低代碼開發會帶來安全問題和數據泄露隱患嗎?

原創 The Hosk 2021-11-24 10:03
{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"低代碼開發的缺陷在於缺乏經驗的開發者並不掌握安全性的相關知識。要重視軟件安全性問題,不要等它變成災難後再亡羊補牢。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"低代碼開發方法有可能比傳統開發方法更快、更便宜地創建軟件。但很少人會提到,用低代碼方法開發出來的軟件所包含的安全風險是和傳統上基於代碼開發的軟件一樣多的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全性被構建進了低代碼開發工具中,但這種安全性必須由開發人員理解和配置才能發揮作用。非專業開發人員可能很難意識到安全隱患的存在,或者不具備配置軟件安全性的經驗。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"能擊倒你的往往是你看不到的風險。非專業開發人員的注意力都集中在了軟件創建上,並不會小心謹慎地應用那些最佳安全實踐。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果低代碼開發流程沒有同IT部門緊密結合,沒有充分應用最佳實踐,那麼前者的開發指引就不會是由經驗豐富的開發人員來定義。這就會引入安全漏洞和數據泄露的風險。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這不是非專業開發人員獨有的問題,而是普遍存在的開發問題。區別在於有經驗的開發人員(並非總是)會檢查安全性是否到位,而沒有經驗的初級\/非專業開發人員甚至不會意識到安全性是他們的責任和應該做的事情。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"微軟Power App Portal暴露了3800萬條記錄"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"微軟的低代碼開發工具Power Apps之前登上了頭條新聞,因爲一款配置錯誤的Power App將3800萬條記錄暴露在了互聯網上。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"重點摘要:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“包括微軟在內的47家政府實體和隱私公司錯誤配置了微軟的Power Apps,將3800萬條敏感數據記錄暴露在了互聯網上。Power Apps是一種低代碼服務,承諾以一種簡單的方式構建專業應用程序。”"}]}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"是什麼導致了這個問題?"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"UpGuard公司的一名分析師發現Power Apps portal的OData API可以允許匿名訪問數據庫記錄。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Power Apps portal是面向互聯網的門戶。該門戶由微軟託管,並與微軟Dataverse集成。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"簡單來說,通過某種特定配置,面向互聯網的Power Apps Portal可以允許存儲在多個數據源(SharePoint、Microsoft 365、Dynamics 365、SQLServer等)中的數據通過匿名(也就是非用戶)的OData查詢來訪問。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你不希望數據可見,你需要檢查一個布爾字段——啓用表權限(Enable Table Permissions)布爾值爲真纔行。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於這種煩人的配置值,大多數人都會採用默認值,也就是與世界分享數據。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分析師看到許多公司都在使用Power Apps portal,但許多公司沒有設置過這一字段。結果是,他們可能會在面向公共\/互聯網的門戶上提供大量個人和其他數據,任由別人查詢。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"真是糟糕啊。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"設計如此"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這不是什麼錯誤或安全漏洞,而是一項按設計意圖運作的配置。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"UpGuard的報告清楚地表明瞭這一點——"},{"type":"link","attrs":{"href":"https:\/\/www.upguard.com\/breaches\/power-apps","title":"","type":null},"content":[{"type":"text","text":"設計理念:微軟Power Apps的默認權限如何暴露數百萬人的數據。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你想知道如何解決這個問題(我敢肯定有很多開發人員和非專業開發人員都會冒冷汗),請閱讀這一說明:"},{"type":"link","attrs":{"href":"https:\/\/thehosk.medium.com\/Tip%20#1407:%20How%20to%20secure%20Power%20Apps%20portal%20from%20making%20the%20news","title":"","type":null},"content":[{"type":"text","text":"提示#1407:如何保護Power Apps portal"}]}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"低代碼警告"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"低代碼開發方法允許非專業開發人員或任何開發人員使用一系列組件來創建軟件,並使用更容易理解的查詢對軟件進行配置。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"像微軟的Power Platform這樣的低代碼開發工具,其重點都放在了應用程序創建上——但開發人員所要做的工作並不只有創建軟件而已。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"低代碼開發人員(非專業開發人員)同樣是開發人員,他們也需要完成開發流程中的其他一些任務。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"收集需求(提煉、理解)"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"維護軟件"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲軟件編寫文檔"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"部署"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全性(數據安全、個人數據、安全角色等)"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"數據源(數據庫、文件、保留、備份等)"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"與其他系統集成"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更廣泛的環境和其他軟件"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"營銷活動不僅僅是發送電子郵件,開發工作也不僅僅是創建代碼或構建應用程序。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"非專業開發人員和開發人員並非安全專家,所以IT部門需要參與進來,並對軟件運行滲透測試。IT部門需要確保開發人員應用了最佳實踐,並找出軟件中存在的設計缺陷或軟件錯誤來保證安全性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"非專業開發人員欠缺很多專業知識,這就是爲什麼他們應該在專業人員指導下創建應用程序並將其部署到生產環境中。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果公司組建自己的低代碼開發團隊時沒有讓經驗豐富的開發人員或IT部門參與,由後者來創建相關標準和最佳實踐,就會出現問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"傳統開發方法同樣會出現很多安全性缺陷,但它着重強調了安全性這個領域,而非專業開發人員需要學習很多知識才能理解其中的要害。低代碼開發工具也都很複雜,所以人們只能精通一兩種低代碼工具。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"公司將需要單獨的團隊來監督和維護低代碼工具,因爲沒有人能一接觸到它們就理解其中的細節。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這不是低代碼問題,而是開發問題。低代碼開發工具不會取代開發人員,它們會創造新的開發人員羣體,催生一支創建和維護生產級應用程序的缺乏經驗的開發團隊。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"低代碼革命需要資深開發人員領導"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由缺乏經驗的開發人員創建大量應用程序有可能導致很多安全漏洞,這就是爲什麼不可逆轉的低代碼革命必須由經驗豐富的開發人員和IT部門全力領導。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"低代碼開發是一種強大的工具。與其他工具一樣,它們需要被當作長期戰略的一部分,人們還要爲軟件創建後發生的各種事情制定計劃。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"低代碼開發不會取代開發人員,它會造就更多缺乏經驗的開發人員。非專業開發人員需要高級開發人員的指導和領導,因爲與所有初級開發人員一樣,他們也會犯錯誤。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"軟件是如何創建的並不重要;重要的是它需要安全、維護和支持。低代碼軟件需要的是與傳統軟件相同的清單、團隊和流程。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"原文鏈接:"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/thehosk.medium.com\/will-low-code-development-lead-to-security-problems-and-data-breaches-83a9375d4087","title":"","type":null},"content":[{"type":"text","text":"https:\/\/thehosk.medium.com\/will-low-code-development-lead-to-security-problems-and-data-breaches-83a9375d4087"}]}]}]}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

