雲端資訊安全測試流程與工具

雲端資訊安全測試流程與工具

這篇文章主要說明雲端資訊安全測試流程的範本參考與筆者建議的相關工具,

希望可以提供比較容易採用的一些方法、工具,

並且建議的流程與工具主要是非營利組織所制定的相關Best Practices。

 

內部資訊安全流程

如果內部軟體開發流程希望導入一定的資訊安全流程應該怎樣開始呢?

筆者建議可以參考 SAMM 所建議的方法與步驟。簡單來說, SAMM將 Security分為四大功能。

http://www.opensamm.org/download/

 

十大雲端與網站威脅

https://www.owasp.org/index.php/OWASP_Cloud_%E2%80%90_10/Initial_Pre-Alpha_List_of_OWASP_Cloud_Top_10_Security_Risks

https://www.owasp.org/index.php/Top_10_2013-Top_10

OWASP Top 10 – 2010 (Previous Version) OWASP Top 10 – 2013 (Current Version)
A1-Injection A1-Injection
A3-Broken Authentication and Session Management A2-Broken Authentication and Session Management
A2-Cross Site Scripting (XSS) A3-Cross-Site Scripting (XSS)
A4-Insecure Direct Object Reference A4-Insecure Direct Object References
A6-Security Misconfiguration A5-Security Misconfiguration
A7-Insecure Cryptographic Storage – Merged with A9 –> A6-Sensitive Data Exposure
A8-Failure to Restrict URL Access – Broadened into –> A7-Missing Function Level Access Control
A5-Cross Site Request Forgery (CSRF) A8-Cross-Site Request Forgery (CSRF)
<buried in A6: Security Misconfiguration> A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards A10-Unvalidated Redirects and Forwards
A9-Insufficient Transport Layer Protection Merged with 2010-A7 into 2013-A6

 

雲端威脅的防護設計

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

 

雲端威脅的測試個案

https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project#tab=Downloads

Application Security Verification Standard .png

測試工具集

https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Leave a Reply

Your email address will not be published.