Best practices for deploying DongTai at an Internet finance technology enterprise
2022-07-01 19:00:00 【Huoxian Security Platform (火线安全平台)】
DongTai (洞态) has been officially open source for 10 months and is used by more than 200 companies, covering the Internet, automotive, finance and other important industries.
How has DongTai been integrated into the practice of an Internet finance technology enterprise? In this issue we interviewed security architect PK; let's hear what he has to say.
Video link :https://www.bilibili.com/video/BV1LS4y1p7AX?spm_id_from=333.999.0.0
Personal introduction
Hello everyone, I'm pk. I currently work at an Internet finance technology enterprise, where I am responsible for business security and data security.
How we came to DongTai
What are the advantages of pre-launch detection? Which security testing tools are you currently using, and what are their strengths and weaknesses?
Application security, as the core of business security, is currently one of our key areas of work.
Setting up a security checkpoint before going online lets us discover most security risks in a "short, flat and fast" way, and it is also the best practice for landing security testing.
Our company has a relatively complete DevOps pipeline and also uses traditional security testing methods, such as white-box testing (SAST) at the coding stage plus black-box testing (DAST) at the testing stage.
But the common faults of traditional detection methods are likewise unavoidable: for example, the false-positive rate is too high, and findings cannot be precisely located and reproduced, which seriously affects the efficiency of day-to-day security operations.
Why did you choose DongTai? What unique advantages does it have?
By coincidence, I came into contact with DongTai IAST at the very beginning, in the early days after Huoxian was founded.
Compared with traditional SAST+DAST security testing, DongTai IAST not only markedly improves vulnerability accuracy, it also has the advantage of integrating quickly into the company's DevOps pipeline.
It gives business colleagues a better user experience without creating an obvious sense of disruption, achieving the security goal of "business and security advancing in parallel".
Deploying DongTai in practice
At what stage has DongTai been applied in your company?
In the early stage of technology selection we fully considered how convenient it would be for business teams to use, so we integrated the DongTai agent into the CI/CD build process: when an application is released, the DongTai agent is integrated automatically, so onboarding to security is essentially transparent to the business, and the initial rollout went smoothly.
We are still in the rollout phase; about 50% of the business is covered.
During use, how many development vulnerabilities has DongTai IAST helped you detect in time?
Our detection scenarios are divided into two directions: traditional web vulnerabilities plus sensitive data detection.
In practice, in two months we found 2000+ sensitive data transmissions, 60+ high-risk web vulnerabilities, and 200+ high-risk open source component vulnerabilities.
(This is strongly related to the company's business form; the Internet finance industry inherently handles a large amount of personal information.)
Which DongTai IAST feature is the most practical and best matches the company's actual business scenarios?
DongTai IAST's highly flexible custom rules are very powerful: from taint source functions and taint propagation functions to filter functions and dangerous (sink) functions, and even header whitelists, they can be freely combined to satisfy our company's "all sorts of strange" application scenarios.
Contributions and ideas for the DongTai community
Based on the company's business needs, what upgrades and modifications have you made to DongTai during development?
During use we also ran into some small problems, such as a bug in the response length parameter, and result data that could not be exported.
DongTai IAST has a good open source community ecosystem; bugs and feature requests get a response as long as they are reasonable, which helped solve many problems.
I also answer usage questions in the community as far as I can, and discussing and learning together with everyone has helped me grow quickly.
Expectations for DongTai
Based on the company's actual application scenarios, what new features do you most hope DongTai will develop in the future?
I hope DongTai IAST can continue to optimize the management features of the web platform in the future, such as multidimensional statistical analysis and URL whitelists.
For most enterprise (first-party) security teams, improving security operations efficiency needs the support of long-term statistical analysis data; it would be even better if platform data could be used directly as a security assessment indicator!
We believe you have a deeper understanding of DongTai after reading this interview.
The DongTai commercial version was released on 18 May 2022.
Some features are only available in the commercial version. For the differences between the open source version and the commercial version, please refer to the following attachment:

To apply for a trial of DongTai commercial products and receive the white paper materials,
please fill in the form to apply for free: https://wenjuan.feishu.cn/m?t=sEKos4DXXCCi-m2hs
About DongTai:
"DongTai" is the world's first open source IAST product. It focuses on DevSecOps, features a high detection rate, a low false-positive rate and zero dirty data, and helps enterprises find and fix security risks before an application goes online.
About Huoxian Security:
Huoxian Security (火线安全) mainly operates the Huoxian Security Platform, the Huoxian Zone cloud security community, DongTai, and Huoxian Security Cloud. Through self-developed automated testing tools and a large number of white-hat security experts, it helps enterprises resolve security risks across the whole application life cycle.
Huoxian Security Platform: https://www.huoxian.cn/
Huoxian Zone community: https://zone.huoxian.cn/?sort=newest