维护者聚焦:管理依赖关系和Metasploit笔测试工具包(译文)
By S.F.
版权声明 本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!
- 4 分钟阅读 - 1520 个词 阅读量 0维护者聚焦:管理依赖关系和Metasploit笔测试工具包(译文)
原文作者:Sasha Rosenbaum
译文由本站翻译
确保开源软件的安全是社区的责任.但是,对于数百万个项目,很难从噪声中识别正确的信号,并找到并修复真正重要的突破.分享开放源代码维护人员的故事,介绍如何保护全球软件.第二点:答案Metasploit框架
官方的维护者 Metasploit框架, [_Spencer McIntyre ](https://github.com / zeroSteiner) 在一家总部位于美国的技术公司工作,致力于安全性的进攻性研发. Spencer之前在一家咨询公司工作,负责与医疗,能源和制造业等多个行业的客户打交道,他是狂热的开源贡献者和Python爱好者.
什么是Metasploit?
就漏洞利用模块的数量而言,Metasploit框架是最大的开源渗透测试工具包.它使安全专业人员可以测试漏洞的存在,展示其影响并验证其环境中的安全控制.自2011年加入GitHub平台以来,该项目已经开发了15年以上,并吸引了800多个用户的参与.
Metasploit项目将如何改善我的生活?
世界各地的渗透测试人员都使用Metasploit框架来演示攻击者的功能并向其客户端推荐安全性改进.许多财富500强公司以及政府机构的内部安全团队都使用它来测试和保护其基础结构.尽管Metasploit框架针对特定的用户群(笔测试人员),但开发人员仍然可以通过改善其项目的安全性间接受益于它的使用.
维护者面临哪些日常的安全斗争?
与其他任何软件项目一样,Metasploit框架面临的最大安全问题之一就是处理外部依赖项.任何软件项目都将有其安全漏洞份额,因此我们需要能够监视那些影响我们的依赖关系树的漏洞,并确定它们是否影响我们的项目.
Within the Metasploit Framework specifically, one of the unique challenges that we face is the need for our “payloads” to operate within highly constrained environments. To demonstrate that a vulnerability is present, and to show the risk of exploiting it, we often end up running a piece of software on the remote system that is a part of our framework. Because it might run in a variety of environments, this software can’t rely on the presence of any third-party libraries or even modern operating system environments. This often requires us to put in a lot of effort into maintaining compatibility, and security features are no exception to that.
Metasploit使查找和修复应用程序的漏洞(尤其是可利用的漏洞)更加容易.为什么这很重要,Metasploit如何帮助开发人员社区? ]]开发者社区)
The Metasploit Framework gives users and organizations of all sizes free and open access to attacker capabilities and enables them to test and demonstrate vulnerabilities. This helps organizations to better understand which vulnerabilities are exploitable within their environment, and thus focus their remediation efforts where they’ll have the highest impact. For developers specifically, there’s a growing trend in using complex infrastructure as part of the software development lifecycle (SDLC). The Metasploit Framework can be used as part of a CI/CD pipeline to test for common security vulnerabilities as part of existing development infrastructure, allowing developers to more confidently ensure the integrity of their projects.
您将如何为开发人员提供最好的建议,以最好地改善其开源项目的安全性?[] -他们的开源项目)
Make reasonable efforts to limit the number of dependencies and select the ones that are used carefully. Follow best practices like performing periodic security checks and reviewing the configuration of any bundled components.
您如何做才能使代码更安全?
We recently started using 斯尼克 which sends us a report periodically to help us be aware of issues that may be affecting our codebase. We also use GitHub与GPG的集成to sign our merge commits, allowing us to attribute a contribution to a specific developer with write access.
您如何确保项目中的依存关系是安全的?
We regularly update the majority of our dependencies using some automation tools. In addition to that, we use Snyk to monitor our dependencies.
您还有其他最佳做法吗?
We peer review code contributions and also use extensive automated testing to catch potential issues. In addition to unit tests in 特拉维斯CI, we use 詹金斯 to run some usage checks. 随着最近的公告 that we’re developing version 6 of the Metasploit Framework, we’ve taken strides in key locations to attempt to be “secure by default” in our development pipeline. So far, that’s manifested as changes to encrypt traffic by default where possible.
更多地了解开源安全性?阅读:[OWASP ZAP的维护者_Simon Bennetts](https://github.blog/2020-07-30-maintainer-spotlight-how-to-secure-your-project-with-one-of-the-worlds-top-open- source-tools /)
很快回来查看-我们将在接下来的几周内深入研究开源安全项目,并与开源维护者分享安全最佳实践._
Community Open source 新闻 翻译