vulnerability-scanning

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Vulnerability Scanning

漏洞扫描

Static Application Security Testing (SAST)

静态应用安全测试（SAST）

SAST Overview

SAST 概述

SAST analyzes source code, bytecode, or binaries without executing the application to identify security vulnerabilities.

SAST无需运行应用程序，通过分析源代码、字节码或二进制文件来识别安全漏洞。

SAST Techniques

SAST 技术手段

Pattern Matching: Match code against known vulnerability patterns
Data Flow Analysis: Track data flow through the application to identify tainted data
Control Flow Analysis: Analyze execution paths to identify potential issues
Taint Analysis: Track user input through the application to identify injection points
Semantic Analysis: Understand code semantics to identify complex vulnerabilities

Pattern Matching：将代码与已知漏洞模式进行匹配
Data Flow Analysis：跟踪应用程序中的数据流，识别受污染数据
Control Flow Analysis：分析执行路径，识别潜在问题
Taint Analysis：跟踪应用程序中的用户输入，识别注入点
Semantic Analysis：理解代码语义，识别复杂漏洞

Common SAST Vulnerabilities

常见SAST漏洞

Injection Flaws: SQL injection, command injection, LDAP injection
Cross-Site Scripting (XSS): Reflected, stored, and DOM-based XSS
Authentication Issues: Weak authentication, session management flaws
Authorization Issues: Broken access controls, privilege escalation
Cryptographic Issues: Weak algorithms, improper key management
Input Validation: Missing or insufficient input validation
Error Handling: Information leakage through error messages

注入漏洞：SQL injection、command injection、LDAP injection
跨站脚本攻击（XSS）：反射型、存储型和基于DOM的XSS
认证问题：弱认证、会话管理缺陷
授权问题：访问控制失效、权限提升
加密问题：弱算法、密钥管理不当
输入验证：缺少或不足的输入验证
错误处理：通过错误消息泄露信息

SAST Tools

SAST工具

SonarQube: Code quality and security analysis with extensive rule sets
Checkmarx: Enterprise SAST solution with deep code analysis
Fortify Static Code Analyzer: Comprehensive SAST from Micro Focus
Semgrep: Fast, open-source static analysis with custom rules
CodeQL: Semantic code analysis from GitHub
Bandit: Python security linter
ESLint: JavaScript security plugins (eslint-plugin-security)
SpotBugs: Java static analysis with security rules

SonarQube：拥有丰富规则集的代码质量与安全分析工具
Checkmarx：具备深度代码分析能力的企业级SAST解决方案
Fortify Static Code Analyzer：Micro Focus推出的综合性SAST工具
Semgrep：支持自定义规则的快速开源静态分析工具
CodeQL：GitHub推出的语义代码分析工具
Bandit：Python安全代码检查工具
ESLint：JavaScript安全插件（eslint-plugin-security）
SpotBugs：带有安全规则的Java静态分析工具

Dynamic Application Security Testing (DAST)

动态应用安全测试（DAST）

DAST Overview

DAST 概述

DAST analyzes running applications to identify security vulnerabilities through external testing.

DAST通过外部测试分析运行中的应用程序，识别安全漏洞。

DAST Techniques

DAST 技术手段

Crawling and Spidering: Discover application endpoints and functionality
Fuzzing: Send malformed or unexpected input to identify vulnerabilities
Authentication Testing: Test authentication mechanisms for weaknesses
Session Management: Analyze session handling for security issues
Input Validation: Test input fields for injection vulnerabilities
Business Logic: Test business logic flaws and authorization bypasses

爬取与蜘蛛扫描：发现应用程序端点与功能
模糊测试：发送畸形或意外输入以识别漏洞
认证测试：测试认证机制的弱点
会话管理：分析会话处理的安全问题
输入验证：测试输入字段的注入漏洞
业务逻辑：测试业务逻辑缺陷与授权绕过

