The Development and Future of Web Application Security
Speaker: 刘沛旻, China Technical Manager, Imperva

About the speaker: 刘沛旻 is a senior technical expert at Imperva with more than ten years of experience in the security industry. He has taken part in the planning, construction and implementation of many major information security projects across finance, telecommunications, manufacturing, energy and other industries, and has extensive experience and his own perspective on protecting enterprises' critical information and applications.

Top 5 Web application attacks
Imperva analysed 1.14 billion client requests in the first half of 2020; the main attack types were distributed as follows. [Chart not reproduced in the extracted text.]

When Web application security comes up, what is the first keyword you think of? The OWASP Top 10, from the 2003 edition to the 2017 edition. Your Web application faces far more than that: Web application security goes well beyond the OWASP Top 10.

The wider threat landscape

OWASP Top 10 attacks
- Injection
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Using components with known vulnerabilities
- Insufficient logging & monitoring

OWASP Automated Threats
- Account Aggregation
- Account Creation
- Ad Fraud
- CAPTCHA Defeat
- Card Cracking
- Carding
- Cashing Out
- Credential Cracking
- Credential Stuffing
- Denial of Inventory
- Denial of Service
- Expediting
- Fingerprinting
- Footprinting
- Scalping
- Scraping
- Skewing
- Sniping
- Spamming
- Token Cracking
- Vulnerability Scanning

OWASP API Top 10 attacks
- Broken object level authorization
- Broken user authentication
- Excessive data exposure
- Lack of resources & rate limiting
- Broken function level authorization
- Mass assignment
- Security misconfiguration
- Injection
- Improper assets management
- Insufficient logging & monitoring

DDoS attacks
Layer 3/4: UDP floods, NTP amplification, DNS amplification, Tsunami SYN flood, CharGEN amplification, Memcache amplification, SSDP amplification, SNMP amplification, GRE-IP UDP floods, CLDAP attacks, ARMS (ARD), Jenkins, DNS Water Torture, SYN floods, TCP RST floods, SSL Negotiation floods, TCP connect floods, Fragmented attacks, TCP ACK floods, CoAP, WS-DD, NetBIOS
Layer 7: DNS Query floods, SlowLoris attack, HTTP(S) GET request floods, HTTP(S) POST request floods, SMTP request flood

Client-side attacks
- Formjacking
- Credit card skimming
- Card skimming
- Digital Skimmers
- Magecart
- JavaScript supply chain attacks

Supply chain & zero-day attacks
- Insider threats
- Unknown new attacks
- Internal-facing app attacks

Techniques
- Clickjacking
- HTTP Response Splitting
- HTTP Method Tampering
- Large Requests
- Malformed Content Types
- Path Traversal
- Unvalidated Redirects
- Software Supply Chain Attacks

Injections
- Command Injection
- Cross-Site Scripting
- Cross-Site Request Forgery
- CSS & HTML Injection
- Database Access Violation
- JSON & XML Injection
- OGNL Injection
- SQL Injection

Weaknesses
- Insecure Cookies & Transport
- Logging Sensitive Information
- Unauthorized Network Activity
- Uncaught Exceptions
- Vulnerable Dependencies
- Weak Authentication
- Weak Browser Caching
- Weak Cryptography

APIs have become a target for attackers
By 2022, APIs will be the most common attack vector for data breaches in enterprise Web applications.

Open banking: entering the API era
Since 2018, open APIs have been developed to share financial data with other banks and third-party institutions. The security challenges are API security and data privacy; API security has become the focus of Web application security.

The definition of Web application security: WAAP (Web Application and API Protection)
[Architecture diagram.] APIs sit behind an API gateway; north-south traffic is protected by Imperva Cloud WAF and Imperva WAF Gateway, east-west traffic and the data tier by WAF Gateway and RASP.

API security best practices
[Architecture diagram: API gateway, WAF Gateway and RASP on the north-south path; WAF Gateway and RASP on the east-west path in front of the data tier and APIs.]
Threats and the corresponding controls:
- Bot identification: Advanced Bot Protection
- DDoS protection: DDoS Protection (3-second SLA)
- Business logic attacks: Cloud WAF
- Technical vulnerability exploitation: API Security, with heuristic analysis and machine learning
- Account attacks: Account Takeover protection and Attack Analytics
Whitelist model with strict access control:
- Automatically obtain the OpenAPI definition (Swagger) of the service
- Enforce strict access control on every API endpoint
- Prevent API abuse

API security vs. traditional security
Use a unified Web application security platform to manage API security.
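Added illustration of the whitelist (positive security) model from the API security best-practices slide: a small Python checker that admits only requests described by an OpenAPI definition and denies everything else. This is example code written for this page, not Imperva product code; the OpenAPI fragment and the open-banking endpoint names in it are constructed.

```python
import re

# Constructed minimal OpenAPI 3 fragment (hypothetical open-banking endpoints).
# Under a whitelist model, only what is declared here is allowed to pass.
OPENAPI_SPEC = {"paths": {
    "/accounts/{accountId}/balance": {"get": {"parameters": [
        {"name": "accountId", "in": "path", "required": True,
         "schema": {"type": "string", "pattern": "[0-9]{8,12}"}},
        {"name": "currency", "in": "query", "required": False,
         "schema": {"type": "string", "enum": ["USD", "EUR", "CNY"]}}]}},
    "/accounts": {"get": {"parameters": []}},
}}


def _compile_paths(spec):
    """Turn '/accounts/{accountId}' templates into regexes with named groups."""
    return [(re.compile("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", t) + "$"), ops)
            for t, ops in spec["paths"].items()]


def check_request(spec, method, path, query):
    """Return (allowed, reason). Deny anything the spec does not describe:
    unknown path or method, undeclared query parameter, required parameter
    missing, or a value violating the declared pattern/enum."""
    for regex, ops in _compile_paths(spec):
        m = regex.match(path)
        if not m:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, "method not allowed on this path"
        declared = {p["name"]: p for p in op["parameters"]}
        for name in query:  # reject parameters the spec never declared
            if name not in declared or declared[name]["in"] != "query":
                return False, f"undeclared query parameter: {name}"
        values = {**m.groupdict(), **query}
        for name, p in declared.items():
            if name not in values:
                if p.get("required"):
                    return False, f"missing required parameter: {name}"
                continue
            schema, v = p["schema"], values[name]
            if "pattern" in schema and not re.fullmatch(schema["pattern"], v):
                return False, f"parameter {name} fails declared pattern"
            if "enum" in schema and v not in schema["enum"]:
                return False, f"parameter {name} not in declared enum"
        return True, "ok"
    return False, "unknown path"
```

A gateway or WAF that loads the live OpenAPI document instead of the inline dictionary enforces the same rule: an endpoint, method or parameter that is not declared is never reachable, which is what closes off unknown and abused API surface.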
Software supply chain security
In December 2020 the SolarWinds Orion software system was compromised by Russian attackers using a zero-day vulnerability. How do you defend against this? The supply chain attack methods seen are:
- Compromising a vendor's third-party programs
- Exploiting vulnerabilities in open-source libraries
- Exploiting dependency confusion
- Malicious account takeover

Building from scratch vs. rapid development: the "backdoor" that may always be there
- Exploitation of third-party component vulnerabilities
- Exploitation of open-source library vulnerabilities

RASP: vaccinating the Web application
Runtime Application Self-Protection (RASP) is secure by default: no code changes are needed, it detects attacks while the program is running, and it can see how the program code actually executes. The US National Institute of Standards and Technology recommends the use of RASP in "Security and Privacy Controls for Information Systems and Organizations"*, starting protection at every stage of software development.

Better suited to future Web application architectures
Future trends in Web application security:
- Past: On-Premises
- Now: Cloud
- Future: Multi-cloud, Serverless

WAAP protection at each layer
Layers: at the Edge, at the Cloud Provider, at the Data Center, at the Service Mesh, at the Workload, at the Function.
Protection measures: Cloud WAF, integration services, WAF Gateway, cloud-native integration, RASP, Serverless protection.
Security dimensions: WAAP security services, covering API Security, Application Security, Bot, Client-Side Protection, Intelligence & Reputation.
Integration: system integration with antivirus, API gateways, cloud providers, DevOps integration, identity providers and SIEMs.
Management & analytics: centralised management and cloud-based analytics, with unified management and configuration and machine learning.

WAAP Anywhere: conceptual architecture
[Architecture diagram.] Imperva WAF Gateway in front of Applications & APIs, with security labels; a copy of each request is passed from the Envoy Proxy to Imperva Runtime Protection; Imperva Serverless Protection and Imperva Cloud WAF feed telemetry to the Imperva Sonar Cloud Platform (WAAP Service, vPOPs, Client SDK).

Thank You