Method, device, server, medium and product for security detection of cloud-native application

By implementing a security scanning and automated remediation solution for cloud-native applications on the cloud platform, the problem of insufficient manpower and resources in cloud platform security risk assessment has been solved, enabling efficient security remediation and assessment.

CN116226865B · Active · Publication Date: 2026-06-23 · TENCENT TECHNOLOGY (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
TENCENT TECHNOLOGY (SHENZHEN) CO LTD
Filing Date
2023-01-18
Publication Date
2026-06-23

Abstract

The application discloses a security detection method, device, server, medium and product for cloud-native applications, in the technical field of cloud security. The method comprises: when it is determined that a cloud-native application has a security detection requirement, determining the application operation log of the cloud-native application and the cloud configuration components accessed by the cloud-native application; scanning the application operation log and the cloud configuration components based on security scanning rules to obtain the security scan result of the cloud-native application; when the security scan result indicates that a security risk item exists, determining the cloud service data threatened by the security risk item, the cloud-native application calling that cloud service data during operation; and determining a security remediation scheme related to the cloud service data, so that the security risk item is remediated based on that scheme. An automated security risk review process can thus be realized.

Description

Technical Field

[0001] This application relates to the field of cloud security technology, and in particular to a security detection method, device, server, medium and product for cloud-native applications.

Background Technology

[0002] Cloud platforms deploy a variety of cloud products and core business systems, and ensuring the security of cloud platforms is a necessary requirement for the development of cloud platform technology.

[0003] In the process of maintaining cloud platform security, the operational security of the cloud platform in the hands of internal personnel is particularly important. In related technologies, the security assessment of a cloud platform is often carried out using security audit methods during the management of cloud platform security risks, which requires a dedicated security team to conduct the assessments and security tests. The entire security risk review process typically requires 7 working days and 3.5 person-days of manpower.

[0004] Clearly, the security risk assessment process in related technologies requires significant human and material resources, resulting in high manual operation costs for security assessments.

Summary of the Invention

[0005] This application provides a security detection method, apparatus, server, medium, and product for cloud-native applications. The technical solution is as follows:

[0006] According to one aspect of this application, a security detection method for cloud-native applications is provided, the method comprising:

[0007] If it is determined that the cloud-native application has security detection requirements, the application operation log of the cloud-native application and the cloud configuration components accessed by the cloud-native application are determined. The cloud-native application is deployed on a cloud platform and calls the cloud configuration components on the cloud platform during the operation of the cloud-native application.

[0008] Based on security scanning rules, a security scan is performed on the application operation logs and cloud configuration components of the cloud-native application to obtain the security scan results of the cloud-native application.

[0009] If the security scan results indicate the presence of a security risk item, the cloud service data threatened by the security risk item is determined, and the cloud-native application will call the cloud service data during operation;

[0010] Determine a security remediation plan related to the cloud service data, so as to remediate the security risk items based on the security remediation plan.

[0011] According to another aspect of this application, a security detection device for cloud-native applications is provided, the device comprising:

[0012] The determination module is used to determine the application operation logs of the cloud-native application and the cloud configuration components accessed by the cloud-native application when it is determined that the cloud-native application has security detection requirements. The cloud-native application is deployed on a cloud platform and calls the cloud configuration components on the cloud platform during the operation of the cloud-native application.

[0013] The scanning module is used to perform security scans on the application operation logs and cloud configuration components of the cloud-native application based on security scanning rules, and obtain the security scan results of the cloud-native application.

[0014] The determining module is further configured to determine the cloud service data threatened by the security risk item when the security scan result indicates that there is a security risk item, and the cloud-native application will call the cloud service data during operation;

[0015] The determining module is further configured to determine a security remediation plan related to the cloud service data, so as to remediate the security risk item based on the security remediation plan.

[0016] According to another aspect of this application, a server is provided, the server including a processor and a memory, the memory storing at least one program, the at least one program being loaded and executed by the processor to implement the security detection method for cloud-native applications as described above.

[0017] According to another aspect of this application, a computer-readable storage medium is provided, wherein at least one instruction, at least one program, code set, or instruction set is stored therein, wherein the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by a processor to implement the security detection method for cloud-native applications as described above.

[0018] According to another aspect of this application, a computer program product is provided, comprising computer instructions stored in a computer-readable storage medium. A server's processor reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the server to perform the security detection method for cloud-native applications provided in the above-described optional implementation.

[0019] The beneficial effects of the technical solutions provided in this application include at least the following:

[0020] This application provides a security detection method for cloud-native applications: when a cloud platform detects security risks in a cloud-native application deployed on the platform, the threat can be focused on specific cloud service data. A security remediation scheme (cloud security technology) related to that cloud service data can then be adopted to remediate the cloud service data, thereby resolving or mitigating the security risks of the cloud-native application. Compared to related technologies where security risks require modification of the application itself and re-release of the application version, this application eliminates the need for manual security remediation by the business side. It can automatically remediate security risks based on existing cloud service data security remediation schemes, thereby improving the efficiency of security remediation and security risk assessment for cloud-native applications, and achieving an automated security risk assessment process.

Attached Figure Description

[0021] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0022] Figure 1 is a schematic diagram of a computer system shown in an exemplary embodiment of this application;

[0023] Figure 2 is a flowchart of a security detection method for cloud-native applications provided in an exemplary embodiment of this application;

[0024] Figure 3 is a flowchart of a security detection method for cloud-native applications provided in another exemplary embodiment of this application;

[0025] Figure 4 is a flowchart of a security detection method for cloud-native applications provided in another exemplary embodiment of this application;

[0026] Figure 5 is a flowchart of a security detection method for cloud-native applications provided in another exemplary embodiment of this application;

[0027] Figure 6 is a flowchart of a security detection method for cloud-native applications provided in another exemplary embodiment of this application;

[0028] Figure 7 is a schematic diagram of the complete security detection process shown in an exemplary embodiment of this application;

[0029] Figure 8 is a flowchart of a security detection method for cloud-native applications shown in another exemplary embodiment of this application;

[0030] Figure 9 is a structural block diagram of a security detection device for cloud-native applications provided in an exemplary embodiment of this application;

[0031] Figure 10 is a schematic structural diagram of a server provided in an embodiment of this application.

Detailed Implementation

[0032] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.

[0033] First, a brief introduction to the terms used in the embodiments of this application:

[0034] 1) Cloud Technology: Cloud technology is the collective term for network technology, information technology, integration technology, management platform technology, and application technology based on cloud computing business models. It can form resource pools that provide flexible and convenient on-demand access. Cloud computing technology will become an important support: the backend services of technical network systems, such as video websites, image websites, and many portal websites, require substantial computing and storage resources. With the rapid development and application of the internet industry, every item may in the future have its own identification mark that must be transmitted to a backend system for logical processing. Data at different levels will be processed separately, and data from every industry will require robust system support, which can only be achieved through cloud computing.

[0035] 2) Cloud Security: Cloud security refers to the general term for security software, hardware, users, organizations, and security cloud platforms based on cloud computing business models. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing, and unknown virus behavior judgment. It monitors abnormal software behavior in the network through a large number of clients in a network, obtains the latest information on Trojans and malicious programs in the Internet, and sends it to the server for automatic analysis and processing. Then, it distributes the solutions for viruses and Trojans to each client. Cloud security mainly includes: (1) Cloud computing security, which refers to ensuring the security of the cloud itself and various applications on the cloud, including cloud computer system security, secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance auditing, etc.; (2) Cloudification of security infrastructure, which refers to the use of cloud computing to build and integrate security infrastructure resources and optimize security protection mechanisms, including building a large-scale security event, information collection and processing platform through cloud computing technology to realize the collection and correlation analysis of massive information and improve the ability to control security events and risks across the entire network; (3) Cloud security services, which refers to security services provided to users based on cloud computing platforms, such as anti-virus services. The various embodiments disclosed in this application are applications at the cloud security level.

[0036] Figure 1 is a schematic diagram of a computer system illustrating an exemplary embodiment of this application. As shown in Figure 1, the computer system includes a cloud platform 101 and a computer device 102.

[0037] Cloud platform 101 is a cloud computing resource pool in the cloud technology field, deploying various types of virtual resources for external customers to choose from. The cloud computing resource pool mainly includes: computing devices (virtualized machines containing operating systems), storage devices, and network devices. These can be independent physical servers, server clusters or distributed systems composed of multiple physical servers, or cloud servers providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (CDN), and big data and artificial intelligence platforms. In this embodiment, cloud-native applications are deployed on cloud platform 101. These cloud-native applications can use other cloud products, cloud services, or cloud databases within the cloud platform during operation. In one possible application scenario, the developer of the cloud-native application rents cloud platform 101 to deploy its cloud-native application on it.

[0038] Computer device 102 is directly or indirectly connected to cloud platform 101 via wired or wireless communication.

[0039] Computer device 102 can be a business server for cloud-native applications, or a business terminal used by the business personnel responsible for the cloud-native applications; it can be a server, or a smartphone, tablet, laptop, desktop computer, etc., and this embodiment does not limit it. It should be noted that in this embodiment, business personnel can log in to the cloud platform through a webpage on computer device 102 and manually or automatically perform security checks on cloud-native applications.

[0040] Please refer to Figure 2, which illustrates a flowchart of a security detection method for cloud-native applications provided in an exemplary embodiment of this application. This embodiment takes the cloud platform as the executing entity as an example; the method includes:

[0041] Step 201: If it is determined that the cloud-native application has security detection requirements, determine the application operation log of the cloud-native application and the cloud configuration components accessed by the cloud-native application. The cloud-native application is deployed on the cloud platform and will call the cloud configuration components on the cloud platform during the operation of the cloud-native application.

[0042] Cloud-native applications are applications designed, developed, deployed, and run on cloud platforms. Because they are deployed on cloud platforms, cloud-native applications can be developed based on existing cloud configuration components, allowing them to call these integrated cloud configuration components during runtime. For example, these cloud configuration components may include: cloud databases, object storage components, key components, configuration management components, middleware, etc. Optionally, different cloud-native applications can access different cloud configuration components.

[0043] Unlike traditional applications, cloud-native applications deployed on cloud platforms also need to call cloud configuration components during operation, such as the databases they access. Therefore, during security scanning, in addition to scanning the application's own operation logs to determine if they meet log field requirements, it is also necessary to scan the cloud configuration components accessed by the cloud-native application to determine if their security configuration options meet the requirements. Accordingly, when there is a need for security testing of cloud-native applications, the cloud platform first needs to determine the application's operation logs and the cloud configuration components accessed by the cloud-native application. This allows the cloud platform to perform security scans on both the application's operation logs and the cloud configuration components accessed by the cloud-native application, such as databases, object storage, middleware, configuration management, and key components, to determine if their security configuration options meet the requirements.

[0044] Optionally, regarding how to determine whether a cloud-native application has security testing requirements (or security scanning requirements), if the cloud-native application is configured with a scheduled testing task, then when the cloud platform determines that the time difference between the last security testing time and the current time of the cloud-native application meets the scheduling requirements, it is determined that the cloud-native application has security testing requirements. This scheduled task can perform security testing every two days. Optionally, when the cloud platform determines that there is sensitive data and sensitive accounts, it is determined that the cloud-native application has security testing requirements. Optionally, when the cloud platform receives a manual triggering of a security testing operation on the cloud-native application by a cloud tenant (cloud tenant's account), it is determined that the cloud-native application has security testing requirements.

[0045] Step 202: Based on security scanning rules, perform security scans on the application operation logs and cloud configuration components of the cloud-native application to obtain the security scan results of the cloud-native application.

[0046] Security scanning rules, also known as security policies or security detection rules, specify the security rules that cloud-native applications or other services deployed on the cloud platform should follow during operation, along with corresponding judgment expressions to determine whether they comply with the security requirements. In this embodiment, the cloud platform's security maintenance personnel set up security scanning rules across seven dimensions, primarily including: network security, identity management, privileged access, data protection, asset management, logging and threat detection, vulnerability management, and backup and recovery. Each dimension has corresponding detailed security rule requirements and judgment/analysis expressions.

[0047] In one possible implementation, when the cloud platform determines that there is a need for security testing of cloud-native applications, it can determine the application operation logs and connected cloud configuration components of the cloud-native application, and obtain security scanning rules matching the cloud-native application. Based on these rules, a security scan is performed on the application operation logs and cloud configuration components to determine whether the cloud-native application itself (application operation logs) and related services (cloud configuration components) comply with the security scanning rules. After the security scan is completed, the security scan results for the cloud-native application are obtained. These results include the security scan results for the application operation logs and the security scan results for the cloud configuration components. The security scan results include whether there are security risks in the cloud-native application, and if so, the security risk items. These security risk items can also be rule entries corresponding to security scanning rules that the cloud-native application does not comply with.

[0048] Optionally, different cloud-native applications may correspond to different security levels, and different security scanning rules can be configured for different security levels.

[0049] Optionally, if a security engine is deployed in the cloud platform, the security scanning process for cloud-native applications can be performed by the security engine in the cloud platform.

[0050] Step 203: If the security scan results indicate the presence of security risk items, determine the cloud service data threatened by the security risk items. Cloud-native applications will call cloud service data during operation.

[0051] Unlike related technologies where security risks in an application may require manual remediation by the application's business side, in this embodiment, since cloud-native applications are deployed on a cloud platform and may need to access cloud service data during operation (e.g., existing databases or other cloud services), if a security scan indicates a security risk in the cloud-native application, the security remediation scheme of the cloud service data itself can be directly used to fix the security risk. In other words, security technologies on the cloud platform are used to address or mitigate the security risks of the cloud-native application. To determine the necessary remediation scheme, the cloud platform can first identify the cloud service data threatened by the security risk of the cloud-native application, and then determine whether a corresponding remediation scheme exists based on that cloud service data.

[0052] Optionally, if the cloud configuration component has security risks, the cloud service data can be the cloud configuration component itself or related cloud service data. For example, if the cloud configuration component is a key component, the corresponding cloud service data can be encryption service data. Optionally, if the application operation log has security risk items, the cloud service data can be the cloud service data associated with the application operation log.

[0053] Step 204: Determine the security remediation plan related to cloud service data so that security risk items can be remediated based on the security remediation plan.

[0054] Optionally, each cloud service data (cloud products, cloud databases, cloud services) has its own security remediation solutions. If a security risk in a cloud-native application threatens that cloud service data, there is no need to modify the cloud-native application itself or re-release the application version. The cloud platform can directly resolve and mitigate the security risk using relevant cloud security technologies. In one possible implementation, the cloud platform focuses the security risks of cloud-native applications on threats to specific cloud service data, and then adopts a security remediation solution related to that cloud service data. By remediating the cloud service data, the security risks of the cloud-native application are thus mitigated.

[0055] In an exemplary example, if the security risk item refers to the security risk of a cloud-native application calling a cloud database, then there is no need to modify the cloud-native application itself. It is only necessary to obtain the security remediation solution corresponding to the cloud database, such as a security encryption remediation solution on the cloud. Then, the security remediation solution can be used to fix the security risk item.

[0056] In summary, this application provides a security detection method for cloud-native applications: when a cloud platform detects security risks in a cloud-native application deployed on the cloud platform, the threat of the security risk can be focused on the threat to specific cloud service data. A security remediation scheme (cloud security technology) related to that cloud service data can then be adopted to remediate the cloud service data, thereby resolving or mitigating the security risks of the cloud-native application. Compared to related technologies where security risks require modification of the application itself and re-release of the application version, this application eliminates the need for manual security remediation by the business side. It can automatically remediate security risks based on existing cloud service data security remediation schemes, thus improving the efficiency of security remediation for cloud-native applications. Furthermore, since cloud-native applications are deployed on cloud platforms, security scanning of cloud-native applications requires not only scanning the application operation logs of the cloud-native application itself but also scanning the cloud configuration components accessed by the cloud-native application to achieve a comprehensive security scan of the cloud-native application.
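The following Python is an added example, not code from the patent or from Tencent: it walks steps 202 to 204 on constructed data, scanning application operation logs against log-field requirements and cloud configuration components against the four security configuration options named in step 304 (authentication, authorization, encryption, auditing), then mapping each risk item to the cloud service data it threatens and to a cloud-side remediation scheme. The specific required log fields, the component-to-service-data pairings other than the key component / encryption service pairing given in [0052], and the remediation scheme texts are assumptions.

```python
from dataclasses import dataclass

# --- Security scanning rules (constructed for this example) ---
# Log-field requirements: every application operation log entry must carry these.
REQUIRED_LOG_FIELDS = frozenset({"timestamp", "account", "operation", "resource", "result"})
# Security configuration options every cloud configuration component must have enabled
# (the four options listed in step 304).
REQUIRED_COMPONENT_OPTIONS = ("authentication", "authorization", "encryption", "auditing")

# Component type -> cloud service data it corresponds to. The page gives one pairing
# (key component -> encryption service data); the other two are assumptions.
COMPONENT_SERVICE_DATA = {
    "key_component": "encryption_service_data",
    "cloud_database": "cloud_database_service_data",
    "object_storage": "object_storage_service_data",
}
# Cloud-side remediation schemes available per cloud service data (constructed).
REMEDIATION_SCHEMES = {
    "encryption_service_data": "enable server-side key management and key rotation",
    "cloud_database_service_data": "enable database encryption and access auditing",
}


@dataclass(frozen=True)
class RiskItem:
    source: str        # "log" or "component"
    target: str        # log entry index or component name
    rule: str          # the rule entry the application does not comply with
    service_data: str  # cloud service data threatened ("" if none could be determined)
    remediation: str   # matching remediation scheme ("" if the platform has none)


def _with_remediation(source, target, rule, service_data):
    """Step 204: look up the remediation scheme tied to the threatened cloud service data."""
    return RiskItem(source, target, rule, service_data, REMEDIATION_SCHEMES.get(service_data, ""))


def scan_operation_logs(entries, components):
    """Step 202, log dimension: mark each entry compliant or non-compliant."""
    risks = []
    for i, entry in enumerate(entries):
        missing = sorted(REQUIRED_LOG_FIELDS - set(entry))
        if not missing:
            continue
        # Step 203 for a log risk: the associated cloud service data is derived from the
        # component the entry names as its resource (assumption).
        ctype = components.get(entry.get("resource", ""), {}).get("type", "")
        risks.append(_with_remediation("log", f"entry[{i}]", f"missing log fields {missing}",
                                       COMPONENT_SERVICE_DATA.get(ctype, "")))
    return risks


def scan_components(components):
    """Step 202, component dimension: all required options must be enabled."""
    risks = []
    for name, comp in components.items():
        disabled = [o for o in REQUIRED_COMPONENT_OPTIONS if not comp.get(o, False)]
        if not disabled:
            continue
        risks.append(_with_remediation("component", name, f"options disabled {disabled}",
                                       COMPONENT_SERVICE_DATA.get(comp.get("type", ""), "")))
    return risks


def security_scan(app):
    """Steps 202-204 end to end: returns (has_risk, risk_items)."""
    comps = app["components"]
    risks = scan_operation_logs(app["logs"], comps) + scan_components(comps)
    return bool(risks), risks


# Constructed sample application: a compliant database, a key component with
# auditing disabled, and one log entry that lacks the "result" field.
SAMPLE_APP = {
    "components": {
        "orders-db": {"type": "cloud_database", "authentication": True,
                      "authorization": True, "encryption": True, "auditing": True},
        "app-kms": {"type": "key_component", "authentication": True,
                    "authorization": True, "encryption": True, "auditing": False},
    },
    "logs": [
        {"timestamp": "2023-01-18T09:00:00Z", "account": "svc-orders",
         "operation": "query", "resource": "orders-db", "result": "ok"},
        {"timestamp": "2023-01-18T09:00:05Z", "account": "svc-orders",
         "operation": "decrypt", "resource": "app-kms"},
    ],
}

if __name__ == "__main__":
    has_risk, items = security_scan(SAMPLE_APP)
    print("security risk present:", has_risk)
    for item in items:
        print(item)
```

Both findings point at the same cloud service data, so the platform can remediate on the encryption service side without a new application release, which is the point of step 204.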

[0057] Because cloud platforms deploy numerous applications and services, frequent security scans of cloud-native applications would increase the platform's processing load. Furthermore, in some scenarios, security scans of cloud-native applications are unnecessary. For example, if a cloud-native application's associated database stores highly sensitive data, but no sensitive account accesses that data, the data is considered secure and a security scan is unnecessary. Therefore, to avoid ineffective security scans, one possible implementation is for the cloud platform to perform a security scan on the cloud-native application associated with a sensitive account only when access to sensitive data by that account is detected, in order to assess the application's security risks.

[0058] Please refer to Figure 3, which illustrates a flowchart of a security detection method for cloud-native applications provided in another exemplary embodiment of this application. This embodiment takes the cloud platform as the executing entity as an example; the method includes:

[0059] Step 301: Upon receiving an account login operation to the cloud platform, obtain the login log of the account login operation.

[0060] When a business entity (cloud tenant) logs into the cloud platform via the login page, the cloud platform can receive the account login operation and obtain the login logs corresponding to it. The login log includes, for example, the account information entered by the business entity when logging in, as well as the relevant input information entered after logging in, including but not limited to architecture descriptions, software design documents, APIs, specifications, end-user documents, source code, and related third-party components.

[0061] Step 302: If the login log indicates the presence of sensitive data and sensitive accounts, determine that the cloud-native application has security testing requirements, and that the cloud-native application is an application associated with the sensitive account.

[0062] Optionally, to avoid increasing the processing pressure on the cloud platform by frequently performing security checks on cloud-native applications, a security check is set to be performed when it is determined that a cloud-native application has a security check requirement. In this embodiment, when the login log indicates the presence of sensitive data and sensitive accounts, it means that there is a sensitive account accessing sensitive data, and the security of the cloud-native application associated with the sensitive account needs to be evaluated. That is, when the cloud platform determines that there are sensitive accounts and sensitive data, it determines that the cloud-native application associated with the sensitive account has a security check requirement.

[0063] Optionally, if the login logs indicate that although sensitive data exists, there is no access operation of sensitive data by sensitive accounts, or there is no sensitive data, then considering the security processing performance of the cloud platform, it is not necessary to perform a security scan on the cloud-native application.

[0064] Optionally, since the data associated with different account information may differ, meaning different accounts may have access permissions to different data, it is necessary to determine the sensitivity level of the data accessible to the account when determining whether sensitive data exists. In an exemplary example, step 302 may include steps 302A to 302C.

[0065] Step 302A: Based on the account information in the login log, determine the accessible data associated with the account information.

[0066] Step 302B: If the sensitivity level of the accessible data reaches the sensitivity level threshold, the accessible data is identified as sensitive data.

[0067] Login logs can include the account information of business users, and this account information corresponds to allocation information indicating the data the account is permitted to access, from which the accessible data associated with that account information can be identified. Whether the accessible data is sensitive is determined by its sensitivity level, which the cloud platform obtains for the accessible data. If the sensitivity level reaches the threshold, the accessible data is determined to be sensitive data.

[0068] Optionally, data sensitivity levels can be categorized into C1-unrestricted, C2-restricted, and C3-confidential, with a sensitivity level threshold of C3. When the cloud platform determines that the sensitivity level of accessible data reaches C3 or above, the accessible data is then classified as sensitive data.

[0069] Optionally, the cloud platform is configured with a classification and grading service to automatically classify the databases stored on the cloud platform according to their sensitivity levels.

[0070] Step 302C: If the login log indicates that the account information needs to access sensitive data, determine that a sensitive account exists and that the cloud-native application has security detection requirements.

[0071] Optionally, even if sensitive data is associated with the account information, it is considered secure if the sensitive data is not accessed. Security vulnerabilities arise only when access to the sensitive data is performed, requiring a security scan. In this embodiment, if the login log indicates that the account information requires access to sensitive data, it signifies that the account is a sensitive account. This satisfies the condition of both sensitive data and a sensitive account existing. Therefore, the cloud-native application associated with the sensitive account requires security testing. Subsequent security scans of the cloud-native application are necessary to assess whether there are security risks associated with the cloud-native application associated with the sensitive account, enabling timely remediation of identified security risks and maintaining the security of the cloud platform.

[0072] Optionally, if the cloud platform determines that there are both sensitive accounts and sensitive data, it is necessary to match the corresponding security scanning rules to perform security scans on the cloud-native applications associated with the sensitive accounts and obtain the security scan results of the cloud-native applications.
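The gate described in [0067] to [0072], as an added example that is not the patent's own code: it separates "the account may access sensitive data" (allocation information) from "the account accessed sensitive data" (login log), and only the latter makes the account a sensitive account. The input shapes (login-log entries as dicts with an "account" and the "datasets" the session accessed, an allocation table, and a C1..C4 classification table standing in for the classification and grading service) and all sample data are assumptions, not taken from the source.

```python
"""Added example (not the patent's own code): the sensitive-data /
sensitive-account gate of steps 302B-302C.  Assumed inputs (hypothetical,
not from the source): login-log entries as dicts with "account" and the
"datasets" the session accessed; an allocation table mapping each account
to the data it may access; a classification table mapping datasets to a
level C1..C4 as produced by the platform's classification and grading
service."""
from typing import Dict, Iterable, List, Set

# Ascending sensitivity order; the text uses C3 as the threshold.
LEVELS: List[str] = ["C1", "C2", "C3", "C4"]
SENSITIVE_THRESHOLD = "C3"


def is_sensitive(level: str, threshold: str = SENSITIVE_THRESHOLD) -> bool:
    """True when `level` reaches the threshold or above (C3, C4)."""
    return LEVELS.index(level) >= LEVELS.index(threshold)


def classify_account(account: str,
                     login_log: List[dict],
                     allocation: Dict[str, Set[str]],
                     classification: Dict[str, str]) -> dict:
    """Distinguish 'may access sensitive data' from 'accessed sensitive data'.

    Only the second makes the account a sensitive account ([0071]): an
    allocation alone, with no access in the log, does not trigger a scan.
    Datasets with no classification entry are treated as C1 here; a
    stricter deployment would treat unclassified data as sensitive instead.
    """
    accessible = allocation.get(account, set())
    accessible_sensitive = {d for d in accessible
                            if is_sensitive(classification.get(d, "C1"))}
    accessed = {d for e in login_log if e.get("account") == account
                for d in e.get("datasets", [])}
    accessed_sensitive = {d for d in accessed
                          if is_sensitive(classification.get(d, "C1"))}
    return {
        "account": account,
        "has_sensitive_allocation": bool(accessible_sensitive),
        "is_sensitive_account": bool(accessed_sensitive),
        "accessed_sensitive": sorted(accessed_sensitive),
    }


def needs_security_detection(login_log: List[dict],
                             allocation: Dict[str, Set[str]],
                             classification: Dict[str, str]) -> List[str]:
    """Accounts whose cloud-native applications must be scanned."""
    accounts = {e["account"] for e in login_log}
    return sorted(a for a in accounts
                  if classify_account(a, login_log, allocation,
                                      classification)["is_sensitive_account"])


# Constructed sample data (not from the source).
CLASSIFICATION = {"orders": "C2", "customer-pii": "C3", "signing-keys": "C4"}
ALLOCATION = {
    "alice": {"orders", "customer-pii"},   # may read PII, but only read orders
    "bob": {"orders", "signing-keys"},
    "carol": {"orders"},
}
LOGIN_LOG = [
    {"time": "2024-01-01T09:00:00Z", "account": "alice", "datasets": ["orders"]},
    {"time": "2024-01-01T09:05:00Z", "account": "bob", "datasets": ["signing-keys"]},
    {"time": "2024-01-01T09:10:00Z", "account": "carol", "datasets": ["orders"]},
]

if __name__ == "__main__":
    print(needs_security_detection(LOGIN_LOG, ALLOCATION, CLASSIFICATION))
```

With the constructed data only "bob" triggers a scan: "alice" has a C3 allocation but the log shows no access to it, which is exactly the case [0071] excludes.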

[0073] Step 303: If the cloud-native application has a security detection requirement, determine the application operation logs of the cloud-native application and the cloud configuration components accessed by the cloud-native application.

[0074] The implementation method of step 303 can be referred to the above embodiment, and will not be repeated here.

[0075] Step 304: Based on security scanning rules, perform security scans on the application operation logs and cloud configuration components of the cloud-native application to obtain the security scan results of the cloud-native application.

[0076] Optionally, since security scanning of cloud-native applications requires security risk assessment from two dimensions—application operation logs and cloud configuration components—the security scanning methods used for these two aspects differ. For application operation logs, the cloud platform primarily performs a security scan based on the log field requirements in the security scanning rules to determine whether each log entry meets the requirements. If it does, the application operation log is free of security risks; otherwise, it contains security risks. During the security scan, the status of each application operation log entry (including compliance and non-compliance) needs to be marked to obtain the security scan results. For cloud configuration components, the cloud platform primarily performs a security scan based on the security configuration options in the security scanning rules. These security configuration options include at least one of authentication, authorization, encryption, and auditing. Specifically, it determines whether each cloud configuration component has these security configuration options enabled. If all are enabled, the cloud configuration component is free of security risks; otherwise, it contains security risks. During the security scan of cloud configuration components, it is necessary to identify the enabled status of the corresponding security configuration options for each cloud configuration component in order to obtain the security scan results of the cloud configuration components.

[0077] In one exemplary example, the requirements for application operation log logging specifications can be shown in Table 1.

[0078] Table 1

[0079]

[0080] Optionally, during the security scanning of cloud-native applications based on security scanning rules, the security engine (also known as the baseline judgment engine) can abstract the security scanning rules into a series of state machines, and label and judge the state machines, with states categorized as compliant / non-compliant, pending / not involved, etc. For example, if a cloud-native application complies with a certain security scanning rule, the state corresponding to that security scanning rule is set to compliant; if it does not comply, the state corresponding to that security scanning rule is set to non-compliant.

[0081] Optionally, since this application provides corresponding security remediation solutions after identifying security risk items, the status of each security scanning rule can be divided into two dimensions or two stages. The first stage is used to set whether the security scanning rule is met, with the status set to "compliant / non-compliant," or "pending / not involved." The second stage can set the status based on whether a security remediation solution is matched. For example, if a security scanning rule's status is "non-compliant," indicating a security risk item, and a security remediation solution is matched, the status can be set to "risk addressed and solution available." If no security remediation solution is matched, the status can be set to "no solution." Optionally, the second stage can be set to the following statuses: not resolved / risk addressed and solution available / no solution / business self-service solution / no solution required, etc.

[0082] Step 305: If the security scan results indicate the presence of security risk items, determine the cloud service data threatened by the security risk items. Cloud-native applications will call cloud service data during operation.

[0083] Step 306: Determine the security remediation plan related to cloud service data so that security risk items can be remediated based on the security remediation plan.

[0084] The implementation methods for steps 305 and 306 can be referred to the above embodiments, and will not be repeated here.

[0085] Step 307: If a security risk item is matched with a security remediation solution, the security risk item and the security remediation solution are associated and stored in the security detection result database.

[0086] To facilitate subsequent review of security remediation solutions, in one possible implementation, when the cloud platform matches a security remediation solution to a detected security risk item, the security remediation solution and the security risk item can be associated and stored in the security detection result database for subsequent review of the security remediation solution.

[0087] Step 308: If the security scan results indicate the existence of security risk items, and no cloud service data is matched for a security risk item, determine that no security remediation solution is matched for that security risk item.

[0088] Step 309: Set an unremediated label for the security risk item, and associate the security risk item with the unremediated label in the security detection result database.

[0089] Optionally, in other possible implementations, if the security scan results indicate the existence of a security risk item but no corresponding cloud service data is matched, so that no security remediation solution can be matched for the security risk item, the cloud platform can set an unremediated label for the security risk item and associate the unremediated label with the security risk item in the security detection result database for subsequent review.

[0090] Optionally, if no security remediation solution is matched for a security risk item, a security remediation plan related to the security scanning rule can be determined from the security knowledge base, and it can be determined whether that plan can mitigate the security risk item; if it can, the security remediation plan is also identified as a mitigation plan and associated with the security risk item for storage.
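The two-dimensional scan of [0076] and the two-stage state machine of [0080] to [0089], as one added example that is not the patent's own code. Stage 1 marks each log entry compliant or non-compliant against required log fields and each cloud configuration component compliant only when authentication, authorization, encryption and auditing are all enabled; stage 2 maps a non-compliant item to the cloud service data it threatens and from there to a remediation solution, or labels it unremediated when no data is matched. The required field names, component names, threat map and plan texts are hypothetical (Table 1 is not reproduced in the extracted text), and the sample inputs are constructed.

```python
"""Added example (not the patent's own code): a minimal baseline judgment
engine for steps 304-309.  Stage 1 marks each rule target compliant /
non-compliant ([0080]); stage 2 maps each non-compliant item to the cloud
service data it threatens and then to a remediation plan for that data
([0081], [0085]-[0089]).  The required log fields, component names, threat
map and plan texts are hypothetical, not taken from the source."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Sequence


class Stage1(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non-compliant"
    PENDING = "pending"
    NOT_INVOLVED = "not involved"


class Stage2(Enum):
    NOT_RESOLVED = "not resolved"                 # unremediated label, [0088]
    HANDLED = "risk addressed and solution available"
    NO_SOLUTION = "no solution"
    SELF_SERVICE = "business self-service solution"
    NOT_REQUIRED = "no solution required"


# The four security configuration options named in [0076].
SECURITY_OPTIONS = ("authentication", "authorization", "encryption", "auditing")


@dataclass
class Finding:
    rule_id: str
    target: str                 # log entry index or component name
    stage1: Stage1
    detail: str = ""
    stage2: Optional[Stage2] = None
    threatened_data: Optional[str] = None
    plan: Optional[str] = None


def scan_logs(entries: Sequence[dict], required_fields: Sequence[str],
              rule_id: str = "LOG-FIELDS") -> List[Finding]:
    """Each log entry is compliant only if every required field is present
    and non-empty; the missing fields are recorded for the reviewer."""
    out = []
    for i, entry in enumerate(entries):
        missing = [f for f in required_fields if not entry.get(f)]
        state = Stage1.NON_COMPLIANT if missing else Stage1.COMPLIANT
        out.append(Finding(rule_id, f"log[{i}]", state,
                           "missing: " + ", ".join(missing) if missing else ""))
    return out


def scan_components(components: Dict[str, Dict[str, bool]],
                    rule_id: str = "COMPONENT-OPTIONS") -> List[Finding]:
    """A component is compliant only if all four options are enabled; an
    option absent from the inventory counts as disabled (fail closed)."""
    out = []
    for name, opts in components.items():
        disabled = [o for o in SECURITY_OPTIONS if not opts.get(o, False)]
        state = Stage1.NON_COMPLIANT if disabled else Stage1.COMPLIANT
        out.append(Finding(rule_id, name, state,
                           "disabled: " + ", ".join(disabled) if disabled else ""))
    return out


def match_remediation(findings: List[Finding], threat_map: Dict[str, str],
                      plans: Dict[str, str]) -> List[Finding]:
    """Stage 2: risk item -> threatened cloud service data -> plan."""
    for f in findings:
        if f.stage1 is not Stage1.NON_COMPLIANT:
            continue                                # stage 2 only for risk items
        data = threat_map.get(f.target)
        if data is None:                            # [0087]: no data matched
            f.stage2 = Stage2.NOT_RESOLVED
        elif data not in plans:                     # data known, no plan for it
            f.threatened_data, f.stage2 = data, Stage2.NO_SOLUTION
        else:
            f.threatened_data, f.plan = data, plans[data]
            f.stage2 = Stage2.HANDLED
    return findings


# Constructed sample inputs (not from the source).
REQUIRED_FIELDS = ("timestamp", "account", "operation", "resource")
LOGS = [
    {"timestamp": "2024-01-01T09:00:00Z", "account": "svc-orders",
     "operation": "read", "resource": "db/orders"},
    {"timestamp": "2024-01-01T09:01:00Z", "account": "",
     "operation": "write", "resource": "db/orders"},
]
COMPONENTS = {
    "rds-orders":  dict(authentication=True, authorization=True, encryption=True, auditing=True),
    "cos-backups": dict(authentication=True, authorization=True, encryption=False, auditing=True),
    "redis-cache": dict(authentication=False, authorization=False, auditing=True),
}
THREAT_MAP = {"cos-backups": "backup-bucket", "redis-cache": "session-store"}
PLANS = {"backup-bucket": "enable server-side encryption and re-encrypt existing objects"}


def run_scan() -> Dict[str, Finding]:
    findings = scan_logs(LOGS, REQUIRED_FIELDS) + scan_components(COMPONENTS)
    return {f.target: f for f in match_remediation(findings, THREAT_MAP, PLANS)}
```

Each finding keeps its stage-1 and stage-2 states together so the result database row of step 307/309 can be written directly from it; the component scan fails closed on options missing from the inventory, which is the safer reading of "determine whether each cloud configuration component has these security configuration options enabled".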

[0091] In this embodiment, by determining whether sensitive accounts and sensitive data exist, and when such existence is confirmed, a security scan is performed on the cloud-native applications associated with the sensitive accounts based on security scanning rules. This avoids invalid security scanning operations and reduces the pressure on cloud platform security processing. Furthermore, by storing security risk items and corresponding security remediation solutions in the security detection result library, it is beneficial to review the security remediation solutions subsequently and improve the accuracy of security remediation.

[0092] Because accessible data has different sensitivity levels, and these different sensitivity levels have different security requirements, different baseline security rules are set for each sensitivity level. In one possible implementation, before performing a security scan on a cloud-native application, it is first necessary to match it with the corresponding security scan rules.

[0093] Please refer to Figure 4, which illustrates a flowchart of a security detection method for cloud-native applications provided in another exemplary embodiment of this application. This embodiment uses a cloud platform as an example to illustrate the method, which includes:

[0094] Step 401: If it is determined that the cloud-native application has security detection requirements, determine the application operation logs of the cloud-native application and the cloud configuration components accessed by the cloud-native application.

[0095] The implementation method of step 401 can be referred to the above embodiment, and will not be repeated here.

[0096] Step 402: Based on the sensitivity level of the sensitive data, match the baseline security rules corresponding to the sensitivity level. Different sensitivity levels correspond to different baseline security rules.

[0097] To meet the different security requirements of data with different sensitivity levels, in one possible implementation, cloud platform security personnel have formulated different baseline security rules for different sensitivity levels. This allows the baseline security rules corresponding to the sensitivity level of the sensitive data to be matched during actual security scanning.

[0098] Optionally, the higher the sensitivity level, the more rule items may be included in the baseline security rules; conversely, if the sensitivity level is low, the baseline security rules may contain fewer rule items.

[0099] It should be noted that the baseline security rules are uniform security scanning rules applicable to data of the same sensitivity level.

[0100] Optionally, when developing baseline security rules, security personnel edit the corresponding judgment and analysis expressions, enable and disable rules, and define the organizational scope for rule application. Rules include organization-defined threat types. Baseline security rules primarily cover network security, identity management, privileged access, data protection, asset management, logging and threat detection, vulnerability management, and backup and recovery.

[0101] Optionally, the method for determining the sensitivity level of sensitive data can refer to the above embodiment, which will not be repeated here.

[0102] Step 403: Determine the baseline security rules as security scanning rules for cloud-native applications.

[0103] Optionally, once the baseline security rule matching the cloud-native application is obtained, the baseline security rule can be determined as the security scanning rule for the cloud-native application, so that the security scanning rule (baseline security rule) can be used to perform a security scan on the cloud-native application.

[0104] Step 404: Based on security scanning rules, perform security scans on the application operation logs and cloud configuration components of the cloud-native application to obtain the security scan results of the cloud-native application.

[0105] Step 405: If the security scan results indicate the presence of security risk items, determine the cloud service data threatened by the security risk items. Cloud-native applications will call cloud service data during operation.

[0106] Step 406: Determine the security remediation plan related to cloud service data so that security risk items can be remediated based on the security remediation plan.

[0107] The implementation methods for steps 404 to 406 can be referred to the above embodiments, and will not be repeated here.

[0108] In this embodiment, by matching different baseline security rules to different sensitivity levels, differentiated scanning can be performed during the security scan process. Matching higher-level baseline security rules to cloud-native applications with higher sensitivity levels can improve their security. Furthermore, when performing security scans on cloud-native applications, not only are the application's log fields scanned, but the cloud configuration components accessed by the application are also scanned to ensure the security of the cloud platform.

[0109] In other possible application scenarios, security scanning rules also have specific rule sets set for cloud-native applications in different security domains. For example, if the cloud-native application is an external network application, it may be necessary to enable a rule set specifically set for external network applications.

[0110] Building on Figure 4, and as shown in Figure 5, the method may further include step 501, and step 403 may include steps 502 and 503.

[0111] Step 501: Determine the application security domain of the cloud-native application. The application security domain refers to whether the cloud-native application is an external network application or an internal network application.

[0112] Here, the application security domain refers to whether the cloud-native application is an external network application or an internal network application. Cloud-native applications that provide services to the outside world are called external network applications, while those that do not are called internal network applications. Optionally, the type of application can be determined based on its IP (Internet Protocol) address.

[0113] Step 502: When the application security domain refers to the cloud-native application as an external network application, match the application scanning rules corresponding to the external network application; determine the application scanning rules and baseline security rules as the security scanning rules for the cloud-native application.

[0114] Because external network applications require more security scanning rules, while internal network applications may require relatively fewer, a dedicated rule set (the application scanning rules) is set up specifically for external network applications. When the cloud platform determines that a cloud-native application is an external network application, it adds the application scanning rules corresponding to external network applications to the baseline security rules. The application scanning rules and the baseline security rules are then combined into a single set of security scanning rules, and the cloud-native application is security scanned based on that set.

[0115] Step 503: When the application security domain refers to the cloud-native application as an intranet application, the baseline security rules are determined as the security scanning rules for the cloud-native application.

[0116] Optionally, if the cloud platform determines that the cloud-native application is an intranet application, the cloud-native application can be security scanned using only baseline security rules.

[0117] Optionally, specific rule sets can be set for intranet applications. This allows for the addition of rule sets corresponding to intranet applications to the baseline security rules, enabling security scans of cloud-native applications based on both the baseline security rules and the rule sets corresponding to intranet applications, provided that the cloud-native application is identified as an intranet application.

[0118] In this embodiment, by determining whether the cloud-native application is an intranet application or an extranet application, it is determined whether to add the rule set corresponding to extranet applications on top of the baseline security rules, so as to increase the number of security scanning rules applied to the extranet application and thus improve the security of the cloud-native application.
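The rule selection of steps 402-403 and 501-503, as an added example that is not the patent's own code: the baseline rule set is chosen by sensitivity level, the application security domain is derived from the application's addresses using Python's `ipaddress` module (an address that is globally routable marks an external network application), and the extranet rule set is appended only for that domain. The rule identifiers, the per-level rule sets and the sample addresses are hypothetical; the source only states that higher levels carry more rule items and that the domain can be determined from the IP address.

```python
"""Added example (not the patent's own code): selecting the security
scanning rules for one application from (a) the baseline rule set matched
to the sensitivity level (steps 402-403) and (b) the application security
domain decided from the application's addresses (steps 501-503).  Rule
identifiers, per-level rule sets and sample addresses are hypothetical."""
import ipaddress
from typing import Iterable, List, Tuple

# One baseline per level; each level extends the one below it ([0098]).
BASELINE_RULES = {
    "C1": ["NET-SEG", "IAM-MFA"],
    "C2": ["NET-SEG", "IAM-MFA", "LOG-AUDIT"],
    "C3": ["NET-SEG", "IAM-MFA", "LOG-AUDIT", "DATA-ENC", "PRIV-JIT"],
    "C4": ["NET-SEG", "IAM-MFA", "LOG-AUDIT", "DATA-ENC", "PRIV-JIT",
           "VULN-SLA", "BACKUP-RESTORE"],
}
# Extra rule set enabled only for external network applications ([0114]);
# the intranet set is optional ([0117]) and left empty here.
EXTRANET_RULES = ["APP-WAF", "APP-TLS", "APP-RATE-LIMIT"]
INTRANET_RULES: List[str] = []


def application_security_domain(addresses: Iterable[str]) -> str:
    """'extranet' if any bound address is globally routable, else 'intranet'.

    Loopback, RFC 1918, link-local and documentation ranges are all
    non-global for `ipaddress`, so a service reachable only on such
    addresses is treated as an internal network application.  A malformed
    address raises ValueError instead of being silently classified.
    """
    for addr in addresses:
        if ipaddress.ip_address(addr).is_global:
            return "extranet"
    return "intranet"


def select_scanning_rules(sensitivity_level: str,
                          addresses: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (domain, ordered rule list) with duplicates removed."""
    if sensitivity_level not in BASELINE_RULES:
        raise ValueError(f"unknown sensitivity level {sensitivity_level!r}")
    domain = application_security_domain(addresses)
    extra = EXTRANET_RULES if domain == "extranet" else INTRANET_RULES
    rules = list(BASELINE_RULES[sensitivity_level])
    rules += [r for r in extra if r not in rules]
    return domain, rules


if __name__ == "__main__":
    # Constructed sample: a C3 application with one private and one public address.
    print(select_scanning_rules("C3", ["10.0.0.5", "1.2.3.4"]))
```

Classifying by bound address is the heuristic the text names; an application whose only global exposure is through a load balancer or gateway would need that frontend's address included in `addresses` to be recognised as an external network application.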

[0119] In other possible application scenarios, this application can not only automatically match the corresponding security remediation solutions for the security risk items obtained by scanning, but also, after the security scan is completed, automatically estimate the manpower and time required to remediate the security risk items, as a reference for users.

[0120] Please refer to Figure 6, which illustrates a flowchart of a security detection method for cloud-native applications provided in another exemplary embodiment of this application. This embodiment uses a cloud platform as an example to illustrate the method, which includes:

[0121] Step 601: If it is determined that the cloud-native application has security detection requirements, determine the application operation logs of the cloud-native application and the cloud configuration components accessed by the cloud-native application.

[0122] Optionally, before step 601, the cloud platform can also perform deduplication based on the URL address and account information under the account login operation to avoid repeated security scans.

[0123] Optionally, the process of determining whether a cloud-native application has security testing requirements may also include steps 601A to 601C.

[0124] Step 601A: Upon receiving an account login operation to the cloud platform, obtain the operation time, account information, and URL (Uniform Resource Locator) address corresponding to the account login operation.

[0125] Step 601B: Determine the last security scan time based on account information and URL address.

[0126] Step 601C: If the interval between the scanning time and the operation time is greater than a time threshold, perform a security scan on the cloud-native application based on security scanning rules to obtain the security scan results of the cloud-native application.

[0127] Repeated security scans of the same cloud-native application within a short period would obviously increase the processing pressure on the cloud platform. Therefore, in one possible implementation, when an account login operation to the cloud platform is received, the operation time, account information, and URL address corresponding to the login operation can be obtained. The account information and URL address are then used for deduplication. If it is determined that under the same URL address and the same account information, the time interval between the last security scan and the current operation time is less than a time threshold, then no further security scan steps are required. Conversely, if the time interval is greater than the time threshold, a security scan of the cloud-native application can be performed based on security scan rules, and the security scan results of the cloud-native application can be obtained.

[0128] As an example, the time threshold can be set by the cloud platform's security personnel. For example, the time threshold could be 1 hour.

[0129] Step 602: Based on security scanning rules, perform security scans on the application operation logs and cloud configuration components of the cloud-native application to obtain the security scan results of the cloud-native application.

[0130] Step 603: If the security scan results indicate the presence of security risk items, determine the cloud service data threatened by the security risk items. Cloud-native applications will call cloud service data during operation.

[0131] Step 604: Determine the security remediation plan related to cloud service data so that security risk items can be remediated based on the security remediation plan.

[0132] The implementation methods for steps 602 to 604 can be referred to the above embodiments, and will not be repeated here.

[0133] Step 605: Obtain the number of security risk items.

[0134] Step 606: Based on the number of items, the security risk factor, and the average repair time, determine the predicted working time required to repair the security risk items.

[0135] In an exemplary example, the predicted working time (the working hours required to repair the risk items) can be calculated as shown in formula (1).

[0136] Estimated working time (estimated man-hours) = security risk factor * average repair time * number of items (1)

[0137] In one possible implementation, the cloud platform obtains the number of security risk items from the security detection result database, and then substitutes the number of items, the security risk factor, and the average repair time into formula (1) to determine the predicted working time required to repair the security risk items.

[0138] For example, security personnel can set the security risk factor to 0.5 based on experience, and the average repair time can be 0.5.

[0139] Please refer to Figure 7, which illustrates a complete security detection process according to an exemplary embodiment of this application. The cloud platform first determines whether sensitive data and sensitive personnel exist. If both are present, it matches the corresponding baseline security rules. It then determines whether the cloud-native application is an external network application and, if so, activates the corresponding rule set. After the security scanning rules are determined, the platform performs a security scan on the cloud-native application to identify security risks. Once security risks are detected, a corresponding security remediation plan can be matched, and the required remediation time can be determined.

[0140] In this embodiment, by obtaining the number of security risk items, the predicted working time (estimated man-hours) required to resolve the aforementioned security risk items can be calculated. This predicted working time is then fed back to the user, allowing the user to rationally allocate the necessary remediation personnel based on the estimated man-hours. Furthermore, deduplication based on URL and account information can avoid performing multiple security scans on the same cloud-native application within a short period, preventing invalid security scan operations and reducing the processing pressure on the cloud platform.

[0141] Please refer to Figure 8, which illustrates a flowchart of a security detection method for cloud-native applications according to another exemplary embodiment of this application. The method includes:

[0142] Step 801: Upon receiving an account login operation to the cloud platform, obtain the operation time, account information, and URL address corresponding to the account login operation.

[0143] Step 802: Deduplicate account login operations based on account information and URL address.

[0144] Cloud tenants can log in to the cloud platform by entering login information on the cloud platform webpage. The cloud platform can then obtain login logs, which may include the operation time, account information, and URL address of the account login operation.

[0145] Optionally, after logging into the cloud platform, cloud tenants can also upload other input information related to cloud-native applications via the web interface, such as architecture descriptions, software design documents, API specifications, end-user documentation, source code, and related third-party components.

[0146] Optionally, if the time interval between the current operation time and the last operation time is small, less than the time threshold, then task creation will only be performed once.

[0147] Step 803: Determine whether the security scan task is a high-priority task.

[0148] If the cloud platform receives a manual trigger operation for a security scan task from a cloud tenant (user), it determines that the security scan task is a high-priority task. If the security scan task is triggered on a schedule, it determines that the security scan task is not a high-priority task.

[0149] Step 804, execute at a set time.

[0150] When the cloud platform determines that a task is not a high-priority task, it will trigger a security scan task at a pre-configured time interval. For example, the time interval can be 1 hour or 1 day, and the security scan task will be executed once every 1 hour or 1 day.

[0151] Step 805, execute manually.

[0152] When the cloud platform determines that a task is of high priority, it will manually trigger the security scan task when it receives a user's manual triggering operation for the security scan task (e.g., triggering the security scan control).

[0153] Step 806, Historical Results Report Management.

[0154] The historical results report management system stores the historical security scan results of this cloud-native application.

[0155] In the task management module, the cloud platform creates tasks based on the input information entered through the web system. Input items include, but are not limited to, architecture descriptions, software design documents, API specifications, end-user documentation, source code, account information, and relevant third-party components. The evaluation system determines the sub-account allocation information, deduplicates on the input sub-account and URL domain, and then determines whether the task is a high-priority task. A high-priority task is executed on manual trigger, and the metadata module is scheduled according to the task status; non-high-priority tasks are transferred to the scheduled task sub-module. The scheduled interval is generally set to longer than 1 hour to avoid data collection delays and out-of-order processing in high-concurrency scenarios.
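The deduplication of steps 601A-601C and 802 ([0127], with the 1-hour threshold of [0128]) and the manual / scheduled split of steps 803-805 and [0155], as one added example that is not the patent's own code. Assumptions not in the source: deduplication keys on the account and the URL's host (the "URL domain" of [0155]) rather than the full URL, a manual trigger is still subject to the deduplication window because the text orders deduplication before the priority decision, and a scheduled task runs at the next interval tick. Times, accounts and URLs are constructed sample data.

```python
"""Added example (not the patent's own code): task creation with the
account + URL deduplication of steps 601A-601C / 802 ([0127], 1-hour
threshold from [0128]) and the manual / scheduled priority split of steps
803-805.  Assumptions not in the source: deduplication keys on the URL's
host, manual triggers still pass through the deduplication window, and
scheduled tasks run at the next interval tick."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DEDUP_WINDOW = timedelta(hours=1)        # [0128]: example threshold of 1 hour
SCHEDULED_INTERVAL = timedelta(hours=1)  # [0150]: 1 hour or 1 day


def dedup_key(account: str, url: str) -> Tuple[str, str]:
    """(account, host) so that /login and /login?next=... collapse into one."""
    host = urlsplit(url).hostname or ""
    return (account, host.lower())


class TaskManager:
    def __init__(self, window: timedelta = DEDUP_WINDOW,
                 interval: timedelta = SCHEDULED_INTERVAL) -> None:
        self.window = window
        self.interval = interval
        self.last_task: Dict[Tuple[str, str], datetime] = {}
        self.tasks: List[dict] = []

    def create_task(self, account: str, url: str, when: datetime,
                    manual: bool = False) -> Optional[str]:
        """Create at most one scan task per (account, host) per window.

        Returns "high-priority" or "scheduled" for a created task and None
        when the operation was deduplicated against an earlier task.
        """
        key = dedup_key(account, url)
        last = self.last_task.get(key)
        if last is not None and when - last < self.window:
            return None
        self.last_task[key] = when
        queue = "high-priority" if manual else "scheduled"
        run_at = when if manual else when + self.interval
        self.tasks.append({"key": key, "queue": queue, "run_at": run_at})
        return queue

    def due(self, now: datetime) -> List[dict]:
        """Tasks whose run time has arrived, high-priority first."""
        ready = [t for t in self.tasks if t["run_at"] <= now]
        return sorted(ready, key=lambda t: (t["queue"] != "high-priority", t["run_at"]))


def run_example() -> Tuple[List[Optional[str]], int]:
    """Constructed sequence of login operations and one manual trigger."""
    tm = TaskManager()
    t0 = datetime(2024, 1, 1, 9, 0)
    results = [
        tm.create_task("alice", "https://console.example/login", t0),
        tm.create_task("alice", "https://console.example/login?next=/home",
                       t0 + timedelta(minutes=20)),          # deduplicated
        tm.create_task("bob", "https://console.example/login", t0, manual=True),
        tm.create_task("alice", "https://console.example/login",
                       t0 + timedelta(hours=2)),             # outside window
    ]
    return results, len(tm.due(t0 + timedelta(hours=1)))


if __name__ == "__main__":
    print(run_example())
```

Keying on the host rather than the full URL is what makes the second login (same host, different query string) collapse into the first task; a deployment that wants per-path scans would key on the path as well.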

[0156] Step 807, Metadata Collection.

[0157] Step 808: Load host CVM information, relational database information, and cloud audit login logs.

[0158] Step 809: Based on the account information in the cloud audit login logs, classify and grade the accessible data associated with the account information.

[0159] Optionally, the cloud platform can automatically classify and grade the accessible data associated with the account information to determine its sensitivity level.

[0160] Optionally, the accessible data can be pre-set with a sensitivity level. The cloud platform can determine the accessible data associated with the account information based on the account information in the cloud audit login log, and then determine the sensitivity level associated with the accessible data.

[0161] Step 810: Determine if any sensitive accounts exist.

[0162] If the account information is associated with sensitive data but the sensitive data has not been accessed, the sensitive data is considered secure and no further security scan is required; it is determined that no sensitive account exists (i.e., no high-risk sensitive personnel have accessed the data). If the account information is associated with sensitive data and access to the sensitive data is performed, the sensitive data is exposed to a security threat, a further security scan is required, and it is determined that a sensitive account exists (i.e., high-risk sensitive personnel have accessed the data).

[0163] Step 811: Determine whether the accessible data contains sensitive data at level C3 or above.

[0164] Optionally, the sensitivity level classification can include three or more levels, such as C1, C2, C3, and C4. The sensitivity level threshold is level 3 (C3). If the sensitivity level of the accessible data reaches C3 or above, it is determined that sensitive data exists. Conversely, if the sensitivity level of the accessible data is below C3, it is determined that there is no sensitive data.

[0165] In the metadata management module: the cloud platform can collect and analyze application information recorded by the task management module. Metadata collection includes host IP addresses, attribution information, and the relational databases used. It connects to a classification and grading service to classify the information stored in the relational databases by sensitivity level. It matches host login and official website login logs to determine if sensitive personnel have logged in or accessed the system, and to determine the execution queue and schedule the matching security control policy baseline. Systems with both sensitive data and sensitive personnel are then transferred to the rule judgment module.

[0166] Step 812: Match baseline security rules for cloud-native applications.

[0167] Step 813: Determine the application security domain of the cloud-native application, and determine whether to enable application scanning rules based on the application security domain.

[0168] Optionally, when matching security scanning rules for cloud-native applications, the cloud platform can, on the one hand, match corresponding baseline security rules for the cloud-native applications based on the sensitivity level of the sensitive data, with different sensitivity levels corresponding to different baseline security rules; on the other hand, it also needs to determine the application security domain of the cloud-native application in order to determine whether to enable additional application scanning rules based on different application security domains. Specifically, if the application security domain of the cloud-native application refers to the application being an external network application, additional application scanning rules for external network applications need to be enabled to perform additional application security scans beyond the baseline security rules; if the application security domain of the cloud-native application refers to the application being an internal network application, then only security scans based on the baseline security rules are needed, and no additional application scanning rules need to be enabled.

[0169] Security control baseline rule management: Edit rule details and judgment analysis expressions; enable and disable rules; define the organizational scope for rule application, including organization-defined threat types. Baseline security rules mainly include network security, identity management, privileged access, data protection, asset management, logging and threat detection, vulnerability management, and backup and recovery.

[0170] Security domain management: Divide the security domains into corresponding rules, and enable different rule sets depending on whether the internal network or the external network needs to use them.

[0171] Step 814: Determine whether the application operation logs of the cloud-native application meet the log field requirements, and whether the cloud configuration components accessed by the cloud-native application have enabled the security configuration option.

[0172] In the baseline assessment and judgment process (security scanning process), security scanning is mainly performed on two aspects of cloud-native applications. On the one hand, the application operation logs of cloud-native applications are scanned to see if they meet the log field requirements. On the other hand, it is determined whether the cloud configuration components accessed by the cloud-native applications have enabled security configuration options.

[0173] Step 815: Determine if there is a repair solution.

[0174] Where security risks exist, the cloud platform determines, from the security remediation solutions already available on the platform, whether a mitigating solution exists for the specific security risk of a given security risk item. These remediation solutions target the security of cloud service data on the cloud platform; in other words, when determining whether a remediation solution is available, the threat posed by the security risk item is resolved to the specific cloud service data it threatens. For such data, the security remediation solution for that cloud service data can be applied directly, remediating the security risk item with a single click.

[0175] Step 816: Record items as either "No repair needed" or "To be resolved".

[0176] If no security remediation solution exists to mitigate the security risk, add a pending status marker or a no-remediation status marker to the security risk item.

[0177] Step 817: Determine if there are any risks to be addressed under the account information.

[0178] During this security scan, not only can security risks identified in the scan be repaired, but it can also be determined whether there are any historical security risks under the account information that need to be repaired during previous security scans. If so, it can be determined whether there are any mitigating security remediation solutions for those historical security risks.

[0179] Step 818: Record items as either "No repair needed" or "To be resolved".

[0180] If there is still no mitigating security remediation solution for a historical security risk item, continue to add a "pending resolution" or "no need for remediation" status label to the historical security risk item.

[0181] Step 819: Match the security repair solution.

[0182] If a security risk item has a security remediation plan, then the security risk item and the security remediation plan can be associated and stored in the results database.

[0183] Step 820: Match the security repair solution.

[0184] If a security remediation plan exists for a historical security risk item, the historical security risk item and the security remediation plan can be associated and stored in the results database. Optionally, the scan time of the historical security risk item can be saved when storing values in the results database to distinguish it from the scan results of the current security scan.

[0185] Step 821: Enter the results into the database.

[0186] In the judgment module of the baseline engine, the baseline rules in the process are abstracted into a series of state machines. These state machines are then labeled and judged, with states categorized as compliant / non-compliant, pending / not involved, and so on. Stage 1 states are compliant / non-compliant and pending / not involved; Stage 2 states are not resolved / risk handled, and solution available / no solution available / business self-service solution not required / no solution needed. The system analysis engine makes the corresponding decisions based on the progress of the state machines.

[0187] Optionally, if a security risk item matches a security remediation solution, the security risk item and the security remediation solution can be associated and stored in the results database (security detection results database); if a security risk item does not match a security remediation solution, an unremediated label can be set for the security risk item, and the unremediated label and the security risk item can be associated and stored in the results database (security detection results database).

[0188] Step 822, Solution review.

[0189] Step 823, Solution Knowledge Management.

[0190] For each rule, a corresponding solution is provided, and the security knowledge base is updated and accumulated based on the results of this threat assessment. In other words, if a security risk item has a security remediation plan, the security remediation plan and the corresponding security risk item can be associated and stored in the security knowledge base.

[0191] Step 824: Determine the time required for security repair.

[0192] To quantify the manpower and time required to resolve risks, we set the factor for each risk to 0.5 and the average resolution time to 3 days. Then, the estimated time = factor * time * number of risks in the results database.

[0193] Step 825, Work Order Management.

[0194] The system integrates with the work order process, manages risks based on the issues and priorities identified during reviews, connects with the task flow and human resources system, and displays the threat vector security review results. The work order output report includes: priority, threat ID, title, technical details, potential threat measures, selected threat measures, and whether there are mitigation measures (yes / no).

[0195] Step 826: Record the review results and label them.

[0196] The final stage of the threat modeling process is to record all models, system descriptions, potential risks, actual risks and their associated probabilities and impacts; this record is called the threat matrix. After the assessment has been handled and the risk disposition applied, the result flows to the security certification module, which records the review results and marks the identifiers.
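The baseline judgment, remediation matching, work-time estimate and work order output of steps 814 to 825, as an added example that is not the patent's own code. The scanning rule (required log fields and the four security configuration options), the remediation catalogue keyed by cloud service data, the priority assignment and all sample log records and components are constructed placeholders.

```python
"""Baseline judgment and remediation matching for a cloud-native application scan."""
from dataclasses import dataclass
from typing import Dict, List, Optional

RISK_FACTOR = 0.5       # per-risk factor from the description
AVG_REPAIR_DAYS = 3     # average resolution time in days from the description

# Constructed scanning rule: fields every application operation log must carry and the
# security configuration options every accessed cloud configuration component must enable.
REQUIRED_LOG_FIELDS = {"timestamp", "account_id", "source_ip", "operation", "resource"}
REQUIRED_OPTIONS = {"authentication", "authorization", "encryption", "auditing"}

# Constructed remediation catalogue, keyed by the cloud service data a scheme protects.
REMEDIATION_BY_DATA = {
    "customer_db": "enable-storage-encryption-and-audit",
    "object_bucket": "apply-bucket-iam-policy",
}


@dataclass
class RiskItem:
    threat_id: str
    title: str
    details: str
    cloud_service_data: Optional[str]      # data threatened by this item, if known
    solution: Optional[str] = None
    label: str = "pending"                 # stage-2 label: "solution available" / "pending"


def scan_logs(records: List[Dict]) -> List[RiskItem]:
    """Stage 1: each application operation log record must contain the required fields."""
    items = []
    for i, rec in enumerate(records):
        missing = REQUIRED_LOG_FIELDS - set(rec)
        if missing:
            items.append(RiskItem(f"LOG-{i}", "Log field requirement not met",
                                  f"missing fields: {sorted(missing)}", rec.get("resource")))
    return items


def scan_components(components: Dict[str, Dict]) -> List[RiskItem]:
    """Stage 1: each accessed cloud configuration component must enable all security options."""
    items = []
    for name, comp in components.items():
        missing = REQUIRED_OPTIONS - comp["enabled_options"]
        if missing:
            items.append(RiskItem(f"CFG-{name}", f"{name}: security option not enabled",
                                  f"disabled options: {sorted(missing)}", comp["serves_data"]))
    return items


def match_remediation(items: List[RiskItem]) -> List[RiskItem]:
    """Stage 2: look up a scheme by the threatened cloud service data; otherwise leave pending."""
    for item in items:
        item.solution = REMEDIATION_BY_DATA.get(item.cloud_service_data or "")
        item.label = "solution available" if item.solution else "pending"
    return items


def estimated_days(items: List[RiskItem]) -> float:
    """Estimated time = factor * average time * number of risk items in the results database."""
    return RISK_FACTOR * AVG_REPAIR_DAYS * len(items)


def work_order(items: List[RiskItem]) -> List[Dict]:
    """Rows with the fields the work order output report lists (priority rule is constructed)."""
    return [{
        "priority": "P1" if it.threat_id.startswith("CFG") else "P2",
        "threat_id": it.threat_id, "title": it.title, "technical_details": it.details,
        "potential_measures": [it.solution] if it.solution else [],
        "selected_measure": it.solution, "mitigation": "yes" if it.solution else "no",
    } for it in items]


# Constructed sample input: one compliant record, one lacking source_ip, one lacking most fields.
SAMPLE_LOGS = [
    {"timestamp": "2024-01-01T00:00:00Z", "account_id": "acct-1", "source_ip": "10.0.0.5",
     "operation": "read", "resource": "customer_db"},
    {"timestamp": "2024-01-01T00:00:01Z", "account_id": "acct-1", "operation": "write",
     "resource": "object_bucket"},
    {"timestamp": "2024-01-01T00:00:02Z", "operation": "read"},
]
SAMPLE_COMPONENTS = {
    "kms": {"enabled_options": set(REQUIRED_OPTIONS), "serves_data": "customer_db"},
    "bucket-gateway": {"enabled_options": {"authentication", "encryption"}, "serves_data": "object_bucket"},
    "legacy-cache": {"enabled_options": {"authentication"}, "serves_data": "session_cache"},
}


def run_baseline(logs=SAMPLE_LOGS, components=SAMPLE_COMPONENTS):
    """Full pass: stage-1 scans, stage-2 matching, time estimate and work order rows."""
    items = match_remediation(scan_logs(logs) + scan_components(components))
    return items, estimated_days(items), work_order(items)
```

Two of the four sample findings match a scheme through their cloud service data and two stay pending; the estimate for four items is 0.5 * 3 * 4 = 6 days.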

[0197] The following are device embodiments of this application. For details not described in detail in the device embodiments, please refer to the above method embodiments.

[0198] Figure 9 is a structural block diagram of a security detection device for cloud-native applications provided in an exemplary embodiment of this application. The device includes:

[0199] The determination module 901 is used to determine the application operation log of the cloud-native application and the cloud configuration component accessed by the cloud-native application when it is determined that the cloud-native application has a security detection requirement. The cloud-native application is deployed on a cloud platform and calls the cloud configuration component on the cloud platform during the operation of the cloud-native application.

[0200] The scanning module 902 is used to perform a security scan on the application operation logs and cloud configuration components of the cloud-native application based on security scanning rules, and obtain the security scan results of the cloud-native application.

[0201] The determination module 901 is further used to determine the cloud service data threatened by the security risk item when the security scan result indicates that there is a security risk item. The cloud-native application calls the cloud service data during operation.

[0202] The determination module 901 is further configured to determine a security repair scheme related to the cloud service data, so as to repair the security risk item based on the security repair scheme.

[0203] Optionally, the device further includes:

[0204] The determination module is used to determine that the security risk item does not match a security remediation solution when the security scan result indicates the existence of the security risk item and the security risk item does not match the cloud service data.

[0205] The storage module is used to set an unrepaired label for the security risk item and to associate the security risk item and the unrepaired label in the security detection result library.

[0206] Optionally, the device further includes:

[0207] The storage module is used to associate and store the security risk item and the security remediation solution in the security detection result database when the security risk item matches the security remediation solution.

[0208] Optionally, the device further includes:

[0209] The acquisition module is used to acquire the number of security risk items;

[0210] The determination module is used to determine the predicted working time required to repair the security risk items based on the number of items, the security risk factor, and the average repair time.

[0211] Optionally, the device further includes:

[0212] The acquisition module is used to acquire the login log of the account login operation when an account login operation to the cloud platform is received.

[0213] If the login log indicates the presence of sensitive data and sensitive accounts, it is determined that the cloud-native application has the security detection requirement, and the cloud-native application is an application associated with the sensitive account.

[0214] Optionally, the scanning module 902 is further configured to:

[0215] Based on the account information in the login log, determine the accessible data associated with the account information;

[0216] If the sensitivity level of the accessible data reaches the sensitivity level threshold, the accessible data will be identified as the sensitive data.

[0217] If the login log indicates that the account information needs to access the sensitive data, it is determined that a sensitive account exists, and that the cloud-native application has the security detection requirement.

[0218] Optionally, the scanning module 902 is further configured to:

[0219] Based on the sensitivity level of the sensitive data, a baseline security rule corresponding to the sensitivity level is matched, with different sensitivity levels corresponding to different baseline security rules;

[0220] The baseline security rule is determined as the security scanning rule for the cloud-native application;

[0221] Based on the security scanning rules, a security scan is performed on the application operation logs and cloud configuration components of the cloud-native application to obtain the security scan results of the cloud-native application.

[0222] Optionally, the device further includes:

[0223] The determination module is used to determine the application security domain of the cloud-native application, wherein the application security domain refers to whether the cloud-native application is an external network application or an internal network application.

[0224] The scanning module 902 is also used for:

[0225] When the application security domain refers to the cloud-native application as an external network application, the application scanning rules corresponding to the external network application are matched; the application scanning rules and the baseline security rules are determined as the security scanning rules for the cloud-native application.

[0226] When the application security domain refers to the cloud-native application as an intranet application, the baseline security rule is determined as the security scanning rule for the cloud-native application.

[0227] Optionally, the device further includes:

[0228] The acquisition module is used to acquire the operation time, account information and URL address corresponding to the account login operation when the account login operation is received on the cloud platform.

[0229] The determination module is used to determine the last security scan time based on the account information and the URL address;

[0230] The scanning module is configured to perform a security scan of the cloud-native application based on the security scanning rules, and obtain the security scan results of the cloud-native application, when the interval between the last security scan time and the operation time is greater than a time threshold.

[0231] Optionally, the scanning module 902 is further configured to:

[0232] Based on the log field requirements in the security scanning rules, a security scan is performed on the application operation logs to obtain the security scan results of the application operation logs.

[0233] Based on the security configuration options in the security scanning rules, a security scan is performed on the cloud configuration component to obtain the security scan result of the cloud configuration component. The security configuration options include at least one of authentication, authorization, encryption, and auditing.
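The scan-triggering logic of paragraphs [0212] to [0230] (sensitive data and sensitive account identification from a login log, baseline rule selection by sensitivity level, additional application scanning rules for external-network applications, and the rescan interval keyed by account and URL), as an added example that is not the patent's own code. The sensitivity levels, threshold, interval, rule tables and sample login logs are constructed placeholders.

```python
"""Deciding whether a cloud-native application needs a scan and which rules apply."""
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

SENSITIVITY_THRESHOLD = 3              # constructed: level >= 3 counts as sensitive data
RESCAN_INTERVAL = timedelta(days=7)    # constructed time threshold between two scans

# Constructed: sensitivity level of the data behind each accessible resource.
DATA_SENSITIVITY = {"public_docs": 1, "internal_wiki": 2, "customer_db": 4, "payment_ledger": 5}

# Constructed baseline security rules; a higher level demands more log fields and options.
BASELINE_RULES = {
    3: {"log_fields": {"timestamp", "account_id", "operation"},
        "config_options": {"authentication", "authorization"}},
    4: {"log_fields": {"timestamp", "account_id", "operation", "source_ip"},
        "config_options": {"authentication", "authorization", "encryption"}},
    5: {"log_fields": {"timestamp", "account_id", "operation", "source_ip", "resource"},
        "config_options": {"authentication", "authorization", "encryption", "auditing"}},
}
# Constructed application scanning rules that apply only to external-network applications.
EXTERNAL_APP_RULES = {"tls_required", "waf_enabled", "rate_limiting"}


def sensitive_data_for(accessible: list) -> Dict[str, int]:
    """Accessible data whose sensitivity level reaches the threshold is sensitive data."""
    return {r: DATA_SENSITIVITY.get(r, 0) for r in accessible
            if DATA_SENSITIVITY.get(r, 0) >= SENSITIVITY_THRESHOLD}


def detection_requirement(login_log: Dict) -> Tuple[bool, int]:
    """A sensitive account exists when the login needs sensitive data; returns (required, level)."""
    sensitive = sensitive_data_for(login_log["accessible_resources"])
    requested = [r for r in login_log["requested_resources"] if r in sensitive]
    if not requested:
        return False, 0
    return True, max(sensitive[r] for r in requested)


def select_rules(sensitivity_level: int, security_domain: str) -> Dict:
    """Baseline rule matched to the level; external-network apps also get application rules."""
    candidates = [lvl for lvl in BASELINE_RULES if lvl <= sensitivity_level]
    if not candidates:
        raise ValueError(f"no baseline rule for sensitivity level {sensitivity_level}")
    rules = {"baseline": BASELINE_RULES[max(candidates)], "application": set()}
    if security_domain == "external":
        rules["application"] = set(EXTERNAL_APP_RULES)
    return rules


def plan_scan(login_log: Dict, last_scans: Dict[Tuple[str, str], datetime]) -> Dict:
    """Rescan-interval check keyed by (account, URL), then the sensitive-account check."""
    last = last_scans.get((login_log["account_id"], login_log["url"]))
    if last is not None and login_log["time"] - last <= RESCAN_INTERVAL:
        return {"scan": False, "reason": "scanned within interval", "rules": None}
    required, level = detection_requirement(login_log)
    if not required:
        return {"scan": False, "reason": "no sensitive account", "rules": None}
    return {"scan": True, "reason": f"sensitive data level {level}",
            "rules": select_rules(level, login_log["security_domain"])}


# Constructed sample login logs: an external app touching payment data, an intranet app that
# only reads low-sensitivity data.
SAMPLE_LOGINS = [
    {"account_id": "acct-7", "url": "https://cloud.example/app/billing",
     "time": datetime(2024, 5, 10, 9, 0), "security_domain": "external",
     "accessible_resources": ["public_docs", "customer_db", "payment_ledger"],
     "requested_resources": ["payment_ledger", "public_docs"]},
    {"account_id": "acct-9", "url": "https://cloud.example/app/wiki",
     "time": datetime(2024, 5, 10, 9, 5), "security_domain": "internal",
     "accessible_resources": ["public_docs", "internal_wiki"],
     "requested_resources": ["internal_wiki"]},
]
```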

[0234] In summary, this application provides a security detection method for cloud-native applications: when a cloud platform detects security risks in a cloud-native application deployed on the cloud platform, the threat of the security risk can be focused on the threat to specific cloud service data. A security remediation scheme (cloud security technology) related to that cloud service data can then be adopted to remediate the cloud service data, thereby resolving or mitigating the security risks of the cloud-native application. Compared to related technologies where security risks require modification of the application itself and re-release of the application version, this application eliminates the need for manual security remediation by the business side. It can automatically remediate security risks based on existing cloud service data security remediation schemes, thus improving the efficiency of security remediation for cloud-native applications.

[0235] Please refer to Figure 10, which shows a schematic diagram of a server provided in one embodiment of this application. This server can be used to implement the security detection method for cloud-native applications executed by the cloud platform provided in the above embodiments. The server 1000 includes a central processing unit (CPU) 1001, a system memory 1004 including random access memory (RAM) 1002 and read-only memory (ROM) 1003, and a system bus 1005 connecting the system memory 1004 and the central processing unit 1001. The server 1000 also includes a basic input / output system (I / O) 1006 to facilitate information transfer between various devices within the computer, and a large-capacity storage device 1007 for storing the operating system 1013, application programs 1014, and other program modules 1015.

[0236] The basic input / output system 1006 includes a display 1008 for displaying information and an input device 1009 for user input, such as a mouse or keyboard. Both the display 1008 and the input device 1009 are connected to the central processing unit 1001 via an input / output controller 1010 connected to the system bus 1005. The basic input / output system 1006 may also include the input / output controller 1010 for receiving and processing input from multiple other devices such as a keyboard, mouse, or electronic stylus. Similarly, the input / output controller 1010 also provides output to a display screen, printer, or other types of output devices.

[0237] The mass storage device 1007 is connected to the central processing unit 1001 via a mass storage controller (not shown) connected to the system bus 1005. The mass storage device 1007 and its associated computer-readable media provide non-volatile storage for the server 1000. That is, the mass storage device 1007 may include computer-readable media (not shown) such as a hard disk or a CD-ROM (Compact Disc Read-Only Memory) drive.

[0238] Without loss of generality, the computer-readable medium may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented using any method or technology for storing information such as computer-readable instructions, data structures, program modules, or other data. Computer storage media include RAM, ROM, EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other solid-state storage technologies, CD-ROM, DVD (Digital Video Disc) or other optical storage, magnetic tape cassettes, magnetic tape, disk storage, or other magnetic storage devices. Of course, those skilled in the art will recognize that the computer storage media are not limited to the above-mentioned types. The system memory 1004 and the mass storage device 1007 described above can be collectively referred to as memory.

[0239] According to various embodiments of this application, the server 1000 can also be connected to a remote computer on a network, such as the Internet. That is, the server 1000 can be connected to the network 1012 via the network interface unit 1011 connected to the system bus 1005, or the network interface unit 1011 can be used to connect to other types of networks or remote computer systems (not shown).

[0240] The memory also includes one or more programs stored in the memory and configured to be executed by one or more central processing units 1001.

[0241] This application also provides a computer-readable storage medium storing at least one program, which is loaded and executed by a processor to implement the security detection method for cloud-native applications provided in any of the above exemplary embodiments.

[0242] This application provides a computer program product including computer instructions stored in a computer-readable storage medium. A server's processor reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the server to perform the security detection method for cloud-native applications provided in the optional implementation described above.

[0243] Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware or by a program instructing related hardware. The program can be stored in a computer-readable storage medium, such as a read-only memory, a disk, or an optical disk.

[0244] The above description is merely an optional embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

Claims

1. A security detection method for cloud-native applications, characterized in that the method includes: upon receiving an account login operation to the cloud platform, obtaining the login log of the account login operation; based on the account information in the login log, determining the accessible data associated with the account information; if the sensitivity level of the accessible data reaches the sensitivity level threshold, identifying the accessible data as sensitive data; if the login log indicates that the account information needs to access the sensitive data, determining that a sensitive account exists and that the cloud-native application has a security detection requirement; if it is determined that the cloud-native application has a security detection requirement, determining the application operation log of the cloud-native application and the cloud configuration components accessed by the cloud-native application, wherein the cloud-native application is deployed on a cloud platform and calls the cloud configuration components on the cloud platform during the operation of the cloud-native application; based on security scanning rules, performing a security scan on the application operation logs and cloud configuration components of the cloud-native application to obtain the security scan results of the cloud-native application; if the security scan results indicate the presence of a security risk item, determining the cloud service data threatened by the security risk item, wherein the cloud-native application calls the cloud service data during operation; and determining a security remediation plan related to the cloud service data, so as to remediate the security risk item based on the security remediation plan.

2. The method according to claim 1, characterized in that the method further includes: if the security scan results indicate the existence of the security risk item and the security risk item does not match the cloud service data, determining that the security risk item does not match a security remediation solution; and setting an unrepaired label for the security risk item, and associating the security risk item and the unrepaired label in the security detection result database.

3. The method according to claim 2, characterized in that the method further includes: if a security risk item matches a security remediation solution, associating and storing the security risk item and the security remediation solution in the security detection result database.

4. The method according to any one of claims 1 to 3, characterized in that the method further includes: obtaining the number of security risk items; and based on the number of items, the security risk factor, and the average repair time, determining the predicted working time required to repair the security risk items.

5. The method according to claim 1, characterized in that performing the security scan on the application operation logs and cloud configuration components of the cloud-native application based on security scanning rules to obtain the security scan results of the cloud-native application includes: based on the sensitivity level of the sensitive data, matching a baseline security rule corresponding to the sensitivity level, with different sensitivity levels corresponding to different baseline security rules; determining the baseline security rule as the security scanning rule for the cloud-native application; and based on the security scanning rules, performing a security scan on the application operation logs and cloud configuration components of the cloud-native application to obtain the security scan results of the cloud-native application.

6. The method according to claim 5, characterized in that the method further includes: determining the application security domain of the cloud-native application, where the application security domain refers to whether the cloud-native application is an external network application or an internal network application; and the step of determining the baseline security rule as the security scanning rule for the cloud-native application includes: when the application security domain indicates that the cloud-native application is an external network application, matching the application scanning rules corresponding to the external network application, and determining the application scanning rules and the baseline security rules as the security scanning rules for the cloud-native application; when the application security domain indicates that the cloud-native application is an intranet application, determining the baseline security rule as the security scanning rule for the cloud-native application.

7. The method according to claim 1, characterized in that the method further includes: upon receiving an account login operation on the cloud platform, obtaining the operation time, account information, and URL address corresponding to the account login operation; determining the last security scan time based on the account information and the URL address; and if the interval between the last security scan time and the operation time is greater than a time threshold, performing the step of obtaining the login log of the account login operation.

8. The method according to any one of claims 1 to 3, characterized in that performing the security scan on the application operation logs and cloud configuration components of the cloud-native application based on security scanning rules to obtain the security scan results of the cloud-native application includes: based on the log field requirements in the security scanning rules, performing a security scan on the application operation logs to obtain the security scan results of the application operation logs; and based on the security configuration options in the security scanning rules, performing a security scan on the cloud configuration component to obtain the security scan result of the cloud configuration component, wherein the security configuration options include at least one of authentication, authorization, encryption, and auditing.

9. A security detection device for cloud-native applications, characterized in that the device includes: an acquisition module, used to acquire the login log of the account login operation when an account login operation to the cloud platform is received; a scanning module, used to determine the accessible data associated with the account information based on the account information in the login log, to identify the accessible data as sensitive data if the sensitivity level of the accessible data reaches the sensitivity level threshold, and to determine that a sensitive account exists and that the cloud-native application has a security detection requirement if the login log indicates that the account information needs to access the sensitive data; a determination module, used to determine the application operation logs of the cloud-native application and the cloud configuration components accessed by the cloud-native application when it is determined that the cloud-native application has a security detection requirement, wherein the cloud-native application is deployed on a cloud platform and calls the cloud configuration components on the cloud platform during the operation of the cloud-native application; the scanning module being further used to perform a security scan on the application operation logs and cloud configuration components of the cloud-native application based on security scanning rules, and to obtain the security scan results of the cloud-native application; the determination module being further configured to determine the cloud service data threatened by the security risk item when the security scan result indicates that there is a security risk item, wherein the cloud-native application calls the cloud service data during operation; and the determination module being further configured to determine a security remediation plan related to the cloud service data, so as to remediate the security risk item based on the security remediation plan.

10. A server, characterized in that the server includes a processor and a memory, the memory storing at least one program, which is loaded and executed by the processor to implement the security detection method for cloud-native applications as described in any one of claims 1 to 8.

11. A computer-readable storage medium, characterized in that the readable storage medium stores at least one program, which is loaded and executed by a processor to implement the security detection method for cloud-native applications as described in any one of claims 1 to 8.

12. A computer program product comprising computer instructions stored in a computer-readable storage medium, wherein a processor reads the computer instructions from the computer-readable storage medium and executes them to implement the security detection method for cloud-native applications as described in any one of claims 1 to 8.