Uhlaselo lweenkqubo zokubonelela ngesoftware luya lusanda kwaye lutshabalalisa. Umzekelo, Gartner iqikelela ukuba ama-45% azo zonke iishishini aza kuhlangabezana nokwaphulwa komthetho ngo-2025. Ukongeza, I-cybersecurity Venture igxininisa ubunzulu bale ngozi, iqikelela umonakalo omkhulu we-$138 yezigidigidi ngonyaka ngo-2031. Xa zizonke, ezi zibikezelo zibonisa imfuneko engxamisekileyo yokuba imibutho ibeke phambili software supply chain security kwaye kuphunyezwe amanyathelo aqinileyo okukhusela idatha eyimfihlo, imisebenzi, kunye nodumo.
Ngenxa yokuba yanamhlanje pipelinezixhomekeke kakhulu kwizinto zangaphandle, ukunyuka kwamathala eencwadi eqela lesithathu, imijikelo yophuhliso lwesoftware ekhawulezayo, imixokelelwane yokubonelela eyinkimbinkimbi, ukungabonakali kakuhle, iindlela ezintsha zokuhlasela, ukwamkelwa kweSaaS, kunye nezixhobo ezinqongopheleyo zonke ezi zibangela ukwanda okukhulu. uhlaselo lwenkqubo yokubonelela ngesoftwareNgoko ke, imibutho kufuneka isebenzise indlela ebanzi nesebenzayo yokujongana nale mingeni kunye nokukhusela uthotho lwayo lokubonelela ngesoftware.
Yintoni uhlaselo lweSoftware Supply Chain?
ENISA ichaza a Uhlaselo lweTyathanga lokuNikezela ngeSoftware as "isivumelwano sempahla ethile, umz. iziseko zoboneleli besoftware kunye nesoftware yorhwebo, ukonakalisa ngokungathanga ngqo ithagethi ethile okanye iithagethi, umz. abathengi benkampani yesoftware." Ngamanye amazwi, iSoftware Supply Chain Attack ngumsebenzi onobungozi ojolise kwisoftware supply chain, ojolise ekubekeni esichengeni nasekufakeni ubuthathaka okanye i-malware kwinkqubo yophuhliso nokusasazwa. Ngenxa yoko, olu hlobo lohlaselo lusebenzisa inethiwekhi edibeneyo nehlala iyinkimbinkimbi yeenkqubo, izixhobo, kunye namaziko abandakanyekayo ekwakheni nasekuhambiseni isoftware.
Izinto eziphambili kunye neengcamango ezinxulumene nohlaselo lweSoftware Supply Chain
Uncwadi lwe-intelligence kunye ne-infosec threat ludla ngokuqhekeka uhlaselo lwenkqubo yokubonelela ngesoftware ngokweendidi ezahlukeneyo ukuze kuhlalutywe ngcono kwaye kukhuselwe. Ngoko ke, eli candelo lizisa iingcamango ezintlanu eziphambili ezichazwe yi Ikhathalogu yePatheni yoHlaselo lweMITREOlu lwakhiwo lwekhathalogu lubonelela ngeepatheni zohlaselo lwetsheyini ukuze kube lula uhlalutyo kusetyenziswa imithombo eyahlukeneyo, kuquka nezoyikiso ezichaseneyo eziqokelelwe yi-NIST.
Umthetho woHlaselo: Yintoni
Isenzo sohlaselo sisenzo esithile esizisa umthwalo okanye injongo enobungozi kwinkqubo. Ngenxa yoko, sivelisa umonakalo othe ngqo.
- Umzekelo 1: I-Malware ifakwe kwisoftware yenkqubo ngexesha lenkqubo yokwakha.
- Umzekelo 2: Iimfuno zenkqubo okanye amaxwebhu oyilo aguqulwe ngokungekho mthethweni.
I-Attack Vector: Indlela
Ivektha yohlaselo yindlela abachasi abayisebenzisayo ukuxhaphaza ubuthathaka okanye ubuthathaka bokusebenza. Ngenxa yoko, ibonisa indlela abahlaseli abafikelela ngayo kwaye basebenzise kakubi umphezulu wohlaselo.
