Open-source code security scanning tools: A simple introduction to transitioning into cybersecurity using open source tools


It's February 2020 and already I have seen multiple articles predicting the massive doomsday heading our way due to the lack of people in information security. Is some of it scaremongering? Probably. But the reality is that most industries are moving towards tech, and with tech come cyber threats. So traditional IT departments are having to adapt and start putting cybersecurity at the forefront. It is no longer going to be as easy to hire contractors to look after your security, as the IR35 changes are due to come into effect in April 2020 (even though the rules have been around since 2000). So what does this mean for IT departments? For some it means recruiting for talent, internally or on the current market, and that could be made harder by the upcoming changes to the UK immigration system stemming from Brexit. For those looking to get into the industry, however, this presents the opportunity to join a field with great demand.

So let's make the assumption you're in tech already and want to change streams to cyber. Where do you begin?

There are so many roles in cybersecurity that knowing where your interests lie is a good start. A good way to figure this out is to start consuming cyber content, whether podcasts, books, YouTube or even reading on Medium. What do you find interesting? If you are coming from a data science background and love data, well, cybersecurity 🤝 data science = two peas in a pod. In this life you have to love what you do, and when you love what you do it doesn't feel like work, right? The more you enjoy what you do, the more curious you become and the more you go the extra mile. In cybersecurity an appetite for knowledge is needed, and it can be what separates candidates who graduated from the same institute with the same grade.

Let's start with some tools you need ⚒️

Virtual machines will be your best friend. Not only are they a cheaper and more environmentally friendly option than building a physical lab, they let you replicate scenarios (to an extent determined by how powerful your home machine is), and for those not comfortable on the command line they are an opportunity to get to grips with it.

VirtualBox is the most common open-source virtualisation tool used to deploy VMs. A common practice is to deploy a vulnerable machine (say a mail server with a known vulnerability), then deploy another VM with Kali Linux or Parrot OS, set up the network settings so the two can communicate, and then work on exploiting the vulnerability. Put both VMs on an internal or host-only network rather than a bridged one: the vulnerable box is vulnerable by design, and it should be reachable from your attacking VM, not from the rest of your home network or the internet.

What operating systems should I try out?

Kali is the most commonly recommended operating system for cybersecurity, especially if you are into penetration testing. However, Kali is also a Swiss army knife with many tools, so for a first-time user it can be daunting, confusing and too much to handle. So how do you get to grips with it?

Practice makes perfect!

Okay, let's assume you are a DBA who has been working with databases for a substantial amount of time but now wants to switch sides and join us in infosec. You know databases but have never used Kali, so the best way to learn it is to build a VM with MongoDB and install a version you know has a vulnerability. The standard for identifying vulnerabilities in cybersecurity is the Common Vulnerabilities and Exposures (CVE) list. At the time of writing, searching for MongoDB returns 36 CVEs, all of which have since been patched in current releases. However, if you download and install on a VM a MongoDB version that has not been patched for CVE-2015-7882, where improper handling of LDAP authentication in versions 3.0.0 to 3.0.6 allowed an unauthenticated client to gain unauthorised access, you can then practise using tools like Metasploit or other database attack tools. (Note that this bug is in the LDAP authentication path, so the lab server has to be configured for LDAP authentication before there is anything to exploit.) The principle behind this method is to get you using some of the tool kits in Kali, switching databases and tools and learning the basics of penetration testing. People often say attack is the best form of defence, and this applies especially in cybersecurity: you can't defend something if you don't know how it gets attacked, right?

But cybersecurity is more than just penetration testing, believe it or not!

And here comes one of my favourite VMs. It's a full security suite that can be used to bolster your home defences, and a great way to start using your own data as a means to learn. Introducing Security Onion!

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools.

A lot of tools were mentioned here, so let's break them down:

  • ELK Stack — The Elastic stack consists of Elasticsearch, Logstash and Kibana. Like Voltron, they combine to form the core of a SIEM: Logstash ingests and parses logs into structured fields, Elasticsearch indexes and stores them, and Kibana displays them for search and analysis.

[Image: the Elastic stack, courtesy of Elastic]
  • SNORT — is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS). Created by Martin Roesch in 1998, it is capable of real-time traffic analysis and packet logging.

So how does SNORT work?

Let's use CVE-2017-0144, the Windows SMB remote code execution vulnerability otherwise known as EternalBlue, as an example; it was a catalyst in the WannaCry epidemic of 2017. Snort lets you write rules for your network that alert on exploit attempts against this vulnerability, and block them when Snort runs inline as an IPS (in a passive IDS deployment such as Security Onion's it alerts only). The malware also gave itself away elsewhere: WannaCry was known to check whether a particular hard-coded domain was live before spreading (the so-called kill switch, which a researcher later registered and turned into a sinkhole). Because that lookup was a known indicator, any machine on your network displaying this behaviour would most likely be compromised, so a rule to detect and block it is a sound defensive strategy. Data scientists will enjoy working with Snort rules and the data they generate; combined with Kibana you can build graphs and incorporate machine learning to predict and analyse trends.

[Image: Snort alerts via Kibana, courtesy of sýnesis™]
  • BRO — It's now called Zeek, but not many people know that. Bro is a network analysis framework that is quite different from a typical signature-based IDS: rather than matching packets against rules, it turns traffic into detailed protocol logs (connections, DNS, HTTP, SSL and so on) that you can search and script against.

  • Wazuh — is an open-source and enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance.

    Wazuh —是一种开源的企业级安全监视解决方案,用于威胁检测,完整性监视,事件响应和合规性。

  • Sguil — (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event-driven analysis.

    Sguil (发音为sgweel)是由网络安全分析师为网络安全分析师构建的。 Sguil的主要组件是直观的GUI,可提供对实时事件,会话数据和原始数据包捕获的访问。 Sguil促进了网络安全监控和事件驱动分析的实践。

  • Squert — is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.

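
To make the Snort section above concrete, here is an added example (written for this page, not code from the article, Snort or Security Onion) that walks the WannaCry kill-switch indicator through the pipeline the tools in this list describe: it encodes the domain the way it appears in a DNS query, renders it as a Snort `content` option, performs the byte match Snort would perform on a constructed query packet, emits an alert line in Snort's alert_fast format, and then parses that line into the flat document Logstash would hand to Elasticsearch for Kibana to chart. The rule text, the sid 1000001, the packet bytes, timestamps and addresses are assumptions for the illustration; only the domain is the real WannaCry indicator.

```python
"""Added example for this page (not code from the article, Snort or
Security Onion): a Snort content match on WannaCry's kill-switch DNS
lookup, the alert it raises, and the parsing step Logstash performs."""
import re
import struct

# The real indicator: WannaCry's hard-coded kill-switch domain.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SID = 1000001  # assumed local rule id (local rules use 1000000 and up)
MSG = "WannaCry kill-switch domain lookup"


def dns_wire_name(domain):
    """A hostname as it appears in a DNS question section: each label is
    prefixed by its length and the name ends with a zero byte."""
    out = b""
    for label in domain.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def snort_content(domain):
    """The same bytes written as a Snort content option: the length bytes
    are not printable, so they go inside |hex| pipes."""
    labels = domain.rstrip(".").split(".")
    return '"%s|00|"' % "".join("|%02X|%s" % (len(lab), lab) for lab in labels)


def build_rule(domain, sid=SID):
    """Illustrative rule in Snort syntax (an assumption, not a published rule)."""
    return ('alert udp $HOME_NET any -> any 53 (msg:"%s"; content:%s; nocase; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (MSG, snort_content(domain), sid))


def build_dns_query(domain, txid=0x1234):
    """Constructed sample packet: the UDP payload of a standard A query
    (header with one question, recursion desired; no IP/UDP headers)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack(">HH", 1, 1)


def content_matches(domain, payload):
    """What 'content' plus 'nocase' does: a case-insensitive byte search."""
    return dns_wire_name(domain).lower() in payload.lower()


def alert_fast(when, src, dst, sid=SID):
    """The alert as Snort writes it in alert_fast format, which is the line
    Logstash reads from the sensor's alert log."""
    return ("%s  [**] [1:%d:1] %s [**] [Classification: A Network Trojan was "
            "detected] [Priority: 1] {UDP} %s -> %s" % (when, sid, MSG, src, dst))


# Hand-written equivalent of a Logstash grok pattern for alert_fast lines.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] (?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_alert(line):
    """One alert line to a flat document Elasticsearch can index and Kibana
    can chart by sid, source or destination. Returns None on a non-matching line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    doc = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        doc[key] = int(doc[key])
    return doc


def inspect(payload, src, dst, when):
    """Run the rule over one packet payload and return the parsed alert
    document, or None when the rule does not fire."""
    if not content_matches(KILL_SWITCH_DOMAIN, payload):
        return None
    return parse_alert(alert_fast(when, src, dst))


if __name__ == "__main__":
    print(build_rule(KILL_SWITCH_DOMAIN))
    pkt = build_dns_query(KILL_SWITCH_DOMAIN)
    print(inspect(pkt, "10.0.0.5:51000", "8.8.8.8:53", "02/10-08:00:01.123456"))
```

The encoding step is the part newcomers trip over: a rule with content:"example.com" never fires on a DNS query, because the dots are not on the wire; each label is prefixed by its length byte instead, which is why the rule above spells the name out with |hex| pipes. In Security Onion the resulting alert_fast line is what Logstash picks up from the sensor, and the parsed fields (sid, src, dst, priority) are the ones you end up grouping and charting in Kibana.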
From afar it may look daunting to see all these tools and think "I don't know what I'm doing", but being in control of your environment, looking at tutorials and working towards tasks and vulnerabilities is a great way to learn. Whenever I carried out any activity on Kali, I always made sure I was monitoring the session, then went back and tried to replay it via the logs. Viewing what happened in each analysis tool helps me in my day-to-day job to recognise and remember behaviour I have seen before.

Windows event logs are a great example of this in practice. What happens when a user logs in? Which events are recorded for a login via an LDAP server or a VPN? Being able to see successful logins and compare them with the failed attempts a system records helps shape your understanding of infrastructure environments.
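
As an added example (not from the article), here is the logon-event replay described above, done over constructed records in the XML shape that Windows exposes through Get-WinEvent and .ToXml(). In the Security log, event ID 4624 is a successful logon and 4625 a failed one, and the LogonType field says how the user came in (2 interactive at the console, 3 over the network, 10 via Remote Desktop). The user names, IPs and timestamps are invented, and the detection rule (a success preceded by several failures from the same source), its threshold and its window are my choices for the illustration, not a Windows feature.

```python
"""Added example for this page (not code from the article): replaying
Windows logon events (4624 success, 4625 failure) from constructed records
and flagging a success that follows a burst of failures."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# LogonType values from the Security log, as Windows documents them.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}


def make_event(event_id, when, **data):
    """Constructed record in the XML shape Get-WinEvent returns from .ToXml()
    (only the fields this example reads; real events carry many more)."""
    fields = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID>'
            '<TimeCreated SystemTime="%s"/></System><EventData>%s</EventData></Event>'
            % (NS["e"], event_id, when.strftime("%Y-%m-%dT%H:%M:%S.000000Z"), fields))


def parse_event(xml_text):
    """Flatten one event: EventID, timestamp and every EventData field by name."""
    root = ET.fromstring(xml_text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
           "Time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")}
    for d in root.iterfind("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    return rec


def describe(rec):
    """The one-line view an analyst wants: when, outcome, who, from where, how."""
    outcome = {4624: "logon OK", 4625: "logon FAILED"}.get(rec["EventID"], "event %d" % rec["EventID"])
    ltype = LOGON_TYPES.get(int(rec.get("LogonType", -1)), "type %s" % rec.get("LogonType"))
    return "%s %s %s\\%s from %s (%s)" % (
        rec["Time"].strftime("%H:%M:%S"), outcome, rec.get("TargetDomainName", "?"),
        rec.get("TargetUserName", "?"), rec.get("IpAddress", "-"), ltype)


def success_after_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Flag a 4624 preceded within `window` by at least `threshold` 4625s for the
    same account from the same source IP: the shape of a password-guessing run
    that eventually worked. Threshold and window are assumptions to tune."""
    failures = defaultdict(list)  # (user, ip) -> times of recent failures
    hits = []
    for rec in sorted(records, key=lambda r: r["Time"]):
        key = (rec.get("TargetUserName", "").lower(), rec.get("IpAddress", "-"))
        if rec["EventID"] == 4625:
            failures[key].append(rec["Time"])
        elif rec["EventID"] == 4624:
            recent = [t for t in failures[key] if rec["Time"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"user": key[0], "ip": key[1], "failures": len(recent),
                             "logon_type": LOGON_TYPES.get(int(rec.get("LogonType", -1))),
                             "time": rec["Time"]})
            failures[key].clear()
    return hits


def sample_records():
    """Constructed sample: four wrong passwords then a success for alice over
    Remote Desktop from 10.0.0.5, and an unrelated console logon by bob."""
    t0 = datetime(2020, 2, 10, 8, 0, 0)
    xml = [make_event(4625, t0 + timedelta(minutes=i), TargetUserName="alice",
                      TargetDomainName="LAB", LogonType=10, IpAddress="10.0.0.5",
                      Status="0xC000006D", SubStatus="0xC000006A") for i in range(4)]
    xml.append(make_event(4624, t0 + timedelta(minutes=4), TargetUserName="alice",
                          TargetDomainName="LAB", LogonType=10, IpAddress="10.0.0.5",
                          LogonProcessName="User32", AuthenticationPackageName="Negotiate"))
    xml.append(make_event(4624, t0 + timedelta(minutes=6), TargetUserName="bob",
                          TargetDomainName="LAB", LogonType=2, IpAddress="127.0.0.1",
                          LogonProcessName="User32", AuthenticationPackageName="Negotiate"))
    return [parse_event(x) for x in xml]


if __name__ == "__main__":
    recs = sample_records()
    for r in recs:
        print(describe(r))
    for hit in success_after_failures(recs):
        print("ALERT: %(failures)d failures then success for %(user)s from %(ip)s (%(logon_type)s)" % hit)
```

On a real host you would feed parse_event() the XML of each record returned by Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}; the Status and SubStatus values on the constructed 4625s (0xC000006D, 0xC000006A) are the codes Windows uses for a bad user name or password and for a wrong password specifically, which is the first thing to look at when deciding whether a burst of failures is a typo or a guessing run.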

Recommended buy!

I keep this book close by always, especially if the command line is not your strong point or you're working in the Windows CMD and need a refresher on common commands. Definitely worth the £4.94! You can buy it here!

I want to learn how to pen test, but don't have time to build an environment?

Learning at home is key to growth in many fields, but in cybersecurity it is also key to discovering new talents and specialisations. Not everyone has the time or resources to set up a home lab, and that's where platforms like Hack The Box come in. Founded by Haris Pylarinos, Hack The Box offers an online platform to test and advance penetration-testing skills. With the material always changing, you can find YouTube videos of how someone hacked into a retired system. You can only find videos of retired systems, by the way: this ensures everyone has a fair shot at the live systems and can rank on the leaderboard. And here is the fun part: to get an account, you have to hack your way in.

[Image: courtesy of HTB]

If you're getting into cybersecurity and realising there's a lot to learn, a good way to remember it is to start writing it up. Learned how to install a new GoPhish phishing server? Write a blog post about it. Someone else is bound to come across the issues you faced, and your narrative might even be better than the documentation, as I often find. I will always look to Medium to understand a new tool, as often someone has written about alternatives I might not have considered, or recommended excellent content to aid learning.

Further Reading:

Translated from: https://towardsdatascience.com/a-simple-introduction-to-transitioning-into-cybersecurity-using-open-source-tools-c44c7c2570ca