京東廣告研發——效率爲王:廣告統一檢索平臺實踐

1、系統概述 實踐證明,將互聯網流量變現的在線廣告是互聯網最成功的商業模式,而電商場景是在線廣告的核心場景。京東服務中國數億的用戶和大量的商家,商品池海量。平臺在兼顧用戶體驗、平臺、廣告主收益的前提推送商品具有挑戰性。京東廣告檢索平臺

原創 2024-04-25 23:17:47

RocketMQ 之 IoT 消息解析:物聯網需要什麼樣的消息技術?

前言: 從初代開源消息隊列崛起,到 PC 互聯網、移動互聯網爆發式發展,再到如今 IoT、雲計算、雲原生引領了新的技術趨勢,消息中間件的發展已經走過了 30 多個年頭。 目前,消息中間件在國內許多行業的關鍵應用中扮演着至關重要的角色。隨着數

原創 2024-04-24 23:40:04

“企業創新新引擎”數據庫專項賦能會,讓雲原生技術普惠千行百業!

本文分享自華爲雲社區《“企業創新新引擎”數據庫專項賦能會,讓雲原生技術普惠千行百業!》,作者: GaussDB 數據庫。 4月19日,由福州軟件園科技創新發展公司和華爲技術有限公司聯合主辦的HCDG城市行福州站——“企業創新新引擎”數據庫專

原創 2024-04-24 10:32:53

如何增強Java API 的導入和導出性能

前言 GrapeCity Documents for Excel (以下簡稱GcExcel) 是葡萄城公司的一款服務端表格組件,它提供了一組全面的 API 以編程方式生成 Excel (XLSX) 電子表格文檔的功能,支持爲多個平臺創建、操

原創 2024-04-23 10:23:02

SLS 查詢新範式:使用 SPL 對日誌進行交互式探索

作者:無哲 引言 在構建現代數據和業務系統的過程中,可觀測性已經變得至關重要,日誌服務(SLS)爲 Log/Trace/Metric 數據提供了大規模、低成本、高性能的一站式平臺服務,並提供數據採集、加工、投遞、分析、告警、可視化等功能,從