- Umzekelo 1: Umhlaseli uguqula ikhowudi yomthombo kwindawo yokugcina idatha eyonakeleyo.
- Umzekelo 2: Umhlaseli ufumana ukufikelela okungagunyaziswanga kumaxwebhu obuchwephesha angaphakathi.
Jonga ngakumbi kwi-intanethi yethu Uluhlu lweVektha yoHlaselo ulwazi olongezelelweyo.
Imvelaphi yoHlaselo: Ngubani
Imvelaphi ichaza umthombo wohlaselo. Ke ngoko, icacisa indima, imeko, okanye ubudlelwane bomhlaseli nenkqubo.
- Umzekelo 1: Umntu ongaphakathi onelungelo lokufikelela kwiiseva zokwakha uguqula iskripthi.
- Umzekelo 2: Umntu ohlaselayo ngaphandle ulayisha iphakheji efakwe kwi-trojan kwirejista kawonkewonke.
Injongo yoHlaselo: Isizathu
Injongo ichaza isizathu sohlaselo. Ngaphezu kwako konke, igxininisa oko iintshaba zifuna ukukufeza.
- Ukuphazamiseka: ukumisa iinkonzo okanye ukwakha.
- Urhwaphilizo: ukunciphisa ukuthembana ngokutshintsha izinto zakudala okanye ikhowudi yomthombo.
- Ukutyhilwa: ukuvuza kweemfihlo eziyimfihlo okanye impahla yobukrelekrele.
Impembelelo yoHlaselo: Iziphumo
Okokugqibela, impembelelo ichaza iziphumo zohlaselo, ibonisa iziphumo kubaboneleli besoftware kunye nabathengi.
- Umzekelo 1: Nayiphi na iprojekthi esebenzisa inkqubo embi iya konakala kamva.
- Umzekelo 2: Abantu bafaka isoftware engalunganga kwiinkqubo zabo zomsebenzi bengazi.
Uhlaselo oluqhelekileyo lweSoftware Supply Chain
Iintlobo ezininzi ze uhlaselo lwenkqubo yokubonelela ngesoftware zikho, kwaye imibutho kufuneka izazi ngeentlobo ngeentlobo zeengxaki ezibangela uloyiko kwinqanaba ngalinye lobomi. Ngokusekelwe ku isakhelo se-SLSA, i-US National Institute of Standardkunye neTekhnoloji (i-NIST), yaye i-Arhente yoKhuseleko lweIntanethi kunye neZiseko zoPhuhliso (CISA), ezi zisongelo zingahlulwahlulwa zibe ngamaqela amane: umthombo, ulwakhiwo, iphakheji, kunye neengozi zokuxhomekeka.
Uhlaselo lweTyathanga lokuNikezela ngeSoftware kwiSigaba soMthombo
- Ngenisa ikhowudi embi → bona indlela yokwenza isicelo seFlask.fumana ukusetyenziswa gwenxa or iimpazamo zokungakhuseleki kokubekwa kwezinto kwi-serial yenza iindawo zokuhlasela ngokuthe ngqo.
- I-repo yomthombo wokuvumelana
- Yakha kumthombo oguquliweyo
- Bhala ikhowudi engakhuselekanga
- Ukuphazamisa iifayile ezibalulekileyo → njengoko kuchaziwe kwi Uhlalutyo lwangasemva lwe-chmod 777.
Uhlaselo lweTyathanga lokuNikezela ngeSoftware kwiSigaba soKwakha
Kwi Yakha iSiteji, abaphuhlisi baqokelela baze badibanise ikhowudi kwinguqulelo esebenzayo. kuba Eli nqanaba libaluleke kakhulu, iingozi ziquka ukutsiba iitshekhi zokhuseleko CI/CD pipeline, ukutshintsha ikhowudi emva kolawulo lwenguqulelo, okanye ukuphazamisa inkqubo yokwakha. Ngenxa yoko, ikhowudi enobungozi inokungena kwizinto ezingabonakaliyo.
