Software and security - do you follow specific guidelines?
As part of a PCI-DSS audit we are looking into our improving our coding standards in the area of security, with a view to ensuring that all developers understand the importance of this area.
How do you approach this topic within your organisation?
As an aside we are writing public-facing web apps in .NET 3.5 that accept payment by credit/debit card.
Comments (3)
There are so many different ways to break security. You can expect infinite attackers. You have to stop them all - even attacks that haven't been invented yet. It's hard. Some ideas:
Developers need to understand well known secure software development guidelines. Howard & Le Blanc "Writing Secure Code" is a good start.
But being good rule-followers is only half the point. It's just as important to be able to think like an attacker. In any situation (not only software-related), think about what the vulnerabilities are. You need to understand some of those weird ways that people can attack systems - monitoring power consumption, speed of calculation, random number weaknesses, protocol weaknesses, human system weaknesses, etc. Giving developers freedom and creative opportunities to explore these is important.
Use checklist approaches such as OWASP (http://www.owasp.org/index.php/Main_Page).
Use independent evaluation (e.g. http://www.commoncriteriaportal.org/thecc.html). Even if such evaluation is too expensive, design & document as though you were going to use it.
Make sure your security argument is expressed clearly. The common criteria Security Target is a good format. For serious systems, a formal description can also be useful. Be clear about any assumptions or secrets you rely on. Monitor security trends, and frequently re-examine threats and countermeasures to make sure that they're up to date.
Examine the incentives around your software development people and processes. Make sure that the rewards are in the right place. Don't make it tempting for developers to hide problems.
Consider asking your QSA or ASV to provide some training to your developers.
Security basically falls into one or more of three domains:
1) Inside users
2) Network infrastructure
3) Client side scripting
That list is written in order of severity, which is the opposite of the order of violation probability. Here are the proper management solutions from a very broad perspective:
The only solution to prevent violations from the inside user is to educate the user, enforce awareness of company policies, limit user freedoms, and monitor user activities. This is extremely important as this is where the most severe security violations always occur whether malicious or unintentional.
Network infrastructure is the traditional domain of information security. Two years ago security experts would not consider looking anywhere else for security management. Some basic strategies are to use NAT for all internal IP addresses, enable port security in your network switches, physically separate services onto separate hardware, and carefully protect access to those services even after everything is buried behind the firewall. Protect your database from code injection. Use IPSEC to reach all automation services behind the firewall and limit points of access to known points behind an IDS or IPS. Basically, limit access to everything, encrypt that access, and inherently trust that every access request is potentially malicious.
Over 95% of reported security vulnerabilities are related to client side scripting from the web, and about 70% of those target memory corruption, such as buffer overflows. Disable ActiveX and require administrator privileges to activate ActiveX. Patch all software that executes any sort of client side scripting in a test lab no later than 48 hours after the patches are released by the vendor. If the tests do not show interference with the company's authorized software configuration, then deploy the patches immediately. The only solution for memory corruption vulnerabilities is to patch your software. This software may include: Java client software, Flash, Acrobat, all web browsers, all email clients, and so forth.
As far as ensuring your developers are compliant with PCI accreditation, ensure they and their management are educated to understand the importance of security. Most web servers, even large corporate client-facing web servers, are never patched. Those that are patched may take months to be patched after they are discovered to be vulnerable. That is a technology problem, but even more important is that it is a gross management failure. Web developers must be made to understand that client side scripting is inherently open to exploitation, even JavaScript. This problem is easily realized with the advance of AJAX, since information can be dynamically injected to an anonymous third party in violation of the same origin policy and completely bypass the encryption provided by SSL. The bottom line is that Web 2.0 technologies are inherently insecure, and those fundamental problems cannot be solved without defeating the benefits of the technology.
When all else fails, hire some CISSP certified security managers who have the management experience to have the balls to speak directly to your company executives. If your leadership is not willing to take security seriously, then your company will never meet PCI compliance.