Fear and Loathing of DevSecOps

We had 2 code analyzers, 4 dynamic testing tools, our own home-made craft and 250 scripts. Not that all of this is needed in the current process, but once you start implementing DevSecOps, you have to go all the way.


Image source. Character creators: Justin Roiland and Dan Harmon.

What is SecDevOps? What about DevSecOps? What is the difference? Application Security - what is it about? Why does the classical approach no longer work? Yuri Shabalin from Swordfish Security knows the answers to all these questions. Yuri answers everything in detail and analyzes the problems of moving from the classical Application Security model to the DevSecOps process: how to properly approach integrating the secure development process into the DevOps process without breaking anything, how to go through the main stages of security testing, which tools can be used, how they differ, and how to configure them correctly to avoid pitfalls.


About the speaker: Yuri Shabalin - Chief Security Architect at Swordfish Security. Responsible for implementing SSDL and for the overall integration of application analysis tools into a unified development and testing ecosystem. 7 years of experience in information security. Worked at Alfa-Bank, Sberbank and Positive Technologies, both developing software and providing services. Speaker at the international conferences ZeroNights, PHDays, RISSPA, OWASP.

Application Security: what is it about?

Application Security is the branch of security responsible for the security of applications. It is not about infrastructure or network security, but about what we write and what developers work on - the flaws and vulnerabilities of the application itself.

The SDL or SDLC direction - Security Development Lifecycle - was developed by Microsoft. The diagram shows the canonical SDLC model, whose main task is the participation of security at every stage of development, from requirements to release and production. Microsoft realized that there were too many bugs in the industry, that there were more and more of them and something had to be done about it, and proposed this approach, which has since become canonical.


Application Security and SSDL are not aimed at finding vulnerabilities, as is commonly believed, but at preventing them from occurring. Over time, Microsoft's canonical approach has been developed, refined, and given a deeper and more detailed elaboration.


The canonical SDLC is elaborated in various methodologies - OpenSAMM, BSIMM, OWASP. The methodologies differ, but are generally similar.

Building Security In Maturity Model

I like BSIMM most of all - Building Security In Maturity Model. The basis of the methodology is dividing the Application Security process into 4 domains: Governance, Intelligence, SSDL Touchpoints and Deployment. Each domain has 12 practices, represented as 112 activities.


Each of the 112 activities has 3 maturity levels: beginner, intermediate and advanced. You can study all 12 practices section by section, choose what is important to you, figure out how to implement it and gradually add elements, for example, static and dynamic code analysis or code review. You write down a plan and calmly work according to it as part of implementing the chosen activities.

Why DevSecOps

DevOps is a common, large process in which security must be taken into account.

Initially, DevOps did not include security checks. In practice, there were far fewer security teams than there are now, and they acted not as participants in the process, but as a control and supervisory body that imposed requirements on it and checked the quality of the product at the end of the release. This is the classical approach, in which security teams sat behind a wall from development and did not participate in the process.


The main problem is that information security is separate from development. Usually it is some kind of information security perimeter that includes 2-3 large and expensive tools. Once every six months, source code or an application that needs checking arrives, and once a year pentests are performed. All this leads to the business's release date being postponed, and to the developer being presented with a huge number of vulnerabilities from automated tools. It is impossible to sort through and fix all of this, because the results from the previous six months have not been dealt with yet, and here comes a new batch.

In the course of our company's work, we see that security teams in all areas and industries understand that it is time to catch up and turn in the same wheel as development - Agile. The DevSecOps paradigm fits well with the agile development methodology: implementation, support and participation in every release and iteration.


Transition to DevSecOps

The most important word in Security Development Lifecycle is "process". You must understand this before you think about buying tools.

Simply including tools in the DevOps process is not enough - communication and understanding between the process participants is what matters.

People are most important, not tools.

Often, planning a secure development process begins with choosing and buying a tool, and ends with attempts to integrate the tool into the current process, which remain attempts. This leads to sad consequences, because every tool has its own features and limitations.

A common story is when the security department chooses a good, expensive tool with broad capabilities and comes to the developers to integrate it into the process. But it does not work out - the process is structured in such a way that the limitations of the already purchased tool do not fit into the current paradigm.

First, describe what result you want and what the process will look like. This will help you understand the roles of the tool and of security in this process.

Start with what is already in use

Before buying expensive tools, look at what you already have. Every company has security requirements for development, there are checks, there are pentests - why not turn all of this into a form that is understandable and convenient for everyone?

Usually the requirements are a paper Talmud lying on a shelf. There was a case when we came to a company to look at the processes and asked to see the security requirements for the software. The specialist responsible for this spent a long time searching:

- Right now, somewhere in the notes there was a path to where this document lies.

As a result, we received the document a week later.

For requirements, checks and other things, create a page in, for example, Confluence - it is convenient for everyone.

It is easier to reformat what you already have and use it to get started.

Use Security Champions

Usually, in a medium-sized company with 100-200 developers, there is one security specialist who performs several functions and has no time to check everything. Even if he tries his best, he alone will not check all the code that development produces. For such cases, a concept was developed - Security Champions.

Security Champions are people within the development team who are interested in the security of your product.


A Security Champion is an entry point into the development team and a security evangelist rolled into one.

Usually, when a security specialist comes to the development team and points out an error in the code, he gets a surprised answer:

- And who are you? I'm seeing you for the first time. Everything is fine with me - my senior buddy gave me an "approve" in code review, we're moving on!

This is a typical situation, because there is much more trust in seniors or team peers with whom the developer constantly interacts at work and in code review. If, instead of the security officer, a Security Champion points out the error and its consequences, his word will carry more weight.

Also, developers know their code better than any security specialist. For a person who has at least 5 projects in a static analysis tool, it is usually hard to remember all the nuances. Security Champions know their product: what interacts with what and what to look at first - they are more effective.

So consider introducing Security Champions and expanding the influence of your security team. This is also useful for the champion himself: professional development in a new area, broadening technical horizons, improving technical, managerial and leadership skills, increasing market value. This is an element of social engineering, your "eyes" in the development team.

Testing stages

The 20/80 paradigm says that 20% of the effort produces 80% of the result. These 20% are the application analysis practices that can and should be automated. Examples of such activities are static analysis - SAST, dynamic analysis - DAST and Open Source control. I will tell you in more detail about the activities and about the tools, what features we usually encounter when introducing them into the process, and how to do it correctly.


Main problems of tools

I will highlight problems that are relevant to all tools and require attention. I will analyze them in more detail so as not to repeat myself later.

Long analysis time. If it takes 30 minutes from commit to release for all tests and builds, then information security checks will take a day. So no one will slow the process down. Take this feature into account and draw conclusions.

High level of False Negative or False Positive. All products are different, all use different frameworks and their own coding style. On different code bases and technologies, tools may show different levels of False Negative and False Positive. So look at what exactly, in your company and on your applications, will show good and reliable results.

No integration with existing tools. Look at tools in terms of integration with what you already use. For example, if you have Jenkins or TeamCity, check the tools' integration with this software, and not with GitLab CI, which you do not use.

Lack of or excessive complexity of customization. If a tool has no API, then why is it needed? Everything that can be done in the interface should be available through the API. Ideally, the tool should allow you to customize the checks.

No product development Roadmap. Development does not stand still: we constantly use new frameworks and functions, rewrite old code in new languages. We want to be sure that the tool we buy will support new frameworks and technologies. Therefore, it is important to know that the product has a real and sound development Roadmap.

Process features

Besides the features of the tools, consider the features of the development process. For example, blocking development is a typical mistake. Let's look at what other features should be taken into account and what the security team should pay attention to.

So as not to miss development and release deadlines, create different rules and different show stoppers - conditions for stopping the build process when vulnerabilities are present - for different environments. For example, we understand that the current branch is going to the development stand or to UAT, which means we do not stop and say:

"You have vulnerabilities here, you're not going anywhere!"

At this point it is important to tell the developers that there are security problems that need attention.

The presence of vulnerabilities is not an obstacle to further testing: manual or integration. On the other hand, we need to somehow raise the security of the product, so that developers do not ignore what security finds. So sometimes we do this: on the stand, when deploying to the development environment, we simply notify development:

- Guys, you have problems, please pay attention to them.

At the UAT stage we again show warnings about the vulnerabilities, and at the release stage we say:

- Guys, we warned you several times, you did nothing - we won't release you with this.

If we talk about code and dynamics, then it is necessary to show and warn about vulnerabilities only for those features and for the code that was just written in this feature. If a developer moved a button by 3 pixels and we tell him that he has a SQL injection there and therefore needs to fix it urgently, that is wrong. Look only at what is being written now and at the changes coming into the application.

Let's say we have a certain functional defect - the way the application should not work: money is not transferred, clicking a button does not switch to the next page, or the product does not load. Security defects are the same kind of defects, but not in the functioning of the application, rather in its security.

Not all software quality problems are security problems. But all security problems are related to software quality. Sherif Mansour, Expedia.

Since all vulnerabilities are the same kind of defects, they should be in the same place as all development defects. So forget about reports and scary PDFs that nobody reads.


When I worked at a development company, I received a report from static analysis tools. I opened it, got scared, made coffee, leafed through 350 pages, closed it and went back to work. Big reports are dead reports. Usually they go nowhere, the e-mails get deleted, forgotten, lost, or the business says it accepts the risks.

What to do? We simply convert the confirmed defects we found into a form convenient for development, for example, we put them in the backlog in Jira. We prioritize the defects and eliminate them in order of priority, together with functional defects and test defects.

Static Analysis - SAST

This is analysis of code for vulnerabilities, but it is not like SonarQube. We check not just patterns or style. A number of approaches are used in the analysis: by vulnerability tree, by DataFlow, by analyzing configuration files. This is everything that touches the code itself.

Advantages of the approach: identifying vulnerabilities in code at an early stage of development, when there are no stands or ready-made tools yet, and the ability to scan incrementally: scanning only the part of the code that has changed, and only the feature we are doing right now, which reduces scan time.

The disadvantage is the lack of support for the languages you need.

Required integrations, which in my subjective opinion should be present in the tools:

  • Build tool: Jenkins, TeamCity and GitLab CI.
  • Development environment: IntelliJ IDEA, Visual Studio. It is much more convenient for a developer not to wander around an incomprehensible interface that still has to be memorized, but to see all the necessary integrations and the vulnerabilities he has found right there at his workplace, in his development environment.
  • Code review: SonarQube and manual review.
  • Bug trackers: Jira and Bugzilla.

The picture shows some of the best representatives of static analysis.


It is not the tools that matter, but the process, so there are Open Source solutions that are also well suited for testing the process.


Open Source SAST will not find a huge number of vulnerabilities or complex DataFlows, but it can and should be used when building the process. It helps to understand how the process will be built, who will respond to bugs, who will report them, and who will report on them. If you want to take the first step in building security for your code, use open source solutions.

How can this be integrated if you are at the very beginning of the journey and have nothing: no CI, no Jenkins, no TeamCity? Let's look at integration into the process.

Integration at the CVS level

If you have Bitbucket or GitLab, you can integrate at the version control system level.

By event - pull request, commit. You scan the code and the build status shows whether the security check passed or failed.

Feedback. Of course, feedback is always needed. If you just did security on the side, put it in a box and told no one about it, and then at the end of the month dumped a pile of bugs - that is not right and not good.

Integration with the code review system

Once we set up a technical AppSec user as an automatic reviewer on several important projects. Depending on whether errors were identified in the new code or not, the reviewer sets the status on the pull request to "approve" or "needs work" - either everything is fine, or there are links to what exactly needs to be improved. For merging into the version that will go to production, we enabled a merge block if the information security check was not passed. We built this into manual code review, and the other participants in the process saw the security status of this particular process.

Integration with SonarQube

Many have a quality gate on code quality. It is the same here - you can make the same gates, only for SAST tools. There will be the same interface, the same quality gate, only it will be called a security gate. And if you have an established process using SonarQube, you can easily integrate everything there.

Integration at the CI level

Everything here is also quite simple:

  • On a par with autotests and unit tests.
  • Separation by development stages: dev, test, prod. Different sets of rules or different failure conditions can be enabled: stop the build, do not block the build.
  • Synchronous/asynchronous launch. We either wait for the security checks to finish or we do not. That is, we just launch and move on, and later we get a status saying that everything is good or bad.

All of this is in an ideal pink world. There is no such thing in real life, but we strive for it. The result of the security check should be similar to the results of unit tests.

For example, we took a big project and decided that now we will scan it with SAST - OK. We pushed this project into SAST, it gave us 20,000 vulnerabilities, and by a strong-willed decision we decided that everything is fine. 20,000 vulnerabilities is our technical debt. We will put the debt in a box, work it off gradually and enter the bugs into the bug trackers. Let's hire a company, do everything ourselves, or have Security Champions help us - and the technical debt will decrease.

And all new vulnerabilities that appear in new code should be eliminated in the same way as failures in unit tests or autotests. Relatively speaking, the build started, we ran it, two tests and two security tests failed. OK - we went, looked at what happened, fixed one thing, fixed another, ran it next time - everything was fine, no new vulnerabilities appeared, no tests failed. If the task is deeper and needs to be understood properly, or fixing the vulnerability affects large layers of what is under the hood: a bug is added to the feature tracker, it is prioritized and fixed. Unfortunately, the world is not perfect and tests sometimes fail.

An example of a security gate is an analogue of a quality gate, based on the presence and number of vulnerabilities in the code.
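The stage-dependent show stoppers described above (warn on dev and UAT, block at release) and the rule of looking only at code written in the current change, as an added example that is not the talk's or any vendor's code. The findings, file paths, rule ids and the policy table are all constructed for illustration.

```python
"""Stage-aware security gate for SAST findings (added example, not the
talk's own code). Only findings that touch files changed in the current
commit are counted, and the action depends on the deployment stage:
dev and uat only warn, release fails the build. All inputs are constructed."""
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    DEV = "dev"
    UAT = "uat"
    RELEASE = "release"


@dataclass(frozen=True)
class Finding:
    rule: str        # analyzer rule id (hypothetical names)
    severity: str    # "critical" | "high" | "medium" | "low"
    path: str        # file the finding points at
    line: int


# Hypothetical policy per stage: severities the gate refuses to let through,
# and whether a violation stops the build or only warns.
GATE_POLICY = {
    Stage.DEV:     {"block": False, "severities": {"critical", "high"}},
    Stage.UAT:     {"block": False, "severities": {"critical", "high"}},
    Stage.RELEASE: {"block": True,  "severities": {"critical", "high"}},
}


def relevant_findings(findings, changed_files):
    """Keep only findings located in files touched by this change, so the
    developer who moved a button is not blamed for an old SQL injection."""
    changed = set(changed_files)
    return [f for f in findings if f.path in changed]


def evaluate_gate(findings, changed_files, stage):
    """Return (status, violations): status is "pass", "warn" or "fail"."""
    policy = GATE_POLICY[stage]
    scoped = relevant_findings(findings, changed_files)
    violations = [f for f in scoped if f.severity in policy["severities"]]
    if not violations:
        return "pass", []
    return ("fail" if policy["block"] else "warn"), violations


def report(status, violations):
    """Format the gate decision the way a CI step would print it."""
    lines = [f"security gate: {status.upper()}"]
    for v in violations:
        lines.append(f"  {v.severity:<8} {v.rule} {v.path}:{v.line}")
    return "\n".join(lines)


# Constructed sample scan: the same report is evaluated at every stage.
# One old critical finding sits in a file this commit did not touch;
# two new findings are in a changed file.
SAMPLE_FINDINGS = [
    Finding("sqli-001", "critical", "src/orders/repo.py", 88),
    Finding("xss-012", "high", "src/web/profile.py", 41),
    Finding("log-004", "low", "src/web/profile.py", 12),
]
SAMPLE_CHANGED = ["src/web/profile.py", "src/web/templates/profile.html"]

if __name__ == "__main__":
    for stage in Stage:
        print(stage.value)
        print(report(*evaluate_gate(SAMPLE_FINDINGS, SAMPLE_CHANGED, stage)))
```

The old SQL injection in the untouched file goes to the technical-debt backlog rather than failing this build; only the new XSS finding drives the gate decision.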

We integrate with SonarQube - the plugin is installed, everything is very simple and neat.

Integration with the development environment

Integration options:

  • Launching a scan from the development environment before committing.
  • Viewing results.
  • Analyzing results.
  • Synchronizing with the server.

This is what getting results from the server looks like.


In our IntelliJ IDEA development environment, an extra item simply appears that notifies you that such-and-such vulnerabilities were found during the scan. You can immediately edit the code, look at the recommendations and at the Flow Graph. All of this is available at the developer's workplace, which is very convenient - there is no need to follow other links and look at something else.

Open Source

This is my favorite topic. Everyone uses Open Source libraries - why write a bunch of crutches and bicycles when you can take a ready-made library where everything is already implemented?


Of course, this is true, but libraries are also written by people, they also carry certain risks, and there are vulnerabilities that are reported periodically, or constantly. Therefore, there is a next step in Application Security - analysis of Open Source components.

Open Source Analysis - OSA

The tool covers three big stages.

Searching for vulnerabilities in libraries. For example, the tool knows that we use some library, and that in CVE or in bug trackers there are vulnerabilities related to this library version. When you try to use it, the tool issues a warning that the library is vulnerable and advises using another version where there are no vulnerabilities.

License cleanliness analysis. This is not particularly popular here yet, but if you work abroad, then periodically you can get a fine for using an open source component that cannot be used or modified. According to the policy of a licensed library, we cannot do this. Or, if we modified it and use it, we must publish our code. Of course, nobody wants to publish the code of their products, but you can protect yourself from this as well.

Analysis of components used in the industrial environment. Let's imagine a hypothetical situation where we finally finished development and released the latest release of our microservice. It lives there wonderfully - a week, a month, a year. We do not build it, we do not run security checks on it, everything seems fine. But suddenly, two weeks after the release, a critical vulnerability appears in an open source component that we use in this particular build, in the industrial environment. If we do not record what we use and where, we simply will not see this vulnerability. Some tools have the ability to monitor vulnerabilities in the libraries currently used in production. This is very useful.

Features:

  • Different policies for different development stages.
  • Monitoring components in the industrial environment.
  • Control of libraries within the organization's perimeter.
  • Support for different build systems and languages.
  • Analysis of Docker images.

Some examples of industry leaders involved in open source analysis.

The only free one is Dependency-Check from OWASP. You can turn it on in the early stages, see how it works and what it supports. Basically, these are all cloud products, or on-premises ones, but behind the scenes their data is still sent to the internet. They send not your libraries, but hashes or values that they calculate, and fingerprints, to their server to get information about the presence of vulnerabilities.

Process integration

Perimeter control of libraries downloaded from external sources. We have external and internal repositories. For example, Event Central uses Nexus, and we want to make sure that there are no vulnerabilities with "critical" or "high" status inside our repository. You can set up proxying using the Nexus Firewall Lifecycle tool so that such vulnerabilities are cut off and do not end up in the internal repository.

Integration in CI. At the same level as autotests and unit tests, with separation by development stages: dev, test, prod. At each stage, you can download any libraries and use anything, but if there is something serious with "critical" status, it is probably worth drawing the developers' attention to it at the stage of release to production.

Integration with artifact repositories: Nexus and JFrog.

Integration into the development environment. The tools you choose should integrate with development environments. The developer should have access to scan results at his workplace, or the ability to scan and check the code for vulnerabilities himself before committing to CVS.

CD integration. This is a great feature that I really like and have already talked about - monitoring the appearance of new vulnerabilities in the industrial environment. It works something like this.

Dynamic Analysis - DAST

Dynamic analysis tools are fundamentally different from everything said before. This is a kind of imitation of a user's work with the application. If it is a web application, we send requests, simulate the client's work, click buttons on the front end, send generated data from forms: quotes, brackets, characters in various encodings, to see how the application works and processes external data.

The same system allows you to check for template vulnerabilities in Open Source. Since DAST does not know which Open Source we use, it simply throws "malicious" patterns and analyzes the server's responses:

- Yes, there is a deserialization problem here, but not there.

There are big risks in this, because if you run this security check on the same stand the testers work with, unpleasant things can happen.

  • High load on the application server's network.
  • No integrations.
  • The ability to change the settings of the analyzed application.
  • No support for the required technologies.
  • Difficulty of setup.

We had a situation when we finally launched AppScan: we spent a long time trying to get access to the application, got 3 accounts and were happy - finally we will check everything! We launched the scan, and the first thing AppScan did was get into the admin panel, poke all the buttons, change half the data, and then completely kill the server with its mail-form requests. Development, together with testing, said:

- Guys, are you kidding me?! We gave you accounts, and you brought down the stand!

Consider the possible risks. Ideally, prepare a separate stand for information security testing, isolated from the rest of the environment at least to some degree, and check the admin panel with care, preferably in manual mode. This is pentest - those remaining percent of effort that we are not considering now.

It is worth noting that you can use this as an analogue of load testing. At the first stage, you can turn on a dynamic scanner with 10-15 threads and see what happens, but usually, as practice shows, nothing good.

A few tools that we usually use.


Worth highlighting is Burp Suite - the "Swiss army knife" of any security specialist. Everyone uses it and it is very convenient. A new demo version of the enterprise edition has been released. If previously it was a standalone utility with plugins, now the developers have finally made a big server from which several agents can be managed. This is cool, I recommend trying it.

Process integration

Integration is done well and easily: start a scan after the application has been successfully installed on the stand, and scan after successful integration testing.

If the integration does not work or there are stubs and mock functions, it is pointless and useless - no matter what pattern we send, the server will still respond in the same way.

  • Ideally, a separate test stand.
  • Before testing, write down the authorization sequence.
  • Testing of the administration system is done only manually.

Process

A little about the process in general and about the work of each tool in particular. All applications are different - one works better with dynamic analysis, another with static analysis, a third with OpenSource analysis, pentests, or something else entirely, for example, WAF events.

Every process needs to be managed.

To understand how the process works and where it can be improved, you need to collect metrics from everything you can get hold of, including production metrics, metrics from tools, and from bug trackers.

Any information is useful. It is necessary to look from different angles at where this or that tool is used more effectively, where exactly the process sags. It may be worth looking at development response times to see where the process can be improved in terms of time. The more data, the more views can be built, from the top level down to the details of each process.


Since all static and dynamic analyzers have their own APIs, their own launch methods and principles, some have schedulers and some do not - we are writing a tool, AppSec Orchestrator, which allows you to create a single entry point into the whole process from the product side and manage it from one place.

Managers, developers and security engineers have one entry point where they can see what is running, configure and launch scans, get scan results, and deliver requirements. We are trying to move away from paper, to translate everything into the human form that development uses - pages in Confluence with status and metrics, bugs in Jira or in various bug trackers, or integration into the synchronous/asynchronous process in CI/CD.

Key Takeaways

Tools are not the main thing. First think about the process - then implement tools. Tools are good but expensive, so you can start with the process and build communication and understanding between development and security. From the security point of view, there is no need to "stop" everything. From the development point of view, if there is something mega super critical, it must be eliminated, and the problem must not be brushed aside.

Product quality is the common goal of both security and development. We are doing one thing, trying to make sure that everything works and there are no reputational risks or financial losses. That is why we promote the DevSecOps, SecDevOps approach to improve communication and product quality.

Start with what you already have: requirements, architecture, partial checks, training, guidelines. There is no need to apply all practices to all projects at once - go iteratively. There is no single standard - experiment and try different approaches and solutions.

There is an equals sign between information security defects and functional defects.

Automate everything that moves. Whatever does not move, move it and automate it. If something is done manually, it is not a good part of the process. Perhaps it is worth reviewing it and automating it too.

If the IS team is small - use Security Champions.

Perhaps what I have talked about will not suit you and you will come up with something of your own - and that is good. But choose tools based on the requirements of your process. Do not look at what the community says, that this tool is bad and that one is good. Perhaps the opposite will be true for your product.

Tool requirements.

  • Low False Positive rate.
  • Adequate analysis time.
  • Ease of use.
  • Availability of integrations.
  • Understanding of the product development roadmap.
  • Possibility of tool customization.

Yuri's talk was selected as one of the best at DevOpsConf 2018. To get acquainted with even more interesting ideas and practical cases, come to Skolkovo on May 27 and 28 for DevOpsConf within the RIT++ festival. Even better, if you are ready to share your experience, submit a talk proposal by April 21.

Source: www.habr.com
