Test environment intranet migration

Posted by punzalan at 2020-03-02

After a long period of risk exploration and analysis, the security risks the enterprise faces have gradually become clear and the overall picture is more complete. Weighing cost against benefit, and taking current hazards and implementation difficulty into account, the security projects planned in the early stage can now be put into an implementation cycle and promoted. By priority they fall into P0 to P3, landed in that order:

P0: already suffering losses

P1: big impact and easy to do

P2: big impact but difficult to do

P3: little impact and difficult to do

1. Overview

To reduce the exposure of external assets and the surface for malicious external attacks, the first step is to move the test environments currently open to the Internet onto the intranet. During the project it was proved once again that security work cannot be done without the cooperation and support of every department. Besides the business departments directly affected, two other departments played a very important role: the operations and maintenance (O&M) department and the testing department, whose importance is fully shown in this project.

2. Promotion process

Because of my lack of security experience on the Party A (in-house) side, the project took many detours (much effort, little output, slow progress). Under the guidance of the department leader I adjusted the approach, found the key points of the project and got good results. Here is a brief recap of the whole project:

<1> Vulnerabilities submitted by external white hats

At present the company has not established an SRC (Security Response Center), but it still encourages external white hats to submit vulnerabilities. So the company registered enterprise accounts on Vulbox (漏洞盒子) and Butian (补天) (note: the white hats on Vulbox have been more active so far) and began receiving vulnerabilities from outside.

<2> Internal vulnerability analysis and risk research

After a period of vulnerability analysis, it turned out that the test environment accounted for the majority of reports; and while digging into the company's internal security problems, it was found that test environment management was not careful enough, and in places even chaotic.

<3> Organize a meeting of the security liaisons

Using the vulnerabilities submitted by external white hats as the driving force, convene the security liaisons (generally members of the security group plus the leads of each business department) for discussion and project approval.

<4> Collecting assets by e-mail (poor effect)

This was probably my first company-wide promotion project after joining Party A. Ideally, it is easiest to hold a special meeting first and then collect by e-mail the test environments and impact scope of the businesses each business lead is responsible for. The result, however, was not ideal. Perhaps because I was new, had no relationships yet, and people were busy with their own business and had no security habits, only a small number of people responded.

<5> Proper asset inventory

At the start of the project the company's test environment assets must be sorted out completely. The most reliable way is to find the application group of the O&M department and ask them to help provide the test environment list; generally they obtain the relevant assets by checking the nginx configuration files.

<6> QQ group communication (poor effect)

E-mail communication was too slow, so a dedicated QQ group, "test environment intranet", was set up specifically to discuss matters related to the test environment intranet migration. The content and progress from the e-mails were fed back and published to the group in a timely manner.

Although this was more targeted and improved communication efficiency, the promotion effect was still not ideal: the number of people giving feedback grew gradually but remained below expectations and plan.

<7> Optimize the promotion approach

Up to this point the project had followed the "not ideal" approach:

Sort out the WAR owners under each test domain name (basically there are multiple WAR packages under each test domain name; although each WAR package has a corresponding owner, the owner changes frequently) and communicate with the owners one by one.

At the start of implementation I felt the cost was too high, time-consuming and inefficient, so I changed the approach to promote the intranet migration:

Directly find the leader of each testing team to sort out the interfaces, WARs and test domain names that must interact with the outside, then move the test domain names not mentioned onto the intranet. (The importance of the testing department shows here, which is a crucial turning point of the project! No one is more familiar with the business system environment than the testing department.)

Following this approach we quickly collected the test environments open to the Internet, with basically no omissions or false positives.

<8> Intranet migration (in batches)

First, determine the test domain names that can be moved onto the intranet:

Test domain names to move onto the intranet = test domain names provided by O&M - domain names the testing department says must stay open to the public
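Steps <5> and <8> together amount to a small inventory script: pull every hostname out of the nginx configuration O&M hands over, then subtract the allowlist the testing department supplies. The block below is an added example, not the author's or the company's tooling; the nginx snippet, the hostnames and the allowlist are constructed, and real nginx configs usually span several files and hosts, so the same function would be run over each of them.

```python
import re

# Constructed sample of an nginx config as O&M might hand it over (hypothetical hosts).
SAMPLE_NGINX_CONF = """server {
    listen 80;
    server_name api-test.example.com pay-test.example.com;  # two hosts, one block
}
server {
    listen 443 ssl;
    # server_name old-test.example.com;   (commented out: must be ignored)
    server_name demo.example.com www.demo.example.com;
}
server {
    listen 80;
    server_name _;   # nginx catch-all default server, not an asset
}
"""

SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.MULTILINE)

def strip_comments(conf: str) -> str:
    """Drop '#' comments so a commented-out directive never becomes an asset."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def extract_server_names(conf: str) -> set[str]:
    """Every hostname named in a server_name directive: O&M's asset list."""
    names: set[str] = set()
    for match in SERVER_NAME_RE.finditer(strip_comments(conf)):
        for name in match.group(1).split():
            if name != "_":  # "_" is nginx's placeholder for the default server
                names.add(name.lower())
    return names

def plan_intranet_move(conf: str, must_stay_public: set[str]) -> dict[str, list[str]]:
    """to_intranet = names provided by O&M - names test says must stay public."""
    provided = extract_server_names(conf)
    public = {n.lower() for n in must_stay_public}
    return {
        "to_intranet": sorted(provided - public),
        "stay_public": sorted(provided & public),
        # Allowlisted names O&M's config does not serve: check before cut-over.
        "unmatched_allowlist": sorted(public - provided),
    }

if __name__ == "__main__":
    # Constructed allowlist from the testing department (hypothetical names).
    allow = {"pay-test.example.com", "demo.example.com", "bank-callback.example.com"}
    for bucket, hosts in plan_intranet_move(SAMPLE_NGINX_CONF, allow).items():
        print(f"{bucket}: {hosts}")
```

The "unmatched_allowlist" bucket is the check worth keeping: a name the testing department insists must stay public but that nginx does not serve is either a typo or lives on a host O&M did not include, and either way it should be resolved before the cut-over.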

Second, determine the time for moving the test domain names onto the intranet, and inform the users (business departments and testing departments) of the scope and time of the migration.

At the same time, state how the environments will be accessed after the migration, with the basic principle of not affecting normal business.

At this point, the push to move the test environment onto the intranet was coming to an end. An unexpected benefit: many test environments no longer in use were found, and they were simply shut down as part of this clean-up.

<9> Continuously optimize test environment management and control

This part mainly concerns environments that must remain open to the Internet (such as interfaces used for debugging with banks, or demonstration systems provided to users). Before being opened to the Internet, a security test must be requested from the information security group in advance, and Internet access is only opened after the environment passes a strict security test. Generally, this requires the cooperation of the relevant O&M colleagues to control test environment requests and go-live.

3. Key points of the project

【1】 Project promotion approach

Key words: testing department

After the early steps I understood that the project should be driven through the testing department: no one is more familiar with the company's test environment than they are. Step out of the project to think, and find the project's key point, or "way of thinking".

【2】 Communication in a new environment

Key words: be brave and take the initiative

From the first meeting, through the subsequent e-mail communication, the follow-up QQ group or dedicated phone calls, to the later face-to-face communication, I felt this deeply. If you want to be efficient, communicate directly face to face; if you want everyone to know you and to do the job well, communicate face to face and take the initiative.

【3】 Consider the business experience

Key words: the red line is not affecting normal operation

If both the development team's use of the test environment and the testing team's use of the test environment are affected, then there may be no one left willing to play along with security.

【4】 Test environment inventory and intranet operation

Key words: O&M department

From the start of the project to the execution of the intranet migration, the support of the O&M department was indispensable.

4. Problems collected

1) Some people did not know about the intranet migration, and system access failed

Cause analysis:

(1) Although the security liaisons were informed by e-mail in advance, the effect was poor; all teams should have been copied;

(2) QQ should also be used to notify people in time, even if some of them may mute group messages;

(3) The targeting was not strong enough. It should be led by the testing group and the business technology group, and the message should be sent three times in a row.

2) Testing colleagues found that a business interface was affected

The testing colleagues reported that an interface in one test environment is provided for UnionPay to call; after the test environment was moved onto the intranet, the communication failed.

For the interface problem there were mainly two solutions (the first was chosen in the end):

(1) The O&M colleagues help move the interface under the domain name of a test environment that must remain open. Only the callback address in the source code needs to be modified, and UnionPay must be asked whether their whitelist uses the IP or the domain name; that resolves the problem.

(2) Development builds a mock (but the feedback on this was not good) that returns the expected results, so that the testing colleagues can continue testing.

5. Summary and reflection

In the whole project of moving the test environment onto the intranet, the concept was put forward at the beginning; then the test domain name assets were obtained through communication with the O&M department; then the interfaces interacting with the outside were sorted out through communication with each WAR owner and test lead, and the promotion approach was optimized, until the migration finally succeeded and the after-effects were resolved. Looking back, I think the difficulties were the following:

I was not familiar with the company's environment and colleagues;

Because there were other projects to push forward at the same time, my energy was somewhat scattered;

The key points were not identified before the promotion (i.e., go directly to the test leads to communicate), which made the promotion slow;

In communication, my attitude was too "polite"; the intention should be stated directly, and if no one answers on the instant messaging tool, go directly and find the person to communicate face to face.
