You do not understand my tears: some of the safety of enterprises landing experience

You do not understand my tears: some of the safety of enterprises landing experience. Hi everyone, what I am sharing today is the experience of our company's security system. Since the last time I read the article "A Security Department for a Person" of atiger77, I was deeply touched. After that, I joined a person's "Security Department WeChat group and his comrades to communicate, in which found a commonplace question: the theory is theory, the safety of landing is one thing.

Struct2 and fastjson outbreak some time ago loopholes in the high-risk loopholes spread in the shortest possible time, after a week, the comrades in the group and ran into another developer retreat, resulting in the engine room was exploited by struct2 vulnerabilities, Not to mention many comrades in the research and development department colleagues are not willing to escalate the struct2 things, so only this article and I communicate some of my own experience of the safety of the landing.

There is a common saying that any security problem is essentially human in nature. If a person has no security awareness, no matter how good the security system is, it will also become negligible in the slack process. As a result, the whole system will become riddled with problems. There are lots of loopholes, so the focus of my work is to push people forward.

Find the right people

Only the leader of each R & D team with you, only the leader can control the team members to promote their work, do not see who wrote the code directly to the corresponding R & D engineers, the leader teamer to modify their own code to ensure that Safe, it's a matter of course that teamer feels right should be modified, if you bypass the leader of the corresponding research and development, leader often interfere in your communication, resulting in greatly reduced communication.

So I teach you a trick, we found that if some xss class loopholes, we can say you found a front-end bug, rather than that is found loopholes, and then construct a casually jump out of a bunch of numbers or no logical string Link, submitted as a bug, and that this is affecting the user experience, then modify or even enhance the code norms are good. The reason I want to do this is because after I went to the company, I found that fewer and fewer people participated in the technology sharing. Even the information I spent on purchasing was everyone's laughter. Therefore, we must not make any apparent efforts Leadership look: "You see I did a technology sharing, I demonstrated loopholes, so I need you to help me advance work." That is of no use because the real tasks on the ground often depend on the details and the large leadership can not cover everything. He can only express his consent and support. When the concrete implementation is carried out, the leadership of the major leaders has very limited progress in the details. If he does not understand some technologies Details, and development colleagues objected to the big leadership, big boss if you can not refute, the matter is half the yellow, even after you explain how developers will refuse to modify the project, not to mention the big leaders are sometimes not supported, so tens of millions It is a waste of time not to lead the big show here, you must first do the work on a specific staff side, not just technical work but also interpersonal work.

I know a lot of comrades work like me: the company's authority is very low, the more the lower the privilege, your priority will be greater than the business colleagues' needs, this time you will be the choice? Continue to strongly promote the work? Or choose to make concessions?

At first, I chose to give in, because the big boss is the business origin. So many of my colleagues in the eyes of our business needs greatly exceeded the security needs, several times I found a high-risk loopholes, the company colleagues did not pay attention to this, nor with my work to promote, I concession a few times ago Later, I found a problem, no one will remember that you raised this matter, even if you write in the R & D exchange system, these loopholes are still a half and a half months after the formal service still above, so if the company system construction and work floor In case of any problems, we must not neglect work. On the one hand, we must actively promote system construction. On the one hand, we must also communicate with leaders. On several occasions, we urge the government to find ways to solve the problems. Triggering a series of attacks, if still not modified, decisively in the formal service to interfere with the normal page display, until the research and development staff to force changes in the process to learn to protect themselves, you must first write written information, e-mail or to develop the exchange of reservations With the file, with the date, it can be used as counterargument to prevent direct service Face unnecessary problems caused by the operation, after the necessary modifications Dingsi leader, tens of thousands do not bypass the leader directly to specific R & D engineers, otherwise it will fall short.

Communication skills

The first point I mentioned leader work methods, leader's personality is different, must adapt to different personality come up with different ways to do the communication work, take several leaders of our company example of my thinking: the front end The engineer's leader is young and feminine, straightforward, barely comprehensible to my job, especially complain about the rework of the code, so it's hard to deal with, and she did not agree with the xss question I submitted at this time You can not be discouraged, to find more opportunities to chat jokingly concerned about her subtle habits until I found she likes to boast she is beautiful and young and likes to eat fruit.