- ukudlula CI/CD → inxulunyaniswe ne I-malware yokwakha kwangaphambili yeGitHub.
- Guqula ikhowudi emva kolawulo lomthombo
- Inkqubo yokwakha uhlengahlengiso → incitshiswe yi Ukufunyanwa kwesilumkiso sakwangoko seDevSecOps.
- Indawo yokugcina izinto zakudala ezitshintshileyo
Uhlaselo lweTyathanga lokuNikezela ngeSoftware kwiSigaba sePakeji
The Isigaba sePhakheji kulapho sidibanisa yonke ikhowudi ukuze senze imveliso yokugqibela. Le nxalenye iyingozi kuba umntu angasebenzisa iipakeji ezimbi okanye atshintshe iindawo ezikwi-intanethi apho sizifumana khona. Abahlaseli banokude balayishe iinguqulelo eziyingozi zeepakeji ezidumileyo kwezi webhusayithi.
- Sebenzisa iphakheji echaphazelekileyo → egutyungelwe kwi Uvavanyo lweskena se-malware.
- Ubhaliso lwephakheji yokuvumelana
- Layisha iphakheji eguquliweyo → ihlalutywe kwi I-malware yomenzi we-fake we-Namso-gen.
Uhlaselo lweThreyini yoNikezelo lweSoftware kwiSigaba soXhomekeko
Kwi Inqanaba lokuxhomekeka, songeza iilayibrari kunye neepakeji zomntu wesithathu kwisoftware yethu. Eli nqanaba liyingozi kuba naziphi na iingxaki kwezo ndawo zinokusasazeka ngokulula nangokuthe cwaka kuyo yonke iprojekthi.
- Sebenzisa ukuxhomekeka okudibeneyo → kuchaziwe nge Iingozi ze-DoS kuxhomekeko olufihlakeleyo.
- Ukuxhomekeka Okudala okanye Okungakhuselekanga
- Iingozi zokuxhomekeka okuguquguqukayo
- Iirejista zeePakethe ezinobungozi → zincitshiswe nge Izixhobo zokhuseleko zeDevOps kwaye Ulawulo lomngcipheko womntu wesithathu.
Iingozi zeCandelo lokuNika uBonelelo oluQhelekileyo kwiNqanaba ngalinye le SDLC
| Isigaba | Izoyikiso eziqhelekileyo | umzekelo |
|---|---|---|
| imvelaphi | • Ukungenisa ikhowudi enobungozi okanye engakhuselekanga • Ukuphazamisana neefayile ezibalulekileyo • Ukubeka ecaleni indawo yokugcina izinto | I-XcodeGhost (2015): ikhowudi enobungozi efakwe kwi-compiler ye-Xcode ye-Apple, isasazeka kuzo zonke ii-apps ze-iOS. |
| Yakha | • Ukungayilandeli CI/CD iitshekhi zokhuseleko • Ukulungisa ikhowudi emva kolawulo lomthombo • Iindawo zokugcina izinto zakudala ezinobungozi | I-SolarWinds Orion (2020): abahlaseli bangene ngaphakathi kwisakhiwo pipeline, ukufaka ucango olungasemva kuhlaziyo lwesoftware olusayiniweyo. |
| ipakethe | • Ukulayisha iipakeji ezilungisiweyo • Iirejista zeepakeji zokubulala ityhefu • Ukusasaza izinto ezisetyenzisiweyo ezisengozini | I-EventStream NPM (2018): umhlaseli ufake ucango lwangasemva kwiphakheji edumileyo ye-NPM ekhutshelweyo amaxesha amaninzi. |
| ukuXhomekeka | • Ukusebenzisa ukuxhomekeka okudala okanye okubuthathaka • Ukusebenzisa kakubi ukuxhomekeka okuguquguqukayo • Ukupapasha iipakethe ezibonakala ngathi ziyingozi | I-XZ Utils Backdoor (2024): ilayibrari yokucinezela efakwe kwi-trojanized iphantse yathunyelwa ngezantsi kwi-Linux distributions. |
Iindlela zokuhlasela zeNkqubo yoNikezelo lweSoftware eqhelekileyo
Ngokutsho CISIngxelo ye-A kunye ne-NIST, ukuhlaselwa kweenkqubo zobonelelo lwesoftware kudla ngokwahlulwahlulwa zibe ziindidi ezintathu eziphambili.
