Vulnerability scanning and secure development. Part 1

As part of their professional work, developers, pentesters and security specialists have to deal with processes such as Vulnerability Management (VM) and (Secure) SDLC.
Behind these phrases lie different sets of practices and tools that are intertwined, even though their consumers differ.

Technological progress has not yet reached the point where a single tool can replace a person in analysing the security of infrastructure and software.
It is interesting to understand why this is so, and what problems one faces.

Processes

The Vulnerability Management process is designed for continuous monitoring of infrastructure security and for patch management.
The Secure SDLC process ("secure development lifecycle") is designed to maintain application security during development and operation.

A common part of these processes is Vulnerability Assessment, that is, vulnerability assessment or vulnerability scanning.
The main difference between scanning within VM and within SDLC is that in the first case the goal is to find known vulnerabilities in third-party software or in configuration. For example, an outdated version of Windows or a default SNMP community string.
In the second case, the goal is to find vulnerabilities not only in third-party components (dependencies), but primarily in the code of a new product.

This leads to differences in tools and approaches. In my opinion, the task of finding new vulnerabilities in an application is much more interesting, because it does not boil down to version fingerprinting, banner grabbing, password brute force, and so on.
High-quality automated scanning for application vulnerabilities requires algorithms that take into account the application's semantics, its purpose, and the specific threats to it.

An infrastructure scanner can often be replaced by a timer, as avleonov has noted. The point is that, statistically, you can consider your infrastructure vulnerable if you have not updated it for, say, a month.

Tools

Scanning, like security analysis in general, can be performed as black box or white box.

Black box

In black-box scanning, the tool must be able to work with the service through the same interface that its users work with.

Infrastructure scanners (Tenable Nessus, Qualys, MaxPatrol, Rapid7 Nexpose, etc.) look for open network ports, collect "banners", identify the versions of installed software, and search their knowledge base for information about vulnerabilities in those versions. They also try to detect configuration errors such as default passwords or publicly accessible data, weak SSL ciphers, and so on.

Web application scanners (Acunetix WVS, Netsparker, Burp Suite, OWASP ZAP, etc.) can also detect known components and their versions (e.g. CMS, frameworks, JS libraries). The main scanning steps are crawling and fuzzing.
During crawling, the scanner collects information about the application's existing interfaces and HTTP parameters. During fuzzing, every identified parameter is substituted with mutated or generated data in order to provoke an error and detect a vulnerability.

Such scanners belong to the DAST and IAST classes, Dynamic and Interactive Application Security Testing respectively.

White box

With white-box scanning there are more differences.
As part of the VM process, scanners (Vulners, Insecurity Couch, Vuls, Tenable Nessus, etc.) are usually given access to the systems and perform an authenticated scan. The scanner can then read installed package versions and configuration parameters directly from the system instead of guessing them from network service banners.
The scan is more accurate and more complete.

When we talk about white-box scanning of applications (CheckMarx, HP Fortify, Coverity, RIPS, FindSecBugs, etc.), we usually mean static code analysis and the corresponding SAST class of tools, Static Application Security Testing.

Problems

There are many problems with scanning! I have had to deal with most of them personally, both while delivering a service for building scanning and secure development processes and while doing security analysis work.

I will single out 3 main groups of problems, which are also confirmed by conversations with engineers and heads of information security departments at various companies.

Web application scanning problems

  1. Difficulty of implementation. Scanners have to be deployed, configured and tuned for each application, a test environment has to be allocated for the scans, and the scans have to be integrated into the CI/CD process for this to be effective. Otherwise it will be a useless formal procedure that produces nothing but false positives.
  2. Scan duration. Even in 2019, scanners do a poor job of deduplicating interfaces and can spend days scanning a thousand pages with 10 parameters each, treating them as different even though the same code is responsible for all of them. At the same time, the decision to deploy to production within the development cycle has to be made quickly.
  3. Poor recommendations. Scanners give fairly generic recommendations, and a developer cannot always quickly work out from them how to reduce the risk level and, most importantly, whether it has to be done right now or can wait for the time being.
  4. Destructive impact on the application. Scanners can easily cause a DoS on the application, and they can create a large number of entities or modify existing ones (for example, create tens of thousands of comments on a blog), so a scan should not be run against production without thinking.
  5. Low quality of vulnerability detection. Scanners usually use a fixed set of payloads and can easily miss a vulnerability that does not fit the patterns of application behaviour they know.
  6. The scanner does not understand the application's functions. Scanners by themselves do not know what an "internet bank", a "payment" or a "comment" is. For them there are only links and parameters, so a huge layer of possible business-logic vulnerabilities remains completely uncovered: they will not think of a double write-off, of peeking at other people's data by ID, or of inflating a balance through rounding.
  7. The scanner's poor understanding of page semantics. Scanners cannot read a FAQ, cannot recognise captchas, will not work out on their own how to register and log in again, that "logout" must not be clicked, or how to sign requests when parameter values are changed. As a result, most of the application may remain entirely unscanned.

Source code scanning problems

  1. False positives. Static analysis is a difficult task that involves many trade-offs. Accuracy often has to be sacrificed, and even expensive enterprise scanners produce a huge number of false positives.
  2. Difficulty of implementation. To increase the accuracy and completeness of static analysis, the scanning rules have to be refined, and writing those rules can take a long time. Sometimes it is easier to find all the places in the code with some type of bug and fix them than to write a rule that detects such cases.
  3. Lack of dependency support. Large projects depend on a large number of libraries and frameworks that extend the capabilities of the programming language. If the scanner's knowledge base has no information about the dangerous places ("sinks") in these frameworks, they become a blind spot, and the scanner simply will not understand the code.
  4. Scan duration. Finding vulnerabilities in code is a hard task in algorithmic terms as well. The process can therefore take a long time and require significant computing resources.
  5. Low coverage. Despite the resource consumption and the scan duration, developers of SAST tools still have to make compromises and do not analyse every state the program can reach.
  6. Reproducibility of findings. Pointing to a specific line and the call stack that leads to a vulnerability is great, but in practice the scanner often does not provide enough information to verify the vulnerability from the outside. After all, the defect may sit in dead code that is unreachable for an attacker.

Development infrastructure scanning problems

  1. Insufficient inventory. In large infrastructures, especially geographically distributed ones, it is often very difficult to determine which hosts to scan. In other words, the scanning task is closely tied to the asset management task.
  2. Poor prioritisation. Network scanners often produce many results for defects that are not exploitable in practice, but whose formal risk level is high. The consumer receives a report that is hard to interpret, and it is unclear what has to be fixed first.
  3. Poor recommendations. The scanner's knowledge base often contains only generic information about the vulnerability and how to fix it, so administrators have to arm themselves with Google. The situation is slightly better with white-box scanners, which can output a specific command to fix the issue.
  4. Manual work. Infrastructures can have many nodes, which means many defects, and the reports about them have to be triaged and analysed by hand at every iteration.
  5. Poor coverage. The quality of infrastructure scanning depends directly on the size of the knowledge base about vulnerabilities and software versions. It turns out that even the market leaders do not have a comprehensive knowledge base, and the databases of free solutions contain a lot of information that the leaders lack.
  6. Patching problems. Most of the time, patching an infrastructure vulnerability means updating a package or changing a configuration file. The big problem here is that a system, especially a legacy one, may behave unpredictably after an update. In effect, you will have to run integration tests on live infrastructure in production.

Approaches

What to do?
I will go into more detail about examples and about how to deal with these problems in the following parts, but for now I will outline the main areas you can work on:

  1. Aggregating different scanning tools. With the correct use of several scanners, a noticeable increase in the knowledge base and in detection quality can be achieved. You can find more vulnerabilities than the sum of all the scanners run separately, while assessing the risk level more accurately and giving more recommendations.
  2. Integrating SAST and DAST. It is possible to increase DAST coverage and SAST accuracy by sharing information between them. From the source code you can obtain information about the existing routes, and with the help of DAST you can check whether a vulnerability is visible from the outside.
  3. Machine Learning™. In 2015 I talked (and more) about using statistics to give the scanner a hacker's intuition and to speed it up. This is definitely food for the future development of automated security analysis.
  4. Integrating IAST with autotests and OpenAPI. Within a CI/CD pipeline, it is possible to build a scanning process on tools that work as HTTP proxies and on functional tests that work over HTTP. OpenAPI/Swagger tests and contracts give the scanner the missing information about data flows and make it possible to scan the application in different states.
  5. Correct configuration. For each application and infrastructure, you need to create a suitable scanning profile that takes into account the number and nature of the interfaces and the technologies used.
  6. Scanner customisation. Often an application cannot be scanned without modifying the scanner. An example is a payment gateway where every request has to be signed. Without writing a connector for the gateway protocol, scanners will mindlessly hammer at it with incorrectly signed requests. It is also necessary to write specialised scanners for particular types of defects, such as Insecure Direct Object Reference.
  7. Risk management. Using different scanners and integrating with external systems such as Asset Management and Threat Management allows many parameters to be used when assessing the risk level, so that management can get an adequate picture of the current security state of development or infrastructure.
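As an added illustration of point 4 above (and of web scanning problem 7, the part of the application a scanner never reaches), here is example code that is not from the article: an OpenAPI-style fragment and a proxy log captured while autotests ran are constructed inline, and the code reports which operations and declared parameters the tests never exercised, which is exactly the information a proxy-driven DAST run would be missing. The spec, the log and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed OpenAPI-style fragment (not from the article):
# path template -> HTTP method -> declared parameter names.
OPENAPI_SPEC = {
    "/api/accounts/{id}": {"get": ["id"], "put": ["id", "name"]},
    "/api/payments": {"post": ["amount", "to_account"]},
    "/api/comments": {"get": ["post_id"], "post": ["post_id", "text"]},
}

# Constructed proxy log: (method, path, query/body params) recorded while the autotests ran.
PROXY_LOG = [
    ("GET", "/api/accounts/42", {}),
    ("POST", "/api/payments", {"amount": "10", "to_account": "7"}),
    ("GET", "/api/comments", {"post_id": "1"}),
    ("POST", "/api/comments", {"post_id": "1"}),  # "text" is never sent by the tests
]

Operation = Tuple[str, str]  # (path template, lower-case method)


def _template_regex(template: str) -> "re.Pattern[str]":
    # "/api/accounts/{id}" -> "^/api/accounts/(?P<id>[^/]+)$"
    return re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$")


def match_operation(spec: dict, method: str, path: str):
    """Map a concrete request to its spec operation and the path parameters it carried."""
    for template, methods in spec.items():
        m = _template_regex(template).match(path)
        if m and method.lower() in methods:
            return (template, method.lower()), m.groupdict()
    return None, {}


def coverage(spec: dict, log: list) -> Tuple[List[Operation], Dict[Operation, List[str]]]:
    """Return operations the autotests never touched and, for touched ones, parameters never sent."""
    sent: Dict[Operation, set] = {(t, m): set() for t, ms in spec.items() for m in ms}
    hit = set()
    for method, path, params in log:
        op, path_params = match_operation(spec, method, path)
        if op is None:
            continue  # request outside the contract: the scanner learns nothing from it
        hit.add(op)
        sent[op].update(path_params)
        sent[op].update(params)
    untouched = [op for op in sent if op not in hit]
    missing = {op: [p for p in spec[op[0]][op[1]] if p not in sent[op]] for op in hit}
    return untouched, {op: ps for op, ps in missing.items() if ps}
```

Feeding `untouched` back into the test suite (or into the scanner's seed list) is how the contract closes the gap between what the autotests drive and what the scanner gets to see.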

Stay tuned, and let's disrupt vulnerability scanning!

Source: www.habr.com
