Tongcheng Travel (同程旅行): IAST Deployment in Practice

Tongcheng Travel was one of the first companies to deploy DongTai IAST. Before IAST was deployed, the speed of vulnerability detection and remediation at Tongcheng Travel was to some degree slowing down application iteration, and an efficient automated vulnerability-detection tool was urgently needed to raise our security capability. After a series of investigations and evaluations, we were impressed by DongTai IAST's strong detection capability and excellent compatibility, and finally selected DongTai IAST as the primary tool for automated vulnerability detection; the DongTai team fully supported us throughout deployment and tuning. What follows is Tongcheng Travel's IAST deployment in practice.

一、The security dilemma

With the adoption of agile development and DevOps in Tongcheng's software development, development has clearly become faster, but this has also put considerable pressure on the security department. Against this background, Tongcheng faced the following problems:

•  SAST, DAST, manual penetration testing and manual code audit cannot keep up with the speed and scale of software development
•  For interfaces built on complex framework structures, ordinary testing cannot fully reproduce the interaction traffic of the process

Given this dilemma, how can security be embedded more effectively into the application development process?

Tongcheng's answer: security needs to be "simple, fast and continuous", and must proactively adapt to agile development and DevOps.

二、Survey of automated vulnerability-detection tools

During the survey of automated vulnerability-detection tools, we first compared SAST, DAST and IAST. On an overall comparison, IAST is clearly superior to SAST and DAST.

[Image: https://static001.geekbang.org/infoq/6d/6d3831bd4e97e0d9f5fbd8e78f6ff8d7.webp]

In the dedicated evaluation of IAST, the first question we actually considered was whether to adopt a commercial or an open-source product. The main reason we chose an open-source IAST is that an open-source tool can be further developed for our own business scenarios; by that point DongTai IAST had entered our field of view, and we finally decided to adopt it.

Findings of the DongTai IAST evaluation:

1. Leading technical architecture

[Image: https://static001.geekbang.org/infoq/1b/1b3ebb69ee2e2ee5eb8e475ca050d3de.webp]

2. Strong detection capability

• Full API detection coverage

[Image: https://static001.geekbang.org/infoq/6e/6e454d8949ad8312e1e65f1d30741e86.webp]

• Automated vulnerability verification

[Image: https://static001.geekbang.org/infoq/35/356e24fe434c7f21d6dbe85483188030.webp]

3. Open-source project

• An active open-source community that keeps contributing security rules
• Enterprises can do their own secondary development, which is more efficient and better fits their own business scenarios
• Low deployment and usage cost

三、IAST rollout and promotion at Tongcheng

1. Deployment architecture

IAST was deployed on Tongcheng's internal automated build platform; this deployment differs from a K8s or CI/CD integrated deployment. On the container platform, the four components Web, WebAPI, Engine and OpenAPI are deployed separately. OpenAPI, which acts as the Server for the Agents, can enable its adaptive function when traffic is high so that its containers scale out automatically.

[Image: https://static001.geekbang.org/infoq/19/194b9e0f2e8eccdddeb167930225583c.webp]

2. Agent installation

• Automated deployment platform: add the Agent deployment logic to the build Dockerfile
• Non-automated deployment platform: the user (tester) downloads the Agent and installs it manually against the target pid

3. IAST testing

• Investigating compatibility with the company's internal environment

[Image: https://static001.geekbang.org/infoq/3b/3bcdc5e0cacf09ab782680f306e87aea.webp]

4. IAST promotion

Once the IAST deployment and testing process is complete, the security department's next move should be to get the business to accept IAST and be willing to use it, so that IAST actually runs.

Ⅰ. Take the initiative on security and proactively fit into business processes

• Training and article promotion: run periodic security training and publish security articles inside the company to introduce IAST
• Based on the security incidents discovered, proactively push and provide security capabilities to the business lines
• Cooperate with the testing team to bring SDL security capabilities into the testing process

Ⅱ. Exploring IAST application scenarios: the pre-release testing process

• Testing connects to IAST and feeds the test results back to the security contact
• The security department re-tests the detected vulnerabilities and feeds the report back to the testing contact
• Testing submits the vulnerabilities to the bug platform
• After the bug is fixed, testing asks security to re-test; once the re-test passes, the vulnerability is closed on the IAST platform

[Image: https://static001.geekbang.org/infoq/95/954f9ed8f4448f1af2d458d23c512ae0.webp]

This closed loop for test bugs brings security into testing and establishes communication between the testing and security departments. It helps solve the problem of missing security reports in the traditional testing process, and it lets security fit into the development process more sensibly, reducing security risk.

四、Future plans for IAST

[Image: https://static001.geekbang.org/infoq/eb/ebbac2a988f43e07feb2edded6656ccf.webp]

Experience in actual use:

1. Value produced by deploying DongTai IAST:

• Vulnerability detection is more efficient and covers more vulnerability classes
• DongTai IAST's vulnerability details are very thorough: a vulnerability is located directly at the line of code, and the full trigger flow can be reconstructed, which helps the development department fix it
• The false-positive rate is much lower than that of white-box testing, so re-testing vulnerabilities takes less manpower
• Efficiency and low false positives raised the security department's standing; other departments recognise security more, which indirectly drove communication and cooperation between the security department and other departments

2. Impact on existing services: after IAST was rolled out at scale and the Agent installed, there is some impact on interface response time, but it is not large. (See: Performance test ▏ DongTai IAST Java Agent, http://mp.weixin.qq.com/s?__biz=MzkwMjI3NDM5Mg==&mid=2247484788&idx=1&sn=6bc5d50a0867d99eb24f1be8ef6e8855&chksm=c0a94943f7dec0551bf1b673d6b400d9722675063ca76c62be1756a5ea8b4d44bbc4f216455a&scene=21#wechat_redirect)

3. Drawbacks: some medium- and low-severity vulnerabilities show false positives (DongTai's note: this is because Tongcheng currently runs version v1.0.3; newer versions have greatly improved on false positives).

DongTai: The highlight of Tongcheng Travel's IAST practice lies in its security philosophy. Tongcheng's security department emphasises taking the initiative on security: proactively adapting to changes in the business, proactively cultivating colleagues' security awareness, and building a company-wide consensus that "security is not a checkpoint in the process but a gear that links the whole application lifecycle", which makes the promotion and use of IAST twice as effective with half the effort. In addition, Tongcheng's security department can fit the usage scenarios and tap IAST's potential by adapting IAST for automated deployment, automated re-testing, and output that better fits the business; we believe DongTai IAST can deliver its maximum value within Tongcheng Travel.
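Two small helpers for the Agent installation step in section 三 above, added here as an example; they are not code from the original post or from the DongTai project. The first emits the Dockerfile lines that bake the agent into an image for the automated-build path, using the JVM's standard `-javaagent` option via `JAVA_TOOL_OPTIONS`; the second checks a JVM's command line for that option, so that after a manual pid-based install (or an automated rollout) a tester can audit which JVMs actually carry the agent. The jar path `/opt/dongtai/dongtai-agent.jar` and the sample command lines are assumptions constructed for the example; the agent's own attach command is left to its documentation.

```shell
#!/bin/sh
# Added example (not from the original post or the DongTai project).
# AGENT_JAR is an assumed path; override it through the environment if needed.
AGENT_JAR="${AGENT_JAR:-/opt/dongtai/dongtai-agent.jar}"

# Automated-build path: Dockerfile lines that copy the agent jar from the build
# context (no download at build time, so the image stays reproducible) and make
# every JVM in the image load it through the standard JAVA_TOOL_OPTIONS hook.
dockerfile_agent_lines() {
    printf '%s\n' \
        "COPY dongtai-agent.jar ${AGENT_JAR}" \
        "ENV JAVA_TOOL_OPTIONS=\"-javaagent:${AGENT_JAR}\""
}

# Return 0 when the given JVM command line already loads the agent, 1 otherwise.
# The match is on the exact -javaagent:<jar> token, so a stray copy of the jar
# under another path is not mistaken for the rollout's agent.
jvm_has_agent() {
    case "$1" in
        *"-javaagent:${AGENT_JAR}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit a live process by pid (Linux /proc): returns 2 if the process cannot be
# read, otherwise the result of jvm_has_agent. Used interactively on a test host;
# the offline check below uses the constructed strings instead.
pid_has_agent() {
    [ -r "/proc/$1/cmdline" ] || return 2
    jvm_has_agent "$(tr '\0' ' ' < "/proc/$1/cmdline")"
}

# Constructed sample command lines standing in for two JVMs on a test host.
SAMPLE_WITH_AGENT="java -javaagent:/opt/dongtai/dongtai-agent.jar -jar /app/order-service.jar"
SAMPLE_WITHOUT_AGENT="java -Xmx2g -jar /app/order-service.jar"
```

On a Linux test host, `for p in $(pgrep -f java); do pid_has_agent "$p" && echo "$p: agent loaded" || echo "$p: no agent"; done` lists which JVMs the rollout has reached. Because `JAVA_TOOL_OPTIONS` applies to every JVM started in the container, keep it out of base images shared with tooling that should not be instrumented.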