Uma ungenza ukudala isicelo ukucubungula amakhadi, akufanele ukuhlanganiswa kwe-PayPal, kodwa njenge-PayPal. Uyakwazi ukhangela ku-PCI DSS. 
 
 I-Payment Card Industry Data Security Standard (i-PCI DSS) iyisisombululo se-Information Security Standard ye-Organizations ezivela ku-branded credit cards kusuka ku-card schemes ezinkulu. I-Payment Card Industry Data Security Standard (i-PCI DSS) iyisisombululo se-Information Security Standard ye-Organizations ezivela ku-branded credit cards kusuka ku-card schemes ezinkulu. Ngokuvamile, it is a checklist enhle elithi: "Hey, uma ufuna ukugcinwa noma ukuphathwa imali abantu, mhlawumbe awukwazi ukugcina database yakho ongaphakeme emhlabeni." Why Am I Even Writing This? Ngaba Ngithanda Ngithande Ngithande Ngithande? Ngemva kokufaka isicelo PCI-DSS-compliant, ngifanele isixazululo se-existencial futhi ngithombe, "Kungako akufanele zonke izicelo zihlole izindlela ze-PCI DSS encoding?" Yenziwe, PCI DSS akuyona enhle njengokungabonakali. I-Compliance ne-privacy abantu kukhona indlela yokwenza wonke inqubo enhle ukujabulela enhle ngokufanele. Ingabe ufuna ukujabulela ngosuku? Hlola kwabo ukubhuka ku-PIA, DPIA, DSAR, noma ROPA. Ukunciphisa izinto, ukuhlangabezana kungabangela. Kodwa uma kusiza ukhuseleko idatha yakho futhi ukunceda ukufinyelela ku- "Have I Been Pwned". Tips Ukuvikelwa kwe-Coding Uma unayo ukwakha uhlelo lokukhokha noma nje ucwaningo ukunambitheka okungenani, lapha izindlela eziningana zokuphefumula okuhlobisa ukuthi uzokufinyelela PCI DSS ukuhlangabezana. Sishayele! Subnets, NAT Gateways, and the Drama of Networking Uma idatha ye-app yakho iyatholakala ku-subnet ye-publish, ngithanda ukuba ushiye ukufunda futhi ushiye. Manje! Qinisekisa ukuthi usebenzisa i-subnet ye-private ngezinye izinto ezithakazelisayo, bese uqhagamshelane i-traffic yayo ngokusebenzisa i-NAT Gateway ukuze akwazi ukufinyelela kwi-internet (ngokufaka ama-patches, ama-updates, ama-memes, njll) ngaphandle kokuphumelela ngokuqondile. Qinisekisa lokhu njengoba ukunika i-app yakho i-VPN ukufinyelela kwelizwe, kodwa ukhangela ukuba akufanele ukuxhumana nabesifazane. Ukuze "The Matrix" abalandeli, i-Matrix world kuyinto subnet private, i-real world kuyinto subnet public, futhi i-telephone evulekile i-Neo kanye nezindiza zokusebenzisa ukuhambisa phakathi kwelizwe i-NAT Gateway. Abanikwazi ukuhambisa, kodwa izinjini akufanele! Ngithanda le ncwadi, Ngithanda ukuthi uye. Imininingwane. Encrypt All the Things Uyazi lokhu ngaphambi. Uyazi bese. 
 
 
 
 Ukubuyekezwa ngempumelelo. Ukubhalisa transit. Ukubhalisa i-logs, i-backups, nokunye kuma-variables ye-environment uma ungenza i-spicy. Ukuze i-cloud services, ukuphathwa kwe-encryption kuyinto elula. Ungathola kuphela. Futhi sicela, Base64 ayikho encryption. It is for people who lie to themselves. You know who you are. Okwakheka, it has its uses, kodwa ukhuseleko ayinayo. Security Headers I-Security Headers iyinhlangano ye-HTTP ye-response that instructs the browser on how to handle security-related aspects of a website. Lezi ziza kukunceda ama-attacks ezifana ne-Cross-Site Scripting (XSS), i-clickjacking, ne-man-in-the-middle attacks. Set It and Forget It Okungenani, ukongeza: 
 
 
 
 
 Strict-ukudluliselwa zokuhamba I-X-Content-Type-Options Ukubuyekezwa I-Content-ukhuseleko Policy X-Frame-Options Ukukhetha Thina lula ukuguqulwa kwi-frameworks ezininzi kanye namasevisi ze-cloud. Yenza nje, futhi uzothola imizuzu eminingi. Firewalls? Definitely Firewalls Ukuhamba izicelo zakho ze-application ngokusebenzisa i-firewall. Kuyinto efana nokufaka i-bouncer ngaphambi kwe-app yakho. Ngaphandle kwezinsuku ze-boomers, lapho ukulungiselela i-firewall kuyinto njengama-assembly ye-mobile yakho nge-instructions kusuka ku-Asgard. Ungathola kungenziwa ukusebenza, kodwa ngempumelelo? Izicelo ezidumile zenza inkqubo enhle kakhulu. Ngcono uma u-cloud. Izinsizakalo ze-cloud, njenge-AWS WAF ne-Azure Firewall, zihlanganisa izinsizakalo ezivamile ezivamile; kufuneka ukuguqulwa kuphela, futhi ziye zokusebenza. I-Firewall nge-effort ye-minimum ngeke kukunceda ukucubungula izindlela ezaziwayo ze-attack, ukucubungula ama-IP ezingenalutho, kanye nokuvimbela ukuthi umuntu akuyona i-injection ye-SQL kusuka ku-2008. Access Control I-app yakho ayikho ibhizinisi yomphakathi. Ungabeka zonke izinsizakalo ukufinyelela ngokuphelele konke ngoba kulula kuphela. Uyazi i-Oprah Winfrey: “You get admin! You get admin! Everyone gets admin!” Ukulandela "I-Principle of Less Privilege", okuyinto ivumela wonke abasebenzisi kuphela okufakiwe kakhulu. Qinisekisa ukulayisha kanye ne-keys ngokuvamile futhi usebenzisa ama-rolls phezu kuma-keys ye-static lapho kunokwenzeka. Ngaphandle kwe-cloud services akufanele lokhu. Futhi zithole i-cloud. Staging Is Not Production I-environment yakho yokuhlala kufanele ibonise ukukhiqizwa kwamasakhiwo, futhi akuyona emangalisayo. 
 
 
 
 Ukubhalisa idatha yokuhlala futhi. Ama-attackers akufanele ukuthi idatha etholakalayo. Ukukhipha i-production secrets ku-stage. Ukuvula ukubhuka kanye nezinsizakalo ze-WAF lapha futhi. I-Hackers uyakuthanda indawo yokuhlala nge-alarms engaphansi. Yini indawo engcono ukuhlola izinhlelo zayo? Change Management I-PCI DSS inikeza ukuba unayo izinhlelo zokuhamba izinguquko ku-code, isakhiwo, kanye ne-policies zokhuseleko. Ngokuvamile, usebenzisa i-Git, usebenzisa i-Infrastructure-as-code (i-Serverless Framework, i-Terraform, i-AWS CDK, njll) nokufaka ama-alerts. Ufuna ukwazi lapho umuntu (ngokuthi unayo) ukuthatha isifo sokukhiqiza. Logging Saves Lives I-logs iyinhlanganisela kakhulu. Ufuna ukuba akuyona, kodwa uma uye, ufuna kakhulu. Hlola i-logs ephilayo futhi ephilayo kuzo zonke izinto ezibalulekile: 
 
 
 