Common DAST Vulnerabilities

常见DAST漏洞

Injection Attacks: SQL injection, command injection, XSS
Authentication Flaws: Weak passwords, session fixation
Authorization Issues: IDOR, privilege escalation
Session Management: Session hijacking, fixation
Cryptographic Issues: Weak SSL/TLS, insecure cookies
Information Disclosure: Sensitive data in responses, error messages

注入攻击：SQL injection、command injection、XSS
认证缺陷：弱密码、会话固定
授权问题：IDOR、权限提升
会话管理：会话劫持、会话固定
加密问题：弱SSL/TLS配置、不安全Cookie
信息泄露：响应中的敏感数据、错误消息泄露

DAST Tools

DAST工具

OWASP ZAP: Free, open-source web application security scanner
Burp Suite: Comprehensive web security testing platform
AppScan: Enterprise DAST solution from IBM
Nessus: Vulnerability scanner with web application testing
Arachni: Open-source web application security scanner
SQLMap: Automated SQL injection tool
Nikto: Web server scanner

OWASP ZAP：免费开源的Web应用安全扫描器
Burp Suite：综合性Web安全测试平台
AppScan：IBM推出的企业级DAST解决方案
Nessus：具备Web应用测试能力的漏洞扫描器
Arachni：开源Web应用安全扫描器
SQLMap：自动化SQL注入工具
Nikto：Web服务器扫描器

Software Composition Analysis (SCA)

软件成分分析（SCA）

SCA Overview

SCA 概述

SCA identifies and analyzes third-party components and dependencies for known vulnerabilities.

SCA识别并分析第三方组件与依赖项的已知漏洞。

SCA Techniques

SCA 技术手段

Dependency Analysis: Identify all direct and transitive dependencies
Vulnerability Matching: Match dependencies against vulnerability databases
License Compliance: Check for license compliance issues
Version Analysis: Track dependency versions and updates
Risk Scoring: Assess risk based on vulnerability severity and usage

依赖分析：识别所有直接与间接依赖项
漏洞匹配：将依赖项与漏洞数据库进行匹配
许可证合规性：检查许可证合规问题
版本分析：跟踪依赖项版本与更新
风险评分：根据漏洞严重性与使用情况评估风险

SCA Vulnerability Databases

SCA漏洞数据库

NVD (National Vulnerability Database): US government vulnerability database
CVE (Common Vulnerabilities and Exposures): Standardized vulnerability identifiers
GitHub Advisory Database: GitHub's vulnerability database
Snyk Vulnerability Database: Snyk's curated vulnerability database
OSS Index: Sonatype's open-source vulnerability database

NVD（国家漏洞数据库）：美国政府推出的漏洞数据库
CVE（通用漏洞披露）：标准化漏洞标识符
GitHub Advisory Database：GitHub的漏洞数据库
Snyk Vulnerability Database：Snyk curated的漏洞数据库
OSS Index：Sonatype的开源漏洞数据库

SCA Tools

SCA工具

Snyk: Developer-first security platform with SCA, SAST, and container scanning
Trivy: Comprehensive vulnerability scanner for containers, files, and dependencies
Dependabot: GitHub's automated dependency updates and vulnerability alerts
WhiteSource: Enterprise SCA with comprehensive vulnerability database
Black Duck: Enterprise SCA with license compliance
OWASP Dependency-Check: Open-source SCA tool
npm audit: Node.js package manager's built-in SCA
pip-audit: Python package manager's security audit tool

Snyk：面向开发者的安全平台，支持SCA、SAST与容器扫描
Trivy：针对容器、文件与依赖项的综合性漏洞扫描器
Dependabot：GitHub的自动化依赖更新与漏洞警报工具
WhiteSource：具备全面漏洞数据库的企业级SCA工具
Black Duck：支持许可证合规的企业级SCA工具
OWASP Dependency-Check：开源SCA工具
npm audit：Node.js包管理器内置的SCA工具
pip-audit：Python包管理器的安全审计工具

