Fear and Loathing in DevSecOps

We had 2 code analyzers, 4 dynamic testing tools, our own home-grown scripts and 250 of them in total. Not that all of this is needed in the current process, but once you have started implementing DevSecOps, you have to go all the way.

Image caption: character creators Justin Roiland and Dan Harmon.

What is SecDevOps? What about DevSecOps? What are the differences? Application Security - what is it? Why does the classical approach no longer work? Yuri Shabalin from Swordfish Security knows the answers to all these questions. Yuri answers everything in detail and analyzes the problems of moving from the classical Application Security model to the DevSecOps process: how to correctly approach embedding a secure development process into the DevOps process without breaking anything, how to walk through the main stages of security testing, which tools can be used, how they differ, and how to configure them correctly to avoid the pitfalls.

About the speaker: Yuri Shabalin is Chief Security Architect at Swordfish Security. He is responsible for implementing SSDL and for the end-to-end integration of application analysis tools into a unified development and testing ecosystem. 7 years of experience in information security. He worked at Alfa-Bank, Sberbank and Positive Technologies, which develops software and provides services. Speaker at the international conferences ZeroNights, PHDays, RISSPA, OWASP.

Application Security: what is it?

Application Security is the branch of security responsible for the security of applications. It is not about infrastructure or network security, but about what we write and what developers work on: the defects and vulnerabilities of the application itself.

The SDL or SDLC direction - Security Development Lifecycle - was developed by Microsoft. The diagram shows the canonical SDLC model, whose main task is the participation of security at every stage of development, from requirements to release and production. Microsoft saw that there were too many bugs in the industry, that there were more and more of them and that something had to be done about it, and proposed this approach, which has become canonical.

Application Security and SSDL are aimed not at detecting vulnerabilities, as is commonly believed, but at preventing them from appearing. Over time, Microsoft's canonical approach has been refined, developed and expanded into a deeper, more detailed dive.

The canonical SDLC is described in great detail in various methodologies - OpenSAMM, BSIMM, OWASP. The methodologies differ, but are broadly similar.

Building Security In Maturity Model

I like BSIMM the most - Building Security In Maturity Model. The basis of the methodology is the division of the Application Security process into 4 domains: Governance, Intelligence, SSDL Touchpoints and Deployment. The domains contain 12 practices in total (three per domain), which are broken down into 112 activities.

Each of the 112 activities has 3 maturity levels: beginner, intermediate and advanced. You can go through all 12 practices one by one, select the ones that matter to you, work out how to implement them and gradually add elements, for example static and dynamic code analysis or code review. You write down a plan and work calmly according to it as part of implementing the selected activities.

Why DevSecOps

DevOps is a common, mature process in which security has to be taken into account.

Initially DevOps did not include security checks. In practice, security teams were far smaller than they are now, and they acted not as participants in the process but as a controlling and supervising body that imposes requirements on it and checks the quality of the product at the end of the release. This is the classical approach, in which security teams sat behind a wall from development and did not take part in the process.

The main problem is that information security is separated from development. Usually it is a security enclave of its own with 2-3 large and expensive tools. Once every six months the source code or application that needs checking arrives, and once a year pentests are performed. All of this means that the release date to production slips, and the developer is hit with a huge number of vulnerabilities from automated tools. It is impossible to sort through and fix all of this, because the results from the previous six months have not been sorted out yet, and here is a new batch.

In the course of our company's work we see that security in all areas and industries understands that it is time to catch up and spin on the same wheel as development - in Agile. The DevSecOps paradigm fits perfectly with agile development methodology, implementation, support and participation in every release and iteration.

Transition to DevSecOps

The most important word in Security Development Lifecycle is "process". You have to understand this before you think about buying tools.

Simply embedding tools into the DevOps process is not enough - communication and understanding between the participants in the process are essential.

People matter most, not tools.

Often, planning a secure development process starts with selecting and purchasing a tool, and ends with an attempt to integrate the tool into the existing process, an attempt that stays an attempt. This leads to sad consequences, because every tool has its own characteristics and limitations.

A typical case: the security department selected a good, expensive tool with broad capabilities and came to the developers to embed it into the process. But it does not work out - the process is built in such a way that the limitations of the already purchased tool do not fit into the current paradigm.

First, describe what result you want and what the process will look like. This will help you understand the roles of the tool and of security in the process.

Start with what is already in use

Before buying expensive tools, look at what you already have. Every company has security requirements for development, there are checks, there are pentests - why not turn all of this into an understandable form that is convenient for everyone?

Usually the requirements are a paper Talmud lying on a shelf. There was a case when we came to a company to look at the processes and asked to see the software security requirements. The specialist responsible for this searched for a long time:

- Now, somewhere in the notes there was a path to where this document lies.

As a result, we received the document a week later.

For requirements, checks and other things, create a page in, for example, Confluence - it is convenient for everyone.

It is easier to transform what you already have and use it to get started.

Use Security Champions

Usually, in an average company with 100-200 developers, there is one security specialist who performs several functions and does not have time to check everything. Even if he tries his best, he alone will not review all the code that development produces. For such cases a concept was developed - Security Champions.

Security Champions are people inside the development team who are interested in the security of your product.

A Security Champion is an entry point into the development team and a security evangelist rolled into one.

Usually, when a security specialist comes to the development team and points out an error in the code, he gets a surprised reply:

- And who are you? I am seeing you for the first time. Everything is fine with me - my senior colleague gave me an "approve" on code review, we move on!

This is a typical situation, because there is far more trust in seniors, or simply in teammates with whom the developer constantly interacts at work and in code review. If, instead of the security officer, a Security Champion points out the error and its consequences, his word will carry more weight.

Also, developers know their code better than any security specialist. For a person who has at least five projects in a static analysis tool, it is usually hard to remember all the nuances. Security Champions know their product: what interacts with what and what to look at first - they are more effective.

So consider introducing Security Champions and expanding the influence of your security team. This is useful for the champion too: professional growth in a new field, broader technical horizons, better technical, management and leadership skills, higher market value. It is also an element of social engineering, your "eyes" in the development team.

Testing stages

The 20/80 paradigm says that 20% of the effort brings 80% of the results. That 20% of application analysis practices can and should be automated. Examples of such practices are static analysis - SAST, dynamic analysis - DAST, and Open Source control. I will talk in more detail about the practices and about the tools, about which peculiarities we usually run into when introducing them into the process, and about how to do it right.

Main problems of the tools

I will highlight the problems that are relevant to all tools and require attention. I will go through them in detail so as not to repeat them later.

Long analysis time. If it takes thirty minutes from commit to release for all the tests and the build, and the information security checks take a day, then nobody will slow the process down for them. Take this into account and draw conclusions.

High level of False Negatives or False Positives. All products are different, all use different frameworks and their own coding style. On different codebases and technologies, tools can show different levels of False Negatives and False Positives. So look at what exactly you have in your company and which tool will give good, reliable results on your applications.

No integration with existing tools. Evaluate tools by their integration with what you already use. For example, if you have Jenkins or TeamCity, check the tool's integration with that software, and not with GitLab CI, which you do not use.

Missing or overly complex customization. If a tool has no API, why is it needed at all? Everything that can be done in the interface should be available through the API. Ideally, the tool should allow you to customize the checks.

No product development roadmap. Development does not stand still: we constantly use new frameworks and features and rewrite old code in new languages. We want to be sure that the tool we buy will support new frameworks and technologies. So it is important to know that the product has a real and sensible development roadmap.

Process peculiarities

Besides the peculiarities of the tools, consider the peculiarities of the development process. For example, obstructing development is a typical mistake. Let's look at what else should be taken into account and what the security team should pay attention to.

In order not to miss development and release deadlines, create different rules and different show stoppers - criteria for stopping the build process when vulnerabilities are present - for different environments. For example, we understand that the current branch is going to a development stand or to UAT, which means we do not stop it and say:

"You have vulnerabilities here, you are not going anywhere!"

At this point it is important to tell the developers that there are security issues that need attention.

The presence of vulnerabilities is not a barrier to further testing: manual, integration or acceptance. On the other hand, we need to somehow raise the security of the product, and make sure that developers do not ignore what security finds. So sometimes we do this: on the stand, when it is rolled out to the development environment, we simply notify development:

- Guys, you have problems, please pay attention to them.

At the UAT stage we show the warning about the vulnerabilities again, and at the release stage we say:

- Guys, we warned you several times, you did nothing - we are not letting you out with this.

If we are talking about code and dynamics, then we need to show and warn about vulnerabilities only in the features and code that were just written in this feature. If a developer moved a button by three pixels and we tell him that he has a SQL injection there that therefore needs to be fixed urgently, that is wrong. Look only at what is being written now and at the changes that are coming into the application.

Suppose we have some functional defect - a way in which the application should not behave: money is not transferred, clicking a button does not take you to the next page, or the product does not load. Security Defects are the same kind of defects, but not in terms of how the functionality works, but in terms of security.

Not all software quality problems are security problems. But all security problems are related to software quality. Sherif Mansour, Expedia.

Since all defects are the same, they should live in the same place as all development defects. So forget about reports and scary PDFs that nobody reads.

When I worked at a development company, I received a report from a static analysis tool. I opened it, got scared, made coffee, scrolled through 350 pages, closed it and went on working. Big reports are dead reports. Usually they go nowhere, the emails are deleted, forgotten, lost, or the business says it accepts the risk.

What to do? We simply convert the confirmed defects we found into a form convenient for development, for example we put them into the backlog in Jira. We prioritize the defects and eliminate them in priority order, alongside functional defects and test defects.

Static Analysis - SAST

This is analysis of the code for vulnerabilities, but it is not the same as SonarQube. We do not just check patterns or style. Several approaches are used in the analysis: by vulnerability tree, by DataFlow, by analyzing configuration files. This is everything that concerns the code itself.

Pros of the approach: finding vulnerabilities in the code at an early stage of development, when there are no stands or ready tools yet, and the possibility of incremental scanning: scanning only the part of the code that changed, and only the feature we are working on right now, which reduces the scanning time.

Cons - lack of support for the languages you need.

The integrations that, in my subjective opinion, a tool must have:

  • Integration with the CI tool: Jenkins, TeamCity and GitLab CI.
  • Development environment: IntelliJ IDEA, Visual Studio. It is more convenient for a developer not to navigate some unfamiliar interface that also has to be remembered, but to see all the necessary integrations and the vulnerabilities that were found right in his development environment at his workplace.
  • Code review: SonarQube and manual review.
  • Defect trackers: Jira and Bugzilla.

The picture shows some of the best-known representatives of static analysis.

It is not the tools that matter but the process, so there are Open Source solutions that are also fine for trying out the process.

Open Source SAST will not find a huge number of vulnerabilities or complex DataFlows, but it can and should be used when building the process. It helps you understand how the process will be built, who will respond to bugs, who will report, and who will fix. If you want to take the first step in building the security of your code, use Open Source solutions.

How can this be integrated if you are at the beginning of your journey and have nothing: no CI, no Jenkins, no TeamCity? Let's look at integration into the process.

Integration at the CVS level

If you have Bitbucket or GitLab, you can integrate at the level of the version control system (called CVS, Concurrent Versions System, in the talk).

By event - pull request, commit. You scan the code and the build status shows whether the security check passed or failed.

Feedback. Of course, feedback is always needed. If you simply ran security on the side, put it in a box and told nobody about it, and then at the end of the month dumped a pile of bugs - that is wrong and not nice.

Integration with the code review system

At one time we set up the AppSec technical user as the default reviewer in a number of important projects. Depending on whether errors were found in the new code or there were none, the reviewer sets the status on the pull request to "accept" or "need work" - either everything is fine, or there are links to what exactly needs to be improved. For integration with the version going to production, we enabled a merge prohibition if the information security tests did not pass. We built this into the code review process, and the other participants in that process could see the security status of this particular change.

Integration with SonarQube

Many have a quality gate for code quality. It is the same here - you can make the same gates just for SAST tools. There will be the same interface, the same quality gate, only it will be called a security gate. And if you already have a process built on SonarQube, you can easily integrate everything there.

Integration at the CI level

Everything here is also quite simple:

  • On the same level as autotests and unit tests.
  • Divided by development stage: dev, test, prod. Different sets of rules or different failure conditions can be enabled: stop the build, do not stop the build.
  • Synchronous / asynchronous launch. Do we wait for the security tests to finish or not? That is, we just launched them and moved on, and later we get a status that everything is good or bad.

All of this is in an ideal rosy world. In real life there is nothing like it, but we strive for it. The result of running security checks should look like the result of unit tests.

For example, we took a big project and decided that from now on we will scan it with SAST - OK. We pushed this project into SAST, it gave us 20,000 vulnerabilities, and by a strong-willed decision we decided that everything was fine. The 20,000 vulnerabilities are our technical debt. We put the debt into a box, we will gradually work through it and add the bugs to the defect trackers. We hire a company, do it all ourselves, or let the Security Champions help us - and the technical debt will shrink.

And every defect that newly appears in new code must be eliminated in the same way as a failing unit test or autotest. Accordingly, the build started, we ran it, two tests and two security tests failed. Fine - we went, looked at what happened, fixed one thing, fixed another, ran it the next time - everything is fine, no new vulnerabilities appeared, no tests failed. If the task is deeper and needs to be properly understood, or fixing the vulnerability affects large layers of what lies under the hood, then the bug is added to the defect tracker, prioritized and fixed. Unfortunately, the world is not perfect and tests sometimes fail.

An example of a security gate, the analogue of a quality gate, is based on the presence and number of vulnerabilities in the code.
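The gate logic described above (only what the current change introduced can stop a build, the 20,000 findings from the first scan are carried as a baseline, and the reaction differs between dev, UAT and release) is small enough to write down. The following is an added example, not code from the talk, from SonarQube or from any SAST vendor. It assumes the scanner reports each finding with a stable fingerprint (a hash of rule plus code context that survives line shifts) and that CI supplies the list of files touched by the commit; the findings, baseline and changed-file list below are constructed samples, and the stage policy is an assumption to be agreed with development.

```python
"""Security gate with a technical-debt baseline and per-stage rules."""
from dataclasses import dataclass, field

# Which severities stop the build at each stage.  dev and uat only warn; the
# release (prod) gate fails on critical and high findings.  Assumed policy.
STAGE_POLICY = {
    "dev": frozenset(),
    "uat": frozenset(),
    "prod": frozenset({"critical", "high"}),
}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    severity: str
    fingerprint: str  # stable id from the scanner, e.g. hash(rule, file, snippet)


@dataclass
class GateResult:
    status: str                                        # "pass", "warn" or "fail"
    new_in_change: list = field(default_factory=list)  # new findings in touched files
    new_elsewhere: list = field(default_factory=list)  # new findings outside the change
    debt: list = field(default_factory=list)           # findings already in the baseline


def build_baseline(findings):
    """First full scan of a legacy project: everything found becomes technical debt."""
    return frozenset(f.fingerprint for f in findings)


def evaluate_gate(findings, baseline, changed_files, stage):
    """Split findings into debt / new-in-change / new-elsewhere, then apply the stage policy."""
    changed = set(changed_files)
    result = GateResult(status="pass")
    for f in findings:
        if f.fingerprint in baseline:
            result.debt.append(f)
        elif f.file in changed:
            result.new_in_change.append(f)
        else:
            result.new_elsewhere.append(f)

    # Only what this change introduced can fail the build.  Debt and findings
    # outside the change go to the backlog, not to the developer who moved a button.
    blocking = STAGE_POLICY[stage]
    if any(f.severity in blocking for f in result.new_in_change):
        result.status = "fail"
    elif result.new_in_change:
        result.status = "warn"
    return result


# Constructed scanner output for a commit that touched the UI only.
SAMPLE_FINDINGS = [
    Finding("legacy/report.py", 120, "sql-injection", "critical", "fp-legacy-report-sqli"),
    Finding("legacy/report.py", 140, "weak-hash", "medium", "fp-legacy-report-md5"),
    Finding("orders/api.py", 57, "sql-injection", "critical", "fp-orders-api-sqli"),
    Finding("ui/button.py", 12, "hardcoded-secret", "high", "fp-ui-button-secret"),
    Finding("ui/button.py", 30, "reflected-xss", "medium", "fp-ui-button-xss"),
]
# Baseline taken when SAST was first switched on: the two legacy findings are debt.
BASELINE = build_baseline(SAMPLE_FINDINGS[:2])
# Files CI reports as touched by this commit (constructed).
CHANGED_FILES = ["ui/button.py", "ui/styles.css"]


if __name__ == "__main__":
    for stage in ("dev", "uat", "prod"):
        r = evaluate_gate(SAMPLE_FINDINGS, BASELINE, CHANGED_FILES, stage)
        print(f"{stage}: {r.status}; new in change={len(r.new_in_change)}, "
              f"new elsewhere={len(r.new_elsewhere)}, debt={len(r.debt)}")
```

The same commit gives "warn" on dev and UAT and "fail" on release, because the hardcoded secret in ui/button.py is new and high. The SQL injection in orders/api.py is new but outside the change, so it is reported to the backlog rather than charged to this commit; dropping it silently would be the wrong lesson to take from "look only at the changes".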

We integrate with SonarQube - the plugin is installed, everything is simple and neat.

Integration with the development environment

Integration options:

  • Running a scan from the development environment before committing.
  • Viewing the results.
  • Analyzing the results.
  • Synchronizing with the server.

This is roughly what receiving results from the server looks like.

In our development environment, IntelliJ IDEA, an extra element simply appears that tells you that such-and-such vulnerabilities were found during the scan. You can quickly edit the code, look at the recommendations and the Flow Graph. All of this is at the developer's workplace, which is very convenient - no need to follow other links and look at something extra.

Open Source

This is my favourite topic. Everybody uses Open Source libraries - why write a pile of crutches and reinvent the wheel when you can take a ready-made library in which everything is already done?

Yes, that is true, but libraries are also written by people, they also carry certain risks, and they also have vulnerabilities, which are reported constantly or from time to time. So there is a next step in Application Security - analysis of Open Source components.

Open Source Analysis - OSA

The tooling covers three main stages.

Searching for vulnerabilities in libraries. For example, the tool knows that we are using some library, and that there is a CVE for it or there are bugs in bug trackers related to this version of the library. When you try to use it, the tool issues a warning that the library is vulnerable and advises using another version that has no vulnerabilities.

License cleanliness analysis. This is not very popular here yet, but if you work abroad you may from time to time get a fine for using an open source component that may not be used or modified. Under the policy of a library's license we may not be allowed to do this. Or, if we modified it and are using it, we have to publish our code. Of course, nobody wants to publish the code of their products, but you can also protect yourself from this.

Analysis of the components used in the production environment. Let's imagine a hypothetical situation: we finally finished development and released the latest version of our microservice. It lives there happily - a week, a month, a year. We do not rebuild it, we run no security checks, everything seems fine. But suddenly, two weeks after the release, a critical vulnerability appears in an Open Source component that we use in this particular build, in production. If we did not record what we use and where, we simply will not see this vulnerability. Some tools can monitor vulnerabilities in the libraries that are currently in use in production. This is very useful.

Features:

  • Different rules for different development stages.
  • Monitoring of components in the production environment.
  • Control of libraries within the organization's perimeter.
  • Support for various build systems and languages.
  • Analysis of Docker images.

A few examples of the industry leaders doing Open Source analysis.

The only free one is Dependency-Check from OWASP. You can enable it in the early stages and see how it works and what it supports. Essentially these are all cloud products, or on-premises, but under the hood something is still sent to the Internet. They do not send your libraries themselves, but hashes or other values that they compute, and fingerprints, to their server in order to receive information about the presence of vulnerabilities.

Integration into the process

Perimeter control of libraries that are pulled in from outside. We have external and internal repositories. For example, Event Central runs Nexus, and we want to be sure that there are no vulnerabilities with "critical" or "high" status inside our repository. You can set up proxying using the Nexus Firewall Lifecycle tool so that such vulnerabilities are cut off and never end up in the internal repository.

Integration into CI. At the same level as autotests and unit tests, divided by development stage: dev, test, prod. At each stage you can download any libraries and use anything, but if there is something with a hard "critical" status, it is probably worth drawing the developers' attention to it at the stage of release to production.

Integration with artifact storage: Nexus and JFrog.

Integration into the development environment. The tools you choose should integrate with development environments. The developer should get the scan results at his workplace, or be able to scan and check the code for vulnerabilities himself before committing to the VCS.

CD integration. This is a neat thing that I really like and have already mentioned - monitoring the appearance of new vulnerabilities in the production environment. It works something like this.

We have Public Component Repositories - some tools outside, and our internal repository. We want it to contain only trusted components. When a request is proxied, we check that the downloaded library has no vulnerabilities. If it falls under certain policies that we set and agree on with development, we do not let it in and suggest using another version. Accordingly, if there is something really critical and bad in the library, the developer does not receive the library at the installation stage - let him use a higher or a lower version.

  • When we build, we check that nothing bad has slipped through, that all components are safe and nobody brought anything dangerous in on a flash drive.
  • Only trusted components are in the repository.
  • When we deploy, we check the package itself once more: war, jar, dll or Docker image, to be sure it complies with the policy.
  • When we go into production, we monitor what is happening in the production environment: whether critical vulnerabilities appear or not.
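The three OSA stages from the section above (matching an inventory against an advisory feed, checking license cleanliness, and answering "which running service ships the component?" when an advisory arrives after release) together with the per-stage rules of the CD integration just described, as one added example. This is not the code of Dependency-Check, Nexus or JFrog; the advisory feed, license table, manifest and deployed inventory are constructed samples with placeholder component names and advisory ids, and the forbidden-license set and blocking severities are assumed policies. A real pipeline would feed the same functions from a vulnerability database and the build tool's resolved dependency list.

```python
"""Open Source Analysis (OSA) as policy checks over a dependency inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id for the example, not a real CVE
    name: str
    fixed_in: str      # first version that is not affected
    severity: str


def version_key(v):
    """Numeric tuple for comparison, so '1.2.10' > '1.2.9'.  Dotted numeric versions only."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Parse 'name==version' lines (requirements-style, constructed for the example)."""
    comps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, version = line.split("==")
        comps.append(Component(name.strip(), version.strip()))
    return comps


def is_affected(comp, adv):
    return comp.name == adv.name and version_key(comp.version) < version_key(adv.fixed_in)


def vulnerable_components(components, advisories):
    """Stage 1: match the inventory against the advisory feed."""
    return [(c, a) for c in components for a in advisories if is_affected(c, a)]


def license_violations(components, licenses, forbidden):
    """Stage 2: license cleanliness.  Unknown licenses are reported as 'UNKNOWN'."""
    return [(c, licenses.get(c.name, "UNKNOWN")) for c in components
            if licenses.get(c.name, "UNKNOWN") in forbidden]


# Per-stage rule: what blocks the build.  Assumed policy, to be agreed with development.
BLOCKING = {"dev": set(), "test": set(), "prod": {"critical", "high"}}


def gate(components, advisories, stage):
    """Return ('pass'|'warn'|'fail', hits) for the given pipeline stage."""
    hits = vulnerable_components(components, advisories)
    if any(a.severity in BLOCKING[stage] for _, a in hits):
        return "fail", hits
    return ("warn" if hits else "pass"), hits


def affected_services(deployed, advisory):
    """Stage 3: an advisory arrives after release; which running services ship the component?"""
    return sorted(svc for svc, comps in deployed.items()
                  if any(is_affected(c, advisory) for c in comps))


# --- constructed data -------------------------------------------------------
ADVISORIES = [
    Advisory("ADV-0001", "acme-xmlparser", "2.4.0", "critical"),
    Advisory("ADV-0002", "acme-httpclient", "1.9.3", "medium"),
]
LICENSES = {"acme-xmlparser": "Apache-2.0", "acme-httpclient": "MIT", "acme-reports": "AGPL-3.0"}
FORBIDDEN_LICENSES = {"AGPL-3.0", "GPL-3.0"}   # assumed policy for a proprietary product

MANIFEST = """
acme-xmlparser==2.3.1   # below fixed_in 2.4.0: vulnerable
acme-httpclient==1.9.3  # exactly the fixed version: not affected
acme-reports==0.8.0     # copyleft license
"""

# Inventory recorded per service at deploy time (the CD integration).
DEPLOYED = {
    "orders-service": parse_manifest("acme-xmlparser==2.3.1\nacme-httpclient==1.9.3"),
    "billing-service": parse_manifest("acme-xmlparser==2.4.0"),
}

if __name__ == "__main__":
    comps = parse_manifest(MANIFEST)
    for stage in ("dev", "test", "prod"):
        status, hits = gate(comps, ADVISORIES, stage)
        print(stage, status, [(c.name, c.version, a.advisory_id) for c, a in hits])
    print("license:", license_violations(comps, LICENSES, FORBIDDEN_LICENSES))
    late = Advisory("ADV-0003", "acme-xmlparser", "2.5.0", "critical")
    print("services to patch:", affected_services(DEPLOYED, late))
```

The deployed inventory is the part most teams skip: without it, the late advisory ADV-0003 would be invisible until the next rebuild, which is exactly the "lives happily for a year" scenario from the text.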

Dynamic Analysis - DAST

Dynamic analysis tools are fundamentally different from everything mentioned so far. They imitate, in a way, a user's work with the application. If it is a web application, we send requests imitating a client, click the buttons on the front end, send bogus data from forms: quotes, brackets, characters in different encodings, to see how the functionality works and how it handles external data.

The same mechanism lets you check for known vulnerability patterns in Open Source. Since DAST does not know which Open Source we are using, it simply throws "malicious" patterns at the application and analyzes the server's responses:

- Yes, there is a problem here, but not here.

There is a big risk in this, because if you run such security testing on the same stand that the testers work on, unpleasant things can happen.

  • High load on the application server and the network.
  • No integration.
  • Ability to change the settings of the application under test.
  • No support for the required technologies.
  • Hard to set up.

We had a situation when we finally launched AppScan: we spent a long time trying to get access to the application, got three accounts and were happy - finally we will check everything! We started the scan, and the first thing AppScan did was get into the admin panel, poke every button, change half the data, and then completely kill the server with its mail-form requests. Testing came over and said:

- Guys, are you kidding me?! We gave you accounts, and you took the stand down!

Consider the possible risks. Ideally, prepare a separate information security test stand, isolated from the rest of the environment in at least some way, and check the admin panel under conditions, preferably in manual mode. That is pentesting - the remaining percent of effort that we are not considering now.

It is worth keeping in mind that you can use this as an analogue of load testing. At the first stage you can turn on the dynamic scanner with 10-15 threads and see what happens, but usually, as practice shows, nothing good.

A few tools that we usually use.

Worth singling out is Burp Suite, the "Swiss army knife" of any security specialist. Everybody uses it and it is very convenient. A new demo version of the enterprise edition has been released. If earlier it was a standalone utility with plugins, now the developers are finally building a big server from which it will be possible to manage several agents. That is good, I recommend trying it.

Integration into the process

Integration is done quite properly and simply: start the scan after the application has been successfully deployed to the stand, and scan after integration testing has passed successfully.

If the integrations do not work or there are stubs and mocked functions, it is useless and pointless - whatever pattern we send, the server will still answer the same way.

  • Ideally, a separate test stand.
  • Before testing, record the login sequence.
  • Testing of the administration system is manual only.
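The scan loop the DAST section describes (send quotes, brackets and differently encoded variants, then read the server's answers), together with the scope rule from the AppScan story and the list above (the admin panel is off limits to the scanner), as an added example. This is not code from the talk, Burp Suite or AppScan. The "application" is a constructed in-process stand-in for a deployed test stand: a function taking a path and query parameters and returning (status, body), with two deliberately weak endpoints so the scanner has something to find. Against a real stand the `app` callable would be replaced by an HTTP client carrying the recorded login session.

```python
"""A minimal DAST loop against an in-process web handler."""
import html
import re
from dataclasses import dataclass

# Canary so we can tell our input apart from anything already on the page.
CANARY = "dst7f3c"
# Quotes, brackets and differently encoded variants, as the text describes.
PAYLOADS = [
    "'" + CANARY,
    '"' + CANARY,
    "<" + CANARY + ">",
    "%27" + CANARY,        # URL-encoded quote, for back ends that decode twice
    "\\u0027" + CANARY,    # JSON-style escaped quote
]
# Error strings that betray a back end interpolating our input.
ERROR_SIGNATURES = re.compile(
    r"SQL syntax|ORA-\d{5}|syntax error at or near|Traceback \(most recent call last\)")
SPECIAL = "'\"<>"


def demo_app(path, params):
    """Constructed target. /search reflects input unescaped; /item leaks an SQL error on a quote."""
    if path == "/search":
        return 200, "<h1>Results for %s</h1>" % params.get("q", "")
    if path == "/item":
        item_id = params.get("id", "")
        if "'" in item_id:
            return 500, "You have an error in your SQL syntax near '%s'" % item_id
        return 200, "<p>item %s</p>" % html.escape(item_id)
    if path.startswith("/admin/"):
        return 200, "admin action executed"      # must never be hit by the scanner
    return 404, "not found"


@dataclass(frozen=True)
class Finding:
    path: str
    param: str
    kind: str      # "reflected-input", "error-disclosure" or "server-error"
    payload: str


def classify(baseline_status, status, body, payload):
    """Which issue classes does this response show for this payload?"""
    kinds = set()
    if any(ch in payload for ch in SPECIAL) and payload in body:
        kinds.add("reflected-input")          # special characters echoed verbatim, not escaped
    if ERROR_SIGNATURES.search(body):
        kinds.add("error-disclosure")
    elif status >= 500 and baseline_status < 500:
        kinds.add("server-error")             # the payload alone broke the handler
    return kinds


def scan(app, targets, exclude_prefixes=("/admin",)):
    """targets: (path, param) pairs from crawling or the recorded login/usage sequence."""
    findings, skipped, seen = [], [], set()
    for path, param in targets:
        if any(path.startswith(p) for p in exclude_prefixes):
            skipped.append(path)              # out of scope: manual testing only
            continue
        baseline_status, _ = app(path, {param: "1"})
        for payload in PAYLOADS:
            status, body = app(path, {param: payload})
            for kind in classify(baseline_status, status, body, payload):
                if (path, param, kind) not in seen:   # one finding per issue, not per payload
                    seen.add((path, param, kind))
                    findings.append(Finding(path, param, kind, payload))
    return findings, skipped


TARGETS = [("/search", "q"), ("/item", "id"), ("/admin/delete-all", "confirm")]

if __name__ == "__main__":
    found, skipped = scan(demo_app, TARGETS)
    for f in found:
        print(f"{f.kind:17} {f.path}?{f.param}= {f.payload!r}")
    print("skipped (manual testing only):", skipped)
```

Two details carry over to real tools: the baseline request distinguishes "the payload broke it" from "it was already broken", and the dedup on (path, param, kind) keeps the output at one finding per issue rather than one per payload, which is what turns a scan into something development will actually read.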

Process

A few general words about the process as a whole and about the work of each tool in particular. All applications are different - one works better with dynamic analysis, another with static analysis, a third with Open Source analysis, a pentest, or something else entirely, for example WAF events.

Every process needs control.

To understand how the process works and where it can be improved, you need to collect metrics from everything you can get your hands on, including production metrics, metrics from the tools, and from the defect trackers.

Any information is useful. You need to look from different angles at where one tool or another is used best and where exactly the process sags. It may be worth looking at development's response times to see where the process can be improved in terms of time. The more data, the more slices can be built, from the top level down to the details of each individual process.

Since all static and dynamic analyzers have their own APIs, their own launch methods and principles, some have schedulers and some do not, we are writing a tool, AppSec Orchestrator, which provides a single entry point into the whole process from the product and lets you manage it from one place.

Managers, developers and security engineers have one entry point from which they can see what is running, configure and launch a scan, get scan results and send requirements. We are trying to move away from paper and convert everything into a human form that development actually uses - Confluence pages with status and metrics, defects in Jira or other defect trackers, or embedding into a synchronous / asynchronous process in CI/CD.

Key takeaways

Tools are not the main thing. First think through the process - then implement tools. Tools are good but expensive, so you can start with the process and build communication and understanding between development and security. From the security side there is no need to "stop" everything. From the development side, if there is something mega super critical, it has to be eliminated rather than ignored.

Product quality is a common goal for both security and development. We do one job: we try to make sure everything works correctly and there are no reputational risks or financial losses. That is why we promote the DevSecOps, SecDevOps approach, to improve communication and make the product better.

Start with what you already have: requirements, architecture, partial checks, training, guidelines. There is no need to apply all practices to all projects at once - move iteratively. There is no single standard - experiment and try different approaches and solutions.

There is an equals sign between information security defects and functional defects.

Automate everything that moves. Whatever does not move, move it and automate it. If something is done by hand, it is not a good part of the process. Perhaps it is worth looking at it and automating it too.

If the information security team is small - use Security Champions.

Perhaps what I talked about does not suit you and you will come up with something of your own - and that is fine. But choose tools based on the requirements of your process. Do not go by what the community says, that this tool is bad and that one is good. Perhaps the opposite will be true for your product.

Tool requirements.

  • Low level of False Positives.
  • Adequate analysis time.
  • Ease of use.
  • Availability of integrations.
  • Understanding of the product development roadmap.
  • Ability to customize the tools.

Yuri's talk was selected as one of the best at DevOpsConf 2018. To hear even more interesting ideas and practical cases, come to Skolkovo on May 27 and 28 for DevOpsConf within the RIT++ festival. Better still, if you are ready to share your experience, submit a talk proposal before April 21.

Source: www.habr.com
