<h1>How to secure DevOps</h1>
<p>Kaspersky Daily (Turkey), published 2020-07-14. Original: <a href="https://www.kaspersky.com.tr/blog/devops-security-hybrid/8536/">https://www.kaspersky.com.tr/blog/devops-security-hybrid/8536/</a></p>
<p><em>Supply chain attacks carried out through public repositories have become more frequent recently. Here is how to deal with them.</em></p>
<p>Last April, IT news sites reported that RubyGems, the official distribution channel for Ruby language libraries, had been <a href="https://arstechnica.com/information-technology/2020/04/725-bitcoin-stealing-apps-snuck-into-ruby-repository/">poisoned</a>. According to the report, an attacker uploaded fake packages containing a malicious script, and programmers who used this code in their projects unknowingly infected users' computers with malware that replaces cryptocurrency wallet addresses.</p>
<p>Of course, this was not the first supply chain attack to exploit a public repository. But such scenarios appear to be gaining popularity, and a single successful attack of this kind means tens or hundreds of thousands of users compromised. The scale of the danger depends on how popular the software that uses code from the poisoned repository is.</p>
<h2>How do malicious packages get into repositories?</h2>
<p>The cybercriminal behind the RubyGems incident created a large number of projects with names resembling popular legitimate packages published on that repository. This method, known as typosquatting, relies on developers mistyping a package name and accidentally downloading a malicious package, or not knowing which of several package names shown in search results belongs to the real package. Generally considered one of the most common poisoning methods, this tactic has been used in attacks on the <a href="https://www.bleepingcomputer.com/news/security/malicious-python-package-available-in-pypi-repo-for-a-year/">Python Package Index</a> and to upload fake images to <a href="https://www.bleepingcomputer.com/news/security/17-backdoored-docker-images-removed-from-docker-hub/">Docker Hub</a>.</p>
<p>In the <a href="https://www.kaspersky.com.tr/blog/copay-supply-chain-attack/5472/">Copay cryptocurrency wallet incident</a>, the attackers used a library whose source was hosted on GitHub. When the library's creator lost interest, he handed over administrator rights, thereby exposing this popular library, used by many developers in their products, to compromise.</p>
<p>In some incidents, cybercriminals manage to use a legitimate developer's account without the developer's knowledge and replace real packages with fake ones. One example of this was the attack on <a href="https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes">ESLint</a>, whose libraries are hosted in the npm (Node Package Manager) online database.</p>
<h2>An insufficiently protected build environment</h2>
<p>Companies that develop software products can also attract the interest of APT attackers. Incidents in which these attackers target the customers of software developers periodically come to the attention of security experts:</p>
<ul>
<li>In August 2017, several APT attackers <a href="https://securelist.com/shadowpad-in-corporate-networks/81432/">added malicious modules</a> to software developed by NetSarang. According to researchers, the attackers also had access to the software build servers.</li>
<li>In 2018, cybercriminals took over the Piriform application build server, and CCleaner builds, whose source code was clean, were subsequently <a href="https://www.kaspersky.com.tr/blog/ccleaner-supply-chain/4819/">laced with malicious components</a> during the compilation process.</li>
<li>In 2019, our experts <a href="https://www.kaspersky.com.tr/blog/details-shadow-hammer/5914/">discovered the ShadowHammer APT campaign</a>, in which criminals planted a backdoor in the software products of various companies. The investigation concluded that the attackers either had access to the source code or inserted the malicious code during the build stage.</li>
</ul>
<p>An insufficiently protected build environment not only leads to the final product being "infected"; it also results in software carrying the injected malicious code being distributed under the legitimate signature of a trusted developer. For this reason, the development process must be protected against external interference with advanced features.</p>
<h2>The root of the problem</h2>
<p>The real danger here is not the use of public repositories but flaws in the approach adopted in today's software development, namely DevOps methods. DevOps consists of a set of practices aimed at shortening the program development cycle. During development, security and usability must always be delivered in balance. To survive in today's fiercely competitive environment, developers have to release new program versions as quickly as possible. However, increasing a program's usability usually comes at the cost of lower quality or a longer time to market (TTM). For this reason, developers try to minimize or completely eliminate the involvement of security staff in their work.</p>
<p>As a result, information security is left with no control over this part of the infrastructure. Yet development, IT and security all serve one common goal: a quality, secure product delivered in a reasonable time. A program update containing a backdoor or a spy module benefits no one. That is why we believe the industry needs to evolve toward a DevSecOps methodology.</p>
<p>DevSecOps builds a bridge between DevOps and security by providing practical control and a cybersecurity culture at every stage of the software development cycle, without sacrificing flexibility and speed. We, for our part, offer tools to support the technical side of this process.</p>
<h2>Our solution</h2>
<p>The market does not offer enough tools specifically for securing the software development process. That is why, when updating our Kaspersky Hybrid Cloud Security product, we took programmers' needs into account and equipped our solution with technologies that integrate security tools into the development process without affecting performance. These technologies serve specifically to scan repositories, images and containers, which must be scanned to prevent supply chain attacks.</p>
<p>Kaspersky Hybrid Cloud Security has interfaces for working with continuous integration (CI) and continuous delivery (CD) platforms such as TeamCity and Jenkins. Our solution can be integrated into the development process via the command line or an application programming interface.</p>
<p>Of course, the innovations in our solution are not limited to these. To learn more about <a href="https://www.kaspersky.com.tr/small-to-medium-business-security/virtualization-hybrid-cloud?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____khcs___">Kaspersky Hybrid Cloud Security</a> and protecting the <a href="https://www.kaspersky.com.tr/enterprise-security/devops-security?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______">DevOps</a> process, visit the product page.</p>