Container Security Scanning

容器安全扫描

Container Vulnerabilities

容器漏洞

Base Image Vulnerabilities: Vulnerabilities in the base OS image
Application Dependencies: Vulnerabilities in application dependencies
Configuration Issues: Insecure container configurations
Secrets in Images: Hardcoded secrets or credentials
Outdated Packages: Outdated packages with known vulnerabilities

基础镜像漏洞：基础操作系统镜像中的漏洞
应用依赖漏洞：应用依赖项中的漏洞
配置问题：不安全的容器配置
镜像中的密钥：硬编码的密钥或凭证
过时软件包：存在已知漏洞的过时软件包

Container Scanning Tools

容器扫描工具

Trivy: Comprehensive vulnerability scanner for containers
Clair: Open-source vulnerability static analysis for containers
Anchore: Container inspection and vulnerability analysis
Aqua Security: Enterprise container security platform
Twistlock: Container security from Prisma Cloud
Docker Scout: Docker's built-in vulnerability scanner
Grype: Vulnerability scanner for container images

Trivy：针对容器的综合性漏洞扫描器
Clair：开源容器漏洞静态分析工具
Anchore：容器检查与漏洞分析工具
Aqua Security：企业级容器安全平台
Twistlock：Prisma Cloud推出的容器安全工具
Docker Scout：Docker内置的漏洞扫描器
Grype：容器镜像漏洞扫描器

Container Security Best Practices

容器安全最佳实践

Use Minimal Base Images: Use minimal base images like Alpine or distroless
Scan Images: Scan images at build time and runtime
Patch Regularly: Keep base images and dependencies updated
Scan Dependencies: Include SCA for application dependencies
Run as Non-Root: Run containers as non-root users
Read-Only Filesystems: Use read-only filesystems where possible
Resource Limits: Set resource limits to prevent DoS

使用极简基础镜像：使用Alpine或distroless等极简基础镜像
扫描镜像：在构建时与运行时扫描镜像
定期打补丁：保持基础镜像与依赖项更新
扫描依赖项：对应用依赖项执行SCA分析
以非root用户运行：以非root用户身份运行容器
只读文件系统：尽可能使用只读文件系统
资源限制：设置资源限制以防止DoS攻击

Dependency Vulnerability Management

依赖项漏洞管理

Dependency Management Strategies

依赖项管理策略

Regular Updates: Regularly update dependencies to latest secure versions
Automated Scanning: Integrate SCA into CI/CD pipelines
Vulnerability Alerts: Set up alerts for new vulnerabilities
Version Pinning: Pin specific versions to prevent unexpected updates
Lock Files: Use lock files to ensure reproducible builds
Supply Chain Security: Verify package integrity and provenance

定期更新：定期将依赖项更新至最新安全版本
自动化扫描：将SCA集成到CI/CD流水线中
漏洞警报：设置新漏洞警报
版本锁定：锁定特定版本以避免意外更新
锁定文件：使用锁定文件确保构建可复现
供应链安全：验证软件包完整性与来源

SBOM (Software Bill of Materials)

SBOM（软件物料清单）

What is SBOM: Formal inventory of software components and dependencies
SBOM Formats: SPDX, CycloneDX, SWID tags
SBOM Benefits: Vulnerability tracking, license compliance, supply chain security
SBOM Tools: Syft, Trivy, Microsoft SBOM Tool, CycloneDX tools

什么是SBOM：软件组件与依赖项的正式清单
SBOM格式：SPDX、CycloneDX、SWID标签
SBOM优势：漏洞跟踪、许可证合规、供应链安全
SBOM工具：Syft、Trivy、Microsoft SBOM Tool、CycloneDX工具

Supply Chain Security

供应链安全

Package Integrity: Verify package signatures and checksums
Provenance: Track package origin and build process
Signed Artifacts: Use signed packages and container images
Dependency Pinning: Pin to specific verified versions
Private Registries: Use private registries for sensitive packages
Reproducible Builds: Ensure builds are reproducible and verifiable

