Does Your App Include Open Source Components? 5 Security Tips


A modern web application is bundled with tons of open-source dependencies. Developers are usually unaware of the number of open-source packages running under their own package's hood. If you've ever wondered why your node_modules were so large, well, that's why!


Contrary to popular belief, open-source components and dependencies are not more secure than their proprietary counterparts. Sure, there's a fleet of developers who volunteer to maintain certain repositories and that's great! However, the mere fact that lots of people use something doesn't make it more secure.


Add to this the issues around obsolete and abandoned packages. They're still popular amongst developers, but no longer maintained by anyone. In certain other cases, the developers are at fault by not prioritizing security updates. It becomes clear that protecting an organization's applications on a daily basis has now become a crucial necessity for survival in the market.


As you might already know, layered security is imperative and crucial. No one layer or program can withstand the numerous attacks from the unknowns of the dark web. Therefore, once organizations follow some of these best practices, they should be empowered to implement a robust strategy for a secure environment around their business-critical applications.


Package Your Components in a Container

The first stage in securing your applications is to ensure that they are sheltered within a Docker-like container. The inbuilt security of a container, along with its default configuration, renders a much stronger security posture. Applications that reside within settings such as this automatically inherit the same security guidelines. Furthermore, you can limit the damage your open-source dependencies and APIs can do by running your app inside a container.


To make matters simpler, containers can be understood to be a protective shield of sorts. They isolate an application from the host computer as well as other containers. This helps to inhibit any vulnerabilities as well as any malicious use of the software.


By default, containers rely on the configuration specified in security profiles, combined with security-related policies that help isolate the processes of an application from both the operating system and the host. The container's default security controls ensure that your application runs in a secure environment at all times.


Containers are also capable of acting as gatekeepers for your applications. They use role-based access controls at a granular level and employ read-only environments to inhibit unauthorized access by resources or people. As can be imagined, containers go by the principle of least privilege. This forms a critical part of the zero-trust model of security that drives cybersecurity worldwide. Once within a container, the attack surface area of your application is significantly reduced.


Prioritize Patch Management

The best way to ensure that you know whether or not your applications are safe and secure is to run a check on the application(s) you execute. Docker's container platforms scan your container images against vulnerability databases. These scans give users added insight and visibility into the security status of your applications during each stage of production.


Also, as images are scanned and cleaned, users can rapidly and automatically promote valid containers onward to the next phase of development and finally towards production.


Automating this process makes sure that all vulnerabilities are identified in the early stages of the process itself, and that patches are applied continuously as and when vulnerabilities are noticed.


According to WhiteSource's open source vulnerability management report, one of the main reasons security fails is that companies fail to address security issues and take far longer than they should to apply security patches. Apart from that, there is an absence of standard practices and developer-focused tools, which results in wasted resources.


Container platforms enable quick and secure patching and allow users to squash any security breaches that may arise, thereby complying with regulations without having to hinder the development process.


Stay Abreast of New Standards

Standards bodies like NIST, the National Institute of Standards and Technology, assist companies in addressing security challenges and adhering to industry regulations based on accepted standard guidelines that help maintain robust security practices.


Standards such as these help organizations understand the best way to identify gaps between globally accepted standards and the security-related status of their applications.


A strategy around containerization helps organizations close these gaps and clear the differences between your applications and the globally accepted security guidelines that apply to your organization.


Containerization strategies assist you in closing the gaps between the security guidelines and your applications. This assists in making use of your container format efficiently and ensuring that you are in full control of your applications at all times.


Costs associated with compliance enforcement can be reduced by ensuring that your application resides in a container that is in line with a swath of commonly recognized standards like the NIST 800-53 and NIST's new Open Security Controls Assessment Language (OSCAL) standard.


Use Security Tools to Check Your Code

A vast number of open source and commercial tools have been developed over the past few years that help solve the problem of locating vulnerabilities in open source components. Each of these tools or services attempts to solve this problem a little differently from the others:


  1. NPM Audit – Formerly known as NSP (Node Security Project), npm audit is built into the latest version of npm. NPM Audit checks for vulnerabilities in the node module packages. Audit also generates a report and suggests guidelines for fixing the security issues.


  2. Dependency-check – Dependency-check supports JavaScript, Java, .NET as well as Ruby. It pulls its vulnerability information from the NIST NVD.


  3. Gemnasium – Gemnasium supports Ruby, NPM, PHP, Python, and Bower.


  4. Bundler-audit – Bundler-audit is an open source command line tool. It checks dependencies managed by Ruby Bundler.

  5. RetireJS – An open source dependency checker specific to JavaScript, RetireJS' USP is its ease of use and high efficiency. It contains multiple components, including a command line scanner as well as plugins for Chrome, Firefox, Grunt, Gulp, ZAP and Burp.

  6. OSSIndex – OSSIndex is a tool that supports several different technologies. It adequately covers the JavaScript, .NET/C# and Java ecosystems. It also provides a vulnerability API for free.

  7. SRC:CLR – SourceClear comes with a load of plugins for several IDEs, deployment systems and source repositories, as well as a command-line interface.

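
The npm audit entry above, together with the continuous scan-and-patch automation described under Prioritize Patch Management, as an added example that is not from the original article: a small Node.js gate that reads the JSON report npm audit emits and fails a CI step when a finding meets a chosen severity. It assumes the npm 7+ report shape (auditReportVersion 2); the package names and advisory in the embedded sample are constructed.

```javascript
// Added example, not from the original article: a CI gate over the JSON report
// that `npm audit --json` prints (npm 7+, "auditReportVersion": 2).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the npm 7+ report shape; package names and the advisory
// are invented. In CI, the parsed `npm audit --json` output replaces this object.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: true, range: '<2.0.0',
      via: [{ title: 'Prototype pollution (constructed)', url: 'https://example.invalid/adv/1' }],
      fixAvailable: { name: 'example-parser', version: '2.0.1', isSemVerMajor: true },
    },
    'tiny-helper': {
      name: 'tiny-helper', severity: 'low', isDirect: false, range: '*',
      via: ['example-parser'], // exposed only through example-parser
      fixAvailable: false,
    },
  },
};

// npm reports fixAvailable as an object (upgrade target), true, or false.
function describeFix(fix) {
  if (fix && typeof fix === 'object') return `upgrade to ${fix.name}@${fix.version}`;
  return fix ? 'fixable with npm audit fix' : 'no fix available';
}

// Findings at or above `threshold`, most severe first. `via` holds advisory
// objects for a root cause and package-name strings for transitive exposure.
function findingsAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity])
    .map((v) => {
      const root = v.via.find((x) => typeof x === 'object');
      return {
        name: v.name, severity: v.severity, direct: Boolean(v.isDirect),
        advisory: root ? root.title : `via ${v.via.join(', ')}`,
        fix: describeFix(v.fixAvailable),
      };
    });
}

// Exit status for a CI step: 1 when the gate fails, 0 otherwise.
function gateExitCode(report, threshold) {
  return findingsAtOrAbove(report, threshold).length > 0 ? 1 : 0;
}
```

In a pipeline, pipe `npm audit --json` into a script that calls `process.exitCode = gateExitCode(JSON.parse(input), 'high')` so the build stops on high or critical findings while low-severity transitive issues are only reported.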

Stick with a Multi-layer Security Approach

Some third-party vendors within the container ecosystem offer plugins and integrations that provide additional layers of security, capabilities and features for containers. These ecosystem integrations can easily become part of your existing security strategy by extending your security policies to applications, since the integrations help you comply with required procedures.


For example, an integration specifically for enforcing runtime security policies can help inhibit unwanted container behavior and provide container firewalling to help mitigate inter-container attacks. It can also be used to confirm the validity of a container image and ensure its compliance with the best practices of the company in question.


The Docker ecosystem includes security vendors, each of which can provide strategic defensive layers to prevent malicious attacks that might be forthcoming.


Container Platforms Can Also Help Advance Security

Container platforms allow users to secure their applications, develop them in a safe environment and check and verify their integrity at every stage of the development process. By making use of the advantages of the container platform and its inherent integrated security features, users can accelerate time to market by identifying and patching vulnerabilities as they are unearthed without hindering the development process in any way.


Translated from: https://www.sitepoint.com/does-your-app-include-open-source-components-5-security-tips/
