SQL Server security considerations with open source tools

As our company has grown, we’ve recently added developers to our team who want to use open source tools (open source languages and libraries). In the past, we built and used our own custom libraries, but our new developers prefer to use open source libraries or add new languages that require new libraries. We’re concerned that the use of open source libraries may not be secure and may introduce new inputs and outputs in our system that we don’t fully understand. What should we consider when we think about allowing open source software, tools or languages in our environment from the standpoint of security?

Overview

While we can use open source libraries to help us build software faster, depending on our situation, the libraries may introduce unintended effects to our applications. We’ll first look at some of the advantages of open source software and evaluate some of its drawbacks in the context of security. Since different companies have different levels of scrutiny regarding security, or in some cases, different applications require different levels of scrutiny, open source may offer us a useful tool. We may also want to avoid open source tools completely.

Advantages

We will obtain many benefits from using open source software tools and the three greatest advantages for companies where these tools apply are:

  1. Open source languages and (or) libraries can increase the speed of delivery for our software by reducing the time it takes to develop tools. If a tool solves a problem that we face and it takes significant time to develop, these tools can save us the development time.
  2. Open source languages and (or) libraries may be used frequently, which means that questions involving these tools are common and already have answers. While this can be a major advantage in some situations, it can also be a major problem. What if the person asking the question is a hacker trying to compromise something? For example, the person behind a question such as “I’ve lost access to” or “someone compromised us and we need” could be a different actor than the one implied by the question.
  3. Open source languages and (or) libraries can help us find technical talent easier, as we may be using tools which require talent that we struggle to find. In the case of some languages that have robust security, it can be very difficult to find people who know these languages in addition to knowing how to secure their applications.
  4. If open source languages and (or) libraries are heavily scrutinized from a security standpoint and we have evidence that this is the case (not assumed), these may be more robust than closed source tools as each line of code that is changed is scrutinized. Provided that we also contribute to the tool while also ensuring the community surrounding it watches security carefully, we can increase the probability of preventing security problems. This point becomes a weakness if we assume this is true for the language and (or) library without evidence.

Even when we’re considering security, we should not overlook the advantages of open source tools, as these advantages can help us in some areas. As we see in the below image, in many environments we may be able to demarcate the applications which require strict security from applications which may not carry such strict rules. Consider a data environment where we have PII data, which must have strict rules, alongside data from public sources. We could keep and analyze the public data in open source tools, while keeping our PII data separate in a more secure layer, with a queue layer that delays communication between the secure and application layers (see below image). This means that we can use open source tooling in less strict environments (the “application layer” in the below image) if security is a concern, or we can architect our environment in a manner that allows us to use open source tooling anywhere – such as refraining from storing data that could compromise our environment.

Disadvantages

In the advantages of open source, I did not include the “many eyes” argument that we often hear, because it is usually offered without evidence, and there’s a reason why. While I agree with some people that open source tools can come with many people scrutinizing the tool, this is often only true for a small set of the overall open source universe. There’s also a danger in this argument which social psychologists call the diffusion of responsibility (see below image) – “I don’t need to worry about the security of this library because other people are looking at it.” How do we actually know this?

This problem compounds when we see a proliferation of new open source tools, as attention to each tool begins to thin, increasing the probability that a flawed design is checked-in to the tool. As one security expert once warned me, “Hackers rely on developers using tools they don’t fully understand.” If a developer can only explain what the library does, that’s not enough. Where are the possible security holes in the library?

Another drawback to open source tools is that they add new inputs and outputs in our system (communication) among actors (applications, databases, tools, etc.) that we may not fully understand or monitor, especially if we don’t thoroughly test them. For example, suppose that we use a tool that needs to be updated from time to time and has a bug unless it is updated. To update software means we have to add something to our system – an input into our system. This drawback increases if we assume that others are carefully evaluating the library when they are not. Tools as simple as browsers have experienced zero-day compromises, so even simpler software that we assume is safe can come with dangers.

How to address the disadvantages

First, security concerns do not apply to every company equally, as we’re seeing a growing number of companies opting out of storing data that require complex security. This doesn’t mean that these companies can do anything they want, but it does mean they have more flexibility when they’re considering how they want to design their applications. As we continue to see security compromises, these companies will continue to have a competitive edge.

Second, we should recognize when we’re faced with the diffusion of responsibility regarding an open source tool – when people assume someone else is measuring the security of the tool. Some of the patterns with open source tools are:

  • Developers emphasize the convenience of the tool, but not the security. A great example of this is an about page explaining the tool, but with no discussion about security.
  • We get no answers or deferred answers about security when we ask about the security of the open source tool. A great example of this is when we ask about security and we get the reply, “Other developers are looking at that” but no names are mentioned and we have no reference points for who these developers are.
  • We cannot answer how to keep the communication (inputs and outputs) of the language or tools safe or monitored. If a tool will need to be updated from time to time, how will we ensure that the update doesn’t install code that could compromise our system? Will we always allow the application to update whenever it needs to?
  • The open source language and (or) library is very new and hasn’t been challenged. Anything new should be thoroughly tested in development before ever considering it in a higher environment (this also includes non-open source languages and libraries).
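The third pattern above asks how we make sure an update does not install code we never reviewed. One defensive control is to treat every update as an input and accept it only when its name and digest match a manifest the team pinned at review time. The following is an added example, not code from the original article or from any project it mentions; the artifact bytes, the manifest and the `examplelib` name are constructed stand-ins for a reviewed release.

```python
import hashlib
import hmac

# Constructed sample: the bytes of a release the team reviewed and approved.
# A real manifest would hold the digest of the published artifact instead.
APPROVED_ARTIFACT = b"examplelib release 1.4.2 (constructed sample contents)\n"


def record_approval(filename: str, content: bytes, manifest: dict) -> str:
    """Pin the SHA-256 of a reviewed artifact under its file name.
    Called once, after a human has actually read the change."""
    digest = hashlib.sha256(content).hexdigest()
    manifest[filename] = digest
    return digest


def verify_update(filename: str, content: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). The update is accepted only if the file name is in the
    pinned manifest and its SHA-256 matches; anything unknown or altered is held
    for review rather than installed."""
    pinned = manifest.get(filename)
    if pinned is None:
        return False, f"{filename}: not in the approved manifest; hold for review"
    actual = hashlib.sha256(content).hexdigest()
    # compare_digest avoids leaking how many leading characters matched
    if not hmac.compare_digest(actual, pinned):
        return False, f"{filename}: digest {actual[:12]} does not match pinned {pinned[:12]}"
    return True, f"{filename}: digest matches the pinned value"


# Hypothetical manifest, populated from the constructed sample above.
PINNED_MANIFEST: dict = {}
record_approval("examplelib-1.4.2.tar.gz", APPROVED_ARTIFACT, PINNED_MANIFEST)

if __name__ == "__main__":
    # A re-downloaded copy of the approved release passes.
    print(verify_update("examplelib-1.4.2.tar.gz", APPROVED_ARTIFACT, PINNED_MANIFEST))
    # A copy with even one altered byte is refused.
    print(verify_update("examplelib-1.4.2.tar.gz", APPROVED_ARTIFACT + b"x", PINNED_MANIFEST))
    # A newer version nobody has reviewed yet is held, not installed.
    print(verify_update("examplelib-1.5.0.tar.gz", b"unreviewed", PINNED_MANIFEST))
```

The point of the manifest is that the pin is written by a person after review, so an update that arrives on its own schedule (the automatic update the article asks about) cannot change what runs until someone has looked at it.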

Once we know who’s evaluating the tool from an open source perspective, we can query the developers about our concerns with security and our intended use. In addition to their answers, we can also check this information for ourselves. In a similar manner, if we’re reading about an open source tool, we should start with security, then look at what it offers. If we’re not comfortable with the security, we should avoid it, regardless of its convenience.

To prevent watering hole hacks, never publicly discuss outside appropriate sources what open source libraries you use, and when contacting the developers behind an open source library, do not contact them with any affiliation to a company. While watering hole attacks are generally associated with websites, they may also be used with open source tools, where hackers identify popular tools and try to compromise them. Never forget that a hacker can create or contribute to an open source project with the intent of compromising the people who use the tool.

Third, when we have applications whose communication involves secure information and data, we should design them in a manner that allows us to be strict in our validation of the communication. An example of this would be a request for a customer’s PII data which is placed into a queue; the queue delays the information from being sent for a period while the request is validated (again) and the data are then sent securely. The faster we can get our own data, the faster a hacker can. If we delay requests for high priority data, the hacker has another obstacle too.
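The delayed queue described above, as an added example that is not part of the original article: each PII request is checked when submitted, held for a fixed period, and checked a second time before release, with a cap on how many records one requester can pull per window. The `authz` mapping, the requester names, the customer ids and the timings are all constructed for the demonstration; in a real system the authorization lookup would call whatever service owns that decision.

```python
from dataclasses import dataclass


@dataclass
class PiiRequest:
    requester: str
    customer_id: str
    submitted_at: float  # seconds; supplied by the caller so the example is deterministic


class DelayedPiiQueue:
    """Holds each PII request for hold_seconds, validates it on submission and
    again on release, and limits releases per requester per window."""

    def __init__(self, authz: dict, hold_seconds: float, max_per_window: int, window_seconds: float):
        self.authz = authz              # requester -> set of customer_ids they may read (hypothetical)
        self.hold_seconds = hold_seconds
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.pending = []               # requests still inside their hold period
        self.released = {}              # requester -> timestamps of recent releases

    def _authorized(self, req: PiiRequest) -> bool:
        return req.customer_id in self.authz.get(req.requester, set())

    def submit(self, req: PiiRequest) -> str:
        # First validation: an unauthorized request never enters the queue.
        if not self._authorized(req):
            return "rejected: requester not authorized for this customer"
        self.pending.append(req)
        return "queued"

    def _within_rate(self, requester: str, now: float) -> bool:
        recent = [t for t in self.released.get(requester, []) if now - t < self.window_seconds]
        self.released[requester] = recent
        return len(recent) < self.max_per_window

    def release_ready(self, now: float) -> list:
        """Re-validate every request whose hold has expired and decide each one."""
        ready, held = [], []
        for req in self.pending:
            (ready if now - req.submitted_at >= self.hold_seconds else held).append(req)
        self.pending = held
        decisions = []
        for req in ready:
            # Second validation: authorization may have been revoked during the hold.
            if not self._authorized(req):
                decisions.append((req, "denied: authorization revoked during hold"))
            # A burst of requests from one requester is the pattern the delay exists to slow down.
            elif not self._within_rate(req.requester, now):
                decisions.append((req, "denied: too many releases in window"))
            else:
                self.released.setdefault(req.requester, []).append(now)
                decisions.append((req, "released"))
        return decisions


def run_scenario() -> dict:
    """Constructed walk-through: one requester submits four records, loses access
    to one while they are held, and hits the per-window cap on the last."""
    authz = {"alice": {"c1", "c2", "c3", "c4"}, "bob": {"c9"}}
    queue = DelayedPiiQueue(authz, hold_seconds=30.0, max_per_window=2, window_seconds=60.0)
    results = {"bob_c1": queue.submit(PiiRequest("bob", "c1", 0.0))}
    for cid in ("c1", "c2", "c3", "c4"):
        queue.submit(PiiRequest("alice", cid, 0.0))
    authz["alice"].discard("c2")             # simulate revocation during the hold
    results["at_15s"] = queue.release_ready(15.0)   # nothing has finished its hold yet
    for req, decision in queue.release_ready(30.0):
        results[f"alice_{req.customer_id}"] = decision
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The second check is the one that matters: a request that was legitimate when it entered the queue is refused if the requester’s access disappeared during the hold, and the per-window cap means that whoever holds a stolen credential still cannot drain records faster than the policy allows.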

Fourth, if we are using an open source tool in a situation where we handle any type of client or third-party private or personal data, we should inform these individuals with the context, such as “we use open source tools for our front-end reports” or “we use open source tools for our back-end, which stores your private data.”

Translated from: https://www.sqlshack.com/sql-server-security-considerations-with-open-source-tools/