IGraudit ixhasa iilwimi ezininzi zokucwangcisa kwaye ikuvumela ukuba udibanise uvavanyo lokhuseleko lwekhowudi ngqo kwinkqubo yophuhliso.
umthombo: (UMarkus Spiske)
Uvavanyo yinxalenye ebalulekileyo yomjikelo wobomi bophuhliso lwesoftware. Kukho iintlobo ezininzi zovavanyo, nganye kuzo isombulula ingxaki yayo. Namhlanje ndifuna ukuthetha malunga nokufumana iingxaki zokhuseleko kwikhowudi.
Ngokucacileyo, kwizinto zanamhlanje zophuhliso lwesoftware, kubalulekile ukuqinisekisa ukhuseleko lwenkqubo. Ngexesha elithile, igama elikhethekileyo i-DevSecOps yade yaziswa. Eli gama libhekisa kuthotho lweenkqubo ezijolise ekuchongeni nasekususeni ubuthathaka kwisicelo. Kukho izisombululo ezikhethekileyo zomthombo ovulekileyo wokukhangela ubuthathaka ngokuhambelana nemigangatho , ezichaza iintlobo ezahlukeneyo kunye nokuziphatha kobuthathaka kwikhowudi yomthombo.
Kukho iindlela ezahlukeneyo zokusombulula iingxaki zokhuseleko, ezifana noVavanyo lweSicelo soKhuseleko lweSicelo (i-SAST), uvavanyo loKhuseleko lweSicelo seDynamic (DAST), uvavanyo loKhuseleko lweSicelo esiSebenzayo (i-IAST), uHlalutyo loBume beSoftware, njalo njalo.
Uvavanyo oluzinzileyo lokhuseleko lwesicelo luchonga iimpazamo kwikhowudi esele ibhaliwe. Le ndlela ayifuni ukuba isicelo siqhutywe, yingakho kuthiwa uhlalutyo lwe-static.
Ndiza kugxila kuhlalutyo lwekhowudi ye-static kwaye ndisebenzise isixhobo esilula somthombo ovulekileyo ukubonisa yonke into eyenziwayo.
Kutheni ndikhethe isixhobo esivulelekileyo sokuhlalutya ukhuseleko lwekhowudi emileyo
Kukho izizathu ezininzi zoku: okokuqala, kusimahla kuba usebenzisa isixhobo esiphuhliswe luluntu olufana nolwabantu abafuna ukunceda abanye abaphuhlisi. Ukuba uneqela elincinci okanye uqalise, unethuba elihle lokugcina imali ngokusebenzisa isoftware evulekileyo yokuvavanya ukhuseleko lwekhowudi yakho. Okwesibini, kuphelisa isidingo sokuba uqeshe iqela elahlukileyo le-DevSecOps, ukwehlisa ngakumbi iindleko zakho.
Izixhobo ezilungileyo zomthombo ovulekileyo zihlala ziyilwa kuthathelwa ingqalelo iimfuno ezikhulayo zokuguquguquka. Ngoko ke, zinokusetyenziswa phantse kuyo nayiphi na indawo engqongileyo, equka uluhlu olubanzi lwemisebenzi. Kulula kakhulu kubaphuhlisi ukudibanisa izixhobo ezinjalo kunye nenkqubo esele beyakhile ngelixa besebenza kwiiprojekthi zabo.
Kodwa kunokubakho amaxesha apho ufuna isici esingafumanekiyo kwisixhobo osikhethayo. Kule meko, unethuba lokufota ikhowudi yayo kwaye uphuhlise isixhobo sakho esisekelwe kuyo kunye nokusebenza okufunayo.
Kuba kwiimeko ezininzi uphuhliso lwesoftware yomthombo ovulekileyo luphenjelelwa ngokusebenzayo luluntu, isigqibo sokwenza utshintsho senziwe ngokukhawuleza kwaye ukuya kwinqanaba: abaphuhlisi beprojekthi yomthombo ovulekileyo baxhomekeke kwingxelo kunye neengcebiso ezivela kubasebenzisi, kwiingxelo zabo. iimpazamo ezifunyenweyo kunye nezinye iingxaki.
Ukusebenzisa iGraudit yoHlalutyo loKhuseleko lweKhowudi
Ungasebenzisa izixhobo ezahlukeneyo zomthombo ovulekileyo wokuhlalutya ikhowudi engatshintshiyo; Abaphuhlisi babanye babo balandela iingcebiso ze-OWASP kwaye bazame ukugubungela iilwimi ezininzi kangangoko kunokwenzeka.
