I am Vladimir Melnik, technical director of Tucha. I would like to share a modern approach to creating the safe operation of online services, namely, their protection from external threats. I mean not only protection against unauthorized changes to the code of web applications, but also other aspects related to security. Therefore, now we will consider ways of countering attempts to exploit vulnerabilities of the application itself, which can be used by an attacker in order to obtain unauthorized access to certain data, their theft, substitution or destruction.
But first, I'll turn on the Captain Obvious mode and focus on some well-known postulates:
Errors in the code of a web application often allow an attacker to exploit them in such a way as to force the application to perform actions that are beneficial to the attacker and disadvantageous for the provider or other users of the online service that the application provides.
While there is no reliable way that could guarantee that there are no errors in the software code, there is no guaranteed way to ensure that they cannot be found and exploited.
By definition, the Internet cannot be considered a secure environment. Automated vulnerability scanners constantly comb through all available addresses in order to identify weaknesses in the protection of services, recall at these addresses (and if this practice were not effective enough, it would not have been applied). Popular online services, moreover, attract a lot of attention from enthusiasts, who, in turn, pay a lot of attention to finding vulnerabilities, the exploitation of which can lead to results that are interesting to them.
However, the number of online services on the network continues to grow, and the pace of this growth is also increasing. One of the really important questions is how to protect data stored on servers that are constantly connected to the Internet from intrusion.
There are quite a few practices aimed at reducing the risks of hacking, but in order not to try to grasp the immensity, we will focus our attention on two or three aspects.
What you need to be happy help desk support job descriptions
Identification of application publishing vulnerabilities by automated testing (including after each code change).
Protect against exploitation of vulnerabilities with Web Application Firewall, which detects potentially harmful patterns in user behavior and blocks potentially harmful requests.
It would also be worth mentioning the advantages of a microservice architecture, which allows you to minimize the risks of escalating access when hacking a microservice, which itself does not have such access.
Are they effective? Yes.
Are they used everywhere? Not.
Everything's under control
What can hinder the application of these practices? The answer is laziness and optimism.
“Our web applications are already reasonably well secured” is perhaps the most innocuous assumption you can make. Even more dangerous and absurd than it can only be the following: "We write code without errors."
Of course, as I already noted at the very beginning, there are no means to completely avoid errors in development, just as there is no one hundred percent reliable way to protect against their exploitation. But, the more attention is paid to these aspects, the lower the likelihood that the web application will be hacked.
And I suppose that a platform in which this functionality would be initially laid down could help here. Let's imagine what it could be.
Where are we going
Such a platform allows you to automate the processes associated with the life cycle of applications, ensures the operation of these applications, as well as storing their data in the computing cloud. To be reliable enough, it provides distributed computing and distributed data storage.
Ephemeral containers
Security and stability are important to us, therefore, using such a platform means placing application instances in isolated containers that run simultaneously on several physical nodes and receive equal shares of traffic from the load balancer, which dispatches requests from clients. Let the Kubernetes orchestration system manage the containers, which is becoming more and more popular among Ukrainian DevOps engineers, and global trends already allow us to speak of it as a new industrial standard.
No comments:
Post a Comment