So, I will buy some fruit from time to time, when passing by her side, to be a little sweet mouth, say a few words you are young, you hairstyle really good words, so slowly close the relationship in order to lay a good communication relationship Basis, in doing some big moves, I just buy snacks and then sprinkle a thicker face Jiao, you can ensure the safe work can be normal progress. For oa system R & D engineers, is a loyal Shandong man with a large pattern, my idea is to take the initiative to help resolve his negative emotions and his reasoning, and then if he can help you modify the loopholes but also say a little more grace And so on, how many times have you got late? I also took the initiative to thank him for his hard work and used his human resources to move forward with his work. R & D leader in online mall Young and energetic, but sometimes, I do not directly look for him to promote the work, I secretly responsible for the online mall operating area to overheard their recent business actions, and then the operation of the meaning of security-related Need to translate the statement, and then the online store's research and development leader to express, so that he can feel the things they do now can promote business needs, but also to meet security needs. For the leader of app, because of his recent birth, his mentality is certainly more and more stable. At this time, the best way is to vigorously promote system construction. Here we recommend the app security scanning technique, especially Ali's scan report, Ali's brand name fame, you put Ali's security report sent to the immediate leadership, and then lobbied his competitor's app a lot of loopholes in the app, if we can do 0 loopholes in the business promotion can be against opponents and so on , This will ensure that the leadership support your system design. Remember the old saying goes way more than the problem, this sentence is absolutely applicable to people.

The principle of work promotion

The principle of work to promote, after reading the above two points, we must know that the origin of these tips and ideas is that you are helping R & D engineers to complete the work, not to complete the task you arranged because they themselves have the workload, If you communicate the details of your work with what you are trying to accomplish, you are certainly unable to work because your job priorities are definitely the lowest, especially if your needs add to his workload without any Substantial changes. But if you take you and him with common goals and tasks, stand in his position thinking and organize language to communicate, the other engineer will feel that you and he are people who work for the common goal and purpose, So he will take the initiative to complete the work content. The core of this communication is to make him feel that you and he are for a common goal, or you are helping him accomplish his goal, so as to ensure that the work of landing.

If you do not know, start from these few details: You have to remember everyone's mouth addiction, such as A like to say yes, you have to learn to say the same thing in the same case, B like to say very good, you have to Learn to speak great, in the same context, to mimic the common language of others.

The other party in the decoration, you have to look at some of the decoration of information and then chat with him, so chatting with him in the work showed that the decoration of the project manager is a thief who will only steal the thief of decoration materials, the so-called common enemy Is a friend, and friends are naturally good to discuss myself. Also in expressing their own purpose of work, try to find his main work needs, especially the operation or the front-end business needs to find the common ground of these needs and safety, and then packaged to ensure the business advance or combat competition The purpose of the adversary is to move forward with work so that he feels he is completing the high-priority business needs rather than the final security needs of the priority.

Fourth: learn to wear a pin at work time, I am in the company are not willing to tell me the progress of the new project, I can only run around to stand behind everyone to see everyone's progress, try to figure out your latest research and development ideas and Work content, a long time I found this has a huge advantage, I can find opportunities to chat and contact with them, to ensure a stable relationship, but also know the recent progress of research and development. Because at work, I find it extremely inefficient and overwhelming to send messages that are over-worked. The information exchanged is not only of low quality, but often it is merely a written proof proving that I am trying to advance my work. Role, like the above said security issues in the first issue of a proof of their own discovery of this problem, the subtext is to change the research and development is something I did not any responsibility, and this behavior in many people's eyes In fact, will be considered the beginning of the push responsibility. So, when you are familiar with R & D staff, you can say: "I will not send my emails, but I'll send them to the leaders for free. Even if we make changes privately, the other party can fully agree and feel that you have given He faces. This is especially effective for colleagues who are more powerful but do not like to discuss emails. A lot of research and development is going to see a lot of demand emails every day. It is very objectionable to emails and can be solved privately. It is both simple and face-to-face Things.

Share: a test of human safety tips

But also to share a toss out of their own skills, our company is completely human testing, automated testing completely no use of this I use the workplace network built burpsuit as a generator to generate security detection documents.

first step:

In the proxy menu bar, select All interfaces LAN can use this port

Step two:

In the site menu bar, right-click the domain name to be tested I demo travel master

Will be testing the domain name in the queue

At the same time open the passive scanning

In the scan page to open the scanning queue in the target option

After the testers to do any testing Through your network port 8080 will be able to start the security scan, and are logged in with scan permissions, can be more in depth than the active scan, some developers refused to tell me the new features can also be tested The process is well tested

Do not forget to turn off the interceptor

Here's how to generate statements

Right-click on the domain name and select report as shown, and then all the way next

The last step, you need to provide the path to generate the report file

I can refer to the document submitted to the leadership set the security level

If you have any suggestions or comments please leave a message, thank you!