Apha siza kusebenzisa , into eluncedo yomgca womyalelo olula oza kusivumela ukuba sifumane ubuthathaka kwisiseko sethu sekhowudi. Ixhasa iilwimi ezahlukeneyo, kodwa iseti yazo ilinganiselwe. I-Graudit iphuhliswe ngokusekwe kusetyenziso lwe-grep, eyathi yakhutshwa phantsi kwelayisensi ye-GNU.
Kukho izixhobo ezifanayo zokuhlalutya ikhowudi ye-static - Isixhobo soHlolo oluLubi loKhuseleko (i-RATS), i-Securitycompass Web Application Analysis Tool (SWAAT), i-flawfinder kunye nokunye. Kodwa iGraudit ibhetyebhetye kakhulu kwaye ineemfuno zobugcisa ezincinci. Nangona kunjalo, unokuba neengxaki uGraudit engenako ukuzisombulula. Emva koko ungajonga ezinye iinketho apha .
Sinokusidibanisa esi sixhobo kwiprojekthi ethile, okanye senze ukuba sifumaneke kumsebenzisi okhethiweyo, okanye sisebenzise ngaxeshanye kuzo zonke iiprojekthi zethu. Oku kukwalapho ukuguquguquka kweGraudit kungena khona. Ke masilinganise irepo kuqala:
$ git clone https://github.com/wireghoul/grauditNgoku masenze ikhonkco lokomfuziselo ukuze iGraudit iyisebenzise kwifomathi yomyalelo
$ cd ~/bin && mkdir graudit
$ ln --symbolic ~/graudit/graudit ~/bin/grauditMasifake isibizo kwi-.bashrc (okanye nayiphi na ifayile yoqwalaselo oyisebenzisayo):
#------ .bashrc ------
alias graudit="~/bin/graudit"Phinda uqalise:
$ source ~/.bashrc # OR
$ exex $SHELL
Makhe sijonge ukuba ukufakela kuphumelele na:
$ graudit -hUkuba ubona into efanayo, ngoko yonke into ilungile.
Ndiza kuvavanya enye yeeprojekthi zam ezikhoyo. Ngaphambi kokuba usebenzise isixhobo, kufuneka idluliselwe isiseko sedatha esihambelana nolwimi apho iprojekthi yam ibhalwe khona. Oovimba beenkcukacha bakwi ~/gradit/signatures ulawulo:
$ graudit -d ~/gradit/signatures/js.dbKe, ndivavanye iifayile ezimbini zejs kwiprojekthi yam, kwaye iGraudit ibonise ulwazi malunga nokuba semngciphekweni kwikhowudi yam kwikhonsoli:
Unokuzama ukuvavanya iiprojekthi zakho ngendlela efanayo. Ungabona uluhlu lwedatha yeelwimi ezahlukeneyo zokucwangcisa .
Izinto eziluncedo kunye nokungalunganga kweGraudit
IGraudit ixhasa iilwimi ezininzi zokucwangcisa. Ngoko ke, ifanelekile kuluhlu olubanzi lwabasebenzisi. Inokukhuphisana ngokwaneleyo kunye naziphi na ii-analogues zamahhala okanye ezihlawulwayo. Kwaye kubaluleke kakhulu ukuba uphuculo lusenziwa kwiprojekthi, kwaye uluntu aluncedi kuphela abaphuhlisi, kodwa nabanye abasebenzisi abazama ukufumana isixhobo.
Esi sisixhobo esisebenzayo, kodwa ukuza kuthi ga ngoku asikwazi ukuphawula ngokuthe ngqo ukuba yintoni ingxaki ngeqhekeza lekhowudi. Abaphuhlisi bayaqhubeka nokuphucula iGraudit.
Kodwa kuyo nayiphi na imeko, kuluncedo ukunikela ingqalelo kwiingxaki zokhuseleko ezinokuthi zibekho kwikhowudi xa usebenzisa izixhobo ezinje.
Qala...
Kweli nqaku, ndijonge enye yeendlela ezininzi zokufumana ubuthathaka - uvavanyo lokhuseleko lwesicelo esimileyo. Ukuqhuba uhlalutyo lwekhowudi emileyo kulula, kodwa sisiqalo nje. Ukufunda ngakumbi malunga nokhuseleko lwekhowudi yakho, kufuneka udibanise ezinye iintlobo zovavanyo kubomi bakho bophuhliso lwesoftware.
Njengentengiso
kwaye ukhetho oluchanekileyo lwesicwangciso soluhlu lwerhafu luya kukuvumela ukuba ungaphazamiseki kancinci kuphuhliso ngeengxaki ezingathandekiyo - yonke into iya kusebenza ngaphandle kokungaphumeleli kunye nexesha eliphezulu kakhulu!
umthombo: www.habr.com