软件包完整性：验证软件包签名与校验和
来源追溯：跟踪软件包来源与构建流程
签名制品：使用签名软件包与容器镜像
依赖项锁定：锁定至特定已验证版本
私有仓库：对敏感软件包使用私有仓库
可复现构建：确保构建可复现与验证

Common Vulnerability Tools

常见漏洞工具

Snyk

Features: SCA, SAST, container scanning, IaC scanning
Integration: CI/CD, IDEs, package managers, registries
Languages: JavaScript, Python, Java, Go, Ruby, PHP, .NET
Use Cases: Developer-first security, automated scanning, remediation

功能：SCA、SAST、容器扫描、IaC扫描
集成：CI/CD、IDE、包管理器、仓库
支持语言：JavaScript、Python、Java、Go、Ruby、PHP、.NET
使用场景：面向开发者的安全、自动化扫描、漏洞修复

Trivy

Features: Container scanning, file scanning, dependency scanning
Integration: CI/CD, container registries, Kubernetes
Languages: Supports multiple languages and package managers
Use Cases: DevSecOps, container security, infrastructure scanning

功能：容器扫描、文件扫描、依赖项扫描
集成：CI/CD、容器仓库、Kubernetes
支持语言：支持多语言与包管理器
使用场景：DevSecOps、容器安全、基础设施扫描

OWASP ZAP

Features: Automated and manual web application security testing
Integration: CI/CD, browsers, proxies
Capabilities: Spidering, scanning, fuzzing, authentication testing
Use Cases: DAST, web application security, penetration testing

功能：自动化与手动Web应用安全测试
集成：CI/CD、浏览器、代理
能力：蜘蛛扫描、漏洞扫描、模糊测试、认证测试
使用场景：DAST、Web应用安全、渗透测试

SonarQube

Features: Code quality, security analysis, technical debt tracking
Integration: CI/CD, IDEs, build tools
Languages: 25+ programming languages
Use Cases: Code quality, security, technical debt management

功能：代码质量、安全分析、技术债务跟踪
集成：CI/CD、IDE、构建工具
支持语言：25+编程语言
使用场景：代码质量、安全、技术债务管理

Grype

Features: Container image and filesystem vulnerability scanning
Integration: CI/CD, container registries
Vulnerability Database: Uses Grype vulnerability database
Use Cases: Container security, DevSecOps pipelines

功能：容器镜像与文件系统漏洞扫描
集成：CI/CD、容器仓库
漏洞数据库：使用Grype漏洞数据库
使用场景：容器安全、DevSecOps流水线

Vulnerability Scanning Best Practices

漏洞扫描最佳实践

Scanning Strategy

扫描策略

Shift Left: Scan early and often in the development lifecycle
Automate: Integrate scanning into CI/CD pipelines
Multiple Tools: Use multiple tools for comprehensive coverage
Regular Scans: Schedule regular scans for production systems
False Positive Management: Establish process for managing false positives
Prioritization: Prioritize vulnerabilities based on risk and exploitability

左移测试：在开发生命周期早期且频繁进行扫描
自动化：将扫描集成到CI/CD流水线中
多工具协同：使用多种工具实现全面覆盖
定期扫描：为生产系统安排定期扫描
误报管理：建立误报处理流程
优先级排序：根据风险与可利用性对漏洞排序

Remediation Process

修复流程

Triage: Categorize vulnerabilities by severity and risk
Prioritize: Prioritize based on CVSS score, exploitability, and business impact
Remediate: Fix vulnerabilities or apply mitigations
Verify: Verify that remediation was successful
Monitor: Monitor for new vulnerabilities
Report: Report on vulnerability status and trends

分类筛选：按严重性与风险对漏洞分类
优先级排序：根据CVSS评分、可利用性与业务影响确定优先级
漏洞修复：修复漏洞或应用缓解措施
验证修复：验证修复是否成功
持续监控：监控新出现的漏洞
报告反馈：报告漏洞状态与趋势