Vulnerability scanning and secure development. Part 1


As part of their professional work, developers, pentesters and security specialists have to deal with processes such as Vulnerability Management (VM) and the (Secure) SDLC.
Behind these terms are distinct sets of practices and tools that are interconnected, even though the people who use them differ.

Technology has not yet reached the point where a single tool can replace a human in analysing the security of infrastructure and software.
It is worth understanding why this is so and which problems one runs into.

Processes

The Vulnerability Management process is designed for continuous monitoring of infrastructure security and for patch management.
The Secure SDLC process ("secure development lifecycle") is designed to maintain application security during development and operation.

The part these processes have in common is Vulnerability Assessment: assessing vulnerabilities, scanning for vulnerabilities.
The main difference between scanning within VM and within the SDLC is that in the first case the goal is to find known vulnerabilities in third-party software or in its configuration. For example, an outdated Windows version or the default "public" SNMP community string.
In the second case, the goal is to find vulnerabilities not only in third-party components (dependencies), but primarily in the code of the new product itself.

This creates differences in tools and approaches. In my opinion, the task of finding new vulnerabilities in an application is far more interesting, because it does not boil down to version fingerprinting, banner grabbing, password brute forcing and the like.
High-quality automated scanning for application vulnerabilities requires algorithms that take into account the application's semantics, its purpose and the threats specific to it.

An infrastructure scanner can often be replaced by a timer, as avleonov puts it. The point is that, purely statistically, you can consider your infrastructure vulnerable if you have not updated it for, say, a month.

Tools

Scanning, like security analysis in general, can be performed in black-box or white-box mode.

Black box

In black-box scanning, the tool must be able to work with the service through the same interfaces that its users work through.

Infrastructure scanners (Tenable Nessus, Qualys, MaxPatrol, Rapid7 Nexpose, etc.) look for open network ports, collect "banners", determine the versions of the installed software and look up those versions in their knowledge base for known vulnerabilities. They also try to detect configuration errors such as default passwords, data exposed without authentication, weak SSL ciphers and so on.

Web application scanners (Acunetix WVS, Netsparker, Burp Suite, OWASP ZAP, etc.) can likewise identify known components and their versions (for example, the CMS, frameworks, JS libraries). The main steps of a scan are crawling and fuzzing.
During crawling, the scanner collects information about the application's interfaces and HTTP parameters. During fuzzing, mutated or generated data is substituted into every discovered parameter in order to provoke an error and thereby detect a vulnerability.

Such application scanners belong to the DAST and IAST classes: Dynamic and Interactive Application Security Testing, respectively.
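A minimal version of that crawl-then-fuzz loop, as an added example rather than code from the original article. It runs against an in-process stub application (the pages, the routes and the single unescaped reflection in `/search` are all constructed here) so that it works offline; the `stub_get` function stands in for the scanner's HTTP client, and the `MARKER` token and payload list are choices made for the example.

```python
"""Minimal black-box crawl-and-fuzz loop against an in-process stub app.

Added example, not code from the original article. The stub application,
its pages and its one reflected-input flaw are constructed here so the
script runs offline; a real scanner performs the same steps over HTTP.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# --- constructed stub application: path -> handler(query dict) -> HTML ------
def _index(q):
    return ('<html><body><a href="/search?q=books">Search</a>'
            '<a href="/item?id=1">Item</a>'
            '<form action="/login" method="get"><input name="user"></form>'
            '</body></html>')

def _search(q):
    # Constructed flaw: the parameter is reflected without escaping.
    return f"<html><body>Results for {q.get('q', '')}</body></html>"

def _item(q):
    return f"<html><body>Item {escape(q.get('id', ''))}</body></html>"

def _login(q):
    return f"<html><body>Hello {escape(q.get('user', ''))}</body></html>"

STUB_ROUTES = {"/": _index, "/search": _search, "/item": _item, "/login": _login}

def stub_get(url):
    """Stand-in for an HTTP GET: returns (status, body) from the stub app."""
    parts = urlsplit(url)
    handler = STUB_ROUTES.get(parts.path)
    if handler is None:
        return 404, ""
    return 200, handler(dict(parse_qsl(parts.query)))

# --- crawling: discover links, forms and their parameters -------------------
class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []      # href values of <a> tags
        self.forms = []      # (action, [input names]) per <form>
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = (a.get("action", ""), [])
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form[1].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(start, fetch, limit=50):
    """Breadth-first crawl; returns {path: set of parameter names seen}."""
    seen, queue, surface = set(), [start], {}
    while queue and len(seen) < limit:
        url = queue.pop(0)
        parts = urlsplit(url)
        # Record query parameters even for paths that were already visited.
        surface.setdefault(parts.path, set()).update(k for k, _ in parse_qsl(parts.query))
        if parts.path in seen:
            continue
        seen.add(parts.path)
        status, body = fetch(url)
        if status != 200:
            continue
        p = LinkParser()
        p.feed(body)
        queue.extend(urljoin(url, href) for href in p.links)
        for action, names in p.forms:
            surface.setdefault(urlsplit(urljoin(url, action)).path, set()).update(names)
    return surface

# --- fuzzing: inject payloads into every discovered parameter ---------------
MARKER = "zqx7"                       # unlikely token, used to spot reflection
PAYLOADS = [f"<{MARKER}>", f'"{MARKER}', f"'{MARKER}"]

def fuzz(surface, fetch):
    """Send each payload in each parameter; flag verbatim (unescaped) echoes."""
    findings = []
    for path, params in surface.items():
        for name in sorted(params):
            for payload in PAYLOADS:
                url = urlunsplit(("http", "stub", path, urlencode({name: payload}), ""))
                status, body = fetch(url)
                if status == 200 and payload in body:
                    findings.append((path, name, payload))
                    break           # one hit per parameter is enough
    return findings

def scan(start, fetch):
    return fuzz(crawl(start, fetch), fetch)

if __name__ == "__main__":
    for finding in scan("http://stub/", stub_get):
        print("unescaped reflection:", finding)
```

The crawler records a parameter the first time it sees it on any link or form; the fuzzer then treats `/search?q=...` and `/item?id=...` as separate parameters even though a real application might route both through the same code, which is exactly the deduplication weakness discussed in the problems section below. Only `/search` echoes the marker unescaped; `/item` and `/login` escape it and are therefore not reported.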

White box

White-box scanning differs more.
Within the VM process, scanners (Vulners, Incsecurity Couch, Vuls, Tenable Nessus, etc.) are usually given access to the systems and perform authenticated scans. The scanner can therefore read installed package versions and configuration parameters directly from the system instead of guessing them from network service banners.
The scan is more accurate and more complete.

When we talk about white-box scanning of applications (CheckMarx, HP Fortify, Coverity, RIPS, FindSecBugs, etc.), we usually mean static code analysis and the corresponding tools of the SAST class: Static Application Security Testing.

Problems

There are plenty of problems with scanning! I had to face most of them personally while providing a service for building scanning and secure development processes, and also while doing security analysis work.

I will single out 3 main groups of problems, confirmed by conversations with engineers and heads of information security at various companies.

Web application scanning problems

  1. Difficulty of implementation. Scanners have to be deployed, configured, tuned for each application, given a test environment to scan and integrated into the CI/CD process for this to work effectively. Otherwise it becomes a pointless formal procedure that surfaces nothing but false positives.
  2. Scan duration. Even in 2019, scanners do a poor job of deduplicating interfaces and can spend days crawling a thousand pages with 10 parameters each, treating them as different even though the same code handles them. At the same time, the decision to deploy to production within the development cycle has to be made quickly.
  3. Poor recommendations. Scanners give generic recommendations, and a developer cannot always quickly understand from them how to reduce the risk level and, most importantly, whether it has to be done right now or is not yet critical.
  4. Destructive impact on the application. Scanners can quite easily perform a DoS attack on the application, and can create a large number of entities or modify existing ones (for example, create tens of thousands of comments on a blog), so a scan should not be thoughtlessly pointed at production.
  5. Low quality of vulnerability detection. Scanners usually use a fixed set of payloads and can easily miss a vulnerability that does not fit a known pattern of application behaviour.
  6. The scanner does not understand what the application does. Scanners by themselves do not know what "internet banking", "payment" or "comments" are. For them there are only links and parameters, so a huge layer of possible business-logic vulnerabilities stays completely uncovered; they will not think of performing a double debit, viewing someone else's data by ID, or increasing a balance through rounding.
  7. The scanner does not understand page semantics. Scanners cannot read FAQs, cannot recognise captchas, and will not work out on their own how to register and then log in again, that "log out" must not be clicked, or how to sign requests when changing parameter values. As a result, most of the application may not get scanned at all.

Source code scanning problems

  1. False positives. Static analysis is a hard problem that involves many trade-offs. Accuracy often has to be sacrificed, and even expensive enterprise scanners produce a large number of false positives.
  2. Difficulty of implementation. To improve the accuracy and completeness of static analysis, the scanning rules have to be tuned, and writing those rules can be too laborious. Sometimes it is easier to find every place in the code with a particular type of flaw and fix them all than to write a rule that detects such cases.
  3. Lack of dependency support. Large projects depend on a great many libraries and frameworks that extend the capabilities of the programming language. If the scanner's knowledge base has no information about the "sinks" in these frameworks, they become a blind spot and the scanner simply will not understand the code.
  4. Scan duration. Finding vulnerabilities in code is a hard task algorithmically. The process can therefore take a long time and require significant computing resources.
  5. Low coverage. Despite the resource consumption and scan duration, SAST tool developers still have to make compromises and analyse only some of the states the program can be in.
  6. Reproducibility of findings. Pointing at a specific line and the call stack that leads to a vulnerability is nice, but in practice the scanner often does not provide enough information to verify the vulnerability from the outside. After all, the flaw may sit in dead code that an attacker cannot reach.

Infrastructure scanning problems

  1. Insufficient inventory. In large infrastructures, especially geographically distributed ones, it is often very hard to know which hosts need to be scanned. In other words, the scanning task is closely tied to the asset management task.
  2. Poor prioritisation. Network scanners often produce many findings for flaws that cannot be exploited in practice but whose formal risk level is high. The consumer gets a report that is hard to interpret, and it is unclear what should be fixed first.
  3. Poor recommendations. The scanner's knowledge base usually contains only generic information about the vulnerability and how to fix it, so administrators have to arm themselves with Google. The situation is somewhat better with white-box scanners, which can output the specific command that fixes the issue.
  4. Manual work. An infrastructure can have many nodes, which means many potential flaws and reports that have to be sorted and analysed by hand on every iteration.
  5. Poor coverage. The quality of infrastructure scanning depends directly on the size of the knowledge base of vulnerabilities and software versions. It turns out that even the market leaders do not have a complete knowledge base, and the databases of free solutions contain a lot of information the leaders lack.
  6. Patching problems. Most often, fixing an infrastructure vulnerability means updating a package or changing a configuration file. The big problem here is that a system, especially a legacy one, can behave unpredictably after the update. In effect, you end up running integration tests on live infrastructure in production.

Approaches

So what can be done?
I will cover examples and ways of dealing with many of the problems listed above in more detail in the following parts, but for now I will outline the main directions in which you can work:

  1. Aggregating different scanning tools. With the right use of several scanners you can achieve a significant increase in the knowledge base and in detection quality. You can even find more vulnerabilities than the sum of all the scanners run separately, while assessing the risk level more accurately and giving more recommendations.
  2. Integrating SAST and DAST. It is possible to increase DAST coverage and SAST accuracy by exchanging information between them. From the sources you can obtain information about the existing routes, and with DAST you can check whether a vulnerability is visible from the outside.
  3. Machine Learning™. Back in 2015 I talked (and more) about using statistics to give scanners a web pentester's intuition and to speed them up. This is definitely fuel for the future development of automated security analysis.
  4. Integrating IAST with autotests and OpenAPI. Within a CI/CD pipeline, a scanning process can be built on tools that act as an HTTP proxy and on functional tests that run over HTTP. OpenAPI/Swagger tests and contracts give the scanner the missing information about data flows and make it possible to scan the application in its various states.
  5. Correct configuration. For each application and each infrastructure you need to build a suitable scan profile that takes into account the number and nature of the interfaces and the technologies used.
  6. Customising the scanner. Often an application cannot be scanned without modifying the scanner. An example is a payment gateway where every request must be signed. Without writing a connector for the gateway's protocol, scanners will mindlessly hammer it with requests carrying an invalid signature. It is also necessary to write specialised scanners for a particular type of flaw, such as Insecure Direct Object Reference.
  7. Risk management. Using various scanners and integrating with external systems such as Asset Management and Threat Management makes it possible to use many parameters for assessing the risk level, so that management gets an adequate picture of the current security state of the development or the infrastructure.
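Point 6 in practice, as an added example that is not code from the original article: a connector that signs every request the way a gateway expects, and a differential IDOR check layered on top of it. The gateway, its HMAC-over-canonical-string scheme, the API key, the session tokens and the missing ownership check on `/orders/{id}` are all assumptions constructed for the example; a real connector would wrap the scanner's HTTP client the same way, and a real gateway would also reject stale timestamps, which the stub does not.

```python
"""Scanner connector for a gateway that signs every request, plus an IDOR
check built on top of it.

Added example, not code from the original article. The gateway, its
signature scheme, its users and its one broken ownership check are all
constructed here so the script runs offline.
"""
import hashlib
import hmac
import json
import time

# --- constructed stub gateway ----------------------------------------------
API_SECRETS = {"key-scanner": b"s3cret"}              # constructed API key -> secret
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # constructed session tokens
ORDERS = {"1001": {"owner": "alice", "total": 42}, "1002": {"owner": "bob", "total": 7}}
PROFILES = {"alice": {"email": "alice@example.test"}, "bob": {"email": "bob@example.test"}}

def canonical(method, path, ts, body):
    """String the gateway signs: method, path, timestamp and body, newline-joined."""
    return f"{method}\n{path}\n{ts}\n{body}".encode()

def stub_gateway(method, path, headers, body=""):
    """Stand-in for the HTTP gateway: verifies the signature, then routes."""
    secret = API_SECRETS.get(headers.get("X-Api-Key", ""))
    if secret is None:
        return 401, '{"error":"unknown api key"}'
    expected = hmac.new(secret, canonical(method, path, headers.get("X-Timestamp", ""), body),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return 401, '{"error":"bad signature"}'
    user = SESSIONS.get(headers.get("X-Session", ""))
    if user is None:
        return 401, '{"error":"no session"}'
    parts = path.strip("/").split("/")
    if parts[0] == "orders" and len(parts) == 2:
        order = ORDERS.get(parts[1])
        # Constructed IDOR flaw: the order's owner is never compared with the caller.
        return (200, json.dumps(order)) if order else (404, "{}")
    if parts[0] == "profile" and len(parts) == 2:
        if parts[1] != user:                     # ownership enforced here
            return 403, '{"error":"forbidden"}'
        return 200, json.dumps(PROFILES[user])
    return 404, "{}"

# --- connector: sign each request the way the gateway expects ---------------
class SigningClient:
    """A scanner routes its (possibly fuzzed) requests through this instead of
    sending them raw, so they arrive with a valid signature."""
    def __init__(self, send, api_key, secret, session, clock=time.time):
        self.send, self.api_key, self.secret = send, api_key, secret
        self.session, self.clock = session, clock

    def request(self, method, path, body=""):
        ts = str(int(self.clock()))
        sig = hmac.new(self.secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
        headers = {"X-Api-Key": self.api_key, "X-Timestamp": ts,
                   "X-Signature": sig, "X-Session": self.session}
        return self.send(method, path, headers, body)

    def get(self, path):
        return self.request("GET", path)

# --- specialised check: Insecure Direct Object Reference --------------------
def idor_check(owner_client, other_client, paths):
    """Differential access test: fetch each object as its owner, then as a
    different authenticated user. An identical 200 response for both means
    the object's ownership is not enforced."""
    findings = []
    for path in paths:
        s1, b1 = owner_client.get(path)
        if s1 != 200:
            continue                     # no baseline, nothing to compare
        s2, b2 = other_client.get(path)
        if s2 == 200 and b2 == b1:
            findings.append(path)
    return findings

def run_demo():
    alice = SigningClient(stub_gateway, "key-scanner", API_SECRETS["key-scanner"], "tok-alice")
    bob = SigningClient(stub_gateway, "key-scanner", API_SECRETS["key-scanner"], "tok-bob")
    # Object URLs belonging to alice, e.g. harvested while crawling as alice.
    return idor_check(alice, bob, ["/orders/1001", "/profile/alice"])

if __name__ == "__main__":
    print("IDOR candidates:", run_demo())
```

Without the connector every probe dies at the signature check with a 401, which is what a stock scanner sees against such a gateway. With it, the differential check reports `/orders/1001` (bob receives alice's order unchanged) and stays silent on `/profile/alice` (bob gets 403). Comparing bodies rather than only status codes matters: an endpoint that returns 200 with an empty or redacted object for the wrong user is not an IDOR.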

Stay tuned, and let's disrupt vulnerability scanning!

Source: www.habr.com