Nangona kunjalo, iziganeko zakutshanje zibonisa ezinye iivektha ekufuneka abaphuhlisi baziqonde.
Ngezantsi siza kwandisa iindlela ezifanelekileyo ngemizekelo esebenzayo.
Uhlaziyo lokuQhaqa
Abahlaseli bayayiphazamisa indlela yokuhlaziya esemthethweni ukuze basasaze i-malware.
Umzekelo, uhlaselo lweNotPetya ngo-2017 lwasebenzisa kakubi iseva yohlaziyo lwesoftware yerhafu ye-MEDoc yase-Ukraine, nto leyo eyabangela
i-malware etshabalalisayo efihliweyo njenge-patch. Ukuzikhusela kule ngozi, amaqela kufuneka afake isicelo ukufunyanwa kwesoyikiso kunye nempendulo yeDevOps iindlela ezibonisa ukuziphatha okungaqhelekanga ekuhambeni kohlaziyo.
Ukungavumi ukuSayinwa kweKhowudi
Le ndlela ibandakanya ukusebenzisa kakubi okanye ukuba izatifikethi zokusayina ezisemthethweni ukuze ikhowudi enobungozi ibonakale isemthethweni.
Ityala eliphawulekayo yayilisivumelwano se-CCleaner ngo-2017, apho abahlaseli basasaza isoftware ye-trojanized esayiniweyo ngeesatifikethi ezisemthethweni.
Ngenxa yoko, imibutho ifuna ulawulo oluhlangeneyo lokuthembeka olufana nolo luchazwe kwi amaqhinga eqonga lokhuseleko lwe-cyber
Ikhowudi yoMthombo oVulekileyo ebeka emngciphekweni
Iintshaba zifaka iingcango zangasemva kwiiphakheji ezidumileyo zemithombo evulekileyo, kamva zitsalwa kwiiprojekthi ezininzi.
Isiganeko se-EventStream NPM kunye ne-XZ Utils backdoor (2024) zibonisa indlela esibaluleke ngayo esi siganeko.
Abaphuhlisi kufuneka bahlole izixhobo ezifana Imibuzo ebuzwa rhoqo malunga noKhuseleko lwe-NPM kwaye iziganeko zephakheji ezibhalwe nge-typosquat ukufunda indlela yokuphepha ukuxhomekeka kwizinto ezinobungozi.
Ukudideka kokuxhomekeka
Olu hlaselo, olwaqala ukuchazwa ngu-Alex Birsan ngo-2021, lusebenzisa amagama okungqubana phakathi kweerejista zeepakeji zangaphakathi nezikawonke-wonke, lukhohlisa iinkqubo zokwakha ukuba zitsale iinguqulelo ezinobungozi endaweni yeepakeji zangaphakathi ezithembekileyo.
Iipakethi zeTyposquatting kunye neMonacious
Abahlaseli bapapasha iipakethe ezinobuthi ezinamagama afana neelayibrari ezidumileyo (umz., “ii-requeusts” endaweni “yezicelo”).
Abaphuhlisi bazifaka ezi ngempazamo, befaka i-malware kwiiprojekthi zabo.
Umzekelo wokwenyani uhlalutywa kwi I-malware ye-Namso-gen kwaye kuluhlu lwethu lwe izikena ze-malware ezivulelekileyo.
Yakha Pipeline Ukuthintela
Njengoko kubonwe kwisivumelwano seSolarWinds Orion, abahlaseli banokungena kwiiseva zokwakha ukufaka ikhowudi enobungozi ngexesha lokuhlanganiswa.
