Table of Contents

Part 01 Secure Coding: Detection and Code Remediation
Section 01 Source Code Vulnerability Inspection Criteria
1. CWE/SANS Top 25
Section 02 Understanding a Cloud-Based Secure Coding Environment
1. CI/CD pipelines
2. DevSecOps
Section 03 Building a Cloud-Based Secure Coding Environment
1. Installation and configuration
2. Building a CI/CD pipeline
Section 04 Simulated Attacks and Secure Coding Practice
1. SQL Injection
2. Path traversal
3. CRLF Injection
4. JWT (JSON Web Token) tampering
5. Sensitive data transmitted in plaintext
6. XXE
7. Insecure Direct Object References tampering
8. XSS
9. Insecure deserialization
10. Vulnerable Components
11. Weak cryptographic algorithms
12. Information exposure through error messages
Part 02 Web Vulnerability Detection and Penetration Testing
Section 01 Web Vulnerability Inspection Criteria
1. A1-Injection
2. A2-Broken authentication
3. A3-Sensitive data exposure
4. A4-XML External entities
5. A5-Broken access control
6. A6-Security misconfiguration
7. A7-XSS
8. A8-Insecure deserialization
9. A9-Using components with known vulnerabilities
10. A10-Insufficient logging & monitoring
Authors

최경철 (Choi Kyung-cheol)
He currently serves as an administrator of the Security Beginners Study community (http://cafe.naver.com/sec). His main research interest is the investigation of the patterns and detection rationale used by vulnerability analysis tools, and he has published related research in academic journals. His related books include Web Hacking and Defense (웹 해킹과 방어), Web Penetration Testing and Secure Coding Diagnosis Guide (웹 모의해킹 및 시큐어코딩 진단가이드), Principles and Understanding of System Hacking (시스템 해킹의 원리와 이해), Network Packet Forensics (네트워크 패킷 포렌식) and Android App Vulnerability Analysis (안드로이드 앱 취약점 분석).

How to Live as an IT Engineer 1 (IT 엔지니어로 사는 법 1) | 최경철 | 비팬북스
Easy-to-Learn Android App Vulnerability Diagnosis (쉽게 배우는 안드로이드 앱 취약점 진단) | 최경철 | SECU BOOK

김찬중 (Kim Chan-jung)
After earning a master's degree (majoring in information security) from Ajou University, he gained experience in security monitoring and penetration testing at a security company, and is currently broadening his knowledge while working on SI (system integration) projects. He is interested in cloud, penetration testing and AI, and intends to grow through a variety of experiences. He serves as deputy manager of the Security Beginners Study community (https://cafe.naver.com/sec).

Packet Forensics (패킷 포렌식) | 김찬중 | SECU BOOK

이은진 (Lee Eun-jin)
He started as a factory automation developer in 1993, and a connection formed in 2000 as a Sun Microsystems instructor led to a shift toward J2EE-based technology that has remained the foundation of his work in the IT industry to this day. Software security diagnosis consulting at Trinity Soft in 2015 became a turning point in his personal technical direction; through that work and related lectures, he became convinced that software security is most effective when software architects, designers, developers, testers and operators each understand vulnerabilities and take on their own role in security. He is now interested in cloud-based MSA (Micro Service Architecture) development and the software security issues around it. Through his relationship with the author he was able to fill gaps in his security knowledge and share development know-how, and he is grateful for the opportunity to work with an author who continually reflects, studies and shares through publication in step with changing technology. He believes this book will be a great help to software architects, designers, developers, testers and operators in understanding vulnerabilities, and that its code explanations and countermeasures for security weaknesses will help those in charge of software security.

최경철
최경철 graduated from Soongsil University and earned a master's degree from its graduate school. After working at Asiana Airlines, Penta Security and STG Security, he currently develops and plans security solutions at Trinity Soft. His main research interest is the investigation and development of the patterns and detection rationale used by vulnerability analysis tools, and he has published related research as papers in venues such as LNCS. His books include Web Security (웹 보안), AutoInspect, Web Hacking and Defense (웹 해킹과 방어) and Principles and Understanding of System Hacking (시스템해킹의 원리와 이해).

Easy-to-Learn Android App Vulnerability Diagnosis (쉽게 배우는 안드로이드 앱 취약점 진단) | 최경철 | SECU BOOK
Packet Forensics (패킷 포렌식) | 최경철 | SECU BOOK

김찬중, 이은진