The road to operating and maintaining an H5 shopping mall architecture

1. Introduction

The company belongs to the tourism industry and needs to integrate tourism, hotels, and shopping into an online mall. By aggregating member data, a large membership system is formed to provide a unified customer window.

2. Business scenario

The business focuses on the overall goal of acquiring users more effectively and improving each user's LTV (Life Time Value). As the cost of attracting new users keeps rising, moving the business online, digitizing scenarios and customers, and refining traffic operations have become the main measures by which enterprises improve operating effectiveness and efficiency. Given the company's industry characteristics, members must be given more accurate information about relevant products and services throughout the "before, during and after the trip" process, together with a more convenient, one-stop consumer experience, so as to better meet consumer demand for quality and personalization.

3. System Business Architecture

4. Problems faced after going online

1. Network security issues

  • Cross-site scripting attack (CSS or XSS, Cross Site Scripting)
  • SQL injection attack
  • Remote command execution (code execution; I personally feel that translating it as "code execution" is not accurate)
  • Directory traversal
  • File inclusion
  • Script source code disclosure
  • Cross Frame Scripting
  • Cookie manipulation
  • URL redirection

2. Disaster recovery issues

Deploy a remote disaster recovery center, and synchronize data between the production environment and the disaster recovery center in real time.

3. System security and data compliance issues

Without affecting the normal operation of the system, set the account password policy: Maximum password usage period: 90 days.

Without affecting the normal operation of the system, limit the number of illegal login attempts with account passwords and the lockout time: Account lockout threshold: 5 times; Account lockout time: 30 minutes. Set login connection timeout: 10 minutes.
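The lockout, password-age and session-timeout rules above, written out as enforcement logic with the post's values (threshold 5, lockout 30 minutes, maximum password age 90 days, session timeout 10 minutes). This is an added example, not the mall's own code; the `Account` structure and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy values from the post; the enforcement code around them is constructed here.
MAX_PASSWORD_AGE = timedelta(days=90)
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=30)
SESSION_TIMEOUT = timedelta(minutes=10)


@dataclass
class Account:
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def check_login(acct: Account, password_ok: bool, now: datetime) -> str:
    """Apply the lockout and password-age policy to one login attempt.
    Returns 'locked', 'bad_password', 'password_expired' or 'ok'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"            # still inside the 30-minute lockout window
        acct.locked_until = None       # window elapsed: lift the lock, reset counter
        acct.failed_attempts = 0
    if not password_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0           # a correct password clears the counter
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "password_expired"      # 90-day maximum usage period exceeded
    acct.last_activity = now           # start the session clock
    return "ok"


def session_active(acct: Account, now: datetime) -> bool:
    """A session stays valid only while requests arrive within the 10-minute timeout."""
    if acct.last_activity is None:
        return False
    if now - acct.last_activity > SESSION_TIMEOUT:
        acct.last_activity = None      # expired: force a fresh login
        return False
    acct.last_activity = now           # each valid request refreshes the timeout
    return True
```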

Use two or more combinations of identification technologies such as dynamic passwords, digital certificates, encrypted USB-Keys, biotechnology, and device fingerprints to authenticate user identities.

Divide roles and strictly control access permissions so that the three powers (system administration, security administration and auditing) are separated; allocate a separate operating-system account to every user who can log in to the database, and grant each account only the minimum permissions needed within its scope of responsibility, so that user permissions are separated by management role.

Use verification or cryptographic techniques to check the integrity of transmitted data, for example by carrying it over the SSL/TLS encryption protocol.

Use cryptographic algorithms to generate verification codes (checksums) for configuration files, log files, important business data and other operational artifacts so that their integrity can be compared, or monitor file integrity with a monitoring tool.

Establish a personal information protection policy that declares which personal information the system collects from users and how it is stored.

4. Web vulnerability issues

  • Apache Commons Text StringLookup remote code execution vulnerability
  • Spring Cloud Gateway SpEL remote code execution
  • Apache Spark administrator backend unauthorized access
  • Spring Data MongoDB SpEL expression injection vulnerability
  • fastjson <= 1.2.68 deserialization remote code execution vulnerability
  • fastjson <= 1.2.80 deserialization arbitrary code execution vulnerability
  • Apache Spark RPC protocol deserialization vulnerability
  • Apache Spark administrator backend unauthorized access
  • Apache POI <= 4.1.0 XSSFExportToXml XXE vulnerability
  • Jackson latest deserialization vulnerability


Origin blog.csdn.net/dongjing991/article/details/133019279