With a vulnerability scanner, how do you use it? A small, immature summary
Last night I dreamed that I was at some company, I couldn't tell whether a former or my current one, talking with my colleague hc. He said that the biggest problem at present is that there isn't enough manpower, and only when the manpower problem is solved can the team run. I asked what his team does. He said scanners and vulnerability operations. In the dream I started thinking back over the various efficiency-improving and manpower-saving measures at my previous company. I replied that manpower is of course important, otherwise things can't get done, but with a given amount of manpower the method matters more. Then I started talking about how to use the scanner.
What? Isn't the scanner just a tool? Who doesn't know how to use one?
Here I will talk about how scanners are used in the concrete practice of an Internet company, from a personal point of view, and everyone is welcome to share their own experience... This is the first time I've posted, and I don't know how badly it will get flamed...
First, where does the scanner come from?
In the two companies I worked at before, the black box scanners were all self-developed, and only one of the two had a white box scanner. It was not until a sharing session by a certain company M that we learned that their black box and white box scanners were all purchased, with the vendor (Party B) providing the product and after-sales support. At the time I wondered: if it is provided by a vendor that doesn't know our code, can it still meet our needs when we add rules? The experts from company M explained that M had also built its own scanner, but the problem was that the goals of the scanner's development and maintenance team were often inconsistent with those of the security team actually operating it, so rules were not updated efficiently. And because the vendor serves many customers, it has more samples, a more professional product and better service. Looking back at the two companies I worked at, unless the scanner's development and operations and the security engineers sit in one small team, it is really hard to guarantee rapid iteration of the scanner.
Apart from the larger companies, if it is a startup or a fast-growing company, buying a scanner of good quality with good after-sales service is a good choice. Of course, if you can hire a professional scanner developer to do the product development in-house, that is even better: not only do you avoid a lot of detours, it also makes integration with internal products easier.
Second, who uses the scanner?
When I first entered this field, what I saw was that the scanner periodically scanned all traffic, domain names or IPs, then pushed the results to the SOC, and security engineers handled the alarm operations and the distribution of the resulting vulnerabilities. That was my understanding of the earliest users of the scanner.
As time went on, I met a group of special partners and saw that, besides the regular operation by security engineers, employees outside the security team can be mobilized too. After all, security is not just the security team's business; it belongs to the whole company, and even to outsiders who help build the ecosystem.
Third, how to use the scanner?
1. Regular black box scanning
Collect and maintain the company's traffic, IP and domain name information, and perform regular full and incremental scans of these assets.
For full scans, the focus is on collecting and maintaining the company's assets and on an effective de-duplication strategy for them. The cycle is longer than the incremental scan cycle; the emphasis here is on completeness, not speed. De-duplication also needs a complete strategy, but I won't expand on it here.
Incremental scanning compares against the existing asset library; once a new asset is found, scan it immediately. The emphasis here is speed, because if historical vulnerabilities have been effectively fixed, new assets are more likely to carry new or high-risk vulnerabilities, so they need to be discovered and handled as soon as possible.
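The full/incremental split above depends on two pieces of logic the post does not spell out: normalising assets so the same host seen from several sources is counted once, and diffing a fresh feed against the library to find what to scan immediately. The following is an added example, not the post's own code; the feed format (asset string plus source name) and the sample hosts are assumptions.

```python
"""Asset inventory de-duplication and incremental diff (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple


def normalize_asset(raw: str) -> str:
    """Canonical host form: strips scheme/path/port/trailing dot/case; IP literals canonicalised."""
    s = raw.strip().lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    s = s.split("/", 1)[0]
    if s.startswith("["):               # bracketed IPv6 literal, maybe with a port
        s = s[1:].split("]", 1)[0]
    elif s.count(":") == 1:             # host:port
        s = s.split(":", 1)[0]
    s = s.rstrip(".")
    try:
        return str(ipaddress.ip_address(s))   # 2001:DB8::1 and 2001:db8:0::1 become one key
    except ValueError:
        return s                        # a domain name

def build_inventory(raw_assets: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Full-scan input: canonical asset -> the sources it was seen in (the dedup step)."""
    inventory: Dict[str, Set[str]] = {}
    for raw, source in raw_assets:
        inventory.setdefault(normalize_asset(raw), set()).add(source)
    return inventory

def incremental_targets(known: Dict[str, Set[str]],
                        fresh: Iterable[Tuple[str, str]]) -> List[str]:
    """Incremental-scan input: assets in the fresh feed that the library has never seen."""
    seen = set(known)
    new: List[str] = []
    for raw, _source in fresh:
        canon = normalize_asset(raw)
        if canon not in seen:           # queue once, even if the feed repeats it
            seen.add(canon)
            new.append(canon)
    return new

# Constructed sample feeds (asset, source); not real infrastructure.
FULL_FEED = [("https://Shop.example.com/login", "traffic"), ("shop.example.com.", "dns"),
             ("shop.example.com:8443", "cmdb"), ("10.0.0.5", "traffic"),
             ("http://10.0.0.5:8080/", "cmdb"), ("[2001:DB8::1]:443", "traffic")]
FRESH_FEED = [("shop.example.com", "traffic"), ("https://api.example.com/v1/", "traffic"),
              ("API.example.com", "dns"), ("2001:db8:0::1", "dns")]
```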
2. Black box plugin scanning
According to Net Market Share's July data, the top browser in the global rankings is Chrome, with a total market share of 48.65%. In actual work, many programmers like to use Chrome, and many other browsers use the Chrome (Chromium) engine directly.
Given this, it is feasible to develop a Chrome browser scanning plugin.
Since a black box scanner can scan for vulnerability characteristics starting from a URL, the URLs browsed in Chrome or a Chrome-based browser can be collected and crawled by the plugin and then black-box scanned. Once a security engineer has developed the plugin and promoted it to the company's developers and testers for installation and use, developers and testers can detect vulnerabilities themselves in their development and test environments, and as long as the security engineer prepares the corresponding fix guidance, developers can fix the issues themselves before going online. There is no need to wait until the product goes online, exposing the security risk externally, and then having outsiders or security engineers push the fix back to development. This not only reduces security risk but also saves security engineers' effort.
3. Black box self-service scanning
Still based on the ability to scan or crawl a given URL for vulnerabilities, the scanner's backend function can be developed into a front-end product for developers or testers who have a vulnerability to check or a certain level of expertise.
The product form can be as simple as an input box: the user enters a URL, clicks scan, and the URL is black-box scanned.
For deeper users, functions such as scheduled, batch, crawler or API (interface) scanning can also be developed... There is a lot that can be done.
4. Server scanning
The principle is to grab the logs on the development or test server, push them to the scanner, and perform regular automated scans. The advantage is that once configured, it accurately collects the logs of the latest changes with no manual steps in the middle; you just wait for the results.
Note that it is necessary to develop a packaged agent as much as possible, not just an interface, because a packaged agent is cheaper for development or test teams to adopt and easier to promote. If the web server types in the company are not uniform, you may need to develop multiple versions for Apache, Nginx, lighttpd, etc.
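The core of such an agent, and equally of the browser plugin in method 2, is turning a stream of observed requests into a de-duplicated list of scan targets. Below is an added example (not the post's or any vendor's code) of that step for the Apache/Nginx "combined" access log format; the host name, the static-extension filter and the sample log lines are assumptions constructed for the example.

```python
"""Access-log agent: turn server logs into unique black-box scan targets (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Request field of the Apache/Nginx "combined" format (lighttpd's default has the same shape).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: static assets give a black-box scanner nothing to test.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")


def parse_request(line: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """(method, path, query params) from one log line; None for lines that are not requests."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("method"), parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def collect_targets(host: str, lines: Iterable[str]) -> List[Dict]:
    """Collapse hits into one target per endpoint shape (method + path + parameter names).

    Parameter *values* differ per request, so they are not part of the key; the
    first-seen values are kept as a valid sample for the scanner. POST bodies never
    appear in access logs, so POST targets carry only their query parameters.
    """
    targets: Dict[tuple, Dict] = {}
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        method, path, params = parsed
        if path.lower().endswith(STATIC_EXT):
            continue
        key = (method, path, tuple(sorted(params)))
        if key in targets:
            targets[key]["hits"] += 1
            continue
        targets[key] = {"url": f"http://{host}{path}", "method": method,
                        "params": params, "hits": 1}
    return list(targets.values())


# Constructed sample log lines in combined format (not from a real server).
SAMPLE_LOG = [
    '10.1.2.3 - - [12/Aug/2019:10:00:01 +0800] "GET /user/profile?id=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.1.2.4 - - [12/Aug/2019:10:00:02 +0800] "GET /user/profile?id=1002 HTTP/1.1" 200 515 "-" "Mozilla/5.0"',
    '10.1.2.5 - - [12/Aug/2019:10:00:03 +0800] "POST /api/order HTTP/1.1" 201 88 "-" "curl/7.64.0"',
    '10.1.2.6 - - [12/Aug/2019:10:00:04 +0800] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    "not an access log line at all",
]
```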
5. White box code scanning
White box code scanning can in theory also be offered as in method 3: input a code path for self-service scanning. Another option is to package the white box scanner as a script or package and promote it to developers; during regular development, running the script or package shows where the code may be creating a security hole.
There are two difficulties with this approach. First, if the company develops in multiple languages, adapting and developing the package may require more thought. Second, the false positives produced by white-box scanning itself are hard to control; this is a trade-off between false negatives and false positives. At the very least, only enable rules whose false positive rate is below a certain baseline, and provide guidance for the results, otherwise it is easy to burn through your goodwill (RP) with developers.
6. Release (go-live) platform scanning
In a more mature company, releasing code to production usually has a platform or system supporting it.
If black box and white box scans are integrated before going online and the vulnerabilities are fixed at that stage, you get twice the result for half the effort.
A few things to note:
First, it is necessary to get buy-in from the release platform's team, obtain the corresponding platform access, and support the platform's users. The suggestion here is to pilot first and then gradually roll out.
Second, when integrating black and white box scans, do not wait until the final release step to scan; instead, move the scanning step earlier, pre-scan, speed it up and improve the user experience.
Third, for the scan results, a policy is needed on which findings may be fixed after going online and which must be fixed before going online, and it must clarify the risk acceptance (confirmation) procedure for going online without a fix.
Fourth, maintenance of the scanner's scanning rules should live in your own system, not in the release platform. Adding rules and setting up whitelists this way keeps the initiative under your control without being affected by the release platform.
Finally, no kind of scanner can solve all problems. If necessary, add manual testing for key business lines through policy.
Fourth, how to maintain the scanner?
The easiest way to measure the quality of a scanner is its false negatives and false positives. Minimizing both is the most important goal of scanner security operations. Of course stability, efficiency and speed cannot be ignored, but they are not discussed in detail here.
1. False negatives
False negatives are inevitable. What matters is being able to handle and resolve them better after each one is discovered, and to strike a balance between false negatives and false positives. Once a vulnerability is reported through any non-scanner channel, a dedicated person should analyze it and add it to the scanner. Policies can be formulated for the notification rules and methods for suspected false negatives, the initial triage and filtering by vulnerability type, and the subsequent rule addition, all of which improve work efficiency.
In addition, collecting and maintaining basic assets, including but not limited to traffic, domain names, IPs and code path information, is also an important way to reduce false negatives. However, large companies' assets are very scattered, and start-ups' infrastructure may be incomplete, so collecting assets is hard. Based on limited past experience, if the security team has the manpower, the best plan is to organize the assets and asset data into your own platform and maintain it yourselves. If you rely on other platforms for operation and maintenance, there will be endless trouble in subsequent work, whether in handoffs or in data accuracy. Combing through assets is indeed a job that requires patience, perseverance and communication skills.
2. False positives
What is involved here is adding rules. If it's a self-developed scanner, it is highly recommended that rules be added through dynamic configuration rather than by updating code, because the rules themselves change constantly; if every rule change depends on development, the follow-up trouble is, well, you know.
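One way to do what this section and the "Fourth" note in method 6 recommend, keeping rules and the whitelist as configuration the security team owns, is shown below. This is an added example, not the post's scanner; the JSON schema (id/severity/where/pattern/desc plus a url_prefix whitelist) and the sample rules are assumptions. The point is that adding a detection, or suppressing a known false positive under one URL prefix, is a config edit, and a broken pattern is rejected when the file is loaded rather than crashing a scan.

```python
"""Scanner rules and whitelist as dynamic configuration (added example, not the post's code)."""
import json
import re
from typing import Dict, List

# Constructed rule file. Its schema is an assumption for this example.
RULES_JSON = r"""
{
  "rules": [
    {"id": "DBG-001", "severity": "high", "where": "body",
     "pattern": "Traceback \\(most recent call last\\)", "desc": "Python stack trace leaked"},
    {"id": "HDR-002", "severity": "low", "where": "header:server",
     "pattern": "^Apache/2\\.2\\.", "desc": "end-of-life Apache 2.2 banner"}
  ],
  "whitelist": [
    {"rule": "DBG-001", "url_prefix": "http://dev.example.com/debug/"}
  ]
}
"""

def load_rules(text: str) -> Dict:
    """Parse and compile the rule file; a broken pattern is rejected here, not mid-scan."""
    cfg = json.loads(text)
    compiled = []
    for r in cfg["rules"]:
        try:
            regex = re.compile(r["pattern"], re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"rule {r['id']}: bad pattern ({exc})") from exc
        compiled.append({**r, "regex": regex})
    return {"rules": compiled, "whitelist": cfg.get("whitelist", [])}

def is_whitelisted(rule_id: str, url: str, whitelist: List[Dict]) -> bool:
    """Known false positive: this rule is suppressed under the given URL prefix."""
    return any(w["rule"] == rule_id and url.startswith(w["url_prefix"]) for w in whitelist)

def evaluate(url: str, headers: Dict[str, str], body: str, cfg: Dict) -> List[Dict]:
    """Run every configured rule against one fetched response (headers matched case-insensitively)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    for r in cfg["rules"]:
        where = r["where"]
        # "body" tests the response body; "header:<name>" tests that one header.
        subject = body if where == "body" else hdrs.get(where.partition(":")[2], "")
        if r["regex"].search(subject) and not is_whitelisted(r["id"], url, cfg["whitelist"]):
            findings.append({"rule": r["id"], "severity": r["severity"], "url": url, "desc": r["desc"]})
    return findings
```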
Finally, security is not one team's business, but an ecosystem built up by various forces inside and outside the company.
No scanner can scan all the vulnerabilities.
Respect to the security practitioners struggling on the front line.