Secure development: a complete guide to best practices and frameworks

Last updated: March 4, 2026
  • Secure development integrates security controls into every phase of the software life cycle, from requirements through to operations.
  • Frameworks such as OWASP SAMM, Microsoft SDL, DevSecOps, and the NIST SSDF guide the adoption and maturity of security practices.
  • OWASP's technical best practices (validation, access control, cryptography, error handling, and session management) reduce the attack surface.
  • Culture, continuous training, and collaboration between development, operations, and security are essential for the model to work over time.


Secure development is no longer an "extra" reserved for critical projects; it is a day-to-day requirement for any team building important software. Cyber threats and risks keep advancing, and if code is not designed securely from the start, sooner or later the feared consequences arrive: leaks, fraud, service outages, and a major loss of trust.

The good news is that today we have well-established methodologies, frameworks, and best practices (OWASP, Microsoft SDL, NIST SSDF, maturity models, DevSecOps, etc.) that allow security to be integrated across the whole development cycle without breaking the bank. The key is not "adding security at the end" but integrating it into every phase, from defining requirements until the application is in production and maintained for years.

What does secure development really mean?

When we talk about secure software development, we refer to applying a set of practices, controls, and design decisions that prevent applications from being used to commit fraud, steal information, or perform unintended actions. It is not just about "fixing vulnerabilities," but about preventing security problems long before they reach the end user.

For decades, the priority for many teams has been functionality and performance. Delivering fast and leaving security to the framework, the firewall, or "the security team" leads to a well-known result: vulnerabilities in the source code of internet-exposed applications become the preferred entry point for attackers, despite the external layers of protection.

The secure development approach assumes that the responsibility for using tools correctly, and for configuring frameworks, libraries, and platforms securely, falls on developers. Platforms provide a toolbox, but secure use depends on the product team. That is why many AppSec programs place such emphasis on training, culture, and technical support for the development team.

Moreover, security is no longer a one-off check: it shows up in programs such as automated scanning, DevSecOps pipelines, static and dynamic analysis, penetration testing, bug bounty programs, and formal vulnerability response processes. All of this is organized within the Secure Software Development Life Cycle (Secure SDLC or SSDLC).

Secure development methodologies and frameworks


There are several methodologies and frameworks that help integrate security into the software development life cycle (SDLC). They are not mutually exclusive; in fact, it is common to combine several depending on the organization's context, the type of product, and the team's level of maturity.

Secure Software Development (SSD) and the SSDLC

The secure software development approach therefore treats security as a first-class requirement, on the same footing as usability or performance. In the Secure Software Development Life Cycle (SSDLC), security is integrated into every phase: requirements, design, implementation, testing, deployment, and maintenance.

This translates into very concrete activities: threat modeling during design, security checklists in user stories, code reviews focused on vulnerabilities, specific testing (SAST, DAST, IAST), well-defined authentication and authorization requirements, and non-functional security controls treated as part of the scope rather than as extras.

SecDevOps / DevSecOps

With the rise of DevOps, many organizations have automated their continuous integration and continuous delivery (CI/CD) cycle. The logical next step has been to embed security into those same pipelines, giving rise to DevSecOps or SecDevOps.

In the DevSecOps approach, security relies on automation integrated into the pipeline: static code analysis on every commit, dependency scanning, container review, dynamic analysis in test environments, security controls in infrastructure as code, and interactive testing (IAST) while the application runs in a test environment.

This model also addresses supply chain security: software bills of materials (SBOMs) using standards such as CycloneDX, continuous dependency tracking platforms, and controls to prevent the pipeline itself from being compromised. OWASP offers very useful resources such as the "CI/CD Security Cheat Sheet" and the DevSecOps Guide, which describe the priority controls in this area.

Maturity models: OWASP SAMM and similar

The OWASP SAMM model (Software Assurance Maturity Model) describes how secure development practices are applied across the different business functions: design, implementation, verification, operations, governance and culture, etc. It does not only say "what you should do," but also how mature the organization is and which steps can be taken to improve.


Applying a maturity model gives a clear view of weaknesses: perhaps good penetration testing but insufficient developer training, or automated pipelines but no clear vulnerability response policy. SAMM helps prioritize investment where it will have the greatest impact.

The Microsoft SDL framework and the Azure ecosystem

The Microsoft Security Development Lifecycle (SDL) is another reference process, widely used especially in projects deployed on Azure. This model defines security activities for each development phase and links them to specific Azure services (for example, identification tools, security monitoring, network controls, encryption, etc.).

One of the key ideas of SDL is that the later a problem is fixed, the more costly and complex the fix becomes. If a vulnerability is not found in the early phases, every subsequent phase inherits it, and the cost of fixing it grows sharply. That is why SDL insists on introducing controls from the requirements and design phases onward.

This approach relies on additional resources such as Azure security best practices, technical compliance programs, the Microsoft identity platform, and guidelines for secure cloud architecture, which serve as references for developers, architects, and operations teams.

The NIST SSDF framework

The NIST Secure Software Development Framework (SSDF) groups secure development practices into four main blocks: preparing the organization, protecting the software, producing well-secured software, and responding to vulnerabilities.

In practice, this involves establishing policies and training, securing repositories and build artifacts against tampering, designing and coding with a strong focus on known risks (relying on frameworks such as OWASP), and creating clear processes to detect, analyze, and mitigate vulnerabilities once the product is in users' hands.

Integrating security into the development life cycle

A secure SDLC is not a "separate cycle" but the usual development process with security activities integrated into each phase. If security is treated as a parallel process, it is only a matter of time before it ends up neglected because of deadlines.

Almost all modern software is developed iteratively: requirements are gathered, the software is designed, implemented, tested, deployed, and maintained, and then the cycle starts again. Each iteration offers clear opportunities to introduce specific security practices.

1. Requirements: think about security from minute zero

During the requirements phase, the application's functional, non-functional, and security requirements are defined. This should include things such as confidentiality levels, compliance requirements, authentication policies, access restrictions, and traceability needs (logs, audits, etc.).

This is the ideal moment to rely on resources such as the OWASP Application Security Verification Standard (ASVS), which provides a catalog of security requirements organized by level, or on tools such as SecurityRAT, which help generate an initial set of security requirements for each project.

Involving the security team (if there is one) in defining requirements allows tasks to be prioritized properly and the impact of each feature to be understood from a risk perspective. If security is left for later, the cost of change will be far higher.

2. Planning and design: threat modeling and key decisions

Once it is clear what needs to be built, it is time to decide how it will be built. This is where planning and architectural design come in: which components will be built, how they will communicate, what information they will handle, and how they will be exposed to users and external systems.

In this phase, threat modeling is essential. Tools such as OWASP Threat Dragon, or "Python-style" threat modeling methodologies, let you visualize the architecture and identify critical assets, entry points, potential attackers, and exploitation scenarios. This helps decide which controls are essential at each layer.

It is also the right time to apply classic principles such as defense in depth (not relying on a single barrier), minimal and simple architecture, and separation of responsibilities. Overly complex architectures tend to correlate with more bugs and, therefore, with more vulnerabilities.

3. Implementation: secure code and proactive controls

In the implementation phase, the design is translated into code. This is where secure coding best practices make the biggest difference. OWASP compiles these practices in its "Secure Coding Practices" guide, organized into 14 areas covering everything from input validation to memory management.

Among the most important controls are the OWASP Top 10 Proactive Controls, which the community itself regards as the minimum requirements every architect and engineer should include in any project. Applying them significantly reduces the application's attack surface.

It is also recommended to reuse verified security libraries instead of reinventing the wheel; examples include ESAPI (Enterprise Security API) or specific tools such as CSRFGuard, which protects against cross-site request forgery (CSRF). These libraries encapsulate best practices for common tasks such as session management, output encoding, and injection protection.


On the other hand, static analysis (SAST) integrated into the pull request or merge request flow helps detect insecure code patterns early, before a change is merged and reaches shared environments.

4. Verification, testing and deployment

The verification phase goes beyond functional testing. It includes specific security testing, both automated and manual. This covers SAST, DAST (dynamic analysis), IAST, dependency scanning, container analysis, and specialized manual reviews.

Code reviews remain essential: although automated analysis catches many issues, a second, trained pair of eyes can reveal logic errors or less obvious vulnerabilities. Ideally, each team should have one or more "security champions" who act as an internal reference.

For high-risk projects, it makes sense to include penetration testing. These tests are carried out by external specialists who simulate real attackers using techniques ranging from vulnerability scanning to controlled exploitation. Many organizations complement this approach with bug bounty programs, encouraging security researchers to report vulnerabilities rather than exploit them.

Deployment should be accompanied by additional infrastructure controls: secure server configuration, use of TLS, network segmentation, centrally managed secrets, etc., as well as monitoring and alerting mechanisms to detect anomalous behavior in production.

5. Operations and maintenance: the cycle never stops

Once in production, the security work does not end. Applications change, new vulnerabilities emerge (including zero-day exploits), dependencies change, and business requirements evolve.

The maintenance phase includes applying patches, managing vulnerabilities reported by customers or researchers, and running periodic scans. Application management and control of third-party dependencies are essential. Tools such as OWASP Dependency-Check or continuous SBOM analysis platforms help identify which libraries are in use and which known issues they may introduce.
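The SBOM-based dependency tracking mentioned in the DevSecOps section and the periodic dependency checks described here come down to the same mechanics: read the bill of materials, compare each component's version against an advisory feed, and fail the build when something unacceptable is found. The following is an added example (not code from the article or from any of the tools it names); the SBOM is a constructed CycloneDX-style JSON document reduced to the fields used here, and the advisory feed, package names, ids, and version ranges are all fictional placeholders.

```python
import json

# Constructed CycloneDX-style SBOM: real documents carry many more fields,
# only bomFormat/specVersion/components are needed for this check.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-http",   "version": "2.3.1",  "purl": "pkg:pypi/acme-http@2.3.1"},
    {"type": "library", "name": "acme-yaml",   "version": "5.4.0",  "purl": "pkg:pypi/acme-yaml@5.4.0"},
    {"type": "library", "name": "acme-crypto", "version": "41.0.7", "purl": "pkg:pypi/acme-crypto@41.0.7"}
  ]
}
"""

# Constructed advisory feed (placeholder ids, fictional packages). A real pipeline
# would pull this from a vulnerability database; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "acme-http",   "introduced": "2.0.0",  "fixed": "2.3.2",  "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "acme-yaml",   "introduced": "0.0.0",  "fixed": "5.4.0",  "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "acme-crypto", "introduced": "40.0.0", "fixed": "41.0.8", "severity": "medium"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(version: str) -> tuple:
    """Dotted numeric versions only (an assumption of this example); non-numeric parts sort as 0."""
    parts = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, advisory: dict) -> bool:
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def load_components(sbom_text: str) -> list:
    """Return (name, version) pairs; reject documents that are not CycloneDX."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def find_vulnerable(sbom_text: str, advisories: list) -> list:
    """Cross the SBOM with the advisory feed and return one finding per matching advisory."""
    findings = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({
                    "package": name, "version": version, "advisory": adv["id"],
                    "severity": adv["severity"], "fixed_in": adv["fixed"],
                })
    return findings


def gate_passes(findings: list, max_allowed: str = "medium") -> bool:
    """Pipeline gate: the build fails if any finding exceeds the tolerated severity."""
    limit = SEVERITY_RANK[max_allowed]
    return all(SEVERITY_RANK[f["severity"]] <= limit for f in findings)


if __name__ == "__main__":
    found = find_vulnerable(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['severity']:8} {f['package']}=={f['version']} -> {f['advisory']} (fixed in {f['fixed_in']})")
    print("gate:", "PASS" if gate_passes(found) else "FAIL")
```

The half-open range check (`introduced <= version < fixed`) is what keeps a component on exactly the fixed version out of the findings, which is the case the example's `acme-yaml` entry exercises; the gate threshold is deliberately a parameter so that a team can ratchet it down as its backlog shrinks.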

This phase also involves managing logs and errors properly. A good logging system lets you detect intrusion attempts, investigate incidents, and continuously improve defenses. At the same time, error messages or stack traces must be prevented from leaking sensitive information that could help an attacker.

Finally, the cycle returns to the beginning: every incident, improvement, or vulnerability leads to new requirements, which are planned, designed, implemented, and verified in turn. Secure development is, by definition, a process of continuous improvement.

Specific secure development best practices

Beyond frameworks and methodologies, it is essential to ground security in very concrete technical practices that teams can apply every day. OWASP offers a very complete guide organized by key areas.

Input validation and output encoding

One of the most common causes of serious vulnerabilities is trusting unvalidated input data. It is essential to identify all untrusted data sources (forms, APIs, files, external databases, HTTP headers, etc.) and always validate their format, length, and content.

The golden rule is that any input that fails validation is rejected explicitly. Many attacks, such as injection or XSS, stem from this omission. It is no coincidence that several vulnerabilities in the OWASP Top 10 relate to poor input validation.

Regarding output encoding, the goal is to ensure that data displayed in HTML, JavaScript, SQL, logs, or other contexts is adequately escaped to avoid unintended execution. The recommendation is to use standard, tested encoding routines specific to each context, not ad hoc solutions.
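To make the two halves of this practice concrete, here is an added example (not code from the article) of an allowlist validator that fails closed, followed by context-specific output encoders built on the standard library. The form fields, their allowlist rules, and the profile page layout are assumptions made for the example.

```python
import html
import json
import re
from typing import Optional

# Allowlist rules for the fields a sign-up form accepts (constructed for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")
EMAIL_RE = re.compile(r"[^@\s]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
BIO_MAX_LEN = 500


class ValidationError(ValueError):
    """Raised when an untrusted field fails validation; the caller rejects the request explicitly."""


def validate_signup(form: dict) -> dict:
    """Check type, format, length and content of every untrusted field; fail closed.

    Only validated copies are returned, so later code never touches the raw form.
    """
    username: Optional[str] = form.get("username")
    email: Optional[str] = form.get("email")
    bio = form.get("bio", "")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username: 3-32 letters, digits, '_', '.' or '-'")
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        raise ValidationError("email: not a valid address")
    if not isinstance(bio, str) or len(bio) > BIO_MAX_LEN:
        raise ValidationError(f"bio: at most {BIO_MAX_LEN} characters")
    if any(ord(c) < 32 and c not in "\n\t" for c in bio):
        raise ValidationError("bio: control characters are not allowed")
    return {"username": username, "email": email, "bio": bio}


def is_valid_signup(form: dict) -> bool:
    """Convenience wrapper: True if the form passes, False if it is rejected."""
    try:
        validate_signup(form)
        return True
    except ValidationError:
        return False


def encode_for_html(value: str) -> str:
    """Encode for an HTML text node or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode as a JavaScript string literal placed inside a <script> block.

    json.dumps escapes quotes, backslashes, control characters and (with the
    default ensure_ascii=True) all non-ASCII code points such as U+2028/2029;
    '<' is escaped in addition so the literal can never close the </script> tag.
    """
    return json.dumps(value).replace("<", "\\u003c")


def render_profile(profile: dict) -> str:
    """Render a validated profile, encoding each value for the context it lands in."""
    name = profile["username"]
    bio = profile["bio"]
    return (
        f'<h1 title="{encode_for_html(name)}">{encode_for_html(name)}</h1>\n'
        f"<p>{encode_for_html(bio)}</p>\n"
        f"<script>const bio = {encode_for_js_string(bio)};</script>"
    )
```

Note that the same value (`bio`) is encoded twice with different routines because it is emitted into two different contexts; reusing the HTML encoder inside the script block, or vice versa, is exactly the ad hoc mistake the article warns against.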

Authentication and password management

Passwords remain the most widespread authentication method, and also one of the weakest areas. A robust system requires that every non-public area demand authentication, and that credential handling follow clear best practices.

Among those practices, the following stand out: store only salted cryptographic hashes of passwords and never write passwords in clear text; enforce sufficiently long and complex passwords; block or slow down after several failed login attempts; and require re-authentication before sensitive operations (such as changing the email address, password, or bank details).

At the same time, there is a trend toward complementing or replacing passwords with stronger methods such as multi-factor authentication or passkeys, which combine cryptographic keys stored on the device with local biometrics or PINs, reducing exposure to phishing and credential theft.
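The four password-handling rules listed above fit in one small login service. This is an added example (not code from the article), built only on the Python standard library: PBKDF2-HMAC-SHA256 with a random per-password salt, constant-time comparison, a length-first policy checked against a breached-password list, lockout after repeated failures, and re-authentication before an email change. The iteration count, the lockout parameters, and the common-password list are assumptions; tune the first to the target hardware.

```python
import hashlib
import hmac
import secrets
import time

# Parameters are assumptions for this example; tune iterations to ~100 ms on your hardware.
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LEN = 12
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password1234", "123456789012", "qwertyuiop12"}


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries its parameters so they can be raised later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def password_policy_ok(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in COMMON_PASSWORDS


# Hash verified for unknown usernames so response time does not reveal which accounts exist.
DUMMY_HASH = hash_password("dummy-value-for-unknown-accounts")


class LoginService:
    """In-memory user store with lockout after repeated failures and re-auth for sensitive changes."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._users = {}             # username -> {"hash": str, "email": str}
        self._failures = {}          # username -> {"count": int, "locked_until": float}

    def register(self, username: str, password: str, email: str) -> bool:
        if username in self._users or not password_policy_ok(password):
            return False
        self._users[username] = {"hash": hash_password(password), "email": email}
        return True

    def login(self, username: str, password: str) -> str:
        """Returns "ok", "locked" or "bad_credentials" (same answer for unknown user and wrong password)."""
        now = self._clock()
        state = self._failures.setdefault(username, {"count": 0, "locked_until": 0.0})
        if now < state["locked_until"]:
            return "locked"
        user = self._users.get(username)
        stored = user["hash"] if user else DUMMY_HASH
        if verify_password(password, stored) and user is not None:
            state["count"] = 0
            return "ok"
        state["count"] += 1
        if state["count"] >= MAX_FAILURES:
            state["locked_until"] = now + LOCKOUT_SECONDS
            state["count"] = 0
        return "bad_credentials"

    def change_email(self, username: str, password: str, new_email: str) -> bool:
        """Sensitive operation: the caller must re-authenticate even with a live session."""
        if self.login(username, password) != "ok":
            return False
        self._users[username]["email"] = new_email
        return True

    def email_of(self, username: str) -> str:
        return self._users[username]["email"]
```

Two details are easy to get wrong: the failure counter must be reset when the lock is applied (otherwise the first attempt after the lock expires locks the account again), and the dummy verification for unknown usernames must run through the same code path as a real one.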

Session management

A poorly managed session is a gift to attackers. Session lifetime should be as short as the business can reasonably tolerate, and session cookies should be marked as secure, with the appropriate HttpOnly and SameSite flags.


For critical operations, it can be useful to add extra tokens (for example, anti-forgery or CSRF tokens) that strengthen the guarantee that a request was made by the authenticated user and not by a third party abusing an open session in the browser.
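The session rules in this section (short lifetimes, Secure/HttpOnly/SameSite cookies, an anti-forgery token for state-changing requests) are shown together in the following added example; it is not code from the article, it uses only the standard library, and the timeout values and the `change_email` handler are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Lifetimes are assumptions for this example; choose the shortest values the business accepts.
IDLE_TIMEOUT_SECONDS = 15 * 60
ABSOLUTE_TIMEOUT_SECONDS = 8 * 60 * 60


class SessionStore:
    """Server-side sessions keyed by an unguessable id, with idle and absolute expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._sessions = {}

    def create(self, user: str) -> str:
        now = self._clock()
        sid = secrets.token_urlsafe(32)              # 256 bits of randomness
        self._sessions[sid] = {
            "user": user, "created": now, "last_seen": now,
            "csrf": secrets.token_urlsafe(32),       # per-session anti-forgery token
        }
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session, or None if unknown or expired (expired entries are dropped)."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT_SECONDS
                or now - session["created"] > ABSOLUTE_TIMEOUT_SECONDS):
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session

    def rotate(self, sid: str) -> str:
        """Issue a fresh id for an existing session (do this at login to defeat session fixation)."""
        session = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value carrying the Secure, HttpOnly and SameSite=Strict attributes."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = IDLE_TIMEOUT_SECONDS
    return cookie["session"].OutputString()


def csrf_token_matches(session: dict, submitted) -> bool:
    return isinstance(submitted, str) and hmac.compare_digest(session["csrf"], submitted)


def change_email(store: SessionStore, sid: str, submitted_csrf, new_email: str) -> str:
    """State-changing handler: needs a live session and the matching anti-forgery token."""
    session = store.get(sid)
    if session is None:
        return "unauthenticated"
    if not csrf_token_matches(session, submitted_csrf):
        return "forbidden"
    session["email"] = new_email
    return "ok"
```

The CSRF token lives only in server-side session state and is compared with `hmac.compare_digest`; because the cookie is `HttpOnly`, page scripts cannot read the session id, and the token is what ties a form submission to the session that rendered the form.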

Access control and the principle of least privilege

Robust access control is based on granting permissions, not on building exclusion lists. In other words: deny by default and allow only what is explicitly authorized.

OWASP insists on the principle of least privilege: no user, service, or process should hold more permissions than its tasks require. This means designing very granular roles and permissions, both in the application and in the underlying database and infrastructure.
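Deny-by-default is easiest to see in code where the default branch of the authorization function is a refusal. The following added example (not from the article) combines role-based grants with an object-level ownership check, so that a user who is allowed to read invoices in general still cannot read someone else's; the roles, permission names, and invoice model are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Role -> granted permissions. Anything not listed here is denied (constructed for this example).
ROLE_PERMISSIONS = {
    "viewer": frozenset({"invoice:read"}),
    "accountant": frozenset({"invoice:read", "invoice:create", "invoice:update"}),
    "admin": frozenset({"invoice:read", "invoice:create", "invoice:update",
                        "invoice:delete", "user:manage"}),
}
# Actions that target a specific invoice and therefore also need an object-level check.
OBJECT_LEVEL_ACTIONS = {"invoice:read", "invoice:update", "invoice:delete"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: str
    amount: int


class AccessDenied(PermissionError):
    pass


def permissions_of(principal: Principal) -> frozenset:
    granted = frozenset()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())   # unknown role grants nothing
    return granted


def is_allowed(principal: Principal, action: str, resource: Optional[Invoice] = None) -> bool:
    """Deny by default: the role must grant the action, and object-level actions must also pass ownership."""
    if action not in permissions_of(principal):
        return False
    if action in OBJECT_LEVEL_ACTIONS:
        if resource is None:
            return False                                      # no object to check against
        return resource.owner_id == principal.user_id or "admin" in principal.roles
    return True


def authorize(principal: Principal, action: str, resource: Optional[Invoice] = None) -> None:
    if not is_allowed(principal, action, resource):
        raise AccessDenied(f"{principal.user_id} may not {action}")


class InvoiceService:
    """Every operation authorizes against the loaded object, never only against the request parameters."""

    def __init__(self):
        self._invoices = {}

    def create(self, principal: Principal, invoice_id: str, amount: int) -> Invoice:
        authorize(principal, "invoice:create")
        invoice = Invoice(invoice_id, principal.user_id, amount)
        self._invoices[invoice_id] = invoice
        return invoice

    def read(self, principal: Principal, invoice_id: str) -> Invoice:
        invoice = self._invoices[invoice_id]
        authorize(principal, "invoice:read", invoice)
        return invoice

    def delete(self, principal: Principal, invoice_id: str) -> None:
        invoice = self._invoices[invoice_id]
        authorize(principal, "invoice:delete", invoice)
        del self._invoices[invoice_id]

    def exists(self, invoice_id: str) -> bool:
        return invoice_id in self._invoices
```

The ownership check is evaluated on the record fetched from storage, not on an owner id supplied by the client; that ordering (load, then authorize against what was loaded) is what prevents the broken object-level authorization pattern that sits at the top of the OWASP API Security list.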

Cryptography and data protection

In the event of a breach, the difference between a major scare and a catastrophe often lies in how well the data was protected. It is essential to use standard cryptographic algorithms and well-known libraries, avoid home-grown algorithms, and manage the key life cycle properly (generation, storage, rotation, revocation).

Data protection includes using encryption both in transit (TLS for communications, secure channels, etc.) and at rest where appropriate, as well as minimizing stored data, protecting caches that hold sensitive information, and applying integrated access controls on the resources that handle such data.

Error handling, logging and quality

Good error handling lets you detect problems before they turn into major failures. It is essential to catch exceptions, log the relevant events, and show users generic messages that reveal no internal details, while internal logs collect enough information for diagnosis.

Logging must follow clear policies: what is recorded, how long it is kept, and who can access those records. Moreover, it is essential to avoid storing highly sensitive data in logs (passwords, full card numbers, etc.).
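The error-handling and logging rules above (and the warning in the maintenance section about traces leaking information) are demonstrated in the following added example, which is not code from the article: a request wrapper that returns a generic message plus an incident id to the caller while the full exception goes to an internal log, and a log handler that redacts card numbers and secret key/value pairs after formatting so that exception text and tracebacks are covered too. The redaction patterns, the field names, and the failing handler are constructed for the example.

```python
import logging
import re
import uuid

# Patterns for data that must never land in a log (constructed for this example).
PAN_RE = re.compile(r"\b(\d{6})\d{6,9}(\d{4})\b")          # 16-19 digit card numbers
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|secret|token|authorization)\s*[=:]\s*\S+")
SECRET_FIELDS = {"password", "passwd", "secret", "token", "authorization"}


def redact_text(text: str) -> str:
    """Mask card numbers to first-6/last-4 and blank secret key=value pairs in free text."""
    text = PAN_RE.sub(lambda m: m.group(1) + "*" * (len(m.group(0)) - 10) + m.group(2), text)
    return SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


def redact_fields(params: dict) -> dict:
    """Structured variant for request parameters before they are logged."""
    out = {}
    for key, value in params.items():
        out[key] = "[REDACTED]" if key.lower() in SECRET_FIELDS else redact_text(str(value))
    return out


class RedactingListHandler(logging.Handler):
    """Redacts after formatting, so the exception message and traceback are covered as well."""

    def __init__(self):
        super().__init__()
        self.lines = []          # stands in for a file/SIEM sink in this example

    def emit(self, record):
        self.lines.append(redact_text(self.format(record)))


logger = logging.getLogger("secure_app_example")
logger.setLevel(logging.INFO)
logger.propagate = False
log_sink = RedactingListHandler()
log_sink.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
logger.addHandler(log_sink)


def handle_request(handler, request: dict) -> dict:
    """Run a handler; on failure log full detail internally and return only a generic message and id."""
    try:
        return {"status": 200, "body": handler(request)}
    except Exception as exc:
        incident_id = uuid.uuid4().hex[:12]
        logger.error(
            "incident=%s path=%s params=%s error=%r",
            incident_id, request.get("path"), redact_fields(request.get("params", {})), exc,
            exc_info=True,
        )
        return {"status": 500,
                "body": {"error": "An internal error occurred.", "incident_id": incident_id}}


def failing_handler(request: dict):
    """Constructed handler whose exception message itself contains a secret."""
    raise RuntimeError("db connect failed: password=hunter2")
```

The incident id is the bridge between the two sides: the user can quote it to support, and support can find the full record, so nothing about the failure has to be exposed in the response itself.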

To maintain quality over time, the following are recommended: code audits, periodic application scans, and penetration testing whenever there are significant changes. Again, the aim is for security to be a continuous process, not a one-off review before launch.

Security of communications, databases, files, and memory

For communications, the basic guideline is to encrypt every transfer of sensitive data, whether over HTTPS (TLS) or other secure protocols, and to harden the configuration (accepted protocol versions, cipher suites, valid certificates, etc.).

For databases, the basic good practice is to use parameterized queries and ORMs that clearly separate code from data, thereby preventing SQL injection. It is also recommended to have specific database roles with privileges appropriate to each type of operation.

In file handling, file types must be validated from the actual headers of the file, authentication must be required before allowing sensitive uploads or downloads, and those files must be stored in locations that the web server does not serve directly.
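The three file-handling rules in the paragraph above map onto one upload routine. This is an added example (not code from the article): the accepted types are recognised by their leading bytes rather than by the client-supplied name or MIME type, an unauthenticated caller is refused before anything is inspected, and the file is written under a random server-side name into a directory that is assumed to sit outside the web root. The signature allowlist, size limit, and the `demo` helper are constructed for the example.

```python
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Magic-byte signatures and the extension assigned to each accepted type (constructed allowlist).
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
    "application/pdf": (b"%PDF-", ".pdf"),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def detect_type(data: bytes) -> Optional[str]:
    """Classify by the file's real leading bytes, never by the claimed filename or Content-Type."""
    for mime, (magic, _ext) in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_upload(data: bytes, user: Optional[str]) -> tuple:
    """Return (mime, server_side_name) or raise. The client's filename is deliberately not a parameter."""
    if user is None:
        raise PermissionError("authentication required before uploading")
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    mime = detect_type(data)
    if mime is None:
        raise ValueError("file type not allowed")
    return mime, secrets.token_hex(16) + SIGNATURES[mime][1]


def store_upload(data: bytes, user: Optional[str], upload_dir: Path) -> Path:
    """upload_dir is assumed to be outside the document root and served only through a download handler."""
    _mime, name = validate_upload(data, user)
    dest = upload_dir / name
    dest.write_bytes(data)
    return dest


def upload_outcome(data: bytes, user: Optional[str]) -> str:
    """Map the validation result to a short status string for callers that prefer no exceptions."""
    try:
        return "accepted:" + validate_upload(data, user)[0]
    except PermissionError:
        return "unauthenticated"
    except ValueError as exc:
        return "rejected:" + str(exc)


def demo() -> dict:
    """Store a constructed PNG (valid header, dummy body) into a temporary directory and report the result."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    with tempfile.TemporaryDirectory() as tmp:
        dest = store_upload(png, "alice", Path(tmp))
        return {"suffix": dest.suffix, "exists": dest.exists(), "in_upload_dir": dest.parent == Path(tmp)}
```

Because the stored name is generated server-side and the extension follows the detected type, a claimed name such as a path-traversal string or a double extension has nowhere to take effect; the original name, if it is needed for display, belongs in a database column, not on the filesystem.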

Secure memory management remains essential, especially in low-level languages: controlling buffer sizes, preventing out-of-bounds access, and handling any data from untrusted sources with special care to prevent overflows and race conditions.

People, culture and collaboration around security

Technology alone is not enough. A robust secure development program needs a security culture within the organization. This means that management visibly supports these initiatives, that resources are allocated, and that security stops being seen as an obstacle and becomes a natural part of daily work.

Continuous training is essential: what worked ten years ago may be outdated today, and attack techniques change rapidly. OWASP offers many educational resources and practice environments so that development teams can learn about new vulnerabilities, secure design patterns, and proper use of tools.

It is also very useful to establish security champion programs within teams, where one or more people with a particular interest in these topics receive additional training and act as the liaison with the central security team, which accelerates the adoption of good practices.

Close collaboration between development, operations, and security, supported by good communication and clear processes, reduces misunderstandings, helps identify risks early, and makes it easier to align the security strategy with real business needs.

Adopting a secure development approach means combining established methodologies (SDL, SAMM, DevSecOps, NIST SSDF), detailed technical best practices (OWASP guidance on authentication, cryptography, access control, etc.), and an organizational culture that treats security as a shared, iterative, and constantly evolving effort. When all of this comes together, applications not only fulfill their functional purpose but do so with a far more robust level of protection against ever-growing cyber threats.