Oku kwenza lonke uthotho lwezinto ezisetyenzisiweyo ezisayiniweyo lungathembeki. Iindlela zokuthintela ziquka ukubeka esweni CI/CD ukuthembeka kunye ukufunyanwa kwesilumkiso kwangethuba kunye nokuhlalutya
Iiphulo ze-malware ezakhelwe kwangaphambili yiGitHub.
Indlela Uhlaselo lweSoftware Supply Chain olubonakala ngayo: Ityala leSolarWinds
Ngaphezu kwako konke, uhlaselo lweSolarWinds Orion lolona mzekelo waziwayo wokwaphulwa kweenkqubo zesoftware. Lubonisa indlela abahlaseli abanokuhamba ngayo inyathelo ngenyathelo kwinkqubo yokwakha, kwaye ngenxa yoko, basasaze ikhowudi enobungozi kumawaka abasebenzisi.
Okokuqala, abahlaseli bangene kwiiseva zokwakha zeSolarWinds.
Emva koko, bongeza ikhowudi enobungozi ngokuzolileyo kuhlaziyo lwe-Orion.
Ngenxa yokuba olu hlaziyo lusayinwe kwaye luthunyelwe njengesoftware ethembekileyo, iinkampani ezininzi zilufakile ngaphandle kokwazi umngcipheko.
Lilonke, imibutho engaphezu kwe-18,000 yachaphazeleka, kwaye abahlaseli bafumana ukufikelela kwiinkqubo ezibuthathaka kakhulu.
Ngokwembono yomphuhlisi, olu hlaselo lunika izifundo ezintathu ezilula:
- Ukuzikhusela komjikelezo akwanelanga: abahlaseli batshintshe indlela eyakhiwe ngayo pipeline ngokwayo.
- Ukuhlolwa rhoqo kubalulekile: ikhuselekile build attestations, ukuhlolwa kobunyani, kunye nokuchongwa kwezinto ezingaqhelekanga kunceda ukuthintela ukuphazamisana.
- Ulwakhiwo olunye olunetyhefu lunokufikelela kwihlabathi liphela: enye pipeline Ukuvumelana kunokubangela ingxaki yokhuseleko kwihlabathi liphela.
I-Xygeni: Iqonga le-AppSec eliPhambili kwi-All-in-One
Ngenxa yokuba uhlaselo lweenkqubo zokubonelela ngesoftware lunokuchaphazela onke amanyathelo SDLC,
iqonga le-AppSec elisebenza kuzo zonke izinto, I-Xygeni, ikhusela izigaba zomthombo, zokwakha, zephakheji, kunye nezokuxhomekeka. Inika abaphuhlisi kunye namaqela okhuseleko indawo enye yokuthintela, ukufumanisa, kunye nokulungisa iingozi ngendlela elula. Ngenxa yoko, akusafuneki ukuba udibanise izixhobo ezininzi, iXygeni igubungela umjikelo wobomi bonke.
Ukhuseleko lweSigaba soMthombo
Kwinqanaba lomthombo, iingozi ziquka ukungakhuselekanga commits, iindawo zokugcina izinto ezinetyhefu, okanye iifayile ezitshintshiweyo. I-Xygeni iskena ikhowudi ngexesha langempela ngobunzulu SAST kunye nokuchongwa kweemfihlo.
Ikwavimba izinto ezinobungozi commits nge CI/CD guardrails.
Ngale ndlela, iingxaki ziyamiswa ngaphambi kokuba ziphume kwindawo yokugcina izinto.
Ukhuseleko lweSiteji soKwakha
Ngexesha lokwakha, abahlaseli banokuzama ukudlula pipelineokanye ukutshintsha izinto zakudala.
I-Xygeni ikhusela inkqubo yokwakha ngokuhlolwa okuthotyelwa yi-SLSA, ukuqinisekiswa kobunyani, kunye notyikityo olungenazisitshixo. Ikwajonga ukuziphatha okungaqhelekanga ngaphakathi CI/CD imisebenzi. Ngenxa yoko, izakhiwo eziphazamisekileyo ziphawulwa ngoko nangoko kwaye zivalwe ngaphambi kokuba zikhutshwe.
Ukhuseleko lweSigaba sePhakeji
Kwinqanaba lephakheji, iirejista ezisengozini okanye iilayibrari ezilungisiweyo zihlala zingenisa i-malware. Ukufunyanwa kwe-malware yeXygeni kunye nokuskena ilayisensi hlaziya yonke into eyenziweyo, ngelixa I-AutoFix icebisa iindlela zokuphucula ezikhuselekileyo kunye nohlalutyo lwayo loMngcipheko wokuLungiswa. Kuphela ziiphakheji eziqinisekisiweyo nezithobelayo eziya phambili kwi pipeline.
Ukhuseleko lweSigaba sokuxhomekeka
Ikhowudi yomntu wesithathu yeyona ndawo inkulu yokuhlasela. Uhlalutyo loBume beSoftware kaXygeni (SCA) Yenza okungaphezulu nje kokudwelisa ii-CVE, ijonga ukuba ikhowudi enobungozi inokusetyenziswa na ngokwenene. Ikwaphawula ii-malware ezifihliweyo kunye nokuxhomekeka okuyingozi kokuguquka. Ngaphezu kwako konke, oku kuqinisekisa ukuba abaphuhlisi bathumela kuphela ukuxhomekeka okukhuselekileyo.
Iimfihlo kunye noKhuseleko lweZiseko zoPhuhliso
Ngaphandle kwekhowudi kunye neepakeji, uhlaselo ludla ngokusebenzisa iimfihlo ezivuzayo okanye iziseko ezibuthathaka. I-Xygeni iskena izitshixo eziveziweyo, iithokheni, kunye neziqinisekiso kwikhowudi, kwii-configs, nakwii-Docker layers. Ingaqinisekisa kwaye irhoxise ngokuzenzekelayo iimfihlo ezivuzayo nge Ukulungiswa kwe-AutoFix. Ngaxeshanye, IaC ukuskena ithintela ukulungelelaniswa okungafanelekanga abahlaseli abanokukusebenzisa kakubi kamva.
Ukuchonga nokulungisa izinto ngobuchule
Uninzi lwezixhobo luphela xa kuqatshelwa. IXygeni iyaqhubeka. Injini yayo ye-AutoFix idala ii-patches ezikhuselekileyo, pull requests, okanye isikhokelo senyathelo ngenyathelo ngokuxhomekeke kwingxaki. Umbono wayo weRemediation Risk ukwabonisa ukuba loluphi uhlobo lwepatch olukhuselekileyo, ngoko ke amaqela alungisa iingxaki ngaphandle kokongeza ezintsha.
Iqonga Elinye Elimanyeneyo
Kuba iXygeni idibanisa SAST, SCA, ukufunyanwa kwe-malware, ulawulo lweemfihlo, IaC ukuskena, ukufunyanwa kwezinto ezingaqhelekanga, kunye nolawulo lokwakha olukhuselekileyo kwiqonga elinye le-AppSec,
inika ingxelo epheleleyo kulo lonke SDLCBobabini abaphuhlisi kunye namaqela okhuseleko bafumana umthombo omnye wenyaniso ngokubonakala ngokucacileyo, ukulungiswa okusebenzayo, kunye nokhuseleko oluqinileyo kuhlaselo lwekhonkco lokubonelela.
Zonke izinto ziqwalaselwe, I-Xygeni, iqonga le-AppSec eligqibeleleyo elisebenza kuzo zonke izinto, inceda amaqela akhe ngokukhawuleza kwaye ahlale ekhuselekile. Ngokukhusela umthombo, ukwakha, iphakheji, kunye nezigaba zokuxhomekeka, nangokongeza izilungiso ezenzekelayo kuyo yonke inyathelo, iqinisekisa ukuba uhlaselo lwenkqubo yokubonelela ngesoftware luyayekiswa ngaphambi kokuba lufikelele kwimveliso.




