The capabilities of modern web application firewalls (WAF) must go well beyond the list of vulnerabilities in the OWASP Top 10.

Background

The scale, structure, and composition of cyber threats to applications are evolving rapidly. For many years, users accessed web applications on the Internet through a handful of popular web browsers. At any given time, only 2-5 web browsers had to be supported, and the set of standards for developing and testing web applications was fairly limited. For example, almost all databases were built on SQL. Unfortunately, it did not take long for attackers to learn how to use web applications to steal, delete, or modify data. They gained unauthorized access to applications and abused them through a variety of techniques, including deceiving application users, injection, and remote code execution. Soon, web application security tools called Web Application Firewalls (WAFs) came to market, and the community responded by founding an open web application security project, the Open Web Application Security Project (OWASP), to define and maintain standards and methods for developing secure applications.

Basic application security

The OWASP Top 10 is the starting point for application security. It lists the most dangerous threats and misconfigurations that can lead to application vulnerabilities, together with methods for detecting and defeating the corresponding attacks. The OWASP Top 10 is a recognized benchmark in the application cybersecurity industry worldwide, and it defines the core set of capabilities that a web application firewall (WAF) must have.

In addition, WAF functionality must account for other common attacks on web applications, including cross-site request forgery (CSRF), clickjacking, web scraping, and file inclusion (RFI/LFI).

Threats and challenges in securing modern applications

Today, not every application is delivered as a classic web application. There are cloud apps, mobile apps, APIs, and newer architectures, as well as custom software functions. All of these kinds of applications must be coordinated and controlled as they create, transform, and process our data. With the arrival of new technologies and paradigms, new complexities and challenges appear at every stage of the application lifecycle. This includes the integration of development and operations (DevOps), containers, the Internet of Things (IoT), open source tools, APIs, and more.

The distributed deployment of applications and the diversity of technologies create difficult, complex challenges not only for information security professionals, but also for security solution vendors, who can no longer rely on a single unified approach. Application security measures must take the specifics of the business into account in order to avoid false positives and degradation of service quality for users.

The primary goal of attackers is usually to steal data or to disrupt the availability of services. Attackers also benefit from technological evolution. First, the development of new technologies creates potential gaps and vulnerabilities. Second, attackers have many tools and a great deal of knowledge in their arsenal for bypassing traditional security measures. This greatly expands what is known as the "attack surface" and the exposure of organizations to new risks. Security policies must change continuously in response to changes in technologies and applications.

Applications therefore have to be protected against a wide range of attack methods and sources, and automated attacks must be countered in real time on the basis of informed decisions. The result is rising transaction costs and manual effort, along with a weaker security posture.

Challenge #1: Managing bots

More than 60% of Internet traffic is generated by bots, and half of that is "bad" traffic (according to the Radware Security Report). Organizations invest in expanding network capacity that essentially serves a fictitious load. Accurately distinguishing real user traffic from bot traffic, and "good" bots (for example, search engines and price comparison services) from "bad" bots, can yield significant cost savings and improve the quality of service for users.

Bots do not make this task easy: they can imitate the behavior of real users and get past CAPTCHAs and other obstacles. Moreover, when an attack uses dynamic IP addresses, protection based on IP address filtering is ineffective. Open source development tools that can run client-side JavaScript (for example, PhantomJS) are frequently used to launch brute force attacks, credential stuffing attacks, DDoS attacks, and other automated bot attacks.

To manage bot traffic properly, unique identification of its source (fingerprinting) is required. Because a bot attack generates a large number of records, the fingerprint makes it possible to detect suspicious activity and assign it a score, on the basis of which the application protection system makes an informed decision - block or allow - with a minimal rate of false positives.
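Added illustration of fingerprint-based scoring (example code written for this page, not Radware's or any vendor's algorithm): the identity is hashed from client characteristics rather than the IP address, so a scraper that rotates addresses still collapses into one fingerprint, and the score drives the block/allow decision. The log records, scoring weights and threshold are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample records: (client_ip, user_agent, accept_language, header_order, path).
# The last four rows are one scraper rotating source addresses behind a single fingerprint.
SAMPLE_LOG = [
    ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0", "en-US", "host,ua,accept,lang", "/"),
    ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0", "en-US", "host,ua,accept,lang", "/catalog"),
    ("198.51.100.1", "Mozilla/5.0 PhantomJS/2.1", "", "ua,host", "/login"),
    ("198.51.100.2", "Mozilla/5.0 PhantomJS/2.1", "", "ua,host", "/login"),
    ("198.51.100.3", "Mozilla/5.0 PhantomJS/2.1", "", "ua,host", "/login"),
    ("198.51.100.4", "Mozilla/5.0 PhantomJS/2.1", "", "ua,host", "/login"),
]

def fingerprint(user_agent, accept_language, header_order):
    """Identity derived from client characteristics, deliberately independent of the IP."""
    raw = "|".join((user_agent, accept_language, header_order)).encode()
    return hashlib.sha256(raw).hexdigest()[:16]

def score_fingerprints(records, burst_threshold=3):
    """Return {fingerprint: (score, distinct_ips, requests)}. Weights are illustrative."""
    stats = defaultdict(lambda: {"ips": set(), "n": 0, "headless": False,
                                 "nolang": False, "paths": defaultdict(int)})
    for ip, ua, lang, order, path in records:
        s = stats[fingerprint(ua, lang, order)]
        s["ips"].add(ip)
        s["n"] += 1
        s["paths"][path] += 1
        s["headless"] |= "phantomjs" in ua.lower() or "headless" in ua.lower()
        s["nolang"] |= lang == ""
    result = {}
    for fp, s in stats.items():
        score = 0
        score += 40 if s["headless"] else 0   # known automation framework in the UA
        score += 20 if s["nolang"] else 0     # real browsers send Accept-Language
        score += 25 if len(s["ips"]) > 1 else 0   # one fingerprint behind many addresses
        score += 15 if max(s["paths"].values()) >= burst_threshold else 0  # hammering one endpoint
        result[fp] = (score, len(s["ips"]), s["n"])
    return result

def decide(score, block_at=60):
    """Block/allow decision the protection layer acts on; the threshold is an assumption."""
    return "block" if score >= block_at else "allow"
```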


Challenge #2: Protecting APIs

Many applications collect information and data from the services they interact with through APIs. Yet when transmitting sensitive data over APIs, more than 50% of organizations do not validate or protect those APIs in order to detect cyberattacks.

Examples of API usage:

  • Internet of Things (IoT) integration
  • Machine-to-machine communication
  • Serverless environments
  • Mobile applications
  • Event-driven applications

API vulnerabilities are similar to application vulnerabilities and include injection, protocol attacks, parameter manipulation, redirects, and bot attacks. Dedicated API gateways help ensure compatibility between application services that interact through APIs. However, they do not provide the end-to-end application security that a WAF can, with the necessary protection mechanisms such as HTTP header parsing, Layer 7 access control lists (ACL), JSON/XML payload parsing and inspection, and protection against every vulnerability in the OWASP Top 10. This is achieved by validating key API values using positive and negative models.
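Added illustration of the positive-plus-negative model check just described (example code written for this page, not a vendor's inspection engine): the positive model is an explicit allow-list schema for a hypothetical POST /api/orders body, and the negative model screens every string value against a few illustrative attack signatures; the endpoint, schema and signatures are assumptions.

```python
import json
import re

# Positive model for a hypothetical POST /api/orders body: every field is named, typed and
# bounded; unlisted fields are rejected.  Negative model: illustrative signatures for
# injection and traversal attempts inside string values.
ORDER_SCHEMA = {
    "sku":      {"type": str, "pattern": re.compile(r"^[A-Z0-9-]{3,20}$")},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note":     {"type": str, "max_len": 200, "required": False},
}
SIGNATURES = [
    ("sql_injection",  re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'?\d|;\s*drop\b)")),
    ("xss",            re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*=")),
    ("path_traversal", re.compile(r"(?i)\.\./|%2e%2e%2f")),
]

def validate_request(body, schema=ORDER_SCHEMA, signatures=SIGNATURES):
    """Return (allowed, reasons); a malformed body is a rejection, never an exception."""
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return False, ["malformed JSON"]
    if not isinstance(payload, dict):
        return False, ["top-level value must be an object"]
    reasons = [f"unexpected field '{k}'" for k in payload if k not in schema]
    for key, rule in schema.items():
        if key not in payload:
            if rule.get("required", True):
                reasons.append(f"missing field '{key}'")
            continue
        value = payload[key]
        if type(value) is not rule["type"]:          # exact type: bool is not accepted as int
            reasons.append(f"'{key}' has wrong type")
            continue
        if isinstance(value, int) and not rule["min"] <= value <= rule["max"]:
            reasons.append(f"'{key}' out of range")
        if isinstance(value, str):
            if "pattern" in rule and not rule["pattern"].match(value):
                reasons.append(f"'{key}' fails allow-list pattern")
            if len(value) > rule.get("max_len", 4096):
                reasons.append(f"'{key}' too long")
            for name, sig in signatures:
                if sig.search(value):
                    reasons.append(f"'{key}' matches {name} signature")
    return (not reasons), reasons
```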

Challenge #3: Denial of service

An old attack vector, denial of service (DoS), continues to prove its effectiveness against applications. Attackers have a range of successful techniques for disrupting application services, including HTTP or HTTPS floods, low-and-slow attacks (for example, SlowLoris, LOIC, Torshammer), attacks using dynamic IP addresses, buffer overflows, brute-force attacks, and many others. With the growth of the Internet of Things and the subsequent emergence of IoT botnets, attacks on applications have become the main focus of DDoS attacks. Most standard WAFs can handle only a limited amount of load. They can, however, inspect HTTP/S traffic flows and strip out attack traffic and malicious connections. Once an attack has been identified, there is no reason to let that traffic through again. Because a WAF's capacity to repel attacks is limited, an additional solution is needed at the network perimeter to automatically block subsequent "bad" packets. In this protection scenario, the two solutions must be able to communicate with each other to exchange information about the attack.

Figure 1. Organization of comprehensive network and application protection, using Radware solutions as the example

Challenge #4: Continuous protection

Applications change constantly. Development and deployment methodologies such as rolling updates mean that changes happen without human intervention or control. In such dynamic environments, it is difficult to keep security policies functioning properly without a high number of false positives. Mobile applications are updated far more often than web applications. Third-party applications can change without your knowledge. Some organizations seek greater control and visibility in order to stay on top of potential risks. However, this is not always achievable, and reliable application protection must harness machine learning to inventory and visualize the available resources, analyze potential threats, and create and refine security policies whenever an application is modified.

Conclusions

As applications take on a vital role in everyday life, they become a primary target for attackers. The potential rewards for criminals, and the potential losses for businesses, are enormous. The complexity of the application security task cannot be overstated, given the number and variety of applications and threats.

Fortunately, we have reached a point where artificial intelligence can come to our aid. Machine learning-based algorithms provide real-time, adaptive protection against the most advanced cyber threats targeting applications. They also automatically update security policies to protect web, mobile, and cloud applications, as well as APIs, without false positives.

It is hard to predict with any certainty what the next generation of application cyberthreats (perhaps themselves based on machine learning) will look like. But organizations can certainly take steps to protect customer data, safeguard intellectual property, and ensure service availability, with substantial business benefits.

Effective methods and approaches for ensuring application security, the main types and vectors of attacks, risk areas and gaps in the cyber protection of web applications, and global experience and best practices are described in the Radware study and report "Web Application Security in a Digitally Connected World".

Source: www.habr.com