 
 I-Application Logs: Ukuhlaziywa kwama-application kanye nezinye imininingwane ebalulekile ukuze kusiza ukuguqulwa. Qinisekisa ukuthi akuyona ulwazi oluthile. Izincwadi ze-Access: Izincwadi ze-Who did what and when. I-DataBase Logs: Hlola izibuyekezo ezinzima, izibuyekezo ezinzima zokufinyelela, kanye nezimo zokufinyelela. I-Audit Logs: I-Log changes to permissions, firewall rules, and code deployments. Izixhobo ezifana ne-AWS CloudTrail, i-GuardDuty, ne-Config angakwazi ukunceda lokhu. Prefer ORMs Kuyinto ibhizinisi lakho lokuqala (ne-sanity). Fumana i-SQL ebomvu uma unomdlavuza we-database ne-death wish. Sebenzisa i-ORM. Ewe, ungahambisa i-SQL yakho ebomvuza kanye nokuphuza ukhuseleko; kunjalo, kunezinto enkulu ukuthi wena noma umlingani wakho uyaziqhathanisa ukufakelwa kwebhizinisi ngokufanelekileyo, futhi ngokufanayo, uyaziqhathaniswa. I-ORM ibonisa ukuxhumana kwe-database yakho, okwenza ikhodi ngokushesha ukugcina futhi engaphansi kokuphendula ama-injection attacks. Iningi le-ORM eyenziwe ngempathemikhali ngaphandle kwebhizinisi. Lokhu kubalulekile ukunciphisa amathuba yokufika ngempumelelo Ngesikhathi esifundeni esifundeni. DROP TABLE users; In Conclusion Ukuphakamisa Ngiyazi, ngokufanelekileyo, kungcono kakhulu? Kuyinto uhlu elide, kodwa Ngingathanda ukuthi iyatholakala nezinto ukuthi ungayenza. Ngezinye izincazelo ezimbalwa lapha futhi lapha, futhi uye uxhumane! I-Compliance iyimfuneko, kodwa futhi iyimfuneko yedatha. I-PCI DSS ingatholakala njengesithombe esikhulu se-"No, you can't" kodwa i-PCI DSS ikakhulukazi ukugcina wena nabasebenzisi bakho ngokushesha. Kwi-cloud platforms ezifana ne-AWS, i-Azure ne-GCP, akukho isibuko yokufunda lezi zokusebenza ezinhle. Uyazi izixhobo, uyazi i-docs, futhi manje uyazi i-blog enhle kakhulu. Qinisekisa. Qinisekisa. Futhi for the love of everything that’s good, akuyona inombolo amakhadi ongaphakeme ku-database column ebizwa ngokuthi . card_number

Software and DevOps engineer. I write about my software development experiences.

2021 - HackerNoon Contributor of the Year - CODING

2022 - HackerNoon Contributor of the Year - Amazon

2022 - HackerNoon Contributor of the Year - Aws

2022 - HackerNoon Contributor of the Year - Coding Skills

2022 - No No No Nodejs

Portfolio

2021 - HackerNoon Contributor of the Year - NODEJS

2021 - HackerNoon Contributor of the Year - TESTING

Nominated for 2022 - HackerNoon Contributor of the Year - Coding Skills

Nominated for 2022 - HackerNoon Contributor of the Year - Aws

Nominated for 2022 - HackerNoon Contributor of the Year - Amazon

Nominated for 2022 - No No No Nodejs

Lo msindo ukhiqizwa ngolimi lokuqala lwendaba!

Kude kakhulu; Uzofunda

Uma PCI-DSS Compliance Yenza I-Apps Yenziwe Ngangaphakathi, Ngaba Ngaba Ngaba Ngangena Ngangaphakathi?

Uma PCI-DSS Compliance Yenza I-Apps Yenziwe Ngangaphakathi, Ngaba Ngaba Ngaba Ngangena Ngangaphakathi?

About Author

IMIBONO

HANG TAGS

LESI SIHLOKO SETHULWE NGAPHAKATHI

Related Stories

The Billionaires F*cked Up

Zulu Network: Moving The Bitcoin Economy Forward With a Two-Tiered Bitcoin Layer 2 Architecture

The Billionaires F*cked Up

Zulu Network: Moving The Bitcoin Economy Forward With a Two-Tiered Bitcoin Layer 2 Architecture

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps