同程旅行 IAST 落地实践

原創

2021-12-07 11:09

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"同程旅行是最先部署洞态 IAST 的企业之一。在未部署 IAST 前，同程旅行的漏洞检测修复速度一定程度上拖慢了应用更新迭代的进度，急需一款高效的自动化漏洞检测工具来提升安全能力。经过一系列的调研与考察，我们感叹于洞态 IAST 强大的检测能力和优越的兼容性，最终选定洞态 IAST 作为自动化漏洞检测的主力工具，整个部署调优的过程也得到了洞态团队的全力支持。以下为同程旅行的 IAST落地实践：","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","marks":[{"type":"italic","attrs":{}}],"text":"一、","attrs":{}},{"type":"text","text":"安全困境","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"随着敏捷开发和 DevOps 在同程软件开发上的应用，软件开发明显提效增速，但也给安全部门带来了较大压力。在这一背景下，同程面临着以下问题：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• SAST、DAST、人工渗透测试、人工代码审计无法跟上软件开发的速度与规模","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 针对框架结构复杂的接口，一般测试无法完全复现过程中的交互流量","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在这一困境下，安全如何更好地嵌入应用开发流程？","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"同程给出的答案是：安全需要具备 “简单、快捷、持续” 的特性，主动去适应敏捷开发和DevOps。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","marks":[{"type":"italic","attrs":{}}],"text":"二、","attrs":{}},{"type":"text","text":"自动化漏洞检测工具调研","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在自动化漏洞检测工具调研过程中，我们首先对 SAST、DAST 和 IAST 进行了对比。综合比较来看，IAST 明显优于 SAST 和 DAST。","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/6d/6d3831bd4e97e0d9f5fbd8e78f6ff8d7.webp","alt":"图片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"针对 IAST 的专项调研，其实我们率先考虑的是采用商用型还是开源型。促使我们选择开源型 IAST 的主要原因在于开源型工具可针对自身业务场景进行二次开发，此时，洞态 IAST 已进入我们的考察视野中，并最终决定采用。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"洞态 IAST 调研结果：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"1.领先的技术架构","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/1b/1b3ebb69ee2e2ee5eb8e475ca050d3de.webp","alt":"图片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"2.强大的检测能力","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"• API 检测全面覆盖","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/6e/6e454d8949ad8312e1e65f1d30741e86.webp","alt":"图片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• ","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"自动化漏洞验证","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/35/356e24fe434c7f21d6dbe85483188030.webp","alt":"图片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"3.开源项目","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 活跃的开源社区，可持续贡献安全策略","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 企业可进行二次开发，效率更高，且更贴合自身业务场景","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 部署使用成本低","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","marks":[{"type":"italic","attrs":{}}],"text":"三、","attrs":{}},{"type":"text","text":"同程 IAST 落地推广","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"1.部署架构","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"IAST 是基于同程内部的自动化构建平台进行的部署，这种部署不同于 K8s、CI/CD 集成部署。在容器平台上，对 Web、WebAPI、Engine、OpenAPI 四部分进行分开部署。而 OpenAPI 作为 Agent 的 Server，可在流量较大时，启动自适应功能，从而使容器自动扩容。","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/19/194b9e0f2e8eccdddeb167930225583c.webp","alt":"图片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"2.Agent 安装","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 自动化部署平台：构建 dockerfile 中添加 Agent 部署的逻辑","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 非自动化部署平台：用户（测试人员）下载 Agent，根据 pid 主动安装","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"3.IAST 测试","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"• 调研公司内部环境兼容性","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3b/3bcdc5e0cacf09ab782680f306e87aea.webp","alt":"图片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"4.IAST 推广","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"当IAST 的部署和测试的流程完毕后，安全部门的动作应是让业务接受并乐于使用 IAST，让 IAST 真正运行起来。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"Ⅰ. 发挥安全的主动性，主动贴合业务流程","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 培训和文章推广：在公司内部开展周期性的安全培训和安全发文，介绍 IAST","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 根据发现的安全事件，主动推动和提供给业务线安全能力","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 与测试团队合作，推动 SDL 安全能力融入测试流程","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"Ⅱ. IAST 场景应用探索——产品上线前的测试流程","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 测试接入 IAST，测试结果反馈安全对接人","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 安全部门复测检出漏洞，报告反馈测试对接人","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 测试提交漏洞至 bug 平台","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• bug 修复后，测试反馈安全复测，复测通过，IAST 平台漏洞闭环","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/95/954f9ed8f4448f1af2d458d23c512ae0.webp","alt":"图片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"测试 bug 的闭环流程，将安全加入测试中，在测试和安全部门之间建立沟通，既利于解决传统测试过程中缺失安全报告的问题，也利于使安全更合理地融入开发流程，减少安全风险。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"四、对 IAST 的未来规划","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/eb/ebbac2a988f43e07feb2edded6656ccf.webp","alt":"图片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":"br"}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"实际使用感受：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"1. 部署洞态 IAST 产生的价值：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 检测漏洞更高效，覆盖的漏洞更全面","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 洞态 IAST 的漏洞详情十分详细，漏洞直接定位到代码行数，并可完整的还原漏洞触发流程，利于开发部门修复","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 误报率相比白盒低很多，复测漏洞所消耗的人力更少","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"• 高效、误报低的特点提高了安全部门的价值，其他部门对安全的认可度更高，也间接推动了安全部门与其他部门的沟通合作","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"2. 对原本服务的影响：","attrs":{}},{"type":"text","text":"在大规模推广 IAST，安装 Agent 后，对接口反应时长会有一定影响，但影响不大。（","attrs":{}},{"type":"link","attrs":{"href":"http://mp.weixin.qq.com/s?__biz=MzkwMjI3NDM5Mg==&mid=2247484788&idx=1&sn=6bc5d50a0867d99eb24f1be8ef6e8855&chksm=c0a94943f7dec0551bf1b673d6b400d9722675063ca76c62be1756a5ea8b4d44bbc4f216455a&scene=21#wechat_redirect","title":null,"type":null},"content":[{"type":"text","text":"性能测试 ▏DongTai IAST Java Agent","attrs":{}}]},{"type":"text","text":"）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"3. 缺点：","attrs":{}},{"type":"text","text":"部分中低危漏洞存在误报现象（洞态解释说明：因为同程目前部署的是 v1.0.3 版本，新版本对误报现象已有很大改善了哦）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"洞态：","attrs":{}},{"type":"text","text":"同程旅行的 IAST 实践突出亮点在于其安全理念。同程安全部门强调发挥安全的主动性，主动去适应业务的变化，主动培养同事的安全意识，让整个企业内部达成 “安全不是流程的关卡而是齿轮，串联起应用整个生命周期” 的安全共识，这对于 IAST 的推广使用能达到事半功倍的效果。此外，同程安全部门还能贴合使用场景，挖掘 IAST 的潜力，对 IAST 进行自动化部署、自动化复测、结果产出更贴合业务的改造，相信洞态 IAST 在同程旅行内能发挥其最大的价值。","attrs":{}}]}]}

發表評論

所有評論

還沒有人評論，想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.

相關文章

欧洲英国德国法国TikTok与YouTube海外网红达人的完美合作策略

【本篇由言同數字科技有限公司原創】在當今數字營銷時代，TikTok已成爲一種受歡迎的社交媒體平臺，尤其在年輕人中頗具影響力。而其中的直播帶貨更是吸引了衆多品牌的注意，成爲推廣產品和增加銷售的重要途徑。下面言同數字將針對海外TikTok網紅直

2024-05-03 22:36:01

ollama使用

ollama 僅支持。gguf的格式其他格式需要llama.cpp 轉換 curl https://ollama.ai/install.sh | sh ollama --version ollama pull llama2-chin

2024-05-01 00:42:55

「Qt Widget中文示例指南」如何实现一个快捷编辑器（一）

Qt 是目前最先進、最完整的跨平臺C++開發工具。它不僅完全實現了一次編寫，所有平臺無差別運行，更提供了幾乎所有開發過程中需要用到的工具。如今，Qt已被運用於超過70個行業、數千家企業，支持數百萬設備及應用。快捷編輯器示例展示瞭如何創建一

2024-04-30 23:36:29

解锁HDC 2024之旅：从购票到报名，全程攻略

本文分享自華爲雲社區《解鎖HDC 2024之旅：從購票到報名，全程攻略》，作者：華爲雲社區精選。 Hi，代碼界的小夥伴們，集結號已經吹響了！華爲開發者大會（HDC 2024）——這場匯聚了HarmonyOS NEXT鴻蒙星河版、盤古大模型5

2024-04-30 22:34:35

银行核心背后的落地工程体系丨Oracle - TiDB 数据迁移详解

本文作者：張顯華，孟凡輝，莊培培系列導讀：徐戟（白鱔）數據庫技術專家，Oracle ACE，PostgreSQL ACE Director 當前，國內大量的關鍵行業的核心繫統正在實現國產化替代，而與此同時，這些行業的數字化轉型也正在進入

2024-04-30 22:24:59

30 秒出服装设计稿，森马用函数计算+AIGC 整“新活”!

