Connected World".

Source: www.habr.com