原創 2024-04-22 21:12:05

WhaleScheduler爲銀行業全信創環境打造統一調度管理平臺解決方案

項目背景 數字金融是數字經濟的重要支撐和驅動力。近年來,我國針對數字金融的發展政策頻頻出臺,《金融科技發展規劃 (2022-2025年)》、《“十四五”數字經濟發展規劃》、《關於銀行業保險業數字化轉型的指導意見》、《金融標準化“十 四五”

原創 2024-04-19 21:18:25

千帆杯AI原生應用創意挑戰賽-效率工具常規賽重磅上線!

賽題內容 本期比賽爲開放賽題,參賽者需要圍繞“效率工具”主題,結合自身的專業背景和創意想法,設計並開發出具有創新性和實用性的AI原生應用。 要求使用工具:AppBuilder。參賽者可用0代碼創建應用調試指令,也可自定義組件與workf

原創 2024-04-19 11:29:42

文檔圖像大模型

隨着信息技術的快速發展,文檔處理已經成爲日常生活和工作中不可或缺的一部分。傳統的文檔處理方法往往需要人工參與,效率低下且易出錯。近年來,隨着深度學習技術的突破,文檔圖像大模型在智能文檔處理領域嶄露頭角,爲提升文檔處理性能提供了新的解決方案。

原創 2024-04-18 11:29:52

GaussDB(DWS)基於Flink的實時數倉構建

本文分享自華爲雲社區《GaussDB(DWS)基於Flink的實時數倉構建》,作者:胡辣湯。 大數據時代,廠商對實時數據分析的訴求越來越強烈,數據分析時效從T+1時效趨向於T+0時效,爲了給客戶提供極速分析查詢能力,華爲雲數倉GaussDB

原創 2024-04-18 10:32:57

五一假期暢遊指南:Python技術構建的熱門景點分析系統解讀

導言 五一假期即將到來,作爲一名熱愛旅遊的技術達人,我總是希望能夠通過技術手段更好地規劃我的旅行路線。在這篇文章中,我將向大家介紹一款基於Python技術的熱門景點分析系統,幫助您在五一假期中游玩得更加盡興! 1. 系統概述 熱門景點

原創 2024-04-16 23:25:46

裁員了!別錯過2024年大數據工程師必備的10項技能

在當今快速發展的世界中,數據被視爲新的石油。隨着對數據驅動洞察的日益依賴,大數據工程師的角色比以往任何時候都更爲關鍵。 這些專業人員在管理和優化組織內的數據操作中扮演着至關重要的角色。在本文中,我們將探索2024年大數據工程師必須具備的十

原創 2024-04-16 11:00:53

還在擔心報表不好做?不用怕,試試這個方法(四)

系列文章: 《還在擔心報表不好做?不用怕,試試這個方法》(一) 《還在擔心報表不好做?不用怕,試試這個方法》(二) 《還在擔心報表不好做?不用怕,試試這個方法》(三) 概要 在上一篇文章《還在擔心報表不好做?不用怕,試試這個方法》(三)中,

原創 2024-04-16 10:23:03

MaxCompute 近實時增全量處理一體化新架構和使用場景介紹

隨着當前數據處理業務場景日趨複雜,對於大數據處理平臺基礎架構的能力要求也越來越高,既要求數據湖的大存儲能力,也要求具備海量數據高效批處理能力,同時還可能對延時敏感的近實時鏈路有強需求,本文主要介紹基於 MaxCompute 的離線近實時一體

原創 2024-04-15 23:41:52

普元信息顧偉:用更簡單的方式來建設數據中臺

近日,普元信息與鏡舟科技聯合舉辦“數據中臺新範式”雲端峯會,深入解析湖倉一體、批流一體、治理與運營一體的數據中臺新範式特徵,闡述以一站式聯合方案賦能企業提質增效的實踐經驗。 普元信息數智研究院院長顧偉發表主旨演講《基於湖倉一體,構建開發

原創 2024-04-12 11:43:03

Sql優化之回表

前言: MySQL的性能是大家在使用時十分關心的問題,比如在高併發訪問時,並且有慢sql存在的情況下,MySQL的性能會明顯下降,這會導致數據庫響應時間變慢,甚至導致數據庫宕機。那麼爲了避免Mysql性能問題,比較常用的方式創建適當的索引

原創 2024-04-08 23:16:30