通过自动化改进网络漏洞管理
Vulnerability management is important, but can be incredibly time consuming. We have to scan our systems and then fix the vulnerabilities that we’ve discovered. In a large software engineering organization this becomes more challenging — service owners are responsible for fixing vulnerabilities in their systems along with all their other work, and security has to track this work, nudge engineers to actually fix things, and report to CISO/compliance/etc. Fortunately much of this work lends itself to automation, letting security engineers focus on understanding and fixing vulnerabilities! In this post we’ll focus specifically on web vulnerabilities, and some of the fun automation challenges this process poses.
漏洞管理是很重要的,但可能是令人难以置信的耗时。我们必须扫描我们的系统,然后修复我们所发现的漏洞。在一个大型的软件工程组织中,这变得更加具有挑战性--服务所有者负责修复他们系统中的漏洞以及所有其他的工作,而安全人员必须跟踪这项工作,促使工程师真正修复这些东西,并向CISO/compliance/等报告。幸运的是,这些工作中的大部分都可以实现自动化,让安全工程师专注于理解和修复漏洞。在这篇文章中,我们将特别关注网络漏洞,以及这个过程所带来的一些有趣的自动化挑战。
The Old Ways Are Not Best
旧的方法不是最好的
Until recently, due to our ever evolving environment and infrastructure considerations, Lyft’s web vulnerability process was a very manual intensive process, from scanning and tabulating results to deduplicating issues. In addition, it was necessary to manually prepare reports on a regular basis. All of this work represented a significant effort (3 months a year), and took time away from vulnerability analysis.
直到最近,由于我们不断发展的环境和基础设施的考虑,Lyft的网络漏洞过程是一个非常密集的手工过程,从扫描和列表的结果到扣除问题。此外,有必要定期手动准备报告。所有这些工作都需要大量的精力(每年3个月),并占用了漏洞分析的时间。
Our engineer performed the following manual steps every month, in addition to the aforementioned report:
我们的工程师除了上述报告外,每个月还进行以下手工步骤。
- Run the scan on their computer using Burp (via UI) on a list of URLs, and then export the findings to an xml document. Scans could take several days, and often paused due to errors.
- 在他们的电脑上使用Burp(通过用户界面)对一个URL列表进行扫描,然后将结果导出到一个xml文档。扫描可能需要几天时间,而且经常因为错误而暂停。
- Run a script on the xml document to turn it into a CSV file of issues that could be consumed by Jira.
- 在xml文档上运行一个脚本,把它变成一个可以被Jira使用的CSV问题文件。
- Impo...