The functionality of modern security systems (WAFs) should be broader than the list of vulnerabilities in the OWASP Top 10.

Retrospective

The scale, nature and structure of cyber threats to applications evolve rapidly. For many years, users accessed applications over the internet using popular web browsers. It was necessary to support two to five web browsers at any given time, and the set of standards for developing and testing web applications was fairly limited. For example, almost all databases were built using SQL. Unfortunately, after a while, attackers learned to use web applications to steal, delete or modify data. They gained unauthorized access to, and abused, application capabilities using a variety of techniques, including deceiving application users, injection, and remote code execution. Soon, commercial web application security tools called Web Application Firewalls (WAFs) came to market, and the community responded by creating an open project, the Open Web Application Security Project (OWASP), to define and maintain standards and methodologies for developing secure applications.

Basic application protection

The OWASP Top 10 list is the starting point for application protection. It contains a list of the most dangerous threats and misconfigurations that can lead to application vulnerabilities, as well as tactics for detecting and defeating attacks. The OWASP Top 10 is a recognized benchmark in the application cybersecurity industry worldwide and defines the basic set of capabilities a web application security system (WAF) should have.

In addition, WAF functionality should take into account other common attacks on web applications, including cross-site request forgery (CSRF), clickjacking, web scraping, and file inclusion (RFI/LFI).

Threats and challenges in securing modern applications

Today, not all applications are deployed as traditional network applications. There are cloud applications, mobile applications, APIs, and, in the latest architectures, even custom software functions. All these types of applications need to be synchronized and controlled as they create, modify and process our data. With the arrival of new technologies and paradigms, new complexities and challenges arise at every stage of the application lifecycle. This includes the integration of development and operations (DevOps), containers, the Internet of Things (IoT), open-source tools, APIs, and more.

The distributed deployment of applications and the diversity of technologies create complex and difficult challenges not only for information security professionals, but also for security solution vendors, who can no longer rely on a single unified approach. Application security measures must take into account the specifics of the business in order to prevent false positives and degradation of the quality of service for users.

The main goal of attackers is usually to steal data or disrupt service availability. Attackers also benefit from the rapid evolution of technology. First, the development of new technologies creates more potential gaps and vulnerabilities. Second, attackers have more tools and knowledge in their arsenal to bypass traditional security measures. This greatly increases the so-called "attack surface" and the exposure of organizations to new risks. Security policies must change constantly in response to changes in technologies and applications.

Thus, applications must be protected against an ever-growing variety of attack methods and sources, and automated attacks must be countered in real time on the basis of informed decisions. The result is higher transaction costs and more manual work, coupled with a weakened security posture.

Challenge #1: Bot management

More than 60% of internet traffic is generated by bots, half of which is "bad" traffic (according to the Radware Security Report). Organizations invest in increasing network capacity, effectively serving a fictitious load. Accurately distinguishing between real user traffic and bot traffic, and between "good" bots (for example, search engines and price comparison services) and "bad" bots, can lead to significant cost savings and improved quality of service for users.

Bots do not make this task easy: they can imitate the behaviour of real users and bypass CAPTCHAs and other obstacles. Moreover, in the case of attacks using dynamic IP addresses, protection based on IP address filtering becomes ineffective. Often, open-source development tools (for example, PhantomJS) that can handle client-side JavaScript are used to launch brute-force attacks, authentication attacks, DDoS attacks, and automated bot attacks.

To manage bot traffic effectively, unique identification of its source (a fingerprint) is required. Since a bot attack generates many records, fingerprinting makes it possible to detect suspicious activity and assign a score, on the basis of which the application protection system makes an informed decision (block or allow) with a minimal number of false positives.
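The point above, that per-IP counting misses a client rotating through dynamic addresses while a fingerprint of its stable characteristics does not, as an added example (not code from the original article or from Radware). The request sample, the fingerprint fields (User-Agent, Accept-Language, header order), and the block threshold are all constructed for this illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample of requests in one short window (not real traffic).
# Each entry: (client_ip, user_agent, accept_language, header_order)
BOT_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessBrowser/1.0"
REQUESTS = [
    # one automated client arriving from a fresh address on every request
    *[(f"203.0.113.{i}", BOT_UA, "en-US", "host,accept,user-agent") for i in range(1, 13)],
    # ordinary users: a few requests each, differing client characteristics
    ("198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0", "de-DE", "host,user-agent,accept"),
    ("198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0", "de-DE", "host,user-agent,accept"),
    ("198.51.100.9", "Mozilla/5.0 (Macintosh) Safari/17.0", "fr-FR", "host,accept,user-agent"),
]
BLOCK_THRESHOLD = 6   # requests per source per window; a value chosen for the example

def by_ip(req):
    return req[0]

def fingerprint(req):
    # Hash of client characteristics that stay the same when the IP address changes.
    _, ua, lang, order = req
    return hashlib.sha256(f"{ua}|{lang}|{order}".encode()).hexdigest()[:16]

def score_sources(requests, key_fn):
    # Per source: request count (the score) and how many distinct IPs it used.
    counts, ips = defaultdict(int), defaultdict(set)
    for req in requests:
        key = key_fn(req)
        counts[key] += 1
        ips[key].add(req[0])
    return {k: {"requests": counts[k], "distinct_ips": len(ips[k])} for k in counts}

def decide(requests, key_fn):
    # Block every source whose score reaches the threshold; allow the rest.
    return {k for k, s in score_sources(requests, key_fn).items()
            if s["requests"] >= BLOCK_THRESHOLD}

if __name__ == "__main__":
    print("blocked by IP address:", decide(REQUESTS, by_ip))
    print("blocked by fingerprint:", decide(REQUESTS, fingerprint))
```

Keyed by IP no source reaches the threshold, so nothing is blocked; keyed by fingerprint the single automated client is blocked and its twelve distinct addresses become visible in the score.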


Challenge #2: API protection

Many applications collect information and data from the services they interact with via APIs. Although sensitive data is transmitted via APIs, more than 50% of organizations do not validate or secure their APIs in order to detect cyberattacks.

Examples of API use:

  • Internet of Things (IoT) integration
  • Machine-to-machine communication
  • Serverless environments
  • Mobile applications
  • Event-driven applications

API vulnerabilities are similar to application vulnerabilities and include injection, protocol attacks, parameter manipulation, redirects, and bot attacks. Dedicated API gateways help ensure compatibility between the application services that interact via APIs. However, they do not provide the end-to-end application security that a WAF can, with key protection tools such as HTTP header parsing, Layer 7 access control lists (ACLs), parsing and inspection of JSON/XML payloads, and protection against all OWASP Top 10 vulnerabilities. This is achieved by inspecting key API values using positive or negative models.
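The positive and negative models mentioned above, applied to a JSON API body, as an added example (not code from the original article or from any WAF product). The schema, the two negative patterns and the sample bodies are constructed for the illustration; the positive model rejects what the schema does not declare, the negative model rejects known-bad content even where the schema is satisfied.

```python
import json
import re

# Positive model: the only fields this endpoint may carry (a constructed schema).
POSITIVE_MODEL = {
    "user_id": {"type": int, "min": 1, "max": 10**9},
    "action":  {"type": str, "allowed": {"view", "update"}},
    "note":    {"type": str},
}
# Negative model: patterns a value must never contain (a tiny illustrative set).
NEGATIVE_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),   # SQL injection marker
    re.compile(r"<script\b", re.I),                # script injection marker
]

def positive_check(payload):
    # Reject anything outside the declared schema: unknown/missing fields, wrong types, bad values.
    violations = [f"unknown field {f!r}" for f in payload if f not in POSITIVE_MODEL]
    for field, rule in POSITIVE_MODEL.items():
        value = payload.get(field)
        if type(value) is not rule["type"]:        # None (missing) and bool both fail here
            violations.append(f"{field}: missing or wrong type")
            continue
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            violations.append(f"{field}: out of range")
        if "allowed" in rule and value not in rule["allowed"]:
            violations.append(f"{field}: value not allowed")
    return violations

def negative_check(payload):
    # Flag string values matching a known-bad pattern, whatever the schema says.
    return [f"{f}: matches {p.pattern}" for f, v in payload.items()
            if isinstance(v, str) for p in NEGATIVE_PATTERNS if p.search(v)]

def inspect(body):
    # Inspect a raw JSON request body; allow only if both models are satisfied.
    try:
        payload = json.loads(body)
    except ValueError:
        return {"allow": False, "reasons": ["malformed JSON"]}
    if not isinstance(payload, dict):
        return {"allow": False, "reasons": ["body is not a JSON object"]}
    reasons = positive_check(payload) + negative_check(payload)
    return {"allow": not reasons, "reasons": reasons}

# Constructed sample bodies: clean, caught by the positive model, caught only by the negative model.
GOOD = b'{"user_id": 42, "action": "view", "note": "hello"}'
BAD_SHAPE = b'{"user_id": "42", "action": "delete", "note": "hi", "debug": true}'
BAD_SQLI = b'{"user_id": 42, "action": "view", "note": "x\' UNION SELECT 1--"}'
```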

Challenge #3: Denial of service

An old attack vector, denial of service (DoS), continues to prove its effectiveness against applications. Attackers have a range of successful techniques for disrupting application services, including HTTP or HTTPS floods, low-and-slow attacks (e.g. SlowLoris, LOIC, Torshammer), attacks using dynamic IP addresses, buffer overflows, brute-force attacks, and much more. With the development of the Internet of Things and the subsequent emergence of IoT botnets, attacks on applications have become the main focus of DDoS attacks. Most standard WAFs can handle only a limited amount of load. However, they can inspect HTTP/S traffic flows and remove attack traffic and malicious connections. Once an attack has been identified, there is no need to let that traffic through again. Since a WAF's capacity to repel attacks is limited, an additional solution is needed at the network perimeter to automatically block subsequent "bad" packets. In this security scenario, both solutions must be able to communicate with each other to exchange information about attacks.

Figure 1. Comprehensive network and application protection layout, using Radware solutions as an example

Challenge #4: Continuous protection

Applications change constantly. Development and deployment approaches such as rolling updates mean that changes happen without human intervention or control. In such dynamic environments, it is difficult to maintain adequately functioning security policies without a high number of false positives. Mobile applications are updated more often than web applications. Third-party applications may change without your knowledge. Some organizations seek greater control and visibility in order to stay on top of potential risks. However, this is not always achievable, and reliable application protection should use machine learning capabilities to inventory and visualize the available resources, analyze potential threats, and create and optimize security policies whenever applications change.

Conclusions

As applications play an ever more important role in everyday life, they become a prime target for attackers. The potential rewards for attackers and the potential losses for businesses are enormous. The complexity of the application protection task cannot be overstated given the number and variety of applications and threats.

Fortunately, we are at a time when artificial intelligence can help. Machine-learning-based algorithms provide real-time, adaptive protection against the most advanced cyber threats targeting applications. They also automatically update security policies to protect web, mobile and cloud applications, as well as APIs, without false positives.

It is difficult to predict with certainty what the next generation of application cyber threats (possibly also based on machine learning) will be. But organizations can take steps to protect customer data, safeguard intellectual property, and ensure service availability, with great benefit to the business.

Effective approaches and methods for ensuring application security, the main types and vectors of attacks, risk areas and gaps in the cyber protection of web applications, as well as global experience and best practices, are presented in the Radware study and report "Web Application Security in a Digitally Connected World".

Source: www.habr.com
