CN109214192A - A kind of risk processing method and processing device of application oriented system - Google Patents
- Publication number
- CN109214192A (application number CN201811244378.0A)
- Authority
- CN
- China
- Prior art keywords
- risk
- value
- loophole
- safety detection
- application
- Prior art date
- Legal status
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
This application discloses a risk processing determination method and device for an application system. Based on the assets of the application system itself, multiple types of security tools are used to carry out multi-dimensional security detection of the application system, the current risk value of the application system is dynamically and comprehensively assessed, and the risk processing type is determined from that current risk value. The method and device described here make it possible to carry out multi-dimensional security detection and unified risk processing at the level of the application system, integrating the discovery, rectification and tracking of application-system security problems into one process, and thereby meet the enterprise's requirements for comprehensive, holistic and process-oriented management of security vulnerabilities.
Description
Technical field
The present invention relates to the field of information security technology and, more specifically, to a risk processing method and device for an application system.
Background technique
With the continuous development of Internet technology, security threats of all kinds keep emerging on the network, and how an enterprise can effectively discover and dispose of known vulnerabilities has always been an important research subject in the network security field.
Current network security products are usually products aimed at a specific field; for example, in the security testing field there are basic-environment vulnerability scanning products, source code security detection products, web security scanning products, app security scanning products and so on, and each product differs in its security field and direction. There is currently no technology that can carry out comprehensive, multi-dimensional security detection and risk disposal at the level of the application system.
Summary of the invention
In view of this, the present invention provides a risk processing method and device for an application system, so as to carry out multi-dimensional security detection and unified risk processing at the application system level.
To achieve the above object, the invention provides the following technical scheme:
A risk processing determination method for an application system, comprising:
determining security detection items based on the asset information of the application system, and executing the security detection corresponding to the security detection items;
generating system-specification risk information based on the asset information and the results of the security detection;
determining actual security vulnerabilities, the actual security vulnerabilities being determined on the basis of the system-specification risk information;
hardening the determined actual security vulnerabilities;
if hardening succeeds, returning to the step of determining security detection items based on the asset information and executing the security detection corresponding to the security detection items;
if hardening fails or is not carried out, calculating the current risk value of the application system;
determining the risk processing type according to the current risk value and preset rules.
Optionally, determining security detection items based on the asset information of the application system and executing the security detection corresponding to the security detection items comprises:
determining security detection items based on the asset information of the application system, and executing the security detection corresponding to the security detection items using multiple security tools, including carrying out security detection of the same security detection item using security tools of different types;
determining the actual security vulnerabilities then comprises:
determining the same security vulnerability detected by at least two security tools to be an actual security vulnerability.
Optionally, determining the actual security vulnerabilities comprises:
for a security vulnerability detected by only one security tool, determining it to be an actual security vulnerability according to confirmation information input by the user.
Optionally, calculating the current risk value of the application system comprises:
calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system;
calculating the current risk value of the application system according to the residual risk and the risk adjustment factor.
Optionally, calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system comprises:
summing the risk value of each actual security vulnerability to obtain the residual risk of the application system, where risk value = (vulnerability risk level * vulnerability object carrier value * classified protection level of the application system).
Optionally, calculating the current risk value of the application system according to the residual risk and the risk adjustment factor comprises:
calculating the current risk value of the application system according to the formula risk value = residual risk * risk adjustment factor;
the determination of the risk adjustment factor comprises:
determining the mean and standard deviation of the historical vulnerability counts of each responsible development vendor;
determining the current vulnerability count of the responsible development vendor to which the application system belongs;
calculating the current vulnerability difference, where current vulnerability difference = (current vulnerability count - mean vulnerability count);
determining adjustment value 1 according to the ratio of the current vulnerability difference to the standard deviation of the vulnerability count;
determining, separately for high-risk, medium-risk and low-risk vulnerabilities, the mean and standard deviation of the historical rectification times of each responsible development vendor;
determining, separately for high-, medium- and low-risk vulnerabilities, the current rectification time of the responsible development vendor to which the application system belongs;
calculating separately the current rectification time difference for high, medium and low risk, where current rectification time difference = (current rectification time - mean rectification time);
determining adjustment value 2 for each risk level, namely high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2, according to the ratio of the current rectification time difference of each risk level to the standard deviation of the rectification time of that risk level, together with adjustment value 1;
determining the risk adjustment factor according to the high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2 and a preset algorithm.
Optionally, determining the risk processing type according to the current risk value and preset rules comprises:
determining, according to the comparison of the current risk value with preset thresholds, that the risk processing type is avoid risk, reduce risk, transfer risk or accept risk.
A risk processing determination device for an application system, comprising:
a security detection module, for determining security detection items based on the asset information of the application system and executing the security detection corresponding to the security detection items;
an information generating module, for generating system-specification risk information based on the asset information and the results of the security detection;
a vulnerability determining module, for determining actual security vulnerabilities, the actual security vulnerabilities being determined on the basis of the system-specification risk information;
a vulnerability hardening module, for hardening the determined actual security vulnerabilities;
a risk value computing module, for calculating the current risk value of the application system when the vulnerability hardening module fails to harden an actual security vulnerability or does not harden it;
a processing determining module, for determining the risk processing type according to the current risk value and preset rules.
A computer-readable storage medium on which a computer program is stored, the program implementing, when executed by a processor, the risk processing determination method for an application system of any of the above.
An electronic device, comprising:
a processor; and
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute, via the executable instructions, the risk processing determination method for an application system of any of the above.
It can be seen from the above technical scheme that, compared with the prior art, the embodiments of the invention disclose a risk processing determination method and device for an application system which, based on the assets of the application system itself, use multiple types of security tools to carry out multi-dimensional security detection of the application system, dynamically and comprehensively assess the current risk value of the application system, and determine the risk processing type from the current risk value. The method and device described here make it possible to carry out multi-dimensional security detection and unified risk processing at the application system level, integrating the discovery, rectification and tracking of application-system security problems, and so meet the enterprise's requirements for comprehensive, holistic and process-oriented security detection.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the risk processing determination method for an application system disclosed in an embodiment of the invention;
Fig. 2 is a flowchart of calculating the current risk value disclosed in an embodiment of the invention;
Fig. 3 is a flowchart of determining the risk adjustment factor disclosed in an embodiment of the invention;
Fig. 4 is a schematic structural diagram of the risk processing determination device for an application system disclosed in an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the risk value computing module disclosed in an embodiment of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flowchart of the risk processing determination method for an application system disclosed in an embodiment of the invention. As shown in Fig. 1, the risk processing determination method for an application system may include:
Step 101: determining security detection items based on the asset information of the application system, and executing the security detection corresponding to the security detection items.
In this step, the asset information of the application system may first be collected; specifically, it may be collected from the dimension of the application system by manual entry or by linking to an existing asset management system. The asset information may include, but is not limited to, main information such as asset IP addresses, source code, operating system, middleware, database, open-source components and the application system's access address or app, together with information associated with the system, such as the application developer, the application development vendor, the operating system administrator, the database administrator and the middleware administrator.
After the asset information of the application system has been collected, different detection requirement values may be derived according to the enterprise's internal security management requirements and the attributes of the application system; the main output is whether detection is to be carried out and which dimensions of security detection are to be scheduled. The security detection items, that is, which security detection needs to be done, are determined from conditions such as the adaptive attributes of the application (if there is no app, app security detection need not be carried out; if there is no web page, web security detection need not be carried out; if there is no source code, source code security detection need not be carried out; and so on), the classified protection level of the system (for example, systems at level 3 or above must be detected in certain dimensions), and whether the system provides services to the Internet (for example, a system facing the Internet is subjected to app and web class detection, while a system not facing the Internet is only subjected to detection such as basic environment and source code). The corresponding security tool engines are then called to execute the security detection process.
The security detection may include, but is not limited to, source code security detection, basic-environment vulnerability scanning, basic-environment security configuration verification, component security detection, web security detection, app security detection and business logic testing.
In an illustrative example, determining security detection items based on the asset information of the application system and executing the corresponding security detection may include: determining security detection items based on the asset information of the application system, and executing the security detection corresponding to the security detection items using multiple security tools, including carrying out security detection of the same security detection item using security tools of different types. Using different types of security tools on the same security detection item and considering the results of all the security tools together can reduce or correct the security detection results and improve the overall confidence of the detection results.
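Step 101 derives the detection items from the asset attributes. The following Python is an added example, not code from the patent: it encodes the stated conditions (no app, no web page, no source code, classified protection level 3 or above, Internet-facing or not) as one rule function. The asset field names, the detection-item identifiers and the choice of which dimensions are mandatory at level 3 and above are assumptions of this example; the patent names the conditions but not the exact mandatory dimensions.

```python
"""Deriving security detection items from asset information (added example)."""
from dataclasses import dataclass

# Detection dimensions named in the patent; the identifiers are this example's own.
SOURCE_CODE = "source_code_security_detection"
BASE_ENV_SCAN = "basic_environment_vulnerability_scan"
BASE_ENV_CONFIG = "basic_environment_security_configuration_check"
COMPONENT = "component_security_detection"
WEB = "web_security_detection"
APP = "app_security_detection"
BUSINESS_LOGIC = "business_logic_test"

# Assumption: every system gets the basic-environment checks, and systems at
# classified protection level 3 or above must additionally get these two
# dimensions (the patent says such systems "must" get certain dimensions
# without naming them).
BASELINE_ITEMS = (BASE_ENV_SCAN, BASE_ENV_CONFIG)
LEVEL3_MANDATORY_ITEMS = (COMPONENT, BUSINESS_LOGIC)


@dataclass(frozen=True)
class AssetInfo:
    """Subset of the asset information collected in step 101 (field names assumed)."""
    has_source_code: bool
    has_web_page: bool
    has_app: bool
    internet_facing: bool
    protection_level: int  # classified protection level of the system


def select_detection_items(asset: AssetInfo) -> list:
    """Return the ordered, de-duplicated list of security detection items."""
    items = list(BASELINE_ITEMS)
    # No source code -> no source code detection.
    if asset.has_source_code:
        items.append(SOURCE_CODE)
    # Web and app class detection only for Internet-facing systems, and only
    # for the surfaces the system actually has; an internal system gets only
    # the basic-environment and source-code dimensions.
    if asset.internet_facing:
        if asset.has_web_page:
            items.append(WEB)
        if asset.has_app:
            items.append(APP)
    # Assumption: the level-3 obligations apply even to internal systems.
    if asset.protection_level >= 3:
        items.extend(LEVEL3_MANDATORY_ITEMS)
    # Preserve order while removing any duplicates.
    return list(dict.fromkeys(items))


if __name__ == "__main__":
    internet_level3 = AssetInfo(True, True, False, True, 3)
    internal_level2 = AssetInfo(False, True, True, False, 2)
    print(select_detection_items(internet_level3))
    print(select_detection_items(internal_level2))
```

The returned list is the input handed to the security tool engines; keeping it ordered and free of duplicates matters once several rules contribute the same dimension.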
Step 102: generating system-specification risk information based on the asset information and the results of the security detection.
In this embodiment, the integration of multi-vendor security detection tool systems can be achieved by abstracting functions and interfaces. However, because the usage scenarios and the input and output items of the detection functions of each dimension differ, the detection tools of each dimension (such as the web layer) need to be standardized and integrated separately. Specifically, the system-specification risk information can be realized by abstracting common interface capabilities and input items, with report values as the input. Besides the standardized results of each security detection, the system-specification risk information may also include some asset information. It may include information such as the system name, vulnerability name, vulnerability level, vulnerability detection time, vulnerability location and rectification suggestion.
Step 103: determining actual security vulnerabilities, the actual security vulnerabilities being determined on the basis of the system-specification risk information.
In practice, because security detection technologies differ in their standards or accuracy, a security vulnerability detected by a security tool may not actually exist. Therefore, before security vulnerabilities are processed, the actual security vulnerabilities first need to be determined.
Actual security vulnerabilities can be determined in different ways. For example, on the premise that, as described above, security tools of different types carry out security detection of the same security detection item, determining the actual security vulnerabilities may include: determining the same security vulnerability detected by at least two security tools to be an actual security vulnerability. If at least two security tools both report the same security vulnerability, that vulnerability is more likely to really exist.
In other implementations, actual security vulnerabilities can be determined according to user input. Specifically, a security vulnerability detected by only one security tool may be determined to be an actual security vulnerability according to confirmation information input by the user. In some cases, after a security tool detects a security vulnerability, the relevant staff can determine from the type of the vulnerability combined with their experience that it really exists, and confirm through the corresponding input that it is an actual security vulnerability.
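Step 103 gives two rules for telling actual vulnerabilities from tool noise: agreement of at least two different tools, or a single-tool finding confirmed by staff. The following Python is an added example, not the patent's own code, that applies both rules to findings drawn from the system-specification risk information and also yields the queue of single-tool findings still awaiting manual confirmation. The Finding fields, the normalised (name, location) key used to decide that two tools report the same vulnerability, and the sample findings are all constructed for this illustration.

```python
"""Determining actual security vulnerabilities from multi-tool findings (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One entry of system-specification risk information (fields assumed)."""
    tool: str      # security tool that reported it
    name: str      # vulnerability name
    location: str  # vulnerability location, e.g. URL path or source file
    level: str     # "high", "medium" or "low"


def finding_key(f: Finding) -> tuple:
    # Assumption: two tools report the "same" vulnerability when name and
    # location agree after case and whitespace normalisation.
    return (" ".join(f.name.lower().split()), f.location.strip().lower())


def group_tools_by_vulnerability(findings) -> dict:
    """Map each vulnerability key to the set of distinct tools reporting it."""
    tools_by_key = defaultdict(set)
    for f in findings:
        tools_by_key[finding_key(f)].add(f.tool)
    return dict(tools_by_key)


def determine_actual_vulnerabilities(findings, confirmed_keys=frozenset(), min_tools=2) -> dict:
    """Return {key: sorted tool names} for the actual vulnerabilities.

    A vulnerability is actual when at least `min_tools` distinct tools report
    it, or when its key carries a user confirmation (single-tool case).
    """
    actual = {}
    for key, tools in group_tools_by_vulnerability(findings).items():
        if len(tools) >= min_tools or key in confirmed_keys:
            actual[key] = sorted(tools)
    return actual


def pending_confirmation(findings, confirmed_keys=frozenset(), min_tools=2) -> list:
    """Keys reported by fewer than `min_tools` tools and not yet confirmed:
    the queue handed to staff for manual determination."""
    groups = group_tools_by_vulnerability(findings)
    return sorted(k for k, t in groups.items()
                  if len(t) < min_tools and k not in confirmed_keys)


# Constructed sample findings: one vulnerability seen by two tools, one seen by
# a single tool and confirmed manually, and one seen by a single tool only.
SAMPLE_FINDINGS = [
    Finding("sast-scanner", "SQL Injection", "/login", "high"),
    Finding("dast-scanner", "sql injection", "/LOGIN ", "high"),
    Finding("sast-scanner", "SQL Injection", "/login", "high"),  # same tool again, counts once
    Finding("sast-scanner", "Hard-coded secret", "config.py", "medium"),
    Finding("config-checker", "Missing security header", "/", "low"),
]
SAMPLE_CONFIRMED = frozenset({("hard-coded secret", "config.py")})


if __name__ == "__main__":
    print(determine_actual_vulnerabilities(SAMPLE_FINDINGS, SAMPLE_CONFIRMED))
    print(pending_confirmation(SAMPLE_FINDINGS, SAMPLE_CONFIRMED))
```

A tool that reports the same vulnerability twice is counted once, so the two-tool rule really does require two independent detectors rather than two findings.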
Step 104: hardening the determined actual security vulnerabilities; if hardening succeeds, proceeding to step 101, and if hardening fails or is not carried out, proceeding to step 105.
In this embodiment, the determined actual security vulnerabilities need to be hardened one by one, automatically or manually. If hardening succeeds, the process returns to step 101 to carry out security detection again and output new system-specification risk information. If hardening fails or is not carried out, the risk value of the application system needs to be calculated so that subsequent processing can be determined from the result.
Step 105: calculating the current risk value of the application system.
The current risk value can be calculated and determined according to a preset algorithm from the current actual security vulnerability situation of the application system.
Step 106: determining the risk processing type according to the current risk value and preset rules.
Several risk processing types can be defined according to the practical needs of the enterprise. In one implementation, determining the risk processing type according to the current risk value and preset rules may include: determining, according to the comparison of the current risk value with preset thresholds, that the risk processing type is avoid risk, reduce risk, transfer risk or accept risk. In this implementation the risk processing types are divided into four classes, avoid risk, reduce risk, transfer risk and accept risk, and the corresponding preset thresholds may include threshold 1, threshold 2 and threshold 3: when the current risk value is greater than or equal to threshold 1, the risk processing type is determined to be avoid risk; when the current risk value is less than threshold 1 and greater than or equal to threshold 2, reduce risk; when the current risk value is less than threshold 2 and greater than or equal to threshold 3, transfer risk; and when the current risk value is less than threshold 3, accept risk.
In this embodiment, the risk processing determination method for an application system makes it possible to carry out multi-dimensional security detection and unified risk processing at the application system level, integrating the discovery, rectification and tracking of application-system security problems, and so meets the enterprise's requirements for comprehensive, holistic and process-oriented security detection.
Fig. 2 is a flowchart of calculating the current risk value disclosed in an embodiment of the invention. As shown in Fig. 2, calculating the current risk value may include:
Step 201: calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system.
Specifically, calculating the residual risk of the application system may include: summing the risk value of each actual security vulnerability to obtain the residual risk of the application system, where risk value = (vulnerability risk level * vulnerability object carrier value * classified protection level of the application system). For example, for the vulnerability risk level, the scores of high, medium and low risk are 4, 2 and 1 respectively; for the vulnerability object carrier, the scores of business application, basic environment and program code are 3, 2 and 1 respectively; for the classified protection level of the application system, the scores of levels 4, 3 and 2 are 3, 2 and 1 respectively. If the risk level of an actual security vulnerability is medium, its object carrier is the business application and the classified protection level of the application system is 2, then its risk value is 2*3*1=6.
Step 202: calculating the current risk value of the application system according to the residual risk and the risk adjustment factor.
Specifically, the current risk value of the application system can be calculated according to the formula risk value = residual risk * risk adjustment factor.
Fig. 3 is a flowchart of determining the risk adjustment factor disclosed in an embodiment of the invention. As shown in Fig. 3, determining the risk adjustment factor may include:
Step 301: determining the mean and the standard deviation σ of the historical vulnerability counts of each responsible development vendor.
Step 302: determining the current vulnerability count of the responsible development vendor to which the application system belongs.
Step 303: calculating the current vulnerability difference, where current vulnerability difference = (current vulnerability count - mean vulnerability count).
Step 304: determining adjustment value 1 according to the ratio of the current vulnerability difference to the standard deviation of the vulnerability count.
For example, if the ratio falls in the 1σ interval, adjustment value 1 = initial value * 1.5 (adjustable according to the enterprise's internal security management requirements);
in the 2σ interval, adjustment value 1 = initial value * 2.5 (adjustable likewise);
in the 3σ interval and above, adjustment value 1 = initial value * 4 (adjustable likewise);
in the -1σ interval, adjustment value 1 = initial value * 0.6 (adjustable likewise);
in the -2σ interval, adjustment value 1 = initial value * 0.4 (adjustable likewise);
in the -3σ interval and below, adjustment value 1 = initial value * 0.25 (adjustable likewise).
Step 305: determining, separately for high-, medium- and low-risk vulnerabilities, the mean and standard deviation of the historical rectification times of each responsible development vendor.
Step 306: determining, separately for high-, medium- and low-risk vulnerabilities, the current rectification time of the responsible development vendor to which the application system belongs.
Step 307: calculating separately the current rectification time difference for high, medium and low risk, where current rectification time difference = (current rectification time - mean rectification time).
Step 308: determining adjustment value 2 for each risk level, namely high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2, according to the ratio of the current rectification time difference of each risk level to the standard deviation of the rectification time of that risk level, together with adjustment value 1.
Here adjustment value 2 = adjustment value 1 * X (X is adjustable according to the enterprise's internal security management requirements); X takes a different value depending on the σ interval of the rectification time into which the ratio of the current rectification time difference to the standard deviation of the rectification time falls, in the same way as explained above for adjustment value 1.
Step 309: determining the risk adjustment factor according to the high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2 and a preset algorithm.
Here, risk adjustment factor = high-risk adjustment value 2 * 0.6 + medium-risk adjustment value 2 * 0.3 + low-risk adjustment value 2 * 0.1. Of course, the weights 0.6, 0.3 and 0.1 can be implemented differently, for example as 0.7, 0.2, 0.1 or 0.5, 0.3, 0.2, and can be adjusted according to the needs of the enterprise; it is only necessary that the three weights sum to 1, that the weight applied to the high-risk adjustment value 2 is the largest, and that the weight applied to the low-risk adjustment value 2 is the smallest.
In this embodiment, the risk adjustment factor is based on the vulnerability situation and rectification times of the historical responsible development vendors, combined with the current vulnerability count and the current rectification time, which are determined dynamically in real time, and so provides a comprehensive assessment. The risk adjustment factor can be published to the relevant responsible development vendors, which helps to urge them to reduce the number of vulnerabilities and rectify them in time, raising the security maturity of the enterprise as a whole.
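Steps 301 to 309 describe the risk adjustment factor as a procedure. The following Python is an added example, not the patent's own code, that carries it through end to end on constructed vendor data. Its assumptions, none of which the patent fixes: standard deviations are population standard deviations; the σ intervals are read as 0 < r ≤ 1, 1 < r ≤ 2 and r > 2 for the 1σ, 2σ and "3σ and above" intervals (mirror image for negative r), a ratio of exactly 0 leaves the value unchanged, and a zero standard deviation is treated as a zero ratio; the initial value is 1.0; and the multiplier X for adjustment value 2 follows the same interval table the text gives for adjustment value 1. The weight check enforces the three constraints the text states for the preset algorithm.

```python
"""Risk adjustment factor from vendor vulnerability counts and rectification times (added example)."""
import math
from statistics import mean, pstdev

# Weights of the preset algorithm in step 309 (the text's default 0.6/0.3/0.1).
WEIGHTS = {"high": 0.6, "medium": 0.3, "low": 0.1}
LEVELS = ("high", "medium", "low")


def interval_multiplier(ratio: float) -> float:
    """Multiplier for the σ interval a ratio falls into (table from step 304).

    Interval boundaries and the behaviour at exactly 0 are assumptions of
    this example; the text names the intervals but not their edges.
    """
    if ratio > 2:
        return 4.0    # 3σ and above
    if ratio > 1:
        return 2.5    # 2σ interval
    if ratio > 0:
        return 1.5    # 1σ interval
    if ratio == 0:
        return 1.0    # exactly at the mean: unchanged (assumption)
    if ratio >= -1:
        return 0.6    # -1σ interval
    if ratio >= -2:
        return 0.4    # -2σ interval
    return 0.25       # -3σ and below


def sigma_ratio(current: float, history) -> float:
    """(current - mean) / standard deviation over the historical vendor values.

    A zero standard deviation (all vendors identical) is treated as ratio 0
    rather than dividing by zero (assumption).
    """
    sigma = pstdev(history)
    if sigma == 0:
        return 0.0
    return (current - mean(history)) / sigma


def adjustment_value_1(current_count: int, history_counts, initial: float = 1.0) -> float:
    """Steps 301-304: adjustment value 1 from the vendor's vulnerability count."""
    return initial * interval_multiplier(sigma_ratio(current_count, history_counts))


def adjustment_value_2(adj1: float, current_time: float, history_times) -> float:
    """Steps 305-308 for one risk level: adjustment value 2 = adjustment value 1 * X."""
    return adj1 * interval_multiplier(sigma_ratio(current_time, history_times))


def validate_weights(weights: dict) -> None:
    """Constraints stated for step 309: sum to 1, high largest, low smallest."""
    if not math.isclose(sum(weights[lvl] for lvl in LEVELS), 1.0):
        raise ValueError("weights must sum to 1")
    if not weights["high"] > weights["medium"] > weights["low"]:
        raise ValueError("high-risk weight must be largest and low-risk weight smallest")


def risk_adjustment_factor(current_count, history_counts, current_times, history_times,
                           weights=WEIGHTS, initial=1.0) -> float:
    """Step 309: weighted sum of the per-level adjustment value 2."""
    validate_weights(weights)
    adj1 = adjustment_value_1(current_count, history_counts, initial)
    return sum(weights[lvl] * adjustment_value_2(adj1, current_times[lvl], history_times[lvl])
               for lvl in LEVELS)


# Constructed sample data (counts per historical vendor, rectification times in days).
SAMPLE_HISTORY_COUNTS = [8, 8, 12, 12]   # mean 10, σ 2
SAMPLE_CURRENT_COUNT = 13                # 1.5σ above the mean -> 2σ interval -> x2.5
SAMPLE_HISTORY_TIMES = {"high": [8, 8, 12, 12], "medium": [20, 20, 30, 30], "low": [40, 40, 60, 60]}
SAMPLE_CURRENT_TIMES = {"high": 9, "medium": 36, "low": 45}


if __name__ == "__main__":
    factor = risk_adjustment_factor(SAMPLE_CURRENT_COUNT, SAMPLE_HISTORY_COUNTS,
                                    SAMPLE_CURRENT_TIMES, SAMPLE_HISTORY_TIMES)
    print(round(factor, 4))
```

With the sample data, adjustment value 1 is 2.5; the high-risk rectification time is half a σ faster than average (X = 0.6, giving 1.5), the medium-risk time is 2.2σ slower (X = 4, giving 10.0) and the low-risk time is half a σ faster (X = 0.6, giving 1.5), so the factor is 0.6*1.5 + 0.3*10.0 + 0.1*1.5 = 4.05. A slow medium-risk rectification record therefore quadruples the vendor's risk exposure even though the vulnerability count alone would only have multiplied it by 2.5.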
For the sake of simple description, each of the above method embodiments is expressed as a series of combined actions, but those skilled in the art should understand that the invention is not limited by the order of the actions described, because according to the invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are preferred embodiments, and the actions and modules involved are not necessarily required by the invention.
The method has been described in detail in the embodiments of the invention disclosed above; the method of the invention can be realized by devices of various forms, so the invention also discloses a device, of which specific embodiments are given and described in detail below.
Fig. 4 is a schematic structural diagram of the risk processing determination device for an application system disclosed in an embodiment of the invention. As shown in Fig. 4, the risk processing determination device 40 for an application system may include:
A security detection module 401, for determining security detection items based on the asset information of the application system and executing the security detection corresponding to the security detection items.
In this embodiment, the asset information of the application system may first be collected; specifically, it may be collected from the dimension of the application system by manual entry or by linking to an existing asset management system. The asset information may include, but is not limited to, main information such as asset IP addresses, source code, operating system, middleware, database, open-source components and the application system's access address or app, together with information associated with the system, such as the application developer, the application development vendor, the operating system administrator, the database administrator and the middleware administrator.
After the asset information of the application system has been collected, different detection requirement values may be derived according to the enterprise's internal security management requirements and the attributes of the application system; the main output is whether detection is to be carried out and which dimensions of security detection are to be scheduled. The security detection items, that is, which security detection needs to be done, are determined from conditions such as the adaptive attributes of the application (if there is no app, app security detection need not be carried out; if there is no web page, web security detection need not be carried out; if there is no source code, source code security detection need not be carried out; and so on), the classified protection level of the system (for example, systems at level 3 or above must be detected in certain dimensions), and whether the system provides services to the Internet (for example, a system facing the Internet is subjected to app and web class detection, while a system not facing the Internet is only subjected to detection such as basic environment and source code). The corresponding security tool engines are then called to execute the security detection process.
The safety detection may include, but is not limited to, source-code safety detection, basic-environment vulnerability scanning, basic-environment security configuration verification, component safety detection, web safety detection, APP safety detection and business-logic testing.
In one illustrative example, the safety detection module 401 is specifically configured to determine safety detection items based on the asset information of the application system and to execute the safety detection corresponding to those items using multiple security tools, including performing safety detection on the same safety detection item with different types of security tools. Running different types of security tools against the same safety detection item and considering the detection results of all of them together can reduce or correct the safety detection results and improves the overall confidence of the detection results.
An information generating module 402, configured to generate system-standardized risk information based on the asset information and the detection results of the safety detection.
In this embodiment, the fusion of safety detection tool systems from multiple vendors can be realized by abstracting their functions and interfaces. Because the usage scenarios and the input and output items of the detection functions differ between dimensions, the detection tools of each dimension (for example, the web layer) need to be standardized and integrated separately. Specifically, the system-standardized risk information can be realized through abstracted common interface capabilities and input items together with the input report values. Besides the standardized results of each safety detection, the system-standardized risk information may also include some asset information; it may include, for example, the system name, vulnerability name, vulnerability level, vulnerability detection time, vulnerability location and remediation suggestions.
A vulnerability determining module 403, configured to determine the actual security vulnerabilities, where the actual security vulnerabilities are determined based on the system-standardized risk information.
In practice, because the standards or the accuracy of safety detection technologies differ, a security vulnerability detected by a security tool may not exist in reality. Therefore, before security vulnerabilities are handled, the actual security vulnerabilities must first be determined.
The actual security vulnerabilities can be determined in different ways. For example, on the premise described above that different types of security tools perform safety detection on the same safety detection item, the vulnerability determining module 403 may be specifically configured to determine as an actual security vulnerability any security vulnerability that at least 2 security tools detect. If at least two security tools report the same security vulnerability, the probability that this security vulnerability really exists is higher.
In other implementations, the actual security vulnerabilities can be determined according to user input. Specifically, a security vulnerability detected by only one security tool is determined to be an actual security vulnerability according to confirmation information entered by the user. In some cases, after a security tool detects a security vulnerability, the relevant staff can judge from the vulnerability type and their experience that the security vulnerability really exists, and confirm it as an actual security vulnerability through the corresponding input.
A vulnerability reinforcing module 404, configured to reinforce the determined actual security vulnerabilities.
In this embodiment, each determined actual security vulnerability needs to be reinforced one by one, automatically or manually. If the reinforcement succeeds, control returns to the safety detection module 401, which re-runs the safety detection and outputs new system-standardized risk information. If the reinforcement fails or is not carried out, the risk value of the application system needs to be calculated, so that the subsequent handling can be determined from the calculated result.
A risk value computing module 405, configured to calculate the present risk value of the application system when the vulnerability reinforcing module fails to reinforce an actual security vulnerability or does not reinforce it.
The present risk value can be calculated according to a preset algorithm from the current actual security vulnerabilities of the application system.
A processing determining module 406, configured to determine the risk processing type according to the present risk value and preset rules.
Several risk processing types can be defined according to the enterprise's actual needs. In one implementation, the processing determining module 406 is specifically configured to determine, from the comparison of the present risk value with preset thresholds, whether the risk processing type is avoid risk, reduce risk, transfer risk or accept risk. In this implementation the risk processing types are divided into 4 classes, avoid risk, reduce risk, transfer risk and accept risk, and the corresponding preset thresholds may comprise threshold 1, threshold 2 and threshold 3: when the present risk value is greater than or equal to threshold 1, the risk processing type is determined to be avoid risk; when the present risk value is less than threshold 1 and greater than or equal to threshold 2, the risk processing type is determined to be reduce risk; when the present risk value is less than threshold 2 and greater than or equal to threshold 3, the risk processing type is determined to be transfer risk; and when the present risk value is less than threshold 3, the risk processing type is determined to be accept risk.
In this embodiment, the risk processing determining device of the application-oriented system can perform multi-dimensional safety detection and unified risk processing at the application-system level, integrating the discovery, remediation and tracking of application-system security problems into one process, and meeting the enterprise's requirements for comprehensive, holistic and process-driven safety detection.
Fig. 5 is a structural schematic diagram of the risk value computing module disclosed in an embodiment of the present invention. As shown in Fig. 5, the risk value computing module 405 may include:
A residual risk computing module 501, configured to calculate the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system.
Specifically, calculating the residual risk of the application system may comprise summing the risk values of all actual security vulnerabilities to obtain the residual risk of the application system, where risk value = (vulnerability risk level * vulnerability object carrier value * application system classified protection level). For example, vulnerability risk level: the scores of high risk, medium risk and low risk are 4, 2 and 1 respectively; vulnerability object carrier: the scores of business application, basic environment and program code are 3, 2 and 1 respectively; application system classified protection level: the scores of level 4, level 3 and level 2 are 3, 2 and 1 respectively. If the risk level of an actual security vulnerability is medium, its object carrier is a business application and the classified protection level of the application system is level 2, its risk value is 2*3*1=6.
A risk value computing submodule 502, configured to calculate and determine the present risk value of the application system according to the residual risk and the risk adjustment factor.
Specifically, the present risk value of the application system can be calculated and determined according to the formula risk value = residual risk * risk adjustment factor.
In this embodiment, the risk adjustment factor is based on the historical vulnerability situation and remediation times of the responsible development vendor, combined with that vendor's current vulnerability count and current remediation times, which are determined dynamically in real time, so that it has a comprehensive evaluation effect. The risk adjustment factor can be published to the responsible development vendor, which helps to urge it to reduce its vulnerability count and to remediate promptly, raising the enterprise's security maturity as a whole.
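The residual-risk sum, the present-risk formula and the four-way threshold rule described above, carried through in Python as an added worked example (this is not code from the patent). The score tables are the ones the description gives; the list of confirmed vulnerabilities, the three threshold values and the adjustment factor value are constructed inputs, because the patent leaves those to the enterprise.

```python
"""Added worked example: residual risk, present risk value and risk-processing
type per the patent's description. Score tables follow the text; the sample
findings, thresholds and adjustment factor are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, Tuple

# Score tables as given in the description (Fig. 5 embodiment).
RISK_LEVEL_SCORE = {"high": 4, "medium": 2, "low": 1}
CARRIER_SCORE = {"business_application": 3, "basic_environment": 2, "program_code": 1}
PROTECTION_LEVEL_SCORE = {4: 3, 3: 2, 2: 1}  # classified protection level -> score


@dataclass(frozen=True)
class Vulnerability:
    name: str
    risk_level: str  # "high" | "medium" | "low"
    carrier: str     # key of CARRIER_SCORE


def vulnerability_risk_value(v: Vulnerability, protection_level: int) -> int:
    """risk value = risk level score * object carrier score * protection level score."""
    return (RISK_LEVEL_SCORE[v.risk_level]
            * CARRIER_SCORE[v.carrier]
            * PROTECTION_LEVEL_SCORE[protection_level])


def residual_risk(vulns: Iterable[Vulnerability], protection_level: int) -> int:
    """Residual risk of the application system: sum over all confirmed vulnerabilities."""
    return sum(vulnerability_risk_value(v, protection_level) for v in vulns)


def present_risk_value(residual: float, adjustment_factor: float) -> float:
    """Present risk value = residual risk * risk adjustment factor."""
    return residual * adjustment_factor


def risk_processing_type(value: float, t1: float, t2: float, t3: float) -> str:
    """Map the present risk value onto the four processing types. The comparison
    rule only partitions the value range when threshold 1 > threshold 2 > threshold 3,
    so a mis-ordered configuration is rejected instead of silently misclassifying."""
    if not t1 > t2 > t3:
        raise ValueError("thresholds must satisfy threshold 1 > threshold 2 > threshold 3")
    if value >= t1:
        return "avoid"
    if value >= t2:
        return "reduce"
    if value >= t3:
        return "transfer"
    return "accept"


# Constructed sample: the description's own worked case (medium risk, business
# application, level 2 -> 6) plus two further constructed findings.
SAMPLE_VULNS = [
    Vulnerability("constructed finding A", "medium", "business_application"),  # 2*3*1 = 6
    Vulnerability("constructed finding B", "high", "basic_environment"),       # 4*2*1 = 8
    Vulnerability("constructed finding C", "low", "program_code"),             # 1*1*1 = 1
]
SAMPLE_PROTECTION_LEVEL = 2
THRESHOLDS = (30.0, 15.0, 5.0)  # constructed threshold 1, 2, 3 (not given in the patent)


def assess(vulns=SAMPLE_VULNS, protection_level=SAMPLE_PROTECTION_LEVEL,
           adjustment_factor=1.5, thresholds=THRESHOLDS) -> Tuple[int, float, str]:
    """Run the whole chain: residual risk -> present risk value -> processing type."""
    residual = residual_risk(vulns, protection_level)
    value = present_risk_value(residual, adjustment_factor)
    return residual, value, risk_processing_type(value, *thresholds)


if __name__ == "__main__":
    print(assess())  # (15, 22.5, 'reduce')
```

Because the protection-level score multiplies every finding, the same three findings on a level-4 system score 45 rather than 15, which is how the formula pushes higher-classified systems toward the "avoid" and "reduce" outcomes for identical technical findings.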
The risk processing determining device of the application-oriented system in any of the above embodiments comprises a processor and a memory. The safety detection module, information generating module, vulnerability determining module, vulnerability reinforcing module, risk value computing module, processing determining module and so on of the above embodiments are stored in the memory as program modules, and the processor executes the program modules stored in the memory to realize the corresponding functions.
The processor comprises a kernel, which fetches the corresponding program modules from the memory. One or more kernels can be provided, and the processing of the data is realized by adjusting the kernel parameters.
The memory may comprise non-volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory comprises at least one memory chip.
An embodiment of the invention provides a storage medium on which a program is stored; when the program is executed by a processor, it implements the risk processing determining method of the application-oriented system described in the above embodiments.
An embodiment of the invention provides a processor for running a program, where the program, when run, executes the risk processing determining method of the application-oriented system described in the above embodiments.
Further, this embodiment provides an electronic device comprising a processor and a memory, where the memory stores executable instructions of the processor, and the processor is configured to execute, via the executable instructions, the risk processing determining method of the application-oriented system described in the above embodiments.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another. Since the devices disclosed in the embodiments correspond to the methods disclosed in the embodiments, their description is relatively brief, and the relevant points can be found in the description of the method.
It should also be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module can reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium known in the art.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A risk processing determining method of an application-oriented system, characterized by comprising:
determining safety detection items based on the asset information of an application system, and executing the safety detection corresponding to the safety detection items;
generating system-standardized risk information based on the asset information and the detection results of the safety detection;
determining actual security vulnerabilities, the actual security vulnerabilities being determined based on the system-standardized risk information;
reinforcing the determined actual security vulnerabilities;
if the reinforcement succeeds, returning to the step of determining safety detection items based on the asset information and executing the safety detection corresponding to the safety detection items;
if the reinforcement fails or is not carried out, calculating the present risk value of the application system;
determining the risk processing type according to the present risk value and preset rules.
2. The risk processing determining method of an application-oriented system according to claim 1, characterized in that the determining safety detection items based on the asset information of the application system and executing the safety detection corresponding to the safety detection items comprises:
determining safety detection items based on the asset information of the application system, and executing the safety detection corresponding to the safety detection items using multiple security tools;
including performing safety detection on the same safety detection item using different types of security tools;
and the determining actual security vulnerabilities comprises:
determining as an actual security vulnerability any security vulnerability that at least 2 security tools detect.
3. The risk processing determining method of an application-oriented system according to claim 1, characterized in that the determining actual security vulnerabilities comprises:
for a security vulnerability detected by only one security tool, determining it as an actual security vulnerability according to confirmation information entered by the user.
4. The risk processing determining method of an application-oriented system according to claim 1, characterized in that the calculating the present risk value of the application system comprises:
calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system;
calculating and determining the present risk value of the application system according to the residual risk and the risk adjustment factor.
5. The risk processing determining method of an application-oriented system according to claim 4, characterized in that the calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system comprises:
summing the risk values of all actual security vulnerabilities to obtain the residual risk of the application system, where risk value = (vulnerability risk level * vulnerability object carrier value * application system classified protection level).
6. The risk processing determining method of an application-oriented system according to claim 4, characterized in that the calculating and determining the present risk value of the application system according to the residual risk and the risk adjustment factor comprises:
calculating and determining the present risk value of the application system according to the formula risk value = residual risk * risk adjustment factor;
wherein the determination of the risk adjustment factor comprises:
determining the mean and the standard deviation of the historical vulnerability counts of the responsible development vendors;
determining the current vulnerability count of the responsible development vendor to which the application system belongs;
calculating the current vulnerability difference, where current vulnerability difference = (current vulnerability count - mean of the vulnerability counts);
determining adjustment value 1 according to the ratio of the current vulnerability difference to the standard deviation of the vulnerability counts;
determining respectively the mean and the standard deviation of the historical remediation times of the high-risk, medium-risk and low-risk vulnerabilities of the responsible development vendors;
determining respectively the current remediation times of the high-risk, medium-risk and low-risk vulnerabilities of the responsible development vendor to which the application system belongs;
calculating respectively the current remediation-time difference for high risk, medium risk and low risk, where current remediation-time difference = (current remediation time - mean of the remediation times);
determining the adjustment value 2 of each risk level, namely high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2, according to the ratio of the current remediation-time difference of that risk level to the standard deviation of the remediation times of the corresponding risk level, together with the adjustment value 1;
determining the risk adjustment factor according to the high-risk adjustment value 2, the medium-risk adjustment value 2, the low-risk adjustment value 2 and a preset algorithm.
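The determination of the risk adjustment factor in claim 6, as an added worked example in Python (not code from the patent). The mean and standard deviation inputs and the difference-to-standard-deviation ratios follow the claim; the claim does not say how a ratio is mapped to adjustment value 1, how the remediation-time ratio and adjustment value 1 are combined into adjustment value 2, or what the "preset algorithm" is, so the identity mapping, the additive combination, the per-level weights and the floor used here are assumptions, and the vendor history and current figures are constructed data.

```python
"""Added worked example: the risk adjustment factor of claim 6 from constructed
vendor history. Inputs follow the claim; the ASSUMPTION-marked mappings and
the final combination rule are illustrative choices, not the patent's."""
from statistics import mean, pstdev
from typing import Dict, List, Mapping

LEVELS = ("high", "medium", "low")


def _ratio(diff: float, std: float) -> float:
    """diff / std; a zero standard deviation (all vendors identical) yields 0
    rather than a division error."""
    return 0.0 if std == 0 else diff / std


def adjustment_value_1(history_counts: List[int], current_count: int) -> float:
    """Adjustment value 1 from the ratio (current count - mean count) / std of the
    historical vulnerability counts across responsible development vendors.
    ASSUMPTION: the ratio is used directly. Positive means this vendor currently
    carries more findings than its peers did."""
    diff = current_count - mean(history_counts)  # current vulnerability difference
    return _ratio(diff, pstdev(history_counts))


def adjustment_value_2(history_times: Mapping[str, List[float]],
                       current_times: Mapping[str, float],
                       adj1: float) -> Dict[str, float]:
    """Adjustment value 2 per risk level, from the ratio of the current
    remediation-time difference to that level's historical standard deviation,
    together with adjustment value 1. ASSUMPTION: the two are added."""
    out: Dict[str, float] = {}
    for level in LEVELS:
        hist = history_times[level]
        diff = current_times[level] - mean(hist)  # current remediation-time difference
        out[level] = _ratio(diff, pstdev(hist)) + adj1
    return out


# ASSUMPTION (the claim's preset algorithm is unspecified): factor = 1 plus a
# weighted sum of the three adjustment value 2 terms, weighted toward high risk,
# floored so that a well-performing vendor can never cancel residual risk outright.
ASSUMED_WEIGHTS = {"high": 0.5, "medium": 0.3, "low": 0.2}
ASSUMED_FLOOR = 0.5


def adjustment_factor(adj2: Mapping[str, float]) -> float:
    weighted = sum(ASSUMED_WEIGHTS[lvl] * adj2[lvl] for lvl in LEVELS)
    return max(ASSUMED_FLOOR, 1.0 + weighted)


def compute_factor(history_counts: List[int], history_times: Mapping[str, List[float]],
                   current_count: int, current_times: Mapping[str, float]) -> float:
    """Whole chain of claim 6: adjustment value 1 -> adjustment value 2 -> factor."""
    adj1 = adjustment_value_1(history_counts, current_count)
    adj2 = adjustment_value_2(history_times, current_times, adj1)
    return adjustment_factor(adj2)


# Constructed history: four vendors' vulnerability counts and their remediation
# times in days by risk level (values chosen so the statistics come out round).
HISTORY_COUNTS = [3, 3, 7, 7]                 # mean 5, std 2
HISTORY_TIMES = {
    "high": [1.0, 3.0, 1.0, 3.0],             # mean 2, std 1
    "medium": [4.0, 8.0, 4.0, 8.0],           # mean 6, std 2
    "low": [10.0, 20.0, 10.0, 20.0],          # mean 15, std 5
}
# Constructed current state of two hypothetical vendors owning an application system.
LAGGING_VENDOR = dict(current_count=9, current_times={"high": 4.0, "medium": 6.0, "low": 5.0})
PROMPT_VENDOR = dict(current_count=1, current_times={"high": 2.0, "medium": 6.0, "low": 15.0})

if __name__ == "__main__":
    print(compute_factor(HISTORY_COUNTS, HISTORY_TIMES, **LAGGING_VENDOR))  # 3.6
    print(compute_factor(HISTORY_COUNTS, HISTORY_TIMES, **PROMPT_VENDOR))   # 0.5
```

For the lagging vendor, adjustment value 1 is (9 - 5) / 2 = 2, the high-risk remediation ratio is (4 - 2) / 1 = 2, so the high-risk adjustment value 2 is 4 while slow low-risk remediation in the past (ratio -2) cancels to 0; the factor therefore scales the residual risk up by 3.6. The population standard deviation (pstdev) is used because the claim speaks of the standard deviation of the recorded vendors themselves rather than of a sample drawn from a larger population; the sample form would change the ratios but not the structure.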
7. The risk processing determining method of an application-oriented system according to claim 1, characterized in that the determining the risk processing type according to the present risk value and preset rules comprises:
according to the comparison of the present risk value with preset thresholds, determining the risk processing type as avoid risk, reduce risk, transfer risk or accept risk.
8. A risk processing determining device of an application-oriented system, characterized by comprising:
a safety detection module, configured to determine safety detection items based on the asset information of an application system and to execute the safety detection corresponding to the safety detection items;
an information generating module, configured to generate system-standardized risk information based on the asset information and the detection results of the safety detection;
a vulnerability determining module, configured to determine actual security vulnerabilities, the actual security vulnerabilities being determined based on the system-standardized risk information;
a vulnerability reinforcing module, configured to reinforce the determined actual security vulnerabilities;
a risk value computing module, configured to calculate the present risk value of the application system when the vulnerability reinforcing module fails to reinforce an actual security vulnerability or does not reinforce it;
a processing determining module, configured to determine the risk processing type according to the present risk value and preset rules.
9. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the risk processing determining method of an application-oriented system according to any one of claims 1 to 7.
10. An electronic device, characterized by comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to execute, via the executable instructions, the risk processing determining method of an application-oriented system according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811244378.0A CN109214192B (en) | 2018-10-24 | 2018-10-24 | Application system-oriented risk processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109214192A true CN109214192A (en) | 2019-01-15 |
CN109214192B CN109214192B (en) | 2021-01-29 |