創新項目如何去賦能我們的業務，這件事情在森馬很重要。阿里雲函數計算幫我們屏蔽掉了想把AI落地到實際業務場景中 GPU 算力資源儲備、採購成本、技術門檻等很多難題，從而迅速做出決策，快人一步站在正確的起點，體驗新技術對整個服裝爆款設計、營銷

2024-04-30 21:12:14

消金公司2023财报解析：息差维持高位，信用成本攀升

來源 | 鐳射財經（leishecaijing） 2023年，是持牌消金行業承上啓下的關鍵一年，也是鍛造韌性、比拼內功最緊張的一年。一方面，住戶短期消費貸款餘額在2022年觸底後，伴隨經濟復甦、消費提振，於2023年重新回到上行軌道。短

2024-04-30 13:11:32

Linux下制作Nginx绿色免安装包

前言 linux下安裝nginx比較繁瑣，遇到內網部署環境更是麻煩，所以研究了下nginx綠色免安裝版的部署包製作，開箱即用，特此記錄分享，一下操作在centos8環境下安裝，如果需要其他內核系統的安裝（Debian/Ubuntu等），請在

2024-04-29 21:38:23

数字化转型新篇章：企业通往智能化的新范式

早在十多年前，一些具有前瞻視野的企業以實現“數字化”爲目標啓動轉型實踐。但時至今日，可以說尚無幾家企業能夠在真正意義上實現“數字化”。在實現“數字化”的征途上，人們發現，努力愈進，彷彿終點愈遠。究其原因，還在於轉型一直落後於技術邊界的拓展

2024-04-29 21:22:20

MindSpore强化学习：使用PPO配合环境HalfCheetah-v2进行训练

本文分享自華爲雲社區《MindSpore強化學習：使用PPO配合環境HalfCheetah-v2進行訓練》，作者： irrational。半獵豹（Half Cheetah）是一個基於MuJoCo的強化學習環境，由P. Wawrzyński

2024-04-29 10:33:13

图片旋转后保存到数据库

1、圖片通過canvas繪製 2、canvas旋轉 3、canvas 轉成blob 在實例化成文件 4、創建formData裏面append放入文件和其他的參數，再調上傳接口 <div style=" heig

2024-04-29 10:16:22

记一次北京某大学逻辑漏洞挖掘

0x01 信息收集個人覺得教育src的漏洞挖掘就不需要找真實IP了，我們直接進入正題，收集某大學的子域名，可以用oneforall，這裏給大家推薦一個在線查詢子域名的網站：https://www.virustotal.com/ 收集到的子

2024-04-28 22:47:25

1 名工程师轻松管理 20 个工作流，创业企业用 Serverless 让数据处理流程提效

作者：嶽洋、陳德全、劉靜娜北京語勢科技有限公司成立於 2023 年 6 月，語勢科技定位爲“智能投資時代的主題入口”，在資管行業從以機構爲核心轉向以用戶爲核心的變革時代，通過打造主題投資引擎，賦能普惠投資一體化，打造以投資者和資管機構爲主

2024-04-28 21:12:22

实用分享！用Axure RP构建交互的5个小技巧

Axure RP是一套專門爲網站或應用程序所設計的快速原型設計工具，可以讓應用網站策劃人員或網站功能界面設計師更加快速方便的建立Web AP和Website的線框圖、流程圖、原型和規格。在Axure RP中，交互是創建豐富而逼真的原型的

2024-04-28 11:35:53

LoRA微调语言大模型的实用技巧

一、引言隨着深度學習技術的快速發展，語言大模型在自然語言處理領域取得了顯著的進展。然而，傳統的微調方法通常需要大量的計算資源和時間，對於實際應用來說並不友好。爲了解決這個問題，LoRA微調技術應運而生。LoRA（Low-Rank Adap

2024-04-28 11:30:13

24小時熱門文章

最新文章

同程旅行 IAST 落地實踐

最新評論文章