Your Attackers Won't Be Happy! How GitLab Can Help You Secure Your Cloud-Native Applications

In the cloud-native ecosystem, decisions and changes are made at a rapid pace. Applications get adapted and deployed multiple times a week or even a day. Microservices are developed in a decentralized way, with different people and teams involved. In such an environment, it is crucial to ensure that applications are developed and operated safely. This can be done by shifting security left into the developer lifecycle, but also by using DevSecOps to empower operations with enhanced monitoring and protection for the application runtime.


In this article, I would like to show you how GitLab can help you streamline your application security from a code and operations point of view by providing you with real-world examples. Before we deep dive into the example, let me first introduce you to the GitLab Secure and GitLab Defend product portfolio which are the foundation for this. GitLab Secure helps developers to enable accurate, automated, and continuous assessment of their applications by proactively identifying vulnerabilities and weaknesses and therefore minimizing security risk. GitLab Defend, on the other hand, supports operations by proactively protecting environments and cloud-native applications by providing context-aware technologies to reduce overall security risk. Both are backed by leading open-source projects that have been fully integrated into developer and operation processes and the GitLab user interface (UI).


The attack

Let’s assume we have an application hosting a web interface that allows a user to provide some input. The application is written in Golang and executes the input as part of an external operating system command (os/exec). The application does not contain any validation or security features to validate the input, which allows us to inject additional commands that are also executed in the application environment.


The application is running as containerized microservices in a Kubernetes cluster. The Kubernetes cluster is shared across multiple teams and projects, which allows us to inject and read data in another application running next to ours. In our example, we will connect to an unsecured Redis instance in a different namespace and read/write data.


Now let us take a closer look at how GitLab can help us detect the attack, prevent its execution, and finally help us find and fix the root cause in our code.


Container Host Security

Container Host Security helps us to detect an attack in real-time by monitoring the pod for any unusual activity. It can then alert operations with detailed information on the attack itself.


Container Host Security is powered by Falco, an open-source runtime security tool that listens to the Linux kernel using eBPF. Falco parses system calls and evaluates the resulting event stream against a configurable rules engine in real-time. The Falco deployment used by Container Host Security can be deployed and fully managed using GitLab Managed Apps.


In our example, Falco detects the injected redis-cli command, which is used to read/write data into the unsecured Redis instance.
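To make the detection step concrete, here is an added example (not code from the article, GitLab or the Falco project) that applies two Falco-style conditions to a constructed stream of process-spawn events: a shell being launched by the application process, and a network or data-store client such as redis-cli being launched inside a container. The event fields, the rule names and the list of client binaries are this example's own assumptions; Falco expresses the same ideas in its YAML rule language over the real execve stream.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// ProcEvent is a constructed, simplified view of the process-spawn
// events a kernel-level sensor such as Falco derives from execve.
// The field names are this example's own, not Falco's.
type ProcEvent struct {
	ContainerID string // "" for a process running on the host
	Namespace   string // Kubernetes namespace of the pod
	Pod         string
	ParentName  string // name of the parent process
	Exe         string // path of the executable that was spawned
	Args        []string
}

// Alert is what the rule check emits; Msg carries the context an
// operator needs to triage the event.
type Alert struct {
	Rule string
	Pod  string
	Msg  string
}

// Binaries a web-service container should never spawn: data-store
// and generic network clients (assumed list for this example).
var netClients = map[string]bool{
	"redis-cli": true, "mysql": true, "psql": true,
	"nc": true, "ncat": true, "curl": true, "wget": true,
}

// Shells; when spawned by an application process they usually mean a
// command injection or someone exec'ing into the pod.
var shells = map[string]bool{"sh": true, "bash": true, "dash": true, "ash": true}

// Evaluate applies both conditions to one event and returns zero or
// more alerts. Host processes are out of scope for these rules.
func Evaluate(ev ProcEvent) []Alert {
	if ev.ContainerID == "" {
		return nil
	}
	var alerts []Alert
	name := filepath.Base(ev.Exe)
	pod := ev.Namespace + "/" + ev.Pod
	if shells[name] && !shells[ev.ParentName] {
		alerts = append(alerts, Alert{
			Rule: "shell_spawned_by_app",
			Pod:  pod,
			Msg:  fmt.Sprintf("%s launched a shell (%s)", ev.ParentName, ev.Exe),
		})
	}
	if netClients[name] {
		alerts = append(alerts, Alert{
			Rule: "network_client_in_container",
			Pod:  pod,
			Msg:  fmt.Sprintf("%s spawned by %s with args %v", name, ev.ParentName, ev.Args),
		})
	}
	return alerts
}

// Scan runs Evaluate over a whole stream and collects the alerts.
func Scan(events []ProcEvent) []Alert {
	var out []Alert
	for _, ev := range events {
		out = append(out, Evaluate(ev)...)
	}
	return out
}

// SampleStream is a constructed sequence mirroring the scenario above:
// the web app serves a request, a shell appears under it, and redis-cli
// is then pointed at a Redis service in another namespace. The last
// event is a host process and must not trigger anything.
func SampleStream() []ProcEvent {
	return []ProcEvent{
		{ContainerID: "c1", Namespace: "shop", Pod: "web-7d9f", ParentName: "containerd-shim", Exe: "/app/web"},
		{ContainerID: "c1", Namespace: "shop", Pod: "web-7d9f", ParentName: "web", Exe: "/bin/sh", Args: []string{"-c", "<injected command line>"}},
		{ContainerID: "c1", Namespace: "shop", Pod: "web-7d9f", ParentName: "sh", Exe: "/usr/bin/redis-cli", Args: []string{"-h", "redis.billing.svc", "SET", "k", "v"}},
		{ContainerID: "", ParentName: "sshd", Exe: "/usr/bin/redis-cli"},
	}
}

func main() {
	for _, a := range Scan(SampleStream()) {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Pod, a.Msg)
	}
}
```

The useful property to take from this is that the sensor sees the spawn of redis-cli regardless of how the input reached the application, which is why runtime detection complements, rather than replaces, the input validation fixed later in the article.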



Falco can now alert operations, who can use those valuable insights to define and execute further steps.


Container Network Security

A first step to prevent access to the unsecured Redis instance is to restrict traffic between the applications in our Kubernetes cluster. This can be done by using Container Network Security. Container Network Security is again fully managed by GitLab Managed Apps and can also be configured within the GitLab project user interface.


Container Network Security is powered by Cilium, an open-source networking plugin for Kubernetes that can be used to implement support for NetworkPolicy resources. Network Policies can be used to detect and block unauthorized network traffic between pods and to/from the Internet.


Implementing Network Policies for our application will block the underlying network traffic generated by the attack. The policies can be enabled within the GitLab project UI.
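The part of NetworkPolicy semantics that decides whether the injected redis-cli call gets through is easy to get wrong: a pod is default-allow until some egress policy selects it, and from then on only the destinations listed in a selecting policy are reachable. The following added example (not code from the article, GitLab or Cilium) models that evaluation in Go for a constructed policy set in which the web pod may reach only its own database and cluster DNS. The policy and pod structures are deliberately flattened stand-ins for the real NetworkPolicy resource (which uses namespaceSelector labels and policyTypes), so treat the field names as this example's own.

```go
package main

import "fmt"

// Labels is a pod's label set. A selector is itself a Labels value,
// and an empty selector matches every pod, as in Kubernetes.
type Labels map[string]string

type Pod struct {
	Name      string
	Namespace string
	Labels    Labels
}

// EgressRule is a simplified stand-in for one NetworkPolicy egress
// entry: destination namespace ("" = same namespace as the source),
// destination pod labels and port (0 = any).
type EgressRule struct {
	ToNamespace string
	ToLabels    Labels
	Port        int
}

type Policy struct {
	Name        string
	Namespace   string
	PodSelector Labels
	Egress      []EgressRule
}

// selects reports whether every key/value in sel is present in labels.
func selects(sel, labels Labels) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// EgressAllowed applies the rule that matters most in practice: a pod
// is default-allow until at least one egress policy selects it; once
// selected, only destinations listed in a selecting policy are allowed.
func EgressAllowed(policies []Policy, src, dst Pod, port int) (bool, string) {
	selected := false
	for _, p := range policies {
		if p.Namespace != src.Namespace || !selects(p.PodSelector, src.Labels) {
			continue
		}
		selected = true
		for _, r := range p.Egress {
			ns := r.ToNamespace
			if ns == "" {
				ns = src.Namespace
			}
			if ns == dst.Namespace && selects(r.ToLabels, dst.Labels) && (r.Port == 0 || r.Port == port) {
				return true, "allowed by policy " + p.Name
			}
		}
	}
	if !selected {
		return true, "no egress policy selects the source pod (default allow)"
	}
	return false, "source pod is selected by an egress policy and no rule matches"
}

// ShopPolicies is the constructed policy set: the web pod may reach
// its own database and cluster DNS, and nothing else.
func ShopPolicies() []Policy {
	return []Policy{{
		Name: "web-egress", Namespace: "shop", PodSelector: Labels{"app": "web"},
		Egress: []EgressRule{
			{ToLabels: Labels{"app": "db"}, Port: 5432},
			{ToNamespace: "kube-system", ToLabels: Labels{"k8s-app": "kube-dns"}, Port: 53},
		},
	}}
}

// Constructed pods: the vulnerable web app, its database, cluster DNS
// and the unsecured Redis instance owned by another team.
var (
	WebPod   = Pod{Name: "web-7d9f", Namespace: "shop", Labels: Labels{"app": "web"}}
	DBPod    = Pod{Name: "db-0", Namespace: "shop", Labels: Labels{"app": "db"}}
	DNSPod   = Pod{Name: "coredns-x", Namespace: "kube-system", Labels: Labels{"k8s-app": "kube-dns"}}
	RedisPod = Pod{Name: "redis-0", Namespace: "billing", Labels: Labels{"app": "redis"}}
)

func main() {
	for _, f := range []struct {
		dst  Pod
		port int
	}{{DBPod, 5432}, {DNSPod, 53}, {RedisPod, 6379}} {
		ok, why := EgressAllowed(ShopPolicies(), WebPod, f.dst, f.port)
		fmt.Printf("%s -> %s/%s:%d allowed=%v (%s)\n", WebPod.Name, f.dst.Namespace, f.dst.Name, f.port, ok, why)
	}
}
```

Note that the cross-namespace Redis flow is denied only because a policy selects the web pod at all; with an empty policy list the same flow is allowed, which is the state a shared cluster is in before Container Network Security is enabled.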



Web Application Firewall

With Container Network Security in place, our attack isn’t able to talk to the Redis instance anymore, but it is still possible to execute other, network-unrelated attacks through the command injection. The Web Application Firewall (WAF) can now help us to increase security further by detecting and blocking the attack at the Kubernetes Ingress level.


The Web Application Firewall is also powered by open-source software. It is based on the ModSecurity module, a toolkit for real-time web application monitoring, logging, and access control. It is preconfigured to use the OWASP Core Rule Set, which provides generic attack detection capabilities. Like the other integrations, the Web Application Firewall is fully managed by GitLab using GitLab Managed Apps.


In our example, the Web Application Firewall detects the attack and is also able to block it.



Blocking the attack at the Ingress level denies the traffic before it reaches our application. To do so, we can enable the Web Application Firewall blocking mode directly from the GitLab UI.



In addition to Container Host Security, we could also have used the Web Application Firewall to detect the attack via the Threat Monitoring dashboard within our GitLab project.



The Threat Monitoring dashboard also provides us with useful insights and metrics on our enforced Container Network Policy.


Static Application Security Testing

We have now successfully protected our application runtime and ensured that no further attacks can be executed through this path. But we should also find and fix the root cause to ensure that such incidents do not recur in the future. This is where Static Application Security Testing (SAST) can help us. SAST can be easily integrated into our project using GitLab CI/CD and then lets us analyze our source code for known vulnerability patterns.


In our case (a Golang application) the code scanning is executed using the open-source project Golang Security Checker (gosec). The results are displayed in the Security dashboard of our GitLab project for easy access.



In our example, the code scan has identified the root cause and provides us with detailed information about the vulnerability, the line of code that needs to be fixed, and the ability to easily create an issue to track the fix.
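For the root cause itself, described in the attack section and found by the scanner here, this added example (not the article's or GitLab's code, and not the demo application) shows the vulnerable Go pattern next to its hardened form. The handler names, the choice of nslookup as the wrapped command and the hostname allowlist are assumptions made for the example; the point is the two changes any such fix needs: validate the input against an allowlist, and pass it to os/exec as a separate argv element instead of through a shell.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Hypothetical lookup handler modelled on the page's description: user
// input is spliced into a shell command line. This is the vulnerable
// "before" form that a SAST scanner flags (subprocess launched with a
// command string built from input); it is kept only for contrast.
func lookupVulnerable(host string) ([]byte, error) {
	// sh parses the whole string, so shell metacharacters in host
	// become additional commands run with the application's privileges.
	return exec.Command("sh", "-c", "nslookup "+host).CombinedOutput()
}

// ErrBadHost is returned for input that is not a plain DNS name.
var ErrBadHost = errors.New("input is not a valid hostname")

// hostnameRe accepts RFC 1123 style labels joined by dots and nothing
// else: no whitespace, no ';', '|', '$', backticks or quotes.
var hostnameRe = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?` +
		`(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// ValidateHost is the allowlist check the original code lacked.
func ValidateHost(host string) error {
	if len(host) == 0 || len(host) > 253 || !hostnameRe.MatchString(host) {
		return ErrBadHost
	}
	return nil
}

// CommandArgs returns the argument vector for the hardened call, so the
// exact argv can be inspected (and tested) without running anything.
func CommandArgs(host string) ([]string, error) {
	if err := ValidateHost(host); err != nil {
		return nil, err
	}
	return []string{"nslookup", host}, nil
}

// lookupHardened validates the input and passes it as its own argv
// element. No shell is involved, so even if the validation were
// loosened later, the input could never be parsed as a command.
func lookupHardened(host string) ([]byte, error) {
	argv, err := CommandArgs(host)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	for _, in := range []string{"example.com", "example.com; id"} {
		if _, err := CommandArgs(in); err != nil {
			fmt.Printf("%q rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%q accepted\n", in)
	}
}
```

Rejected input never reaches exec.Command, and accepted input is handed to execve as a single argument, so both halves of the fix hold independently: the allowlist is the intended contract, and dropping the shell is the safety net if that contract is ever relaxed.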



Finally, of course, we should also talk to the team running the other application to make sure that their Redis instance gets secured too. We should also verify how the other GitLab Secure features can help to further improve the overall security of the application.


GitLab Defend and Secure in action

If you would like to get more insights on GitLab Secure and Defend and want to see them in action, you are welcome to check out Wayne, Philippe and me in our session “Your Attackers Won’t Be Happy! How GitLab Can Help You Secure Your Cloud-Native Applications!” at GitLab Commit, where you can gain further insights on Container Host Security, Container Network Security, Web Application Firewall (WAF), and Static Application Security Testing (SAST).


Translated from: https://medium.com/01001101/your-attackers-wont-be-happy-how-gitlab-can-help-you-secure-your-cloud-native-applications-267faba5ede2
