CN109214192A - A kind of risk processing method and processing device of application oriented system


Info

Publication number: CN109214192A
Application number: CN201811244378.0A
Authority: CN (China)
Prior art keywords: risk, value, loophole, safety detection, application
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN109214192B (en)
Inventors: 王照文, 邹帮山, 秦旭果
Current assignee: Jilin Billion Bank Ltd By Share Ltd
Original assignee: Jilin Billion Bank Ltd By Share Ltd
Application filed by Jilin Billion Bank Ltd By Share Ltd; priority to CN201811244378.0A
Publication of CN109214192A; application granted; publication of CN109214192B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

This application discloses a risk processing determination method and device for an application system. Based on the application system's own asset information, security detection in multiple dimensions is performed on the application system using multiple types of security tools, the current risk value of the application system is dynamically and comprehensively assessed, and the risk processing type is determined from the current risk value. Through the risk processing determination method and device described herein, multi-dimensional security detection and unified risk processing can be carried out at the application-system level, integrating the discovery, remediation and tracking of the application system's security problems in the process, and meeting the enterprise's requirements for comprehensive, holistic and process-oriented management of security vulnerabilities.

Description

A kind of risk processing method and processing device of application oriented system
Technical field
The present invention relates to the field of information security technology and, more specifically, to a risk processing method and device for an application system.
Background technique
With the continuous development of Internet technology, security threats of all kinds emerge on the network one after another, and how an enterprise can effectively discover and dispose of known vulnerabilities has always been an important research topic in the field of network security.
Current network security products are usually products aimed at a specific field; for example, in the security testing field there are basic-environment vulnerability scanning products, source code security detection products, WEB security scanning products, APP security scanning products and so on, and each product differs in its security field and direction. At present there is no technology that can carry out comprehensive, multi-dimensional security detection and risk disposition at the application-system level.
Summary of the invention
In view of this, the present invention provides a risk processing method and device for an application system, so as to carry out multi-dimensional security detection and unified risk processing at the application-system level.
To achieve the above object, the invention provides the following technical scheme:
A risk processing determination method for an application system, comprising:
determining security detection items based on the asset information of the application system, and executing the security detection corresponding to the security detection items;
generating standardized system risk information based on the asset information and the results of the security detection;
determining actual security vulnerabilities, the actual security vulnerabilities being determined based on the standardized system risk information;
hardening the determined actual security vulnerabilities;
if the hardening succeeds, returning to the step of determining security detection items based on the asset information and executing the security detection corresponding to the security detection items;
if the hardening fails or is not performed, calculating the current risk value of the application system;
determining the risk processing type according to the current risk value and preset rules.
Optionally, determining security detection items based on the asset information of the application system and executing the security detection corresponding to the security detection items comprises:
determining security detection items based on the asset information of the application system, and executing the security detection corresponding to the security detection items using multiple security tools,
including: carrying out security detection on the same security detection item using different types of security tools;
and determining the actual security vulnerabilities then comprises:
determining a security vulnerability detected by at least two security tools as an actual security vulnerability.
Optionally, determining the actual security vulnerabilities comprises:
for a security vulnerability detected by only one security tool, determining it as an actual security vulnerability according to confirmation information entered by a user.
Optionally, calculating the current risk value of the application system comprises:
calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the application system's classified-protection level;
calculating the current risk value of the application system according to the residual risk and the risk adjustment factor.
Optionally, calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the application system's classified-protection level comprises:
summing the risk value of each actual security vulnerability to obtain the residual risk of the application system, wherein risk value = (vulnerability risk level * vulnerability object carrier value * application system classified-protection level).
Optionally, calculating the current risk value of the application system according to the residual risk and the risk adjustment factor comprises:
calculating the current risk value of the application system according to the formula: current risk value = residual risk * risk adjustment factor;
wherein determining the risk adjustment factor comprises:
determining the mean and standard deviation of the vulnerability counts of the historical responsible development vendors;
determining the current vulnerability count of the responsible development vendor of the application system;
calculating the current vulnerability difference, current vulnerability difference = (current vulnerability count - mean vulnerability count);
determining adjustment value 1 according to the ratio of the current vulnerability difference to the standard deviation of the vulnerability count;
determining respectively the mean and standard deviation of the remediation time of high-, medium- and low-risk vulnerabilities of the historical responsible development vendors;
determining respectively the current remediation time of high-, medium- and low-risk vulnerabilities of the responsible development vendor of the application system;
calculating separately the current remediation time difference for high, medium and low risk, current remediation time difference = (current remediation time - mean remediation time);
determining adjustment value 2 for each risk level according to the ratio of the current remediation time difference of that risk level to the standard deviation of the remediation time of the corresponding risk level, together with adjustment value 1, giving respectively high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2;
determining the risk adjustment factor according to the high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2 and a preset algorithm.
Optionally, determining the risk processing type according to the current risk value and preset rules comprises:
according to the comparison of the current risk value with preset thresholds, determining the risk processing type as risk avoidance, risk reduction, risk transfer or risk acceptance.
A risk processing determination device for an application system, comprising:
a security detection module, for determining security detection items based on the asset information of the application system and executing the security detection corresponding to the security detection items;
an information generating module, for generating standardized system risk information based on the asset information and the results of the security detection;
a vulnerability determining module, for determining actual security vulnerabilities, the actual security vulnerabilities being determined based on the standardized system risk information;
a vulnerability hardening module, for hardening the determined actual security vulnerabilities;
a risk value calculating module, for calculating the current risk value of the application system when the vulnerability hardening module fails to harden the actual security vulnerabilities or does not harden them;
a processing determining module, for determining the risk processing type according to the current risk value and preset rules.
A computer-readable storage medium on which a computer program is stored, the program implementing, when executed by a processor, any of the above risk processing determination methods for an application system.
An electronic device, comprising:
a processor; and
a memory for storing instructions executable by the processor;
wherein the processor is configured to execute, via the executable instructions, any of the above risk processing determination methods for an application system.
It can be seen from the above technical scheme that, compared with the prior art, the embodiments of the invention disclose a risk processing determination method and device for an application system, which can, based on the application system's own asset information, perform multi-dimensional security monitoring on the application system using multiple types of security tools, dynamically and comprehensively assess the current risk value of the application system, and determine the risk processing type from the current risk value. Through the risk processing determination method and device described herein, multi-dimensional security detection and unified risk processing can be carried out at the application-system level, integrating the discovery, remediation and tracking of the application system's security problems in the process and meeting the enterprise's requirements for comprehensive, holistic and process-oriented security detection.
Detailed description of the invention
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flow chart of the risk processing determination method for an application system disclosed by an embodiment of the present invention;
Fig. 2 is a flow chart of calculating the current risk value disclosed by an embodiment of the present invention;
Fig. 3 is a flow chart of determining the risk adjustment factor disclosed by an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the risk processing determination device for an application system disclosed by an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of the risk value calculating module disclosed by an embodiment of the present invention.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flow chart of the risk processing determination method for an application system disclosed by an embodiment of the present invention. Referring to Fig. 1, the risk processing determination method for an application system may include:
Step 101: determining security detection items based on the asset information of the application system, and executing the security detection corresponding to the security detection items.
In this step, the asset information of the application system can first be collected; specifically, it can be collected from the application-system dimension by manual entry or by linking to an existing asset management system. The asset information can include, but is not limited to, main information such as asset IP, source code, operating system, middleware, database, open source components and application system access address/application system app, and information related to the system such as application developers, the application development vendor, the operating system administrator, the database administrator and the middleware administrator.
After the asset information of the application system is collected, different detection requirement values can be derived according to the enterprise's internal security management requirements and the attributes of the application system; the main output is whether to carry out security detection and in which dimensions. The security detection items, that is, which security detections need to be done, are determined from conditions such as adaptive attributes (selection: if there is no app, app security detection need not be carried out; if there is no web page, web security detection need not be carried out; if there is no source code, source code security detection need not be carried out, etc.), the system's classified-protection level (for example, which dimensions must be detected at level 3 and above), and whether the system provides services to the Internet (for example, Internet-facing systems undergo app and web class detection, while systems not facing the Internet undergo only basic-environment and source-code detection). The corresponding security tool engines are then called to execute the security detection process.
The security detection can include, but is not limited to, source code security detection, basic-environment vulnerability scanning, basic-environment security configuration verification, component security detection, web security detection, APP security detection, business logic testing and the like.
In a schematic example, determining security detection items based on the asset information of the application system and executing the security detection corresponding to the security detection items may include: determining security detection items based on the asset information of the application system, and executing the security detection corresponding to the security detection items using multiple security tools, including carrying out security detection on the same security detection item using different types of security tools. Carrying out security detection on the same security detection item with different types of security tools and considering the results of all the security tools together can reduce or correct the security detection results and improve the credibility of the detection results as a whole.
Step 102: generating standardized system risk information based on the asset information and the results of the security detection.
In this embodiment, the fusion of multi-vendor security detection tool systems can be realized by abstracting functions and interfaces. However, because the usage scenarios and the input and output items of the detection functions of each dimension differ, the detection tools of each dimension (such as the web layer) need to be standardized and integrated separately. Specifically, the standardized system risk information can be realized by abstracting common interface capabilities and input items and entering the report values. In addition to the standardized results of each security detection, the standardized system risk information can also include some asset information. It may include information such as the system name, vulnerability name, vulnerability level, vulnerability detection time, vulnerability location and remediation suggestion.
Step 103: determining actual security vulnerabilities, the actual security vulnerabilities being determined based on the standardized system risk information.
In practice, because security detection technologies differ in their standards and accuracy, a security vulnerability detected by a security tool may not actually exist, so the actual security vulnerabilities need to be determined before security vulnerabilities are processed.
Actual security vulnerabilities can be determined in different ways. For example, on the premise above that different types of security tools carry out security detection on the same security detection item, determining actual security vulnerabilities may include: determining a security vulnerability detected by at least two security tools as an actual security vulnerability. If at least two security tools both report the same security vulnerability, it is more likely that the vulnerability really exists.
In other implementations, actual security vulnerabilities can be determined according to user input. Specifically, a security vulnerability detected by only one security tool may be determined as an actual security vulnerability according to confirmation information entered by a user. In some cases, after a security tool detects a security vulnerability, the relevant staff can judge from the type of the vulnerability and their experience that it really exists, and confirm it as an actual security vulnerability through the corresponding input.
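The following is an added example, not code from the patent or its assignee, that implements Steps 101 to 103 on constructed data: it derives the security detection items from the asset attributes the description names (app, web page, source code, classified-protection level, Internet exposure), represents the standardized risk information as one record type with the fields listed under Step 102, and determines the actual security vulnerabilities by the two rules of Step 103 (reported by at least two tools, or reported by one tool and confirmed by a user). The asset keys, the detection item names, the baseline items that every system receives, the "business logic test at level 3 and above" rule, the sample findings and the identity used to match findings across tools are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset record; the keys are assumptions, not the patent's field names.
ASSET = {
    "system": "portal",
    "has_app": False,
    "has_web": True,
    "has_source_code": True,
    "protection_level": 3,   # classified-protection level of the system
    "internet_facing": True,
}

# Items every system receives in this example (assumption: the description lists
# the detection types but does not say which are unconditional).
BASELINE_ITEMS = [
    "basic_environment_vulnerability_scan",
    "basic_environment_security_config_check",
    "component_security_check",
]


def select_detection_items(asset):
    """Step 101: decide which security detection items to run for one system.

    Rules from the description: no app -> no app detection, no web page -> no web
    detection, no source code -> no source-code detection; a system not facing the
    Internet gets only basic-environment and source-code detection.  The
    business-logic test for level 3 and above is an assumption standing in for
    the unspecified level-dependent dimensions.
    """
    items = list(BASELINE_ITEMS)
    if asset["has_source_code"]:
        items.append("source_code_security_check")
    if asset["internet_facing"]:
        if asset["has_web"]:
            items.append("web_security_check")
        if asset["has_app"]:
            items.append("app_security_check")
        if asset["protection_level"] >= 3:
            items.append("business_logic_test")
    return items


@dataclass(frozen=True)
class Finding:
    """Step 102: one standardized risk record shared by all tools."""
    tool: str          # security tool that produced the record
    system: str        # system name
    vuln_name: str     # normalized vulnerability name
    level: str         # high / medium / low
    location: str      # vulnerability location (URL, host:port, file)
    detected_at: str   # vulnerability detection time
    suggestion: str    # remediation suggestion


# Constructed sample output of three tools after normalization (dates are made up).
FINDINGS = [
    Finding("scanner_a", "portal", "sql_injection", "high", "/login", "2018-10-01", "parameterize queries"),
    Finding("scanner_b", "portal", "sql_injection", "high", "/login", "2018-10-01", "parameterize queries"),
    Finding("scanner_a", "portal", "weak_tls_config", "medium", "10.0.0.5:443", "2018-10-01", "disable legacy ciphers"),
    Finding("scanner_c", "portal", "verbose_error_page", "low", "/api/v1/orders", "2018-10-01", "hide stack traces"),
]


def finding_key(finding):
    """Identity used to recognise the same vulnerability across tools (assumption)."""
    return (finding.system, finding.vuln_name, finding.location)


def determine_actual_vulnerabilities(findings, user_confirmed=frozenset()):
    """Step 103: map each accepted vulnerability key to the reason it was accepted.

    A vulnerability reported by at least two tools is accepted automatically; one
    reported by a single tool is accepted only if a user confirmed it.
    """
    tools_by_key = defaultdict(set)
    for finding in findings:
        tools_by_key[finding_key(finding)].add(finding.tool)
    actual = {}
    for key, tools in tools_by_key.items():
        if len(tools) >= 2:
            actual[key] = "corroborated by %d tools" % len(tools)
        elif key in user_confirmed:
            actual[key] = "single tool, confirmed by user"
    return actual


if __name__ == "__main__":
    print(select_detection_items(ASSET))
    confirmed = frozenset({("portal", "weak_tls_config", "10.0.0.5:443")})
    for key, reason in determine_actual_vulnerabilities(FINDINGS, confirmed).items():
        print(key, "->", reason)
```

The matching key is the weak point of this step in practice: two tools only "agree" if normalization has mapped their differing vulnerability names and locations onto the same key, which is why the description insists on standardizing each dimension's tools separately before correlating them.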
Step 104: hardening the determined actual security vulnerabilities; if the hardening succeeds, go to Step 101; if the hardening fails or is not performed, go to Step 105.
In this embodiment, the determined actual security vulnerabilities need to be hardened one by one, automatically or manually. If the hardening succeeds, return to Step 101 to carry out security detection again and output new standardized system risk information. If the hardening fails or is not performed, the risk value of the application system needs to be calculated, so that the subsequent processing is determined from the result.
Step 105: calculating the current risk value of the application system.
The current risk value can be calculated and determined according to a preset algorithm from the current actual security vulnerability situation of the application system.
Step 106: determining the risk processing type according to the current risk value and preset rules.
Several risk processing types can be defined according to the actual needs of the enterprise. In one implementation, determining the risk processing type according to the current risk value and preset rules may include: according to the comparison of the current risk value with preset thresholds, determining the risk processing type as risk avoidance, risk reduction, risk transfer or risk acceptance. In this implementation the risk processing types are divided into four classes, risk avoidance, risk reduction, risk transfer and risk acceptance, and the corresponding preset thresholds can include threshold 1, threshold 2 and threshold 3: when the current risk value is greater than or equal to threshold 1, the risk processing type is determined as risk avoidance; when the current risk value is less than threshold 1 and greater than or equal to threshold 2, as risk reduction; when the current risk value is less than threshold 2 and greater than or equal to threshold 3, as risk transfer; and when the current risk value is less than threshold 3, as risk acceptance.
In this embodiment, the risk processing determination method for an application system can carry out multi-dimensional security detection and unified risk processing at the application-system level, integrating the discovery, remediation and tracking of the application system's security problems in the process and meeting the enterprise's requirements for comprehensive, holistic and process-oriented security detection.
Fig. 2 is a flow chart of calculating the current risk value disclosed by an embodiment of the present invention. As shown in Fig. 2, calculating the current risk value may include:
Step 201: calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the application system's classified-protection level.
Specifically, calculating the residual risk of the application system may include: summing the risk value of each actual security vulnerability to obtain the residual risk of the application system, wherein risk value = (vulnerability risk level * vulnerability object carrier value * application system classified-protection level). For example, vulnerability risk level: the scores of high, medium and low risk are 4, 2 and 1 respectively; vulnerability object carrier: the scores of business application, basic environment and program code are 3, 2 and 1 respectively; application system classified-protection level: the scores of level 4, level 3 and level 2 are 3, 2 and 1 respectively. If the risk level of an actual security vulnerability is medium, its object carrier is a business application, and the application system's classified-protection level is 2, then its risk value is 2*3*1=6.
Step 202: calculating the current risk value of the application system according to the residual risk and the risk adjustment factor.
Specifically, the current risk value of the application system can be calculated according to the formula: current risk value = residual risk * risk adjustment factor.
Fig. 3 is a flow chart of determining the risk adjustment factor disclosed by an embodiment of the present invention. As shown in Fig. 3, determining the risk adjustment factor may include:
Step 301: determining the mean and the standard deviation σ of the vulnerability counts of the historical responsible development vendors.
Step 302: determining the current vulnerability count of the responsible development vendor of the application system.
Step 303: calculating the current vulnerability difference, current vulnerability difference = (current vulnerability count - mean vulnerability count).
Step 304: determining adjustment value 1 according to the ratio of the current vulnerability difference to the standard deviation of the vulnerability count.
For example, if the ratio lies in the 1σ interval, adjustment value 1 = initial value * 1.5 (adjustable according to the enterprise's internal security management requirements);
if in the 2σ interval, adjustment value 1 = initial value * 2.5 (adjustable according to the enterprise's internal security management requirements);
if in the 3σ-and-above interval, adjustment value 1 = initial value * 4 (adjustable according to the enterprise's internal security management requirements);
if in the -1σ interval, adjustment value 1 = initial value * 0.6 (adjustable according to the enterprise's internal security management requirements);
if in the -2σ interval, adjustment value 1 = initial value * 0.4 (adjustable according to the enterprise's internal security management requirements);
if in the -3σ-and-below interval, adjustment value 1 = initial value * 0.25 (adjustable according to the enterprise's internal security management requirements).
Step 305: determining respectively the mean and standard deviation of the remediation time of high-, medium- and low-risk vulnerabilities of the historical responsible development vendors.
Step 306: determining respectively the current remediation time of high-, medium- and low-risk vulnerabilities of the responsible development vendor of the application system.
Step 307: calculating separately the current remediation time difference for high, medium and low risk, current remediation time difference = (current remediation time - mean remediation time).
Step 308: determining adjustment value 2 for each risk level according to the ratio of the current remediation time difference of that risk level to the standard deviation of the remediation time of the corresponding risk level, together with adjustment value 1, giving respectively high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2.
Here, adjustment value 2 = adjustment value 1 * X (X can be adjusted according to the enterprise's internal security management requirements). When the ratio of the current remediation time difference to the standard deviation of the remediation time falls in different σ intervals of the remediation time, the value of X differs; see the explanation of adjustment value 1 above.
Step 309: determining the risk adjustment factor according to the high-risk adjustment value 2, medium-risk adjustment value 2 and low-risk adjustment value 2 and a preset algorithm.
Here, risk adjustment factor = high-risk adjustment value 2 * 0.6 + medium-risk adjustment value 2 * 0.3 + low-risk adjustment value 2 * 0.1. Of course, the weights 0.6, 0.3 and 0.1 can be implemented differently, for example as 0.7, 0.2, 0.1 or 0.5, 0.3, 0.2, and can be adjusted according to the needs of the enterprise; it is only necessary that the three values sum to 1, that the weight multiplying the high-risk adjustment value 2 is the largest, and that the weight multiplying the low-risk adjustment value 2 is the smallest.
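The following is an added example, not code from the patent or its assignee, that carries Steps 105 and 106 and Figs. 2 and 3 through on constructed data: the residual risk of Step 201 with the score tables given above, adjustment value 1 from the σ table of Step 304, adjustment value 2 per risk level from the same table (Step 308), the weighted risk adjustment factor of Step 309 with the constraints the description places on its weights, the current risk value of Step 202, and the threshold comparison of Step 106. The description names the σ intervals without giving their edges, and gives no initial value for adjustment value 1; the interval edges used here (z in [0,1) is the 1σ interval, [1,2) the 2σ interval, 2 and above the 3σ-and-above interval, mirrored on the negative side), the initial value 1.0, the handling of a zero standard deviation, the vendor history, the thresholds 100/50/20 and the labels "avoid", "reduce", "transfer" and "accept" are all assumptions made for this example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Score tables as given in the description under Step 201.
RISK_LEVEL_SCORE = {"high": 4, "medium": 2, "low": 1}
CARRIER_SCORE = {"business_application": 3, "basic_environment": 2, "program_code": 1}
PROTECTION_LEVEL_SCORE = {4: 3, 3: 2, 2: 1}
# Step 309 weights; must sum to 1 with high > medium > low.
FACTOR_WEIGHTS = (0.6, 0.3, 0.1)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    risk_level: str   # high / medium / low
    carrier: str      # business_application / basic_environment / program_code


def vulnerability_risk_value(vuln, protection_level):
    """Step 201: risk level * object carrier value * classified-protection level."""
    return (RISK_LEVEL_SCORE[vuln.risk_level] * CARRIER_SCORE[vuln.carrier]
            * PROTECTION_LEVEL_SCORE[protection_level])


def residual_risk(vulns, protection_level):
    """Step 201: sum of the risk values of all actual security vulnerabilities."""
    return sum(vulnerability_risk_value(v, protection_level) for v in vulns)


def history_stats(values):
    """Steps 301/305: mean and standard deviation of a historical series."""
    return mean(values), pstdev(values)


def z_ratio(current, hist_mean, hist_std):
    """Steps 303-304 / 307-308: (current - mean) / standard deviation.
    The description does not cover a zero standard deviation; treated as no deviation (assumption)."""
    return 0.0 if hist_std == 0 else (current - hist_mean) / hist_std


def sigma_multiplier(z):
    """Multiplier table of Step 304; the interval edges are an assumption (see lead-in)."""
    if z >= 2:
        return 4.0    # 3σ and above
    if z >= 1:
        return 2.5    # 2σ interval
    if z >= 0:
        return 1.5    # 1σ interval
    if z > -1:
        return 0.6    # -1σ interval
    if z > -2:
        return 0.4    # -2σ interval
    return 0.25       # -3σ and below


def adjustment_value_1(current_count, hist_mean, hist_std, initial=1.0):
    """Step 304; the initial value is not fixed by the description, 1.0 assumed."""
    return initial * sigma_multiplier(z_ratio(current_count, hist_mean, hist_std))


def adjustment_value_2(adj1, current_time, hist_mean, hist_std):
    """Step 308: adjustment value 1 * X, with X read from the same σ table."""
    return adj1 * sigma_multiplier(z_ratio(current_time, hist_mean, hist_std))


def risk_adjustment_factor(adj2_high, adj2_medium, adj2_low, weights=FACTOR_WEIGHTS):
    """Step 309, enforcing the constraints stated for the weights."""
    w_high, w_medium, w_low = weights
    if abs(w_high + w_medium + w_low - 1.0) > 1e-9 or not (w_high > w_medium > w_low):
        raise ValueError("weights must sum to 1 with high > medium > low")
    return adj2_high * w_high + adj2_medium * w_medium + adj2_low * w_low


def risk_processing_type(current_risk, threshold1, threshold2, threshold3):
    """Step 106: thresholds must satisfy threshold1 > threshold2 > threshold3."""
    if not threshold1 > threshold2 > threshold3:
        raise ValueError("thresholds must be strictly decreasing")
    if current_risk >= threshold1:
        return "avoid"
    if current_risk >= threshold2:
        return "reduce"
    if current_risk >= threshold3:
        return "transfer"
    return "accept"


def run_example():
    """Worked run on constructed data for one system at classified-protection level 3."""
    vulns = [
        Vulnerability("sql_injection", "high", "business_application"),   # 4*3*2 = 24
        Vulnerability("weak_tls_config", "medium", "basic_environment"),   # 2*2*2 = 8
        Vulnerability("verbose_error_page", "low", "program_code"),        # 1*1*2 = 2
    ]
    residual = residual_risk(vulns, protection_level=3)                    # 34
    # Constructed vendor history: vulnerability counts and remediation days.
    count_mean, count_std = history_stats([6, 14])                         # 10, 4
    adj1 = adjustment_value_1(16, count_mean, count_std)                   # z = 1.5 -> 2.5
    adj2_high = adjustment_value_2(adj1, 6, *history_stats([3, 7]))        # z = 0.5 -> 3.75
    adj2_mid = adjustment_value_2(adj1, 9, *history_stats([6, 14]))        # z = -0.25 -> 1.5
    adj2_low = adjustment_value_2(adj1, 14, *history_stats([15, 25]))      # z = -1.2 -> 1.0
    factor = risk_adjustment_factor(adj2_high, adj2_mid, adj2_low)         # 2.8
    current = residual * factor                                            # 95.2
    return {"residual_risk": residual, "adjustment_factor": factor,
            "current_risk": current,
            "processing_type": risk_processing_type(current, 100, 50, 20)}  # reduce


if __name__ == "__main__":
    for name, value in run_example().items():
        print(name, "=", value)
```

Because the factor multiplies the whole residual risk, a vendor whose vulnerability count and remediation times sit above its historical mean can push a system over threshold 1 even when the residual risk alone would not; that is the intended lever for the vendor supervision described in the next paragraph, and also the reason the weights and interval edges should be fixed and recorded rather than tuned per incident.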
In the present embodiment, loophole situation and rectification time of the risk conditioned factor based on historic responsibility development company, in conjunction with Current loophole quantity dynamic in real time and current rectification time dynamic determine have comprehensive examination and evaluation.It can be by risk tune The section factor is published to related responsibility development company, is conducive to that it is supervised to reduce loophole quantity and is rectified and improved in time, is mentioned on the whole Rise enterprise security maturity.
For the various method embodiments described above, for simple description, therefore, it is stated as a series of action combinations, but Be those skilled in the art should understand that, the present invention is not limited by the sequence of acts described because according to the present invention, certain A little steps can be performed in other orders or simultaneously.Secondly, those skilled in the art should also know that, it is retouched in specification The embodiment stated belongs to preferred embodiment, and related actions and modules are not necessarily necessary for the present invention.
Method is described in detail in aforementioned present invention disclosed embodiment, diversified forms can be used for method of the invention Device realize that therefore the invention also discloses a kind of devices, and specific embodiment is given below and is described in detail.
Fig. 4 is that the risk of application oriented system disclosed by the embodiments of the present invention handles the structural schematic diagram of determining device, ginseng As shown in Figure 4, the risk processing determining device 40 of application oriented system may include:
Safety detection module 401, for determining safety detection items based on the asset information of the application system, and executing the safety detection corresponding to the safety detection items.
In the present embodiment, the asset information of the application system can first be collected. Specifically, it can be collected from the application-system dimension by manual entry or by linking to an existing asset management system. The asset information may include, but is not limited to, main information such as the asset IP, source code, operating system, middleware, database, open-source components and the application system access address or application system app, together with information associated with the system, such as the application developers, the application development company, the operating system administrator, the database administrator and the middleware administrator.
After the asset information of the application system is collected, different detection requirement values can be derived according to the enterprise's internal security management requirements and the attributes of the application system; the main output is whether a safety check is carried out and which dimensions it covers. The safety detection items are determined by conditions such as adaptive attribute selection (if there is no app, app safety detection need not be carried out; if there is no web page, web safety detection is not needed; if there is no source code, source code safety detection is not needed, and so on), the classified protection level of the system (for example, level 3 and above must carry out detection of certain dimensions), and whether the system provides services to the Internet (for example, web and app class detection for Internet-facing systems, and only basic environment and source code detection for systems that are not Internet-facing). That is, it is determined which safety detections need to be done. The corresponding security tool engine is then called to execute the safety detection process.
The safety detection may include, but is not limited to, source code safety detection, basic environment vulnerability scanning, basic environment security configuration verification, component safety detection, web safety detection, APP safety detection and business logic testing.
In a schematic example, the safety detection module 401 is specifically used to: determine safety detection items based on the asset information of the application system, and execute the safety detection corresponding to the safety detection items using a variety of security tools, including carrying out safety detection on the same safety detection item using different types of security tools. Using different types of security tools to carry out safety detection on the same safety detection item, and comprehensively considering the detection results of all the security tools, can reduce or correct the safety detection results and improve the confidence of the detection results on the whole.
Information generating module 402, for generating system specification risk information based on the asset information and the detection results of the safety detection.
In the present embodiment, the fusion of multi-vendor safety detection tool systems can be realized by abstracting functions and interfaces. Because the usage scenarios and the input and output items of the detection functions of each dimension differ, the detection tools of each dimension (such as the web layer) need to be standardized and integrated separately. Specifically, the system specification risk information can be realized by abstracting common interface capabilities and input items together with an input report value. In addition to the standardized detection results of each safety detection, the system specification risk information can also include some asset information. The system specification risk information may include information such as the system name, vulnerability name, vulnerability level, vulnerability detection time, vulnerability point location and improvement suggestions.
Vulnerability determining module 403, for determining actual security vulnerabilities, the actual security vulnerabilities being determined based on the system specification risk information.
In practice, because the standards or the accuracy of safety detection technologies differ, a security vulnerability detected by a security tool may not actually exist. Therefore, before security vulnerabilities are handled, the actual security vulnerabilities need to be determined first.
Actual security vulnerabilities can be determined in different ways. For example, on the premise described above that different types of security tools carry out safety detection on the same safety detection item, the vulnerability determining module 403 is specifically used to: determine the same security vulnerability detected by at least two security tools as an actual security vulnerability. If at least two security tools all report the same security vulnerability, the probability that this security vulnerability really exists is greater.
In other implementations, actual security vulnerabilities can be determined according to user input. Specifically, a security vulnerability detected by only one security tool may be determined as an actual security vulnerability according to confirmation information input by the user. In some cases, after a security tool detects a security vulnerability, the relevant staff can determine from the vulnerability type, combined with experience, that the vulnerability really exists, and confirm through the corresponding input that it is an actual security vulnerability.
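The two confirmation rules above (at least two tools agree, or one tool plus explicit user confirmation) can be put in one small decision routine. The following is an added example written for this page, not code from the patent; the tool names, system name and findings are constructed sample data, and the `Finding` data class and function names are assumptions of the example.

```python
"""Deciding which tool findings count as "actual" security vulnerabilities.

Added example (not code from the patent): a finding reported by at least two
different security tools is accepted automatically; a finding reported by a
single tool stays pending until a user confirms it.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str      # name of the security tool that reported the finding
    system: str    # application system the finding belongs to
    vuln: str      # normalized vulnerability title
    location: str  # vulnerability point (URL path, file, host:port)

    @property
    def key(self):
        """Identity of a vulnerability independent of which tool reported it."""
        return (self.system, self.vuln, self.location)


def group_by_vulnerability(findings):
    """Map each vulnerability key to the set of distinct tools that reported it."""
    groups = defaultdict(set)
    for finding in findings:
        groups[finding.key].add(finding.tool)
    return dict(groups)


def determine_actual_vulnerabilities(findings, user_confirmed=frozenset(), min_tools=2):
    """Split findings into (actual, pending).

    actual:  reported by >= min_tools distinct tools, or by one tool and
             explicitly confirmed by a user.
    pending: single-tool findings still awaiting manual confirmation.
    Both lists are sorted so the result is deterministic.
    """
    actual, pending = [], []
    for key, tools in group_by_vulnerability(findings).items():
        if len(tools) >= min_tools or key in user_confirmed:
            actual.append(key)
        else:
            pending.append(key)
    return sorted(actual), sorted(pending)


# Constructed sample findings from three hypothetical tools scanning one system.
SAMPLE_FINDINGS = [
    Finding("scanner-a", "crm", "SQL injection", "/login"),
    Finding("scanner-b", "crm", "SQL injection", "/login"),
    Finding("scanner-a", "crm", "XSS", "/search"),
    Finding("config-checker", "crm", "Weak TLS configuration", "crm.example:443"),
    # The same tool reporting twice is still one tool, not two.
    Finding("config-checker", "crm", "Weak TLS configuration", "crm.example:443"),
]

# A reviewer confirmed the TLS finding by hand (constructed input).
USER_CONFIRMED = frozenset({("crm", "Weak TLS configuration", "crm.example:443")})

if __name__ == "__main__":
    actual, pending = determine_actual_vulnerabilities(SAMPLE_FINDINGS, USER_CONFIRMED)
    print("actual:", actual)
    print("pending:", pending)
```

Grouping by a tool-independent key is the part that matters in practice: tools name the same weakness differently, so the title and location must be normalized before the "two tools agree" rule can be applied, and a tool that repeats itself must not be counted as corroboration.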
Vulnerability reinforcing module 404, for carrying out vulnerability reinforcement on the determined actual security vulnerabilities.
In the present embodiment, the determined actual security vulnerabilities need to be reinforced one by one, automatically or manually. If reinforcement succeeds, control returns to the safety detection module 401, which re-runs the safety detection and outputs new system specification risk information. If reinforcement fails or is not carried out, the risk value of the application system needs to be calculated so that subsequent processing can be determined according to the result.
Risk value computing module 405, for calculating the current risk value of the application system when the vulnerability reinforcing module fails to reinforce, or does not reinforce, the actual security vulnerabilities.
The current risk value can be calculated and determined according to a preset algorithm from the current actual security vulnerabilities of the application system.
Processing determining module 406, for determining the risk handling type according to the current risk value and preset rules.
According to actual enterprise needs, several risk handling types can be defined. In one implementation, the processing determining module 406 is specifically used to: determine the risk handling type as avoiding risk, reducing risk, transferring risk or accepting risk according to the comparison result of the current risk value and preset thresholds. In this implementation the risk handling types are divided into four classes, avoid risk, reduce risk, transfer risk and accept risk, and the corresponding preset thresholds may include threshold 1, threshold 2 and threshold 3. When the current risk value is greater than or equal to threshold 1, the risk handling type is determined as avoiding risk; when the current risk value is less than threshold 1 and greater than or equal to threshold 2, the risk handling type is determined as reducing risk; when the current risk value is less than threshold 2 and greater than or equal to threshold 3, the risk handling type is determined as transferring risk; and when the current risk value is less than threshold 3, the risk handling type is determined as accepting risk.
In the present embodiment, the risk processing determining device of the application-oriented system can carry out multi-dimensional safety detection and unified risk handling at the application-system level, integrating the discovery, rectification and tracking of application system security problems into one process, and meets the requirements of enterprise development for comprehensive, holistic and process-oriented safety detection.
Fig. 5 is a structural schematic diagram of the risk value computing module disclosed by an embodiment of the present invention. As shown in Fig. 5, the risk value computing module 405 may include:
Residual risk computing module 501, for calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system.
Specifically, calculating the residual risk of the application system may include: summing the risk values of each actual security vulnerability to obtain the residual risk of the application system, where risk value = (vulnerability risk level * vulnerability object carrier value * application system classified protection level). For example, the scores of the vulnerability risk levels high, medium and low are 4, 2 and 1 respectively; the scores of the vulnerability object carriers business application, basic environment and machine code program are 3, 2 and 1 respectively; and the scores of the application system classified protection levels 4, 3 and 2 are 3, 2 and 1 respectively. If the risk level of an actual security vulnerability is medium, its object carrier is a business application and the classified protection level of the application system is 2, its risk value is 2*3*1=6.
Risk value computing submodule 502, for calculating and determining the current risk value of the application system according to the residual risk and the risk adjustment factor.
Specifically, the current risk value of the application system can be calculated and determined according to the formula risk value = residual risk * risk adjustment factor.
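The scoring chain described in this section (per-vulnerability risk value, residual risk as the sum, current risk value as residual risk times the adjustment factor, and the three-threshold mapping to avoid / reduce / transfer / accept) is written out below as an added example for this page; it is not the patent's own code. The score tables are the ones in the worked example above. The thresholds (40, 20, 8), the adjustment factor 1.5 and the sample vulnerability list are constructed values, since the patent leaves the thresholds and factor to the operator; the function names are assumptions of the example.

```python
"""Residual risk, current risk value and risk handling type.

Added example (not the patent's own code). Score tables follow the worked
example in the description; thresholds, adjustment factor and sample
vulnerabilities are constructed values.
"""

# Score tables from the description: risk level, object carrier, classified protection level.
RISK_LEVEL_SCORE = {"high": 4, "medium": 2, "low": 1}
CARRIER_SCORE = {"business_application": 3, "basic_environment": 2, "machine_code": 1}
PROTECTION_LEVEL_SCORE = {4: 3, 3: 2, 2: 1}

# Assumed thresholds (threshold 1 > threshold 2 > threshold 3); not given in the patent.
DEFAULT_THRESHOLDS = (40.0, 20.0, 8.0)


def vulnerability_risk_value(level, carrier, protection_level):
    """risk value = vulnerability risk level * object carrier value * classified protection level."""
    return (RISK_LEVEL_SCORE[level]
            * CARRIER_SCORE[carrier]
            * PROTECTION_LEVEL_SCORE[protection_level])


def residual_risk(vulnerabilities, protection_level):
    """Sum of the risk values of all actual vulnerabilities of one application system.

    vulnerabilities: iterable of (level, carrier) pairs. The classified protection
    level is a property of the system, so every vulnerability shares it.
    """
    return sum(vulnerability_risk_value(level, carrier, protection_level)
               for level, carrier in vulnerabilities)


def current_risk_value(residual, adjustment_factor):
    """current risk value = residual risk * risk adjustment factor."""
    return residual * adjustment_factor


def risk_handling_type(risk_value, thresholds=DEFAULT_THRESHOLDS):
    """Map a risk value to avoid / reduce / transfer / accept with three thresholds."""
    t1, t2, t3 = thresholds
    if not t1 > t2 > t3:
        raise ValueError("thresholds must be strictly decreasing")
    if risk_value >= t1:
        return "avoid"
    if risk_value >= t2:
        return "reduce"
    if risk_value >= t3:
        return "transfer"
    return "accept"


def assess_system(vulnerabilities, protection_level, adjustment_factor,
                  thresholds=DEFAULT_THRESHOLDS):
    """Run the whole chain; returns (residual risk, current risk value, handling type)."""
    residual = residual_risk(vulnerabilities, protection_level)
    value = current_risk_value(residual, adjustment_factor)
    return residual, value, risk_handling_type(value, thresholds)


# Constructed sample: three actual vulnerabilities on a classified-protection level 3 system.
SAMPLE_VULNERABILITIES = [
    ("medium", "business_application"),
    ("high", "basic_environment"),
    ("low", "machine_code"),
]

if __name__ == "__main__":
    print(assess_system(SAMPLE_VULNERABILITIES, protection_level=3, adjustment_factor=1.5))
```

Because the protection level multiplies every term, the same set of findings yields a residual risk of 30 on a level 3 system and 15 on a level 2 system; the adjustment factor then scales that total up or down before the thresholds are applied, which is why a factor published to a development company (see the next paragraph) changes the handling type and not just a report figure.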
In the present embodiment, the risk adjustment factor is based on the historical vulnerability situation and rectification times of the responsible development company, combined with the current real-time vulnerability count and the current rectification times, and is determined dynamically so that it serves as a comprehensive assessment and evaluation. The risk adjustment factor can be published to the responsible development companies, which helps to urge them to reduce the number of vulnerabilities and rectify in time, and raises the enterprise's security maturity on the whole.
The risk processing determining device of the application-oriented system in any of the above embodiments includes a processor and a memory. The safety detection module, information generating module, vulnerability determining module, vulnerability reinforcing module, risk value computing module, processing determining module and so on in the above embodiments are stored in the memory as program modules, and the processor executes the above program modules stored in the memory to realize the corresponding functions.
The processor includes a kernel, which retrieves the corresponding program module from the memory. One or more kernels can be set, and the processing of the return-visit data is realized by adjusting kernel parameters.
The memory may include non-volatile memory in computer-readable media, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
An embodiment of the invention provides a storage medium on which a program is stored; when the program is executed by a processor, the risk processing determining method of the application-oriented system described in the above embodiments is realized.
An embodiment of the invention provides a processor for running a program, wherein when the program runs it executes the risk processing determining method of the application-oriented system described in the above embodiments.
Further, the present embodiment provides an electronic device including a processor and a memory. The memory is used to store executable instructions of the processor, and the processor is configured to execute, via the executable instructions, the risk processing determining method of the application-oriented system described in the above embodiments.
Each embodiment in this specification is described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other. Since the device disclosed in an embodiment corresponds to the method disclosed in the embodiments, its description is relatively simple, and the relevant points may be found in the description of the method part.
It should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of more restrictions, an element limited by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The steps of the method or algorithm described in conjunction with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module can be placed in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM or any other form of storage medium well known in the technical field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A risk processing determining method of an application-oriented system, characterized by comprising:
determining safety detection items based on the asset information of an application system, and executing safety detection corresponding to the safety detection items;
generating system specification risk information based on the asset information and the detection results of the safety detection;
determining actual security vulnerabilities, the actual security vulnerabilities being determined based on the system specification risk information;
carrying out vulnerability reinforcement on the determined actual security vulnerabilities;
if reinforcement succeeds, returning to the step of determining safety detection items based on the asset information and executing safety detection corresponding to the safety detection items;
if reinforcement fails or is not carried out, calculating the current risk value of the application system;
determining the risk handling type according to the current risk value and preset rules.
2. The risk processing determining method of an application-oriented system according to claim 1, characterized in that determining safety detection items based on the asset information of the application system and executing safety detection corresponding to the safety detection items comprises:
determining safety detection items based on the asset information of the application system, and executing safety detection corresponding to the safety detection items using a variety of security tools,
including: carrying out safety detection on the same safety detection item using different types of security tools;
and determining actual security vulnerabilities then comprises:
determining the same security vulnerability detected by at least two security tools as an actual security vulnerability.
3. The risk processing determining method of an application-oriented system according to claim 1, characterized in that determining actual security vulnerabilities comprises:
for a security vulnerability detected by only one security tool, determining it as an actual security vulnerability according to confirmation information input by a user.
4. The risk processing determining method of an application-oriented system according to claim 1, characterized in that calculating the current risk value of the application system comprises:
calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system;
calculating and determining the current risk value of the application system according to the residual risk and a risk adjustment factor.
5. The risk processing determining method of an application-oriented system according to claim 4, characterized in that calculating the residual risk of the application system according to the risk level of the actual security vulnerabilities, the vulnerability object carrier value and the classified protection level of the application system comprises:
summing the risk values of each actual security vulnerability to obtain the residual risk of the application system, where risk value = (vulnerability risk level * vulnerability object carrier value * application system classified protection level).
6. The risk processing determining method of an application-oriented system according to claim 4, characterized in that calculating and determining the current risk value of the application system according to the residual risk and the risk adjustment factor comprises:
calculating and determining the current risk value of the application system according to the formula risk value = residual risk * risk adjustment factor;
and the determination of the risk adjustment factor comprises:
determining the average and standard deviation of the vulnerability count of each responsible development company in history;
determining the current vulnerability count of the responsible development company to which the application system belongs;
calculating the current vulnerability difference, where current vulnerability difference = (current vulnerability count - average vulnerability count);
determining regulated value 1 according to the ratio of the current vulnerability difference to the standard deviation of the vulnerability count;
determining respectively the average and standard deviation of the rectification time of the high-risk, medium-risk and low-risk vulnerabilities of each responsible development company in history;
determining respectively the current rectification time of the high-risk, medium-risk and low-risk vulnerabilities of the responsible development company to which the application system belongs;
calculating separately the current rectification time difference for high, medium and low risk, where current rectification time difference = (current rectification time - average rectification time);
determining regulated value 2 for each risk level, namely high-risk regulated value 2, medium-risk regulated value 2 and low-risk regulated value 2, according to the ratio of the current rectification time difference of each risk level to the standard deviation of the rectification time of the corresponding risk level, together with regulated value 1;
determining the risk adjustment factor according to the high-risk regulated value 2, medium-risk regulated value 2 and low-risk regulated value 2 and a preset algorithm.
7. The risk processing determining method of an application-oriented system according to claim 1, characterized in that determining the risk handling type according to the current risk value and preset rules comprises:
determining the risk handling type as avoiding risk, reducing risk, transferring risk or accepting risk according to the comparison result of the current risk value and preset thresholds.
8. A risk processing determining device of an application-oriented system, characterized by comprising:
a safety detection module, for determining safety detection items based on the asset information of an application system, and executing safety detection corresponding to the safety detection items;
an information generating module, for generating system specification risk information based on the asset information and the detection results of the safety detection;
a vulnerability determining module, for determining actual security vulnerabilities, the actual security vulnerabilities being determined based on the system specification risk information;
a vulnerability reinforcing module, for carrying out vulnerability reinforcement on the determined actual security vulnerabilities;
a risk value computing module, for calculating the current risk value of the application system when the vulnerability reinforcing module fails to reinforce, or does not reinforce, the actual security vulnerabilities;
a processing determining module, for determining the risk handling type according to the current risk value and preset rules.
9. A computer readable storage medium on which a computer program is stored, characterized in that when the program is executed by a processor it realizes the risk processing determining method of an application-oriented system according to any one of claims 1 to 7.
10. An electronic device, characterized by comprising:
a processor; and
a memory, for storing executable instructions of the processor;
wherein the processor is configured to execute, via the executable instructions, the risk processing determining method of an application-oriented system according to any one of claims 1 to 7.
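Claim 6 specifies the risk adjustment factor only up to two points it leaves open: how the rectification-time ratio is "combined with regulated value 1", and the "preset algorithm" that turns the three per-level regulated value 2 figures into one factor. The block below is an added example for this page, not the patent's own code, and fills both gaps with labelled assumptions: regulated value 2 is taken as the z-score of the rectification time plus regulated value 1, the factor is 1 plus a weighted sum of the three regulated value 2 figures (weights 0.5 / 0.3 / 0.2), and the result is clamped to [0.5, 5.0]. The historical counts and times are constructed sample data; standard deviations are population standard deviations, and a history with no spread yields a ratio of 0 rather than a division by zero.

```python
"""Risk adjustment factor from a development company's vulnerability history (claim 6).

Added example, not the patent's code. The combination rule for regulated value 2,
the per-level weights and the clamp are assumptions; the patent only says a
"preset algorithm" is used.
"""
from statistics import mean, pstdev

LEVELS = ("high", "medium", "low")
# Assumed weights for the "preset algorithm" that merges the three regulated value 2 figures.
LEVEL_WEIGHTS = {"high": 0.5, "medium": 0.3, "low": 0.2}
# Assumed bounds so a single outlier cannot zero out or explode the current risk value.
FACTOR_BOUNDS = (0.5, 5.0)


def z_score(current, history):
    """(current - mean(history)) / pstdev(history); 0.0 when the history has no spread."""
    sd = pstdev(history)
    if sd == 0:
        return 0.0
    return (current - mean(history)) / sd


def regulated_value_1(current_count, historical_counts):
    """Regulated value 1: current vulnerability count relative to the historical distribution."""
    return z_score(current_count, historical_counts)


def regulated_value_2(current_times, historical_times, rv1):
    """Regulated value 2 per risk level.

    The ratio (current rectification time difference / standard deviation of the
    rectification time) is combined with regulated value 1 by addition; the
    addition is an assumption of this example.
    """
    return {lvl: z_score(current_times[lvl], historical_times[lvl]) + rv1 for lvl in LEVELS}


def risk_adjustment_factor(current_count, historical_counts, current_times, historical_times):
    """1 + weighted sum of the per-level regulated value 2 figures, clamped to FACTOR_BOUNDS."""
    rv1 = regulated_value_1(current_count, historical_counts)
    rv2 = regulated_value_2(current_times, historical_times, rv1)
    raw = 1.0 + sum(LEVEL_WEIGHTS[lvl] * rv2[lvl] for lvl in LEVELS)
    lo, hi = FACTOR_BOUNDS
    return max(lo, min(hi, raw))


# Constructed sample history for one responsible development company.
HISTORICAL_COUNTS = [5, 15]                      # vulnerability counts in past periods
CURRENT_COUNT = 20                               # current vulnerability count
HISTORICAL_TIMES = {                             # rectification times (days) in past periods
    "high": [2, 6],
    "medium": [10, 20],
    "low": [30, 30],                             # no spread: ratio treated as 0
}
CURRENT_TIMES = {"high": 6, "medium": 10, "low": 30}

if __name__ == "__main__":
    print("regulated value 1:", regulated_value_1(CURRENT_COUNT, HISTORICAL_COUNTS))
    print("factor:", risk_adjustment_factor(CURRENT_COUNT, HISTORICAL_COUNTS,
                                            CURRENT_TIMES, HISTORICAL_TIMES))
```

With the sample history, regulated value 1 is 2.0 (the current count is two standard deviations above the historical mean), the three regulated value 2 figures are 3.0, 1.0 and 2.0, and the factor is 3.2; a company whose count and rectification times sit at their historical means gets a factor of exactly 1, so the current risk value equals the residual risk.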
CN201811244378.0A 2018-10-24 2018-10-24 Application system-oriented risk processing method and device Active CN109214192B (en)


Publications (2)

Publication Number Publication Date
CN109214192A true CN109214192A (en) 2019-01-15
CN109214192B CN109214192B (en) 2021-01-29

Family

ID=64996544



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant