CN115828251A - Method and device for evaluating data risk - Google Patents

Method and device for evaluating data risk

Info

Publication number
CN115828251A
Authority
CN
China
Prior art keywords
sensitive data
risk detection
data
code
information related
Prior art date
Legal status
Pending
Application number
CN202211182048.XA
Other languages
Chinese (zh)
Inventor
陆琦玮
蒋永成
李苑
Current Assignee
Pacific Insurance Technology Co Ltd
Original Assignee
Pacific Insurance Technology Co Ltd
Priority date
Filing date
Publication date

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a method and a device for evaluating data risk, which can be used in the technical field of data code detection. In the method, data used for internal access is first scanned to obtain visitor information related to sensitive data, and/or data used for external access is scanned to obtain interface information related to the sensitive data; the range of code related to the sensitive data is then obtained from that visitor information and/or interface information; finally, compliance risk detection is performed on the range of sensitive-data-related code and an evaluation result is output. Whether the data code is at risk is thus determined from the evaluation result of the compliance risk detection. Because the method combines code that is already online with the access and traffic conditions of the sensitive data, the data code can be examined and its risk evaluated without an investigation of the development team.

Description

Method and device for evaluating data risk
Technical Field
The present application relates to the field of data code detection technologies, and in particular, to a method and an apparatus for evaluating data risk.
Background
With the development of information technology, more and more attention is paid to data security. To ensure the security of data code, current practice is divided, following the software life cycle, into three stages: 'design-stage security review', 'development-stage white-box static code scanning' and 'black-box scanning after going online'.
However, the 'security review' stage depends heavily on the cooperation of developers and is time-consuming and labour-intensive, for example because developers must fill in the checklist themselves; in the 'white-box static code scanning' stage, code checking is currently available only for the basic security layers (network security and application security), not yet for data security; and in the 'black-box scanning after going online' stage, only the result is visible, not its cause, so only a risk prompt can be given and no precise correction point. Developers then have to trace back the cause from the risk result, so their enthusiasm is low, efficiency is low and the effect of pushing correction through is poor.
Therefore, how to evaluate data risk from the standpoint of data security, realize efficient automated scanning of data code, reduce dependence on and interference from human factors, locate the range of code that involves sensitive data, perform compliance risk detection on that range and output an evaluation result is a technical problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, the present application provides a method for evaluating data risk so as to evaluate data risk, and also provides an apparatus for evaluating data risk.
In a first aspect, an embodiment of the present application provides a method for assessing data risk, where the method includes:
scanning data used for internal access to obtain visitor information related to sensitive data, and/or scanning data used for external access to obtain interface information related to sensitive data;
obtaining the range of the code related to the sensitive data according to the visitor information related to the sensitive data and/or the interface information related to the sensitive data;
and performing compliance risk detection based on the range of the sensitive data-related codes, and outputting the evaluation result.
Optionally, obtaining the range of the code related to the sensitive data according to the visitor information related to the sensitive data and/or the interface information related to the sensitive data includes:
when the visitor information related to the sensitive data is used as input data, locating the IP (Internet Protocol address) that internally accessed the sensitive data according to that visitor information, locating the server host of the IP from the IP, locating the application to which the server host belongs from the server host, and locating the code of that application, which is taken as the range of sensitive-data-related code;
when the interface information related to the sensitive data is used as input data, locating the interface involved in external access to the sensitive data according to that interface information, locating the application to which the interface belongs from the interface, locating the code of the application from the application, and narrowing the code of the application down to the code of the interface, which is taken as the range of sensitive-data-related code.
Optionally, the performing compliance risk detection based on the range of the sensitive data-related code, and outputting a result of the evaluation includes:
acquiring a compliance risk detection instruction according to the range of the sensitive data codes;
analyzing the compliance risk detection instruction to obtain a corresponding judgment identifier;
and determining a corresponding compliance risk detection model according to the judgment identification, judging and outputting an evaluation result.
Optionally, the compliance risk detection instruction includes:
one or more of an unauthenticated risk detection instruction, a sensitive data plaintext-write storage risk detection instruction, a non-client-side sensitive front-end page sensitive-data-not-desensitized risk detection instruction, a non-client-side sensitive front-end page no-watermark risk detection instruction and a log-connected-to-unified-log-centre risk detection instruction;
the analyzing the compliance risk detection instruction and acquiring a corresponding judgment identifier comprises:
when the compliance risk detection instruction comprises an unauthenticated risk detection instruction, acquiring an unauthenticated risk detection judgment identifier;
when the compliance risk detection instruction comprises a sensitive data plaintext-write storage risk detection instruction, acquiring a sensitive data plaintext-write storage risk detection judgment identifier;
when the compliance risk detection instruction comprises a non-client-side sensitive front-end page sensitive-data-not-desensitized risk detection instruction, acquiring a non-client-side sensitive front-end page sensitive-data-not-desensitized risk detection judgment identifier;
when the compliance risk detection instruction comprises a non-client-side sensitive front-end page no-watermark risk detection instruction, acquiring a non-client-side sensitive front-end page no-watermark risk detection judgment identifier;
and when the compliance risk detection instruction comprises a log-connected-to-unified-log-centre risk detection instruction, acquiring a log-connected-to-unified-log-centre risk detection judgment identifier.
Optionally, the determining, according to the judgment identifier, a corresponding compliance risk detection model, performing judgment, and outputting an evaluation result includes:
when the identifier is the unauthenticated risk detection judgment identifier, judging whether the range of sensitive-data-related code involves sensitive data and is connected to SSO authentication, and if not, performing authentication rectification;
when the identifier is the sensitive data plaintext-write storage risk detection judgment identifier, judging whether code in the range of sensitive-data-related code writes sensitive data fields to a storage system; if so, judging whether they are stored in plaintext, and if so, performing encryption or desensitization modification;
when the identifier is the non-client-side sensitive front-end page sensitive-data-not-desensitized risk detection judgment identifier, judging whether the application is a non-client-side application; if so, judging whether the page is a front-end display page; if so, judging whether a static or dynamic desensitization library is called; if not, performing desensitization modification before front-end display; if so, judging whether identity data and permission data are associated in the code, and if not, performing desensitization modification before front-end page display;
when the identifier is the non-client-side sensitive front-end page no-watermark risk detection judgment identifier, judging whether the page is a non-client-side sensitive front-end page; if so, judging whether a watermark has been added, and if not, performing front-end watermark rectification by adding the watermark;
and when the identifier is the log-connected-to-unified-log-centre risk detection judgment identifier, judging whether the range of sensitive-data-related code is connected to the unified log risk detection centre and generates risk detection logs, and if not, rectifying so that risk detection logs are generated.
Optionally, the method further includes:
checking whether the data after associated scanning carries risk and whether risk rectification is needed; if risk rectification is needed, carrying out the rectification and iterating the version.
In a second aspect, an embodiment of the present application provides an apparatus for assessing risk of data, the apparatus including:
the scanning unit is used for scanning the data used for internal access to obtain visitor information related to the sensitive data and/or scanning the data used for external access to obtain interface information related to the sensitive data;
the determining unit is used for obtaining the range of the sensitive data related codes according to the visitor information related to the sensitive data and/or the interface information related to the sensitive data;
and the detection unit is used for carrying out compliance risk detection based on the range of the sensitive data-related codes and outputting an evaluation result.
Optionally, the apparatus further comprises:
and the updating unit is used for carrying out compliance risk detection according to the range of the sensitive data codes, outputting an evaluation result and judging whether risk rectification is needed or not.
Optionally, the determining unit is specifically configured to:
when the visitor information related to the sensitive data is used as input data, locating the IP (Internet Protocol address) that internally accessed the sensitive data according to that visitor information, locating the server host of the IP from the IP, locating the application to which the server host belongs from the server host, and locating the code of that application, which is taken as the range of sensitive-data-related code;
when the interface information related to the sensitive data is used as input data, locating the interface involved in external access to the sensitive data according to that interface information, locating the application to which the interface belongs from the interface, locating the code of the application from the application, and narrowing the code of the application down to the code of the interface, which is taken as the range of sensitive-data-related code.
Optionally, the detection unit is specifically configured to:
acquiring a compliance risk detection instruction according to the range of the sensitive data codes;
analyzing the compliance risk detection instruction to obtain a corresponding judgment identifier;
and determining a corresponding compliance risk detection model according to the judgment identification, judging and outputting an evaluation result.
Compared with the prior art, the method has the following beneficial effects:
the embodiment of the application provides a method for evaluating data risk. When the method is executed, data used for internal access is first scanned to obtain visitor information related to sensitive data, and/or data used for external access is scanned to obtain interface information related to sensitive data; the range of code related to the sensitive data is then obtained from that visitor information and/or interface information; finally, compliance risk detection is performed on the range of sensitive-data-related code and an evaluation result is output. Whether the data code is at risk is thus determined from the evaluation result of the compliance risk detection. Because the method combines code that is already online with the access and traffic conditions of the sensitive data, the data code can be examined and its risk evaluated without an investigation of the development team.
Drawings
To illustrate the technical solutions in the present embodiment or the prior art more clearly, the drawings needed to be used in the description of the embodiment or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a method for assessing risk of data according to an embodiment of the present application;
Fig. 2 is a flowchart of a process for obtaining a range of sensitive data-related codes in an embodiment of the present application;
Fig. 3 is a flowchart illustrating compliance risk detection based on the range of the sensitive data-related codes and outputting evaluation results according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a device for assessing data risk according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
It should be noted that the method and the device for evaluating data risk provided by the present application are used in the field of data code detection technology. The foregoing is merely an example, and does not limit the application field of the method and apparatus name provided in the present application.
Referring to fig. 1, the figure is a flowchart of a method for assessing risk of data according to an embodiment of the present application, where the method includes the following steps:
S101: scanning data used for internal access to obtain visitor information related to sensitive data, and/or scanning data used for external access to obtain interface information related to sensitive data.
In this embodiment, data used for internal access and data used for external access are scanned separately. While scanning data used for internal access, which IP accessed sensitive data and when is acquired and recorded as visitor information; while scanning data used for external access, which external interface accessed sensitive data and when is acquired and recorded as interface information.
The visitor information is acquired as follows:
access logs kept in database logs and similar stores are scanned against the data classification and grading information base to acquire the fields of the data tables accessed by a given IP.
The data classification and grading identification results are then associated to determine whether the fields accessed by the IP contain a sensitive field and therefore need further association. The data classification and grading information base stores the results of sensitive data identification and thus indicates which fields are sensitive.
The interface information is acquired as follows:
a) scanning the external Internet egress traffic locates the interfaces that involve sensitive data and records their interface information, where the scanning covers sensitive data accessed from inside to outside and/or sensitive data collected from outside to inside.
S102: and obtaining the range of the code related to the sensitive data according to the visitor information related to the sensitive data and/or the interface information related to the sensitive data.
In the embodiment of the application, visitor information and interface information related to sensitive data are respectively further subjected to code scanning positioning to be accurate to the range related to the sensitive data codes.
One possible way is as follows:
when the visitor information related to the sensitive data is used as input data, the method comprises the following steps:
a) Based on the IP of the internal access to sensitive data, the CMDB (asset configuration information base) is queried to find which server host the IP is assigned to.
b) The business application is queried from the CMDB according to the server host.
c) The company code base is queried to locate the code base ID of the application and the range of code related to the sensitive data.
When the interface information related to the sensitive data is used as input data, the method comprises the following steps:
a) Based on the interface information of the interface involved in external access to sensitive data, the CMDB (asset configuration information base) is queried for the application to which the interface belongs.
b) The company code base is searched to locate the code base ID of the application and the code of the related application.
c) Based on the acquired interface name and other related information, the code of the interface is further located within the code of the related application and taken as the range of code related to the sensitive data.
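As an added example that is not the patent's own code, the following Python carries steps S101 and S102 through on constructed data: the access log, egress records, classification base, CMDB and code-base index are all made up here, and the field and function names are assumptions. It also shows the two failure modes a practitioner has to handle: an IP that reads sensitive data but is missing from the CMDB, and an interface whose code cannot be pinpointed inside its application.

```python
"""Added example, not the patent's code: S101 (scan for visitor and interface
information) and S102 (IP -> host -> application -> code base, and
interface -> application -> code base -> interface code) on constructed data."""

# Constructed classification and grading information base: (table, field)
# pairs identified as sensitive. Anything else counts as non-sensitive.
SENSITIVE_FIELDS = {
    ("customer", "id_number"),
    ("customer", "phone"),
    ("claim", "bank_account"),
}

# Constructed database access log (what S101 scans for visitor information).
ACCESS_LOG = [
    {"time": "2023-01-05T09:12:00", "ip": "10.1.2.3", "table": "customer", "fields": ["id_number", "name"]},
    {"time": "2023-01-05T09:13:00", "ip": "10.1.2.9", "table": "policy", "fields": ["policy_no"]},
    {"time": "2023-01-05T09:14:00", "ip": "10.1.5.7", "table": "claim", "fields": ["bank_account"]},
    {"time": "2023-01-05T09:15:00", "ip": "10.9.9.9", "table": "customer", "fields": ["phone"]},
]

# Constructed egress traffic records: which external interface returned which fields.
EGRESS_LOG = [
    {"time": "2023-01-05T10:00:00", "interface": "/api/v1/customer/profile", "table": "customer", "fields": ["phone", "name"]},
    {"time": "2023-01-05T10:01:00", "interface": "/api/v1/product/list", "table": "product", "fields": ["name", "price"]},
]

# Constructed CMDB (asset configuration information base) and company code base index.
CMDB_IP_TO_HOST = {"10.1.2.3": "app-host-01", "10.1.2.9": "app-host-02", "10.1.5.7": "batch-host-03"}
CMDB_HOST_TO_APP = {"app-host-01": "crm-web", "app-host-02": "policy-web", "batch-host-03": "claim-batch"}
CMDB_INTERFACE_TO_APP = {"/api/v1/customer/profile": "crm-web", "/api/v1/product/list": "product-web"}
CODEBASE_BY_APP = {"crm-web": "repo-101", "policy-web": "repo-102", "claim-batch": "repo-117", "product-web": "repo-120"}
INTERFACE_CODE = {("crm-web", "/api/v1/customer/profile"): "src/controller/CustomerProfileController.java"}


def scan_internal_access(access_log, sensitive_fields):
    """S101, internal path: keep only accesses that touched a sensitive field."""
    visitors = []
    for entry in access_log:
        hit = [f for f in entry["fields"] if (entry["table"], f) in sensitive_fields]
        if hit:
            visitors.append({"ip": entry["ip"], "time": entry["time"],
                             "table": entry["table"], "sensitive_fields": hit})
    return visitors


def scan_external_access(egress_log, sensitive_fields):
    """S101, external path: keep only interfaces whose egress carried a sensitive field."""
    interfaces = []
    for entry in egress_log:
        hit = [f for f in entry["fields"] if (entry["table"], f) in sensitive_fields]
        if hit:
            interfaces.append({"interface": entry["interface"], "time": entry["time"],
                               "table": entry["table"], "sensitive_fields": hit})
    return interfaces


def locate_range_by_visitor(visitors, ip_to_host, host_to_app, codebase_by_app):
    """S102, visitor path: IP -> server host -> application -> code base ID.

    Returns (ranges keyed by application, IPs the CMDB could not resolve). An
    unresolved IP is reported, not dropped: an asset that reads sensitive data
    but is absent from the CMDB is itself a finding.
    """
    ranges, unmapped = {}, []
    for v in visitors:
        host = ip_to_host.get(v["ip"])
        app = host_to_app.get(host)
        repo = codebase_by_app.get(app)
        if repo is None:
            unmapped.append(v["ip"])
            continue
        r = ranges.setdefault(app, {"code_base": repo, "scope": "application", "evidence": []})
        r["evidence"].append(f"{v['ip']} read {v['table']}.{','.join(v['sensitive_fields'])} at {v['time']}")
    return ranges, unmapped


def locate_range_by_interface(interfaces, iface_to_app, codebase_by_app, iface_code):
    """S102, interface path: interface -> application -> code base -> interface code.

    If the interface code cannot be pinpointed, the scope falls back to the
    whole application instead of being silently narrowed.
    """
    ranges, unmapped = {}, []
    for i in interfaces:
        app = iface_to_app.get(i["interface"])
        repo = codebase_by_app.get(app)
        if repo is None:
            unmapped.append(i["interface"])
            continue
        ranges[i["interface"]] = {
            "app": app,
            "code_base": repo,
            "scope": iface_code.get((app, i["interface"]), "application"),
            "evidence": [f"{i['interface']} returned {i['table']}.{','.join(i['sensitive_fields'])} at {i['time']}"],
        }
    return ranges, unmapped
```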
S103: and performing compliance risk detection based on the range of the sensitive data-related codes, and outputting the evaluation result.
In this step, a compliance risk detection instruction is first obtained according to the range of sensitive-data-related code; the instruction is analysed to obtain the corresponding judgment identifier; and the corresponding compliance risk detection model is determined according to the judgment identifier, the judgment is performed, and the verification result and evaluation result are output.
In the embodiment of the application, a corresponding compliance risk detection instruction is obtained according to the range of the sensitive data codes; analyzing the compliance risk detection instruction to obtain a corresponding judgment identifier; in the process of obtaining the corresponding judgment identifications, one or more corresponding judgment identifications may be obtained at the same time, then the corresponding compliance risk detection model is determined according to the judgment identifications and judged, wherein one or more judgments may be performed at the same time, and finally the evaluation result is output.
Referring to fig. 2 and fig. 3, another method flowchart of a method for assessing data risk provided in the embodiment of the present application is shown, where fig. 2 is a flowchart of a process for obtaining a range of sensitive data codes in the embodiment of the present application, and fig. 3 is a flowchart of performing compliance risk detection based on the range of sensitive data codes and outputting an assessment result in the embodiment of the present application, where the method includes:
a) Obtaining the range of code related to the sensitive data according to the visitor information related to the sensitive data and/or the interface information related to the sensitive data:
A01a: scanning data used for internal access and taking the acquired visitor information related to sensitive data as input data.
A01b: scanning data used for external access and taking the acquired interface information related to sensitive data as input data.
A02a: locating the IP that internally accessed the sensitive data according to the visitor information related to the sensitive data.
A02b: locating the interface involved in external access to the sensitive data according to the interface information related to the sensitive data.
A03a: locating the server host of the IP according to the IP.
A03b: locating the application to which the interface belongs according to the interface.
A04a: locating the application to which the server host belongs according to the server host.
A04b: locating the code of the application according to the application.
A05a: locating the code of the application according to the application and taking it as the range of sensitive-data-related code.
A05b: narrowing the code of the application down to the code of the interface and taking it as the range of sensitive-data-related code.
A06: outputting the range of sensitive-data-related code.
Referring to fig. 3, a flowchart of performing compliance risk detection based on the range of the sensitive data-related code and outputting an evaluation result in the embodiment of the present application is shown.
Performing compliance risk detection based on the range of the sensitive data-related codes, and outputting an evaluation result:
B1: acquiring an unauthenticated risk detection instruction according to the range of sensitive-data code.
After this step, the corresponding judgment identifier can be obtained according to the detection instruction.
B2: acquiring an unauthenticated risk detection judgment identifier according to the unauthenticated risk detection instruction.
After this step, the judgment process is entered according to the type of judgment identifier.
B3: judging whether authentication is missing.
B3a: since the identifier is the unauthenticated risk detection judgment identifier, judging whether the range of sensitive-data-related code is connected to SSO authentication (login system authentication); if so, marking it as having no risk and entering step B4, otherwise marking it as having risk.
Whether SSO authentication risk exists is judged by checking whether the range of sensitive-data-related code is included in the list (or database) of applications or interfaces connected to the SSO authentication centre.
B4: and performing clear text writing storage risk judgment on the sensitive data.
B4a: judging whether code in the range of sensitive-data-related code writes sensitive data fields to a storage system; if not, marking it as having no risk; if so, judging whether the data is stored in plaintext, and marking it as having risk if so and as having no risk otherwise. Where the code does not involve a sensitive operation, or involves one but does not store plaintext, step B5 is entered.
The storage system includes databases, file systems and the like. Plaintext storage means that the data is written to storage without being encrypted or desensitized.
B5: and carrying out non-desensitization risk judgment on the page sensitive data of the non-client-side desensitization front end.
B5a: judging whether the code is client application code; if so, marking it as having no risk, otherwise entering step B5b.
B5b: judging whether the page code is front-end display page code; if not, marking it as having no risk, otherwise entering step B5c.
B5c: judging whether a static or dynamic desensitization library is called in the code; if so, entering step B5d, otherwise marking it as having risk.
B5d: judging whether static desensitization is called; if so, marking it as having no risk, otherwise entering step B5e.
B5e: judging whether dynamic desensitization is called; if so, judging whether identity data and permission data are dynamically associated, marking it as having no risk if so and as having risk otherwise.
B6: performing risk judgment for a non-client-side sensitive front-end page without a watermark.
B6a: judging whether the page code is a non-client-side front-end display page, and if so, entering step B6b.
B6b: judging whether the page is a non-client-side sensitive display page and whether a watermark has been added; if no watermark has been added, marking it as having risk.
B7: and judging the access to the unified log risk detection center.
B7a: and judging whether the codes in the range of the sensitive data-related codes are accessed to a unified log risk detection center, if not, marking that the codes have risks, and if so, marking that the codes do not have risks.
In this embodiment, after the steps B1 to B7 are performed, the method further includes:
B8: judging whether any item has been marked as having risk; if not, outputting the evaluation result, and if so, outputting the evaluation result after risk rectification.
Wherein the compliance risk detection instructions include:
one or more of an unauthenticated risk detection instruction, a sensitive data plaintext-write storage risk detection instruction, a non-client-side sensitive front-end page sensitive-data-not-desensitized risk detection instruction, a non-client-side sensitive front-end page no-watermark risk detection instruction and a log-connected-to-unified-log-centre risk detection instruction.
The analyzing the compliance risk detection instruction to obtain a corresponding judgment identifier includes:
when the compliance risk detection instruction comprises an unauthenticated risk detection instruction, acquiring an unauthenticated risk detection judgment identifier;
when the compliance risk detection instruction comprises a sensitive data plaintext-write storage risk detection instruction, acquiring a sensitive data plaintext-write storage risk detection judgment identifier;
when the compliance risk detection instruction comprises a non-client-side sensitive front-end page sensitive-data-not-desensitized risk detection instruction, acquiring a non-client-side sensitive front-end page sensitive-data-not-desensitized risk detection judgment identifier;
when the compliance risk detection instruction comprises a non-client-side sensitive front-end page no-watermark risk detection instruction, acquiring a non-client-side sensitive front-end page no-watermark risk detection judgment identifier;
and when the compliance risk detection instruction comprises a log-connected-to-unified-log-centre risk detection instruction, acquiring a log-connected-to-unified-log-centre risk detection judgment identifier.
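As an added example that is not the patent's own code, the following Python implements steps B1 to B8 and the instruction list above: each compliance risk detection instruction is mapped to a judgment identifier, each identifier to a detection model, and the models run over a constructed description of one code range; the attribute names, identifier names and rectification texts are assumptions based on the description.

```python
"""Added example, not the patent's code: S103 / steps B1-B8 as instruction ->
judgment identifier -> detection model, run over one constructed code range."""

RISK, NO_RISK = "risk", "no risk"

# Analysis step: each compliance risk detection instruction yields a judgment
# identifier (identifier names are assumptions).
INSTRUCTION_TO_IDENTIFIER = {
    "unauthenticated_risk_detection": "ID_UNAUTH",
    "plaintext_storage_risk_detection": "ID_PLAINTEXT",
    "frontend_undesensitized_risk_detection": "ID_DESENS",
    "frontend_no_watermark_risk_detection": "ID_WATERMARK",
    "unified_log_center_risk_detection": "ID_LOG",
}


def check_unauthenticated(r):
    """B3a: the range must appear in the SSO centre's list of connected applications/interfaces."""
    if r["in_sso_registered_apps"]:
        return NO_RISK, None
    return RISK, "connect to SSO authentication"


def check_plaintext_storage(r):
    """B4a: sensitive fields written to a storage system must not be stored in plaintext."""
    if not r["writes_sensitive_fields_to_storage"]:
        return NO_RISK, None
    if r["stores_plaintext"]:
        return RISK, "encrypt or desensitize before writing to storage"
    return NO_RISK, None


def check_frontend_desensitization(r):
    """B5a-B5e: non-client front-end display pages must desensitize sensitive data."""
    if r["is_client_app"] or not r["is_frontend_display_page"]:
        return NO_RISK, None
    lib = r["desensitization_library"]  # None, "static" or "dynamic"
    if lib is None:
        return RISK, "desensitize before front-end display"
    if lib == "static" or r["dynamic_links_identity_and_permission"]:
        return NO_RISK, None
    return RISK, "associate identity and permission data in the dynamic desensitization, then display"


def check_frontend_watermark(r):
    """B6a-B6b: non-client sensitive front-end pages must carry a watermark."""
    if r["is_client_app"] or not r["is_frontend_display_page"]:
        return NO_RISK, None
    return (NO_RISK, None) if r["watermark_added"] else (RISK, "add front-end watermark")


def check_unified_log(r):
    """B7a: the code must be connected to the unified log risk detection centre."""
    if r["connected_to_unified_log_center"]:
        return NO_RISK, None
    return RISK, "connect to the unified log risk detection centre and generate risk detection logs"


IDENTIFIER_TO_MODEL = {
    "ID_UNAUTH": check_unauthenticated,
    "ID_PLAINTEXT": check_plaintext_storage,
    "ID_DESENS": check_frontend_desensitization,
    "ID_WATERMARK": check_frontend_watermark,
    "ID_LOG": check_unified_log,
}


def evaluate(code_range, instructions):
    """B1-B8: run the model for every instruction; B8 decides whether rectification is needed."""
    result = {"code_range": code_range["name"], "checks": {}, "needs_rectification": False}
    for instruction in instructions:
        identifier = INSTRUCTION_TO_IDENTIFIER.get(instruction)
        if identifier is None:
            # An unknown instruction is an error in the request, not a silent pass.
            raise ValueError(f"unknown compliance risk detection instruction: {instruction}")
        verdict, rectification = IDENTIFIER_TO_MODEL[identifier](code_range)
        result["checks"][identifier] = {"verdict": verdict, "rectification": rectification}
        if verdict == RISK:
            result["needs_rectification"] = True
    return result


# Constructed description of one sensitive-data code range (the interface-path
# output of S102); attribute names are assumptions.
SAMPLE_RANGE = {
    "name": "crm-web:/api/v1/customer/profile",
    "in_sso_registered_apps": False,
    "writes_sensitive_fields_to_storage": True,
    "stores_plaintext": False,
    "is_client_app": False,
    "is_frontend_display_page": True,
    "desensitization_library": "dynamic",
    "dynamic_links_identity_and_permission": False,
    "watermark_added": True,
    "connected_to_unified_log_center": False,
}
ALL_INSTRUCTIONS = list(INSTRUCTION_TO_IDENTIFIER)
```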
It should be noted that the above embodiment, in which the range of sensitive-data code is obtained from the visitor information and/or interface information related to the sensitive data, compliance risk detection is performed on that range and the evaluation result is output, is only one case and is not limiting: one or more compliance risk detection instructions may be obtained simultaneously according to the range of sensitive-data code, the corresponding judgment identifiers obtained from the instructions, the corresponding compliance risk detection models determined from the identifiers, the judgments performed, and finally the evaluation result output.
Referring to fig. 4, this figure is a schematic structural diagram of an apparatus for assessing risk of data according to an embodiment of the present application, where the apparatus includes: scanning unit 401, determining unit 402, detecting unit 403.
The scanning unit 401 is configured to scan data used for internal access to obtain visitor information related to sensitive data, and/or scan data used for external access to obtain interface information related to sensitive data.
In the apparatus for evaluating data risk provided by the present application, the scanning unit 401 is specifically configured to scan data accessed internally and data accessed externally, and respectively obtain visitor information related to the sensitive data and obtain interface information related to the sensitive data.
A determining unit 402, configured to obtain a range of the sensitive data-related code according to the visitor information related to the sensitive data and/or the interface information related to the sensitive data.
In the apparatus for evaluating data risk provided by the present application, the determining unit 402 is specifically configured to: when the visitor information related to the sensitive data is used as input data, locate the IP (Internet Protocol address) from which the sensitive data is accessed internally according to the visitor information related to the sensitive data, locate the server host of that IP from the IP, locate the application to which the server host belongs from the server host, and take the code of that application as the range of codes related to the sensitive data; when the interface information related to the sensitive data is used as input data, locate the interface involved in external access to the sensitive data according to the interface information related to the sensitive data, locate the application to which the interface belongs from the interface, locate the code of the application from the application, and take the part of the application code that implements the interface as the range of the code related to the sensitive data.
And a detection unit 403, configured to perform compliance risk detection based on the range of the sensitive data-related code, and output an evaluation result.
In the apparatus for evaluating data risk provided in the present application, the detecting unit 403 is specifically configured to: acquiring a compliance risk detection instruction according to the range of the sensitive data codes; analyzing the compliance risk detection instruction to obtain a corresponding judgment identifier; and determining a corresponding compliance risk detection model according to the judgment identification, judging and outputting an evaluation result.
In a possible implementation manner, the visitor information related to the sensitive data obtained by the scanning of the scanning unit 401 is input to the determining unit 402; the determining unit 402 performs association scanning on the data accessed according to the visitor information related to the sensitive data, determines the IP that accesses the sensitive data, further determines the server host and the application corresponding to that visitor, and finally determines the range of codes related to the sensitive data.
The interface information related to the sensitive data obtained by the scanning of the scanning unit 401 is input to the determining unit 402; the determining unit 402 performs association scanning on the external internet port traffic data corresponding to the interface information related to the sensitive data, determines the interface that carries the sensitive data field, further determines the application to which that interface belongs, and finally determines the range of the code related to the sensitive data.
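The two localization chains just described (visitor IP to server host to application to code, and interface to application to handler code) can be implemented as lookups against an asset inventory. The following is an added example, not code from the patent or its applicant: it assumes a CMDB-style inventory that maps IPs to hosts, hosts to applications, applications to code paths, and interfaces to applications and handlers; all inventory entries and scan records below are constructed. Unresolvable inputs are recorded rather than silently dropped, since an IP or interface with no owner is itself a finding for the assessor.

```python
"""Determine the sensitive-data code range from visitor info and/or interface info.

Added example (hypothetical inventory, constructed sample data).
"""
from dataclasses import dataclass, field

# Constructed asset inventory (assumption: a CMDB / API registry exists).
IP_TO_HOST = {"10.0.1.15": "policy-db-01", "10.0.1.16": "policy-app-02"}
HOST_TO_APP = {"policy-db-01": "policy-service", "policy-app-02": "policy-service"}
APP_TO_CODE = {
    "policy-service": [
        "policy_service/dao.py",
        "policy_service/api.py",
        "policy_service/export.py",
    ],
}
INTERFACE_TO_APP = {"/api/v1/policy/holder": "policy-service"}
INTERFACE_TO_HANDLER = {"/api/v1/policy/holder": "policy_service/api.py"}


@dataclass
class CodeRange:
    """Files that fall inside the sensitive-data code range, plus inputs we could not map."""
    files: set = field(default_factory=set)
    unresolved: list = field(default_factory=list)


def range_from_visitor(visitor_records, rng):
    """Internal access: visitor IP -> server host -> application -> all code of that application."""
    for rec in visitor_records:
        ip = rec["src_ip"]
        host = IP_TO_HOST.get(ip)
        app = HOST_TO_APP.get(host) if host else None
        if app is None:
            rng.unresolved.append(f"ip:{ip}")
            continue
        rng.files.update(APP_TO_CODE.get(app, []))
    return rng


def range_from_interface(interface_records, rng):
    """External access: interface -> application -> the application code behind that interface."""
    for rec in interface_records:
        path = rec["path"]
        app = INTERFACE_TO_APP.get(path)
        handler = INTERFACE_TO_HANDLER.get(path)
        # The handler must belong to the application the interface is registered to.
        if app is None or handler is None or handler not in APP_TO_CODE.get(app, []):
            rng.unresolved.append(f"interface:{path}")
            continue
        rng.files.add(handler)
    return rng


def locate_code_range(visitor_records=(), interface_records=()):
    """Either input may be empty; the result is the union of both chains."""
    rng = CodeRange()
    range_from_visitor(visitor_records, rng)
    range_from_interface(interface_records, rng)
    return rng


# Constructed scan output: internal DB access records and external traffic records
# in which a sensitive field (id_number, phone) was observed.
SAMPLE_VISITORS = [
    {"src_ip": "10.0.1.15", "field": "id_number"},
    {"src_ip": "192.168.9.9", "field": "id_number"},   # not in inventory
]
SAMPLE_INTERFACES = [
    {"path": "/api/v1/policy/holder", "field": "phone"},
    {"path": "/api/v1/unknown", "field": "phone"},      # not in inventory
]

if __name__ == "__main__":
    result = locate_code_range(SAMPLE_VISITORS, SAMPLE_INTERFACES)
    print(sorted(result.files))
    print(result.unresolved)
```

Note that the visitor chain yields the whole application's code while the interface chain yields only the handler behind the interface, matching the two chains in the description; a practitioner would normally feed the unresolved list back into asset-inventory maintenance.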
In one possible implementation, the detection unit 403 includes the following sub-modules: the device comprises an instruction acquisition module, an identification acquisition module, a judgment module and an evaluation result output module.
And the instruction acquisition module is used for acquiring different instructions according to the range of the sensitive data-related codes and executing subsequent different judgment steps.
And the identifier acquisition module is used for mapping each instruction to its corresponding judgment identifier, which in turn selects the corresponding judgment module.
And the judging module is used for carrying out corresponding compliance risk detection judgment.
And the evaluation result output module is used for outputting the evaluation result.
Each instruction in the instruction acquisition module is provided with an identifier corresponding to the instruction in the identifier acquisition module, each identifier in the identifier acquisition module is also provided with a judgment process corresponding to the identifier in the judgment module, and after the judgment process is finally executed, the judgment result is transmitted to the evaluation result output module for outputting the evaluation result.
In addition to the above units, the apparatus further comprises:
and an updating unit 404, configured to perform rectification and updating on the sensitive data code whose evaluation result is that there is a risk.
The data risk assessment device provided by the application performs scanning in combination with the access and traffic conditions involving sensitive data, so that manual investigation is not needed; the security risks present in the data code can be located through the scanning performed by each unit, and the assessment result is finally output.
In the embodiments of the present application, the terms "first" and "second" (if present) are used only to distinguish names and do not denote an order.
It should be noted that, in this specification, each embodiment is described in a progressive manner, and the same and similar parts between the embodiments are referred to each other, and each embodiment focuses on differences from other embodiments. In particular, the apparatus and system embodiments, because they are substantially similar to the method embodiments, are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts suggested as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The method and the device for evaluating data risk provided by the application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are merely provided to assist in understanding the method and its core concepts. It should be noted that, for those skilled in the art, without departing from the principle of the present application, the present application can also make several improvements and modifications, and those improvements and modifications also fall into the protection scope of the claims of the present application.

Claims (10)

1. A method of assessing risk of data, the method comprising:
scanning data used for internal access to obtain visitor information related to sensitive data, and/or scanning data used for external access to obtain interface information related to sensitive data;
obtaining the range of the code related to the sensitive data according to the visitor information related to the sensitive data and/or the interface information related to the sensitive data;
and performing compliance risk detection based on the range of the sensitive data-related codes, and outputting the evaluation result.
2. The method of claim 1, wherein obtaining the range of the sensitive data-related code according to the visitor information and/or the interface information related to the sensitive data comprises:
when the visitor information related to the sensitive data is used as input data, locating the IP (Internet Protocol address) from which the sensitive data is accessed internally according to the visitor information related to the sensitive data, locating the server host of the IP from the IP, locating the application to which the server host belongs from the server host, and locating the code of the application according to the application to which the server host belongs, wherein the code is used as the range related to the sensitive data code;
when the interface information related to the sensitive data is used as input data, locating the interface involved in external access to the sensitive data according to the interface information related to the sensitive data, locating the application to which the interface belongs from the interface, locating the code of the application from the application, and taking the part of the application code that implements the interface as the range of the code related to the sensitive data.
3. The method of claim 1, wherein performing compliance risk detection based on the range of the sensitive data-related code and outputting the result of the evaluation comprises:
acquiring a compliance risk detection instruction according to the range of the sensitive data codes;
analyzing the compliance risk detection instruction to obtain a corresponding judgment identifier;
and determining a corresponding compliance risk detection model according to the judgment identification, judging and outputting an evaluation result.
4. The method of claim 3, wherein the compliance risk detection instructions comprise:
one or more of an unauthenticated risk detection instruction, a sensitive data plaintext write storage risk detection instruction, a non-client-side sensitivity-related front-end page sensitive data non-desensitization risk detection instruction, a non-client-side sensitivity-related front-end page watermark-not-added risk detection instruction, and a log docking unified log center risk detection instruction;
the analyzing the compliance risk detection instruction to obtain a corresponding judgment identifier includes:
when the compliance risk detection instruction comprises an unauthenticated risk detection instruction, acquiring an unauthenticated risk detection judgment identifier;
when the compliance risk detection instruction comprises a sensitive data plaintext writing storage risk detection instruction, acquiring a sensitive data plaintext writing storage risk detection judgment identifier;
when the compliance risk detection instruction comprises a non-client-side sensitivity-related front-end page sensitive data non-desensitization risk detection instruction, acquiring a non-client-side sensitivity-related front-end page sensitive data non-desensitization risk detection judgment identifier;
when the compliance risk detection instruction comprises a non-client-side sensitivity-related front-end page watermark risk detection instruction, acquiring a non-client-side sensitivity-related front-end page watermark risk detection judgment identifier;
and when the compliance risk detection instruction comprises a log docking unified log center risk detection instruction, acquiring a log docking unified log center risk detection judgment identifier.
5. The method according to claim 3, wherein the determining a corresponding compliance risk detection model according to the judgment identifier, performing judgment, and outputting a result of the evaluation comprises:
when the identifier is the unauthenticated risk detection judgment identifier, judging whether the code within the range of the sensitive data-related code that involves sensitive data is connected to SSO authentication, and if not, performing authentication rectification;
when the identifier is the sensitive data plaintext write storage risk detection judgment identifier, judging whether the code within the range of the sensitive data code involves sensitive data fields being written to a storage system, if so, judging whether they are stored in plaintext, and if so, performing encryption or desensitization rectification;
when the identifier is the non-client-side sensitivity-related front-end page sensitive data non-desensitization risk detection judgment identifier, judging whether the application is a non-client-side application, if so, judging whether the page is a front-end display page, if so, judging whether a static desensitization or dynamic desensitization library is called; if not, performing desensitization rectification before front-end display; if so, judging whether the identity data and the authority data are associated in the code, and if not, performing desensitization rectification before front-end page display;
when the identifier is the non-client-side sensitivity-related front-end page watermark-not-added risk detection judgment identifier, judging whether the page is a non-client-side sensitivity-related front-end page, if so, judging whether a watermark has been added, and if not, performing front-end watermark rectification and adding the watermark;
and when the identifier is the log docking unified log center risk detection judgment identifier, judging whether the code within the range of the sensitive data-related code is connected to the unified log risk detection center and generates a risk detection log, and if not, performing risk detection log rectification.
6. The method of claim 1, further comprising:
checking whether the data after the association scanning has risks and whether risk rectification is needed; if risk rectification is needed, performing the rectification and iterating the version.
7. An apparatus for assessing risk of data, the apparatus comprising:
the scanning unit is used for scanning the data used for internal access to obtain visitor information related to the sensitive data and/or scanning the data used for external access to obtain interface information related to the sensitive data;
the determining unit is used for obtaining the range of the sensitive data related codes according to the visitor information related to the sensitive data and/or the interface information related to the sensitive data;
and the detection unit is used for carrying out compliance risk detection based on the range of the sensitive data-related codes and outputting an evaluation result.
8. The apparatus of claim 7, further comprising:
and the updating unit is used for carrying out compliance risk detection according to the range of the sensitive data codes, outputting an evaluation result and judging whether risk rectification is needed or not.
9. The apparatus according to claim 7, wherein the determining unit is specifically configured to:
when the visitor information related to the sensitive data is used as input data, locating the IP (Internet Protocol address) from which the sensitive data is accessed internally according to the visitor information related to the sensitive data, locating the server host of the IP from the IP, locating the application to which the server host belongs from the server host, and locating the code of the application according to the application to which the server host belongs, wherein the code is used as the range related to the sensitive data code;
when the interface information related to the sensitive data is used as input data, locating the interface involved in external access to the sensitive data according to the interface information related to the sensitive data, locating the application to which the interface belongs from the interface, locating the code of the application from the application, and taking the part of the application code that implements the interface as the range of the code related to the sensitive data.
10. The apparatus according to claim 7, wherein the detection unit is specifically configured to:
acquiring a compliance risk detection instruction according to the range of the sensitive data codes;
analyzing the compliance risk detection instruction to obtain a corresponding judgment identifier;
and determining a corresponding compliance risk detection model according to the judgment identification, judging and outputting an evaluation result.
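The detection unit's instruction-to-identifier-to-judgment chain (sub-modules in the description, and claims 3 to 5) is essentially a dispatch table followed by per-file decision trees. The following is an added example, not the patent's or the applicant's code, covering both the description's sub-module layout and the five judgments of claim 5. It assumes that a prior static-analysis pass has already produced per-file facts (whether SSO is wired in, whether a desensitization library is called, whether the unified log center is connected, and so on); the facts for the two files below are constructed. Each judgment returns the rectification the claim prescribes, or None when no risk is found.

```python
"""Compliance risk detection over a sensitive-data code range.

Added example (hypothetical fact schema, constructed sample data).
"""
from typing import Callable, Dict, List, Optional

# Step 1: instruction acquisition -> identifier acquisition (claim 4).
INSTRUCTION_TO_IDENTIFIER = {
    "unauthenticated_risk_detection": "ID_UNAUTH",
    "plaintext_storage_risk_detection": "ID_PLAINTEXT",
    "frontend_undesensitized_risk_detection": "ID_NO_DESENS",
    "frontend_no_watermark_risk_detection": "ID_NO_WATERMARK",
    "log_center_risk_detection": "ID_NO_LOGCENTER",
}


# Step 2: judgment models, one per identifier (claim 5). Each returns a
# rectification string when a risk is present, else None.
def judge_unauthenticated(f: dict) -> Optional[str]:
    if f["touches_sensitive"] and not f["sso_authenticated"]:
        return "connect to SSO authentication"
    return None


def judge_plaintext(f: dict) -> Optional[str]:
    if f["writes_sensitive_field"] and f["plaintext_storage"]:
        return "encrypt or desensitize before writing to storage"
    return None


def judge_undesensitized(f: dict) -> Optional[str]:
    if not (f["non_client_side"] and f["front_end_page"]):
        return None
    if not f["calls_desensitize_lib"]:
        return "desensitize before front-end display"
    if not f["identity_authority_linked"]:
        return "associate identity and authority data, then desensitize for display"
    return None


def judge_watermark(f: dict) -> Optional[str]:
    if f["non_client_side"] and f["front_end_page"] and not f["watermark_added"]:
        return "add front-end watermark"
    return None


def judge_log_center(f: dict) -> Optional[str]:
    if not f["unified_log_connected"]:
        return "connect to unified log center and emit risk detection log"
    return None


IDENTIFIER_TO_MODEL: Dict[str, Callable[[dict], Optional[str]]] = {
    "ID_UNAUTH": judge_unauthenticated,
    "ID_PLAINTEXT": judge_plaintext,
    "ID_NO_DESENS": judge_undesensitized,
    "ID_NO_WATERMARK": judge_watermark,
    "ID_NO_LOGCENTER": judge_log_center,
}


def detect(code_range_facts: Dict[str, dict], instructions: List[str]) -> List[dict]:
    """Step 3: run each instruction's model over every file in the range; step 4: collect results."""
    results = []
    for instr in instructions:
        ident = INSTRUCTION_TO_IDENTIFIER.get(instr)
        if ident is None:
            raise ValueError(f"unknown compliance risk detection instruction: {instr}")
        model = IDENTIFIER_TO_MODEL[ident]
        for path, facts in code_range_facts.items():
            rectification = model(facts)
            results.append({"file": path, "check": ident,
                            "risk": rectification is not None,
                            "rectification": rectification})
    return results


def files_needing_rectification(results: List[dict]) -> set:
    """Files the updating unit should act on (evaluation result: risk present)."""
    return {r["file"] for r in results if r["risk"]}


# Constructed per-file facts, as a static-analysis pass would emit them.
SAMPLE_FACTS = {
    "policy_service/api.py": dict(touches_sensitive=True, sso_authenticated=True,
                                  writes_sensitive_field=False, plaintext_storage=False,
                                  non_client_side=True, front_end_page=True,
                                  calls_desensitize_lib=False, identity_authority_linked=False,
                                  watermark_added=False, unified_log_connected=True),
    "policy_service/dao.py": dict(touches_sensitive=True, sso_authenticated=True,
                                  writes_sensitive_field=True, plaintext_storage=True,
                                  non_client_side=True, front_end_page=False,
                                  calls_desensitize_lib=False, identity_authority_linked=False,
                                  watermark_added=False, unified_log_connected=False),
}

if __name__ == "__main__":
    for r in detect(SAMPLE_FACTS, list(INSTRUCTION_TO_IDENTIFIER)):
        if r["risk"]:
            print(f'{r["file"]}: {r["check"]} -> {r["rectification"]}')
```

Keeping the identifier-to-model table separate from the instruction table is what lets several instructions be obtained at once, as the description allows, and lets a new check be added without touching the dispatch loop.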
CN202211182048.XA 2022-09-27 2022-09-27 Method and device for evaluating data risk Pending CN115828251A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211182048.XA CN115828251A (en) 2022-09-27 2022-09-27 Method and device for evaluating data risk

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211182048.XA CN115828251A (en) 2022-09-27 2022-09-27 Method and device for evaluating data risk

Publications (1)

Publication Number Publication Date
CN115828251A true CN115828251A (en) 2023-03-21

Family

ID=85524015

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211182048.XA Pending CN115828251A (en) 2022-09-27 2022-09-27 Method and device for evaluating data risk

Country Status (1)

Country Link
CN (1) CN115828251A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117494148A (en) * 2024-01-03 2024-02-02 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Security detection method, security detection device, terminal equipment and computer readable storage medium
CN117494148B (en) * 2024-01-03 2024-03-26 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Security detection method, security detection device, terminal equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination