Lu Zhongyang of Huoxian Security: Through open source, you can build the ultimate security product | QCon

As digitalization advances, security is becoming ever more important, especially for enterprises, where security risks are almost everywhere. As the world's first open-source IAST product, DongTai IAST supports both SaaS access and on-premises deployment and, based on a "value matching algorithm" and a "taint tracking algorithm", helps enterprises find application security risks before an application goes live.

Recently, at the QCon 2021 Global Software Development Conference in Shanghai, an InfoQ reporter interviewed Lu Zhongyang, co-founder of Huoxian Security, and talked with him about enterprise application security.

[Photo] Lu Zhongyang, co-founder of Huoxian Security

InfoQ: Hello, Mr. Lu. Please start with a brief introduction of yourself and Huoxian Security.

Lu Zhongyang: Hello everyone, I'm Lu Zhongyang, co-founder of Huoxian Security. Huoxian Security is a community-based cloud security company. We mainly operate the Huoxian Security platform and DongTai IAST, and through our self-developed automated testing tools and a large pool of network security experts, we help enterprises secure the full application life cycle.

In 2018, we began focusing on the field of network security vulnerabilities and developed a black-box scanner. After that, we began preparing the Huoxian Security platform, which officially launched in April 2020. We define the Huoxian Security platform as a white-hat developer community: by giving white hats Huoxian's self-developed tools, we improve their efficiency at finding vulnerabilities and provide enterprises with better crowdsourced security testing services. Based on platform data, we keep iterating the product. Later, IAST technology and its market prospects came into our view, so last year we began developing an IAST tool for DevSecOps, which was released as open source on September 1 this year.

In June 2020, we received angel investment from Dr. Lu Qi, and later received investment from Matrix Partners China and 5Y Capital.

InfoQ: Why do you think enterprises are paying more and more attention to application security?

Lu Zhongyang: I think there are several reasons. First, at the legal level, the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law have been promulgated and come into force. In the past, when an enterprise's applications and data were leaked, people felt the enterprise was also a victim. Now the state has made it explicit in law: enterprises have an obligation to protect the security of their applications and of the user data on them. If a security incident leads to a data breach, the people in charge of the enterprise bear legal liability. That is a fairly big change.

Second, the way applications are developed and deployed has changed considerably. Previously, an application ran on its own on a single machine, and you only had to protect that machine. But now there are more and more calls and connections between applications and between servers. For example, some apps use a third-party login system; if the third-party login system they integrate has a security problem of its own, the application's security basically cannot be guaranteed at all. So security is no longer a matter of one certification or one certificate; it should be a product attribute of the application itself, and a very important indicator for evaluating an application's value. Likewise, for some service providers, if the service they provide causes a security incident at the customer, how is that responsibility determined, and in the course of later cooperation, how do you get the customer to recognize the security of the supplier's products and services? These are questions enterprises need to think about.

Third, informatization. Informatization has reached a very high level today; enterprises have more and more internal applications and systems, integrate more and more third-party systems, and the value of the data carried by applications has become very large. A very small vulnerability may lead to a very serious security incident, which is also a very important reason enterprises pay increasing attention to application security.

InfoQ: To address application security risks, Huoxian developed DongTai IAST, hoping to help enterprises discover security risks before an application goes live. Why did you consider developing this product in the first place?

Lu Zhongyang: Initially, our colleague owefsad shared IAST's application scenarios internally. We felt that in IAST's application scenarios, whether in detection accuracy or detection efficiency, it is an excellent technical approach and a very cool product direction, so we quickly decided to productize it and build it. owefsad now leads the DongTai IAST product line.

InfoQ: DongTai is the world's first open-source IAST product. Why did Huoxian choose to release it as open source?

Lu Zhongyang: We actually discussed this internally and also with some industry experts. At first, everyone felt that this was a very new technology that could be made into a product, so why not just use it to make money? Why open-source it? After all, we are a commercial company.

But from a product perspective, a good product is no longer something that engineers and product managers think up requirements for and then develop, especially for a to-B product; a truly excellent product should be polished bit by bit in real scenarios. We hope that through open source we can connect enterprise customers and security practitioners, build a better product across many security scenarios, and give it back to the industry through open source.

The efficiency and accuracy of some existing security scanning tools are still not good enough. Through open source, we hope to let more domestic vendors and enterprises improve their internal security capability by using DongTai IAST.

InfoQ: As an interactive application security testing tool, what are the typical application scenarios of DongTai IAST?

Lu Zhongyang: DongTai IAST provides very professional vulnerability detection capability and can be used during development to perform pre-release security checks on an application. We also provide plugins that let developers complete code vulnerability detection while writing code. In addition, partner vendors can build their own internal DevSecOps pipeline on the open-source version, using DongTai IAST as the tool for one of its stages. Or, based on IAST and accumulated call-chain data, they can do distinctive logic-vulnerability detection, which is also a fairly good application scenario.

InfoQ: For enterprises, how does DongTai IAST achieve low-cost, high-yield code vulnerability detection during the application development stage?

Lu Zhongyang: Security scanning tools are generally white-box or black-box. Source-code-based white-box detection tools may produce false positives in some cases, and white-box products are generally used together with a security engineer, so the cost of use is relatively high. Black-box tools send all kinds of packets to test whether an interface has a vulnerability, continually sending various requests, which produces some dirty data, and the test process is fairly long.

IAST deploys an agent probe on the server side to collect the application's runtime function execution and data transmission, interacts with the scanner side in real time, identifies security defects and vulnerabilities efficiently and accurately, and can pinpoint the code file, line number, function and parameter where a vulnerability lies. IAST inspects every line of code as it executes, as well as the stack trace, memory values and actual data flow as the application responds to each HTTP(S) request.

During enterprise application testing, IAST can directly obtain the most realistic code call chain, from the initial request parameters to the code finally executed. Therefore, IAST's detection efficiency is relatively high and its accuracy is relatively high; it produces no dirty data, supports vulnerability detection in scenarios that cannot be replayed, such as encrypted packets, one-time signatures and CAPTCHAs, and is very suitable for DevOps pipelines, scanning applications for security in a non-intrusive way.

InfoQ: We understand DongTai IAST currently supports vulnerability detection for two programming languages, Java and Python. Will you consider adding support for other programming languages in the future?

Lu Zhongyang: In the future, we will support all mainstream programming languages, such as PHP, Go and C#.

InfoQ: For implementing DevSecOps, besides using tools like IAST, what other aspects are important for enterprises?

Lu Zhongyang: First, culture and awareness. The DevSecOps secure-development philosophy makes development, security and operations jointly responsible for security and exposes security problems as early as possible in the development and testing stages, rather than dividing responsibility as clearly as before. Second, process. Some earlier security tools were a considerable obstacle to development and testing work, affecting their work and being quite intrusive, which is also a big problem, while DongTai IAST assists the whole DevSecOps rollout in a gentler way; so choosing the right tool is also fairly important.