Today, some form of virtualization or containerization can be found in almost all large IT solutions. Containers provide a host of benefits during system development, installation, maintenance, and use. They promote faster development, cost savings, and conservation of other resources. At the same time, many security solutions that work on physical and virtual servers are not directly applicable to containers. What risks should companies consider when implementing containerization, and what measures are needed to protect container infrastructure?

Benefits of containerization in development and operation

A container is an isolated environment for running a single application, created by OS kernel-level tools. The container image includes both the application and the required settings and auxiliary components, making it very convenient for developers to pack everything they need into the container. Those using such a container find it much easier to operate than old-fashioned infrastructure. What’s more, isolation greatly reduces the influence of containerized applications on each other. In a container infrastructure, therefore, there are fewer causes of failures, while at the same time administrators have more control.

Containerization is a lighter technology than virtualization: containers don’t emulate hardware, and there’s no need to supply the entire contents of the virtual machine — in particular the guest OS. In many cases, containerized workloads are easier to scale.

Without a doubt, the most common tool for creating and storing container images is Docker, while container workload orchestration is most often implemented with Kubernetes, Docker Swarm, or Red Hat OpenShift.

Containerization has become a key part of modern IT development approaches. Many applications are developed in a microservice architecture: individual features of a large application are allocated to microservices that communicate with other parts of the application through APIs. An example is a video player within a social network or an online store’s payment process. These microservices are often delivered as containers, allowing developers to have their own development and delivery cycle.

Containers dovetail perfectly with the modern CI/CD (continuous integration/continuous delivery) methodology, so application updates get released more quickly and with fewer bugs. This approach envisages a short development cycle, teams working in parallel on the same code, and automation of routine actions. Containerization in a CI/CD pipeline also improves the efficiency of the pipeline: the CI/CD system uses container images as templates and delivers the build as a ready-to-deploy image. The key point is that updates are delivered in the form of new images — rather than deployed inside an existing and operational container. This speeds up the preparation and debugging of the release, lessens the infrastructure requirements of both the developer and the customer, improves operational stability, and makes the application easier to scale.

By properly integrating container security requirements into development and build processes, a company takes a big stride toward full implementation of DevSecOps.

Core threats in container infrastructure

The host system, containerization environments, and containerized applications are all susceptible to most of the typical information security risks, such as vulnerabilities in components, insecure settings and the like.

Malicious actors are already actively exploiting all of the above. For example, 1650 container images with malware were found in the public Docker Hub repository. In a similar case, malicious images went undetected for around a year. There are known malicious campaigns that use the Docker API to create malicious containers on targeted systems, disable monitoring systems, and engage in mining. In another attack, threat actors went after Kubernetes clusters with misconfigured PostgreSQL. Another common problem is that outdated container images harboring known vulnerabilities like Log4shell can be stored in repositories for quite some time. Also, developers regularly leave behind API keys and other secrets in containers.

Systematizing the threats to each element in the containerization system, we get this somewhat simplified scheme:

Images:
  • Use of untrusted images
  • Software vulnerabilities
  • Configuration errors
  • Malware
  • Secrets in plaintext

Image registry:
  • Unsecured connection
  • Outdated images with vulnerabilities
  • Insufficient authentication and authorization

Orchestrator:
  • Unrestricted administrative access
  • Unauthorized access
  • Lack of isolation and inspection of inter-container traffic
  • No separation of containers with different levels of data sensitivity across hosts
  • Orchestrator configuration errors

Containers:
  • Runtime environment vulnerabilities
  • Unrestricted network access
  • Insecure runtime configuration
  • Application vulnerabilities in containers
  • Rogue containers in the runtime environment

Host OS:
  • Shared OS kernel for all containers
  • OS component vulnerabilities
  • Incorrect user permissions
  • File system accessible from containers

Containers and protection using traditional security tools

Many defenses that have worked well for virtual machines cannot be applied to container security. It’s usually not possible to run an EDR agent inside a container, as in a virtual machine. Moreover, what happens in the container is not fully available for analysis by conventional security systems on the host system. Therefore, detecting, for example, vulnerable and malicious software inside the container is problematic, as is applying protection tools such as WAF in containerized applications. Traffic between containers is often carried over a virtual network at the orchestrator level and might not be accessible to network security tools.

Even on the host OS, an unadapted protection agent can lead to degradation of the performance or stability of deployed containerized applications. Cluster security must be provided at the host level in line with the particular orchestration environment and the nature of the container workloads.

There are also specific issues that must be addressed for container environments — like preventing untrusted containers from running, searching for secrets in containers, and restricting network traffic for each specific container based on its functions. All this is only available in specialized solutions such as Kaspersky Container Security.

What about protection with native tools?

All key containerization vendors appear to be working hard to improve the security of their products. Native Kubernetes tools, for example, can be used to configure resource quotas and logging policies, as well as implement RBAC (role-based access control) with the least-privilege principle. All the same, there are entire classes of information security tasks that cannot be solved with native tools — such as monitoring processes inside a running container, vulnerability analysis, checking compliance with information security policies and best practices, and much more.

But above all, a mature and full-fledged container security system needs to ensure protection at the early stages of containerization: development, delivery, and storage. To achieve this, containerization security has to be built into the development process and integrated with developer tools.

How container protection becomes part of DevSecOps

The DevOps approach has evolved into DevSecOps due to the ever-increasing demands for application reliability and security. To make security an organic part of development, core information security requirements are automatically checked at all phases of application preparation and delivery wherever possible. Container environments facilitate this.

Planning phase: securing VCS and registry operations. Early in the development cycle, software developers select the components, including containerized ones, to be deployed in the application. The security system must check that registry images are up to date, and analyze configuration files (IaC — in particular, Dockerfile) for errors and insecure settings. Base images used in development need to be scanned for vulnerabilities, malware, secrets, and the like. By doing so, developers significantly reduce the risk of supply-chain compromise.

Build and test phase: securing continuous integration operations. In this phase, it’s necessary to ensure that no secrets, vulnerable versions of libraries, or malware have gotten into the image, and that all information security aspects that can be analyzed comply with the requirements of regulators and the company itself. An application build cannot be completed successfully if there are violated policies. This is done by integrating the container security system with a CI/CD platform, be it Jenkins, Gitlab, or CircleCI. Along with static and dynamic testing of application security (AppSec), this measure is what distinguishes DevSecOps from other development approaches.

Delivery and deployment phase: security at the Continuous Delivery level. Images made operational need to be scanned for both integrity and full compliance with adopted policies. If the situation warrants an exception (for example, a vulnerability is published but not yet patched), it must always be documented and time-limited.

Operation phase: protecting the orchestrator and running containers. This phase covers startup and operation control of containers and minimizes the risks associated with vulnerabilities in the runtime environment or its misconfiguration. More importantly, only here is it possible to detect anomalies in application operation, such as excessive computational load or unexpected communications with other containers and the network as a whole. This step also monitors the secure configuration of the orchestrator itself, and access to it. For container security, native operation with the Kubernetes or OpenShift orchestrator is critical here. At the same time, the host OS itself must not be left unprotected.
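The planning and build phases above come down to two mechanisms: a scan that turns a Dockerfile into findings, and a policy that fails the build unless each violation is covered by a documented, time-limited exception. The following is an added example of such a pipeline gate, not code from the original post or from Kaspersky Container Security; the rule ids, the sample Dockerfile, the policy and the exception register are all constructed for illustration.

```python
import re
from datetime import date

# Constructed sample Dockerfile with several policy violations (not from the page).
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV API_TOKEN=sk_live_placeholder_value
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/installer.sh /tmp/installer.sh
RUN pip install -r requirements.txt
EXPOSE 8080
CMD ["python", "app.py"]
"""

# Variable names that usually carry credentials; a hit means a plaintext secret baked into the image.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy: anything 'high' or worse blocks the build unless an exception covers it.
POLICY = {"fail_at": "high"}
# Constructed exception register: every accepted risk carries a reason and an expiry (ISO date).
EXCEPTIONS = {
    "DF003": {"reason": "installer to be mirrored internally; ticket id is a placeholder",
              "expires": "2099-12-31"},
}


def lint_dockerfile(text):
    """Return findings as (rule_id, severity, line_no, message) in file order."""
    findings, stages, has_nonroot_user = [], set(), False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, parts = instr.upper(), args.split()
        if instr == "FROM" and parts:
            image = parts[0]
            if len(parts) >= 3 and parts[1].upper() == "AS":
                stages.add(parts[2])          # later FROM lines may refer to this stage alias
            if image in stages or image == "scratch":
                continue
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append(("DF001", "medium", no, f"base image not pinned: {image}"))
        elif instr in ("ENV", "ARG"):
            m = re.match(r"(\w+)(?:=|\s+)(\S+)", args)   # only the first KEY=value pair is checked
            if m and SECRET_NAME_RE.search(m.group(1)):
                findings.append(("DF002", "critical", no, f"plaintext secret in {instr} {m.group(1)}"))
        elif instr == "ADD" and re.match(r"https?://", args):
            findings.append(("DF003", "high", no, "ADD fetches remote content with no integrity check"))
        elif instr == "USER" and parts:
            has_nonroot_user = parts[0] not in ("root", "0")
    if not has_nonroot_user:
        findings.append(("DF004", "high", 0, "no non-root USER; the container runs as root"))
    return findings


def evaluate(findings, policy, exceptions, today=None):
    """Return the findings that block the build: at or above policy['fail_at'] and not
    covered by an exception that has a documented reason and has not yet expired."""
    today = date.fromisoformat(today) if today else date.today()
    blocking = []
    for finding in findings:
        rule_id, severity = finding[0], finding[1]
        if SEVERITY_RANK[severity] < SEVERITY_RANK[policy["fail_at"]]:
            continue
        exc = exceptions.get(rule_id)
        if exc and exc.get("reason") and date.fromisoformat(exc["expires"]) >= today:
            continue   # accepted risk: documented and still inside its time limit
        blocking.append(finding)
    return blocking


def gate(text, policy=POLICY, exceptions=EXCEPTIONS, today=None):
    """Pipeline entry point: lint, then apply policy; the build passes only with no blocking findings."""
    blocking = evaluate(lint_dockerfile(text), policy, exceptions, today)
    return {"passed": not blocking, "blocking": blocking}


if __name__ == "__main__":
    result = gate(SAMPLE_DOCKERFILE)
    for rule_id, severity, line_no, message in result["blocking"]:
        print(f"{rule_id} [{severity}] line {line_no}: {message}")
    print("build", "PASSED" if result["passed"] else "BLOCKED")
```

On the sample Dockerfile the two plaintext secrets and the missing USER block the build, while the remote ADD is let through only because its exception is documented and unexpired; once the exception date passes, that finding blocks again.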

To operate at these stages, the container security system itself must be multi-component. The illustration shows the core elements of Kaspersky Container Security and their relationship with the containerization platform and the CI/CD platform.

Kaspersky Container Security: Closed loop architecture

What protection measures to take for each container environment component?

Let’s look at a more detailed list of the protection measures that must be applied to each component in the containerization system for its security to be described as comprehensive.

Images:
  • Vulnerability assessment
  • Scanning for image configuration errors
  • Scanning for malware
  • Search for secrets
  • Risk assessment and identification of potentially dangerous images

Image registry:
  • Registry integration and image scanning
  • “Closed list” — usage of only approved and up-to-date images
  • Search for incorrect configurations and access settings

Orchestrator:
  • Detection of configuration errors and recommended fixes
  • Visualization of resources in the cluster
  • Detection and scanning of images in the cluster (search for unaccounted containers)

Containers:
  • Startup and operation control of trusted containers only
  • Container integrity monitoring
  • Startup control of applications and services inside containers
  • Container traffic monitoring
  • Minimization of container privileges
  • Grouping of containers on hosts by risk/importance level

Host OS:
  • Detection of configuration errors and recommended fixes
  • Security risk mitigation through container startup control
  • Adapted OS version to minimize attack surface

The central element of the security system is the in-depth scanning of images. The security system needs to integrate with key registries (such as DockerHub, GitLab Registry, or JFrog Artifactory), both public and corporate, and regularly scan used images in accordance with company policies. Each scan on the list is important in itself, but the risk profile and specifics of applications vary from company to company, so it may be possible, for example, to allow the use of images with low-criticality vulnerabilities. Also, depending on the security policies in place, CIS Kubernetes recommendations or various vulnerability databases, for instance, may be key.

Container images that fail scanning are either simply flagged for administrators, or blocked in later development and deployment phases.

Kaspersky Container Security: Registry images

Kaspersky Container Security: Discovered vulnerability

The second, equally important and specific, group of protection tools operates at the container deployment and startup stage. First of all, containers that do not comply with policies and are not included in the trusted lists are prevented from running.

Runtime environment protection is incomplete without inspecting the orchestrator itself. This helps identify configuration errors, non-compliance with security policies, and unauthorized attempts to modify the configuration. Once the containers are running, monitoring orchestrator activity makes it possible to detect and halt suspicious activity both within and between clusters.
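Startup control of trusted containers comes down to checking each workload's manifest against the runtime items in the matrix above (closed list of registries, container privileges, host file system access) before the orchestrator runs it. Below is an added example of such a check in the shape of a Kubernetes admission decision; it is not code from the original post or from Kaspersky Container Security, and the Pod manifests, rule ids, approved registry and thresholds are constructed for illustration.

```python
# Constructed Pod manifest in the form an admission webhook receives it (already parsed from YAML).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}},
                    {"name": "scratch", "emptyDir": {}}],
        "containers": [
            {"name": "api", "image": "docker.io/example/payments:latest",
             "securityContext": {"privileged": True},
             "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]},
            {"name": "agent", "image": "registry.corp.example/observability/agent@sha256:" + "0" * 64,
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
             "resources": {"limits": {"cpu": "200m", "memory": "128Mi"}}},
        ],
    },
}
# Same workload with only the hardened container, for comparison.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "agent-only"},
                "spec": {"containers": [SAMPLE_POD["spec"]["containers"][1]]}}

APPROVED_REGISTRIES = {"registry.corp.example"}   # the "closed list": only these may supply images
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCK_AT = RANK["high"]                            # high or critical findings deny admission


def image_registry(image):
    """Registry part of an image reference; a bare name such as 'nginx:1.25' implies docker.io."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_pod(pod, approved=APPROVED_REGISTRIES):
    """Return findings as (rule, severity, subject, message): pod-level rules first, then per container."""
    spec, findings = pod.get("spec", {}), []
    pod_sc = spec.get("securityContext", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("POD001", "high", "pod", f"{flag}: container shares a host namespace"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(("POD002", "high", "pod", f"volume {vol['name']} exposes host path {path}"))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, image, sc = c["name"], c.get("image", ""), c.get("securityContext", {})
        if image_registry(image) not in approved:
            findings.append(("CTR001", "high", name, f"image {image} is not from an approved registry"))
        if "@sha256:" not in image:
            findings.append(("CTR002", "medium", name, "image is not pinned by digest"))
        if sc.get("privileged"):
            findings.append(("CTR003", "critical", name, "privileged container"))
        # runAsNonRoot may be set at pod level and inherited by the container.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(("CTR004", "high", name, "runAsNonRoot is not enforced"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("CTR005", "medium", name, "allowPrivilegeEscalation is not disabled"))
        added = sorted(sc.get("capabilities", {}).get("add", []))
        if added:
            findings.append(("CTR006", "high", name, f"capabilities added: {added}"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("CTR007", "low", name, "no resource limits (no quota enforcement)"))
    return findings


def admit(pod, approved=APPROVED_REGISTRIES):
    """Admission decision: (allowed, findings); denied when any finding reaches BLOCK_AT."""
    findings = check_pod(pod, approved)
    allowed = all(RANK[sev] < BLOCK_AT for _, sev, _, _ in findings)
    return allowed, findings


if __name__ == "__main__":
    for pod in (SAMPLE_POD, HARDENED_POD):
        allowed, findings = admit(pod)
        print(pod["metadata"]["name"], "ALLOWED" if allowed else "DENIED")
        for rule, sev, subject, msg in findings:
            print(f"  {rule} [{sev}] {subject}: {msg}")
```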

Kaspersky Container Security: Runtime policies

Kaspersky Container Security: Runtime policies settings

Some tasks from the matrix cannot be delegated to a security solution of any kind at all. These include the initial choice of a secure and minimalist OS build specially adapted for running container workloads, plus the crucial task of container grouping. For proper layered protection and convenient management, running containers need to be grouped on hosts so that information with certain security requirements is processed separately from information with lower security requirements. The implementation here depends on the orchestrator in use, but in any case, it’s primarily an exercise in risk assessment and threat modeling.

Generally, there are numerous container protection tasks, and trying to solve each of them in isolation, with one’s own tools or a manual configuration, would cause costs to soar. Hence, medium and large container environments require holistic security solutions that are deeply integrated with the containerization platform, the CI/CD pipeline, and the information security tools used in the company.

The job of information security experts is simplified by: integration with SIEM and channels for notifying about issues detected; regular automatic scanning of all images against an updated vulnerability database (such as NVD); functionality for temporary acceptance of information security risks; and detailed logging of administrative events in the containerization environment-protection system.

How Kaspersky Container Security implements protection

Our comprehensive solution protects container infrastructure by design: its components secure the entire lifecycle of containerized applications — from development to day-to-day operation. The dedicated scanner works with container images and provides static protection; the KCS agent running as a separate container under orchestrator control protects hosts in the runtime environment and the orchestration environment as a whole. Concurrently, the central component of Kaspersky Container Security integrates these parts and provides a management interface.

The high-performance platform offers robust protection for K8s clusters with hundreds of nodes.

Kaspersky Container Security: Dashboard

The first version of Kaspersky Container Security, which implements core protection for container environments, is already available. And we are committed to developing the product and extending its functionality going forward.



Business requirements for IT and infosec teams are varied and often conflicting. Their tasks include cost reduction, efficient use of data, automation, cloud migration, and weighing all information security risks. How do key trends and changes in IT affect a company's infosec profile, and what should be taken into account in your response to business needs? We analyze the most important and practical IT trends (according to several independent expert groups and cybersecurity market analysts), focusing on the infosec aspects of each.

IT optimization

Businesses around the world have good reasons to tighten their belts, whether because of geopolitical changes, inflation, or economic recession. For IT teams, this means a major review of operating costs. Finance departments today have cloud costs under the microscope, since 60% of corporate data is now stored in the cloud. For many companies, migration to the cloud was abrupt and unsystematic, leaving a backlog of unused SaaS subscriptions, as well as suboptimally configured virtual machines and other cloud environments. There is usually plenty of potential for optimization here, but it should not be a one-off process. Companies need to create a culture in which cloud costs are the concern not only of IT people, but also of the cloud users themselves.

Infosec angle. During optimization and consolidation, cloud services are reconfigured and data is moved between different cloud environments. It is important to allocate time and resources for a post-migration audit of systems to make sure, among other things, that security settings are correct and that all service accounts required for the migration have been closed. During migration, it is a good idea to rotate secrets (access tokens, API keys, etc.) and to implement encryption best practices and cipher policies.

If any cloud tools or services are decommissioned after migration, they should be purged of all confidential data and service information (debugging and temporary files, test data, etc.).

Open source

The economic benefits of open source applications are varied: for example, software development companies reduce costs and time to market by using ready-made code, while others acquire systems they can modify and maintain in-house if necessary.

Infosec angle. The main risks of open source are the presence of vulnerabilities and backdoors in third-party code, mainly because it is not always clear who should fix the code and how. Often a company will use some library or piece of software without knowing it. Eliminating open source risks requires a code inventory and scanning systems. For a deeper look at the risks and mitigation measures, see our separate post.

Data management

Large companies in almost every industry have been accumulating huge amounts of operational data for about two decades now. In theory, it helps optimize and automate business processes and develop fundamentally new products (sometimes the data itself becomes a sought-after commodity). In practice, however, things are more complicated: a lot of data is collected, but its structure, recency, and storage format are often such that it is difficult or even impossible to find information and use it.

For real data-driven growth, businesses need clear procedures for collecting, cataloging, storing, and using data. The useful strategies here are data management and data governance. They describe the structure and nature of the stored information and the full data lifecycle, and allow you to manage its storage and use.

Infosec angle. Data governance is implemented for economic reasons, but the collateral benefits for information security are considerable. After all, by knowing where and what data is stored, a company is better able to assess risks, provide adequate protection for every data set, and comply with personal data laws. The infosec team should play an active role in developing and implementing the data management strategy, including: access and encryption policies, compliance controls, protective measures for data at rest and in transit, and procedures for obtaining access. The strategy should also cover “additional” data types such as backups and proprietary technical information in the cloud (especially SaaS).

Low-code & no-code

The low-code approach allows business systems to be modified and extended without programmers. Common modifications include changing application and website interfaces, creating new data analytics and control scenarios, and robotic process automation (RPA). It helps in developing CRM solutions and e-document management, creating marketing web pages, etc. Businesses benefit from this approach because the IT maintenance costs involved are significantly lower than for counterparts that need “real” programmers. Some popular no-code/low-code systems are Microsoft Power Apps, Salesforce, Uipath, and even WordPress.

Infosec angle. Low-code systems pose significant risks, because by definition they have broad access to data and other corporate IT systems. They are also configured and used by people without deep IT/infosec training. All this can lead to data leaks, various forms of privilege escalation, insufficient logging, and unauthorized access to information.

In addition, users of such systems routinely leave secrets, such as API keys, directly in the code. And most importantly, almost all no-code systems make active use of a plug-in architecture and have their own dedicated component stores for user projects. Vulnerabilities in these components are often very serious, and very hard to track and fix quickly with standard infosec tools.

The infosec team must develop specific policies and procedures for each low-code application used in the company. Administrators and application owners should receive in-depth training in these infosec procedures, while regular users of low-code applications need basic specialized training. As part of this user training, it is important to teach secure programming practices and how to use the system. At a minimum, training should cover the requirements not to store passwords in software code, to validate input data, and to minimize data modification operations.

IT administrators should pay close attention to minimizing privileges and controlling access to data through low-code applications. The infosec team should evaluate specialized solutions for protecting particular low-code applications; for example, there is a fairly thriving mini-industry around WordPress. More on this rather broad topic can be found in our separate post.

Robustness & resilience

Major IT incidents of the past decade (not necessarily cyberattacks) have taught businesses that investing in IT resilience is both cost-effective and rewarding. Investment here is primarily aimed at eliminating catastrophic losses and ensuring business continuity. But even leaving major incidents aside, resilience pays off by improving the user experience for customers and employees, enhancing a company's reputation, and driving loyalty.

There are several ways to develop resilience:

  • In-depth testing of IT systems during development (DevOps, DevSecOps);
  • Designing systems that can continue to function in the event of partial failure (redundancy, duplication);
  • Implementing monitoring systems to track IT/infosec anomalies and prevent incidents at an early stage (database failures, load imbalances, malware execution, etc.);
  • Implementing multi-layered infosec systems in the company;
  • Developing automation scenarios to save time and minimize human error, including scenarios for automatically resolving IT infrastructure problems;
  • Studying the supply chain to eliminate incidents related to the code, infrastructure, or internal procedures of the company's suppliers and contractors;
  • Implementing incident response and post-incident recovery procedures and testing them in practice.

Infosec angle. When the business demands “general resilience” of its IT systems, the IT and infosec requirements here are closely linked, so implementing any of the above will require deep collaboration between the relevant departments. Budgets are limited, so it is important to set priorities together with business decision-makers and to distribute tasks and projects between “general IT” and infosec, identifying opportunities for optimization and synergy. Ideally, a single solution (say, a backup system) should serve IT and infosec tasks concurrently, and defining its requirements, training in its use, etc., should be done jointly. The result for the company will be a holistic cyber resilience strategy. The first steps toward cyber resilience are discussed in detail here.

This post has not said a word about generative AI or the various other corporate IT trends that are still in the “we're experimenting with how to apply this” phase. We plan to release a separate review of promising but still raw trends.



IT companies were the first to embrace open source, and many large businesses have followed. After all, the ability to reuse and independently modify code and fix bugs leads to rapid innovation and reduced costs.

But open source also has some inherent negative traits, owing to the blurred responsibility for creating and maintaining code. Endor Labs, assisted by more than 20 CISOs and CTOs from major IT companies, undertook a systematic analysis to come up with this top 10 list of risks.

Known vulnerabilities

The most important risk identified is the presence of vulnerabilities both in open source projects themselves and in their dependencies, that is, the external open source components used in the project. Vulnerabilities in dependencies can cause critical problems for dozens of large commercial software suites, as happened with the modest Apache Log4j library (CVE-2021-44228).

Security: Regularly scan your applications for vulnerabilities, including vulnerabilities in direct and indirect dependencies. Apply available fixes promptly. To optimize company resources, patches can be prioritized based on the severity of a particular vulnerability and the likelihood of its exploitation in the software you use.

Compromised legitimate packages

Since up to 80% of an open source project's code is inherited from other projects in the form of dependencies, there is always a chance that a third-party component used in your application has been trojanized. This can happen when the developers of the component are hacked, or when its distribution system (i.e. the package manager) is found to contain vulnerabilities that allow packages to be forged. In this case, third-party malicious code suddenly appears inside your application, which in practice is often used to steal information or for various illicit enrichment schemes (spam, adware fraud, mining).

Security: There is currently no mature methodology for protecting against this threat, so a combination of measures is needed: manual and automated systems for analyzing source code and monitoring repositories; local storage of trusted versions of components; use of Threat Intelligence to detect such attacks at an early stage (before they have time to affect the packages used in the company's open source applications).

“Namesake” attacks

Attackers create packages with names resembling those of legitimate packages, or copy the names of legitimate packages written in another programming language or hosted on another distribution platform. This creates the risk that your open source developers could integrate the malicious “namesake” package instead of the genuine one.

Security: Instruct developers to be vigilant. As part of standard procedure, before deployment, developers should check the package source code for oddities such as encrypted fragments in the code, function hijacking, and the like. It is also advisable to verify the package's digital signature (if any).

Unsupported code

Developers of open source components, packages, and applications can withdraw support for them at any time and for any reason. This is often the case with small packages developed by one or two people. When this happens, no one updates the package for compatibility with new technologies or to eliminate information security risks.

Security: Assess a project's maturity level and its development/support prospects before integrating it into your own code and business processes. Pay attention to the number of developers maintaining the project and the frequency of releases. Check for long-term support (LTS) releases and when they were released. However, for some stable projects, infrequent releases containing only bug fixes are normal.

Outdated software

Using old versions of components in a project makes patching harder. This problem is especially acute when risk number one materializes: a vulnerability in a component. Typically, problems with deprecated dependencies arise when a new version of a component differs significantly from the previous iteration in terms of syntax or semantics. In this scenario, the old version may remain in use for years without security updates.

Security: Give developers time to work on dependencies, including refactoring your code to update to the latest versions of the components currently in use.

Untraceable dependencies

Since almost every application uses third-party components, which in turn use other third-party components, application developers are often unaware that a particular component is present in their code. In that case, it is not checked for any of the other risks on this list. Its update status, vulnerabilities, and much more remain unknown.

Security: Maintain a detailed Software Bill of Materials (SBOM) using scanning tools that can detect even dependencies used without a package manager.

Regulatory and license risks

Although open source, every open source application and package comes with its own usage license. Risks arise if the license turns out to be incompatible with the intended use of the application, or if the licenses of some application components are incompatible with each other. It is also possible that one or more dependency components violate applicable law or regulatory requirements imposed on the company.

Security: The SBOM and code scanning tools mentioned above should be used to track the licenses and license terms that apply to the open source applications and components used in the company. It also makes sense to work with the legal department to develop a list of standard licenses accepted by the company, detailing their compatibility with the purposes for which the software is used. Software with an incompatible license, or no license at all, should be removed.

Immature software

Using components developed by immature teams creates a number of inconveniences and risks. Problems associated with immature software range from inadequate or inaccurate code documentation to unstable, error-prone operation and the absence of a test suite for regression testing. What's more, immature code is more likely to harbor critical vulnerabilities. All this makes immature software impractical to use, and increases both the costs involved and the risk of critical events and downtime.

Security: Before deploying an application or component, make sure its developers follow current best practices. Indicators include complete and up-to-date documentation, CI/CD pipelines for regression testing, as well as detailed information about test coverage and even the number of packages that already use the given component.

Unapproved changes

The components an application uses can change in ways that are invisible to its developers. This can happen if components are downloaded from a server without strict version control and/or over an unencrypted channel, and are not verified against hashes and digital signatures. In that case an application build can, in theory, produce a different result every time.

Security: Be firm in enforcing secure development practices. During development, use resource identifiers that unambiguously specify the component version. In addition, verify downloaded components against their digital signatures and known-good hashes. Always use secure communication protocols.
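What "unambiguous version identifiers plus hash verification" looks like in practice, as an added example that is not the article's code: the script below refuses any requirement that is not pinned to an exact version with a recorded SHA-256, in the style of pip's hash-checking mode, and accepts a downloaded artifact only if its digest matches. The artifacts, the component name and the lockfile text are constructed for the demonstration; in real use the hashes are recorded from a trusted first download or the publisher's signed release manifest.

```python
"""Accept a downloaded component only if it is pinned to an exact version and
its SHA-256 matches a recorded hash.

Added example, not the article's code. It mirrors the hash-checking mode of
pip requirements files (`pkg==1.2.3 --hash=sha256:...`): a line without an
exact version or without a hash is refused outright. The artifacts and the
requirements text below are constructed for the demonstration.
"""
import hashlib
import re

PIN_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def parse_pinned_requirements(text):
    """Return {name: (version, {sha256 hex digests})}.

    Raises ValueError for any requirement that is not pinned to an exact
    version with at least one hash, so a build cannot silently fall back to
    "whatever the server has today".
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_LINE.match(line)
        if match is None:
            raise ValueError("unpinned or hash-less requirement: %r" % line)
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", match.group("hashes")))
        pins[match.group("name").lower()] = (match.group("version"), digests)
    return pins


def verify_artifact(name, data, pins):
    """True only if `data` hashes to one of the digests pinned for `name`."""
    entry = pins.get(name.lower())
    if entry is None:
        return False  # unknown component: never install on trust
    return hashlib.sha256(data).hexdigest() in entry[1]


# Constructed artifacts standing in for a downloaded wheel or tarball.
GOOD_ARTIFACT = b"example-lib 1.2.3: constructed archive bytes\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"# one extra byte is enough to change the digest\n"

# Constructed lockfile; the digest is computed from GOOD_ARTIFACT here only
# because the example has to run offline.
PINNED_REQUIREMENTS = "example-lib==1.2.3 --hash=sha256:%s\n" % (
    hashlib.sha256(GOOD_ARTIFACT).hexdigest())
PINS = parse_pinned_requirements(PINNED_REQUIREMENTS)


if __name__ == "__main__":
    print("genuine artifact accepted:", verify_artifact("example-lib", GOOD_ARTIFACT, PINS))
    print("tampered artifact accepted:", verify_artifact("example-lib", TAMPERED_ARTIFACT, PINS))
    try:
        parse_pinned_requirements("example-lib>=1.0\n")
    except ValueError as err:
        print("refused:", err)
```

The hash check catches a silently replaced artifact; it does not tell you whether the pinned version was trustworthy in the first place, which is what the signature check and the SBOM review above are for.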

Dependencies that are too large or too small

Today, developers can integrate a component with just three lines of code. At the same time, it is a poor trade both when the entire component consists of four (tiny) lines of code and when the code you want to use is only one of the component's thousands of features, the rest of which go unused in the corporate application. In either case, developers are burdened with maintaining a whole dependency for the sake of minimal functionality.

Security: Avoid dependencies with minimal functionality; develop such functionality inside the main application instead.


#Main #risks #of #open-source #applications

Several media sources have reported a massive supply-chain attack targeting users of the 3CX VoIP telephony system. Unknown attackers managed to infect the 3CX VoIP applications for Windows and macOS. Cybercriminals are now attacking their users through weaponized applications signed with a valid 3CX certificate. The list of users is quite extensive: it comprises more than 600,000 companies, including top brands from around the world (American Express, BMW, Air France, Toyota, IKEA). Some researchers have named this malicious campaign SmoothOperator.

Apparently, the trojan is hidden in all versions of the software released after March 3; that is, builds 18.12.407 and 18.12.416 for Windows, and 18.11.1213 and later for macOS. According to a 3CX representative, the malicious code got into the program through an unnamed trojanized open-source component used by the development team.

Attack via trojanized 3CX software

Citing researchers from several companies, BleepingComputer describes the attack mechanism via the trojanized Windows client as follows:

  • The user downloads the installation package from the company's official website and runs it, or receives an update for an already installed program;
  • Once installed, the trojanized program creates several malicious libraries, which are used for the next stage of the attack;
  • The malware then downloads .ico files hosted on GitHub that carry additional lines of data inside;
  • These lines are then used to download the final malicious payload, which is what is used to attack end users.

The mechanism for attacking macOS users is somewhat different. A detailed description can be found on the website of the non-profit Objective-See foundation.
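The "extra lines of data" hidden in an icon file are a trailer appended past the end of the image data the file itself declares, and that is something an incident responder can check for without knowing anything else about the campaign. The script below is an added example, not code from the article or from any of the cited analyses: it parses the .ico directory (a 6-byte header followed by 16-byte entries giving each image's size and offset), computes where the declared image data ends, and reports whatever follows. The icons and the appended base64 string are constructed for the demonstration and are not real 3CX artifacts.

```python
"""Detect data appended past the end of an .ico file's declared image data.

Added example, not code from the article or from any cited analysis. The
ICO container is parsed from its directory: a 6-byte header (reserved, type,
image count) followed by 16-byte entries that each give the size and offset
of one image. Anything after the last declared image is a trailer that a
legitimate icon has no reason to carry. The icons and the appended string
below are constructed for the demonstration.
"""
import base64
import struct

HEADER = struct.Struct("<HHH")       # reserved, type (1 = icon, 2 = cursor), count
ENTRY = struct.Struct("<BBBBHHII")   # w, h, colours, reserved, planes, bpp, size, offset


def build_ico(images):
    """Assemble a syntactically valid .ico from raw image blobs (test data only)."""
    offset = HEADER.size + ENTRY.size * len(images)
    entries, body = b"", b""
    for img in images:
        entries += ENTRY.pack(16, 16, 0, 0, 1, 32, len(img), offset)
        body += img
        offset += len(img)
    return HEADER.pack(0, 1, len(images)) + entries + body


def declared_end(ico):
    """Offset at which the image data described by the ICO directory ends."""
    if len(ico) < HEADER.size:
        raise ValueError("too short to be an ICO file")
    reserved, kind, count = HEADER.unpack_from(ico, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = HEADER.size + ENTRY.size * count
    if len(ico) < end:
        raise ValueError("directory truncated")
    for i in range(count):
        *_, size, offset = ENTRY.unpack_from(ico, HEADER.size + ENTRY.size * i)
        end = max(end, offset + size)
    return end


def trailing_data(ico):
    """Bytes that follow the last declared image; b'' for a clean file."""
    return ico[declared_end(ico):]


def decode_trailer(ico):
    """Return the trailer decoded as base64 when it is valid base64, else the raw bytes."""
    trailer = trailing_data(ico).strip()
    try:
        return base64.b64decode(trailer, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return trailer


# Constructed test data: zero-filled blobs stand in for real PNG/BMP icon images.
PLACEHOLDER_IMAGE = bytes(40)
CLEAN_ICO = build_ico([PLACEHOLDER_IMAGE, PLACEHOLDER_IMAGE])
HIDDEN_TEXT = b"constructed stage-two locator, not a real 3CX artifact"
STAGED_ICO = CLEAN_ICO + b"\n" + base64.b64encode(HIDDEN_TEXT) + b"\n"


if __name__ == "__main__":
    for label, ico in (("clean", CLEAN_ICO), ("staged", STAGED_ICO)):
        extra = trailing_data(ico)
        print("%s icon: %d declared bytes, %d trailing bytes" % (label, declared_end(ico), len(extra)))
        if extra:
            print("  trailer decodes to:", decode_trailer(ico))
```

Many image viewers ignore trailing bytes, which is exactly why the trick works; the same "declared length versus file length" comparison applies to other container formats used for staging, and a non-empty trailer on a file fetched by an installed application is a strong hunting signal even before the content is decoded.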

What are the hackers after?

The downloaded malware can collect information about the system, as well as steal data and saved credentials from the user profiles of the Chrome, Edge, Brave and Firefox browsers. In addition, the attackers can use an interactive command shell, which in theory lets them do almost anything with the victim's computer.

Kaspersky experts have studied the backdoor the attackers used as part of the final payload. According to their analysis, this backdoor, dubbed Gopuram, was used primarily in attacks on cryptocurrency-related companies. Based on a number of clues, the experts also suspect that the Lazarus group is behind the attack. Details about the Gopuram backdoor, along with indicators of compromise, can be found in a post on the Securelist blog.

Why is this attack so dangerous?

The trojanized version of the program is signed with an official 3CX Ltd. certificate issued by DigiCert, the same certificate used in earlier versions of the 3CX program.

Also, according to Objective-See, the macOS version of the malware is not only signed with a valid certificate, but also notarized by Apple! This means the application is allowed to run on the latest versions of macOS.

How to stay safe

The application's developers recommend uninstalling the trojanized version of the program immediately and using the VoIP web client until an update is released.

It is also wise to conduct a thorough investigation of the incident to make sure the attackers did not have time to take over your company's computers. In general, to keep control of what is happening in the corporate network and to detect malicious activity in time, we recommend using a service of the Managed Detection and Response (MDR) class.


#supply #chain #attack #on #3CX #customers

Open-source applications have established themselves in the IT systems of large and medium-sized businesses. Beyond the areas they have long dominated, such as web servers, databases and analytics, open-source solutions are now also widely used for containerization, machine learning, DevOps and, of course, software development. Many businesses turn to open source for non-IT tasks too, such as CRM, visual content production and blog publishing. According to Gartner, more than 95% of businesses in the IT sector use open-source solutions, but even among non-IT companies the figure is above 40% and growing. And that does not count the many cases where open-source libraries are used inside proprietary applications.

Choosing between open and closed source is far from easy: it is not simply a matter of paid versus free, or supported versus unsupported. When deciding on any IT solution, a business should weigh several important aspects.

Implementation cost and schedule

Although there is often no license fee for an open-source solution, implementing it is not free. Depending on the complexity of the solution, you may need to budget your IT team's time, bring in expert consultants, or even hire developers who will keep adapting the application to your business needs.

There are also hybrid licensing models that let you use the community edition of an application for free, while the extended version with "enterprise" features still requires a paid license.

In addition, many open-source products do not come with complete and/or up-to-date documentation, or with training courses for end users. For a large implementation, this gap has to be filled on your own, which takes time and money.

The advantage of open source in the implementation phase is, of course, the possibility of full testing. Even if you plan to deploy the open-source solution as managed hosting or with the help of a specialized contractor, running the tests (a proof of concept) yourself is far more effective than watching a video demonstration of a proprietary solution. You will quickly see how functional and applicable the solution is for your specific business.

When comparing open- and closed-source solutions before deployment, it is important to understand how much time is available for testing, and whether you have the option of changing products at an early stage. If the deadlines are not pressing, and the answer to the second question is yes, then thorough testing of the open-source product makes sense.

Support costs

Day-to-day support and configuration of many industrial-scale open-source applications, as well as adapting them to high workloads, requires specialized and deep knowledge from the IT team. If that knowledge is not at hand, it has to be bought, either by hiring experts or by outsourcing. The most common forms of outsourcing are help from application-specific experts (the Red Hat format) or hosting optimized for a specific IT solution (Kube Clusters, WP Engine, or similar formats).

Of course, paid support is also standard for proprietary solutions; it is not only open source that needs it. The costs, meanwhile, are comparable. As practice shows, annual technical support for an enterprise open-source application is generally only 10-15% cheaper than for a proprietary solution.

Bug fixes, new features and scaling

Although mature open-source solutions are regularly updated with extended features and bug fixes, the developers often do not prioritize the bugs that matter to a specific business. This is even more common with feature requests. Here you have to sit and wait patiently, or spend your developers' valuable time (in-house or hired) writing the necessary code. The nice thing is that this is at least theoretically possible; the bad thing is that it can turn into a large and unpredictable expense.

Note that managed hosting removes the worry of installing patches and updating the application, but cannot help with such individual customization. Companies that need it essentially enter the development market, and have to choose the format of the extension they create: a fork of the main software product, or an additional main development branch in partnership with the application's original developers. This is where the strategic advantages of open source come into play, namely flexibility of use and speed of innovation.

Cross-platform integration and support

For large-scale multi-component solutions that actively exchange data, integration with and compatibility across multiple platforms can play a major role in the choice of software product. The priority here is support for industry formats for storing and exchanging data, plus a documented application programming interface (API). Sometimes a single-vendor solution with closed source code can meet these requirements better than a set of open-source solutions, even high-quality ones. But it is always worth estimating the cost of tweaking an open-source solution if it wins on the other criteria and has passed the proof-of-concept phase.

Risks, security and compliance

Open source is often touted as more secure. After all, if anyone can look at the source code and fix bugs, it must be more secure than a proprietary black-box offering, right?

As usual, reality is more complicated. First, many open-source applications have millions of lines of code, which no one can fully audit. The large number of updates to that code only complicates the task further. That said, small does not mean secure either. For example, the Shellshock vulnerability in Bash went undetected for more than 20 years!

Second, the dependency problem is very acute, because applications and code have their own supply chains. An open-source application may use third-party open-source libraries, which in turn link to other third-party libraries, and those tasked with auditing the application itself may not audit all the libraries. The risk of this chain has been demonstrated time and again: vulnerabilities in the free Log4j logging library affected thousands of large open-source solutions, hitting giants such as Amazon, Cloudflare and Elastic; attacks that replaced npm libraries with malicious namesakes were used against Apple and Microsoft; and an independent developer's decision to stop supporting the tiny left-pad library in the npm repository crippled more than a thousand popular applications and sites (including Facebook) for several hours.

[Figure: software dependencies. Source: xkcd.com/2347]

Another problem with dependencies is licensing. Open-source licenses are quite specific, and the absence of payment does not mean that no one holds the copyright. The application itself and its libraries may use several licenses, and violating the stricter (copyleft) ones is fraught with litigation. Much as they have established IT security audits and vulnerability mitigation processes, key users and developers of open-source software need a similar process for regularly checking license compliance, ideally a semi-automated one.

None of the above means that open source is the worst choice from an information security point of view. You just need to understand all the risks: the implementation team should assess the development culture and the frequency of security updates for the competing applications, and keep control of dependencies and licenses (for example, using a software bill of materials). Also, if your company works in software development, it is advisable to scan all open-source packages for vulnerabilities and malicious functionality.


#Can #your #business #switch #to #free #open-source #applications