{"id":13877,"date":"2025-12-12T18:48:18","date_gmt":"2025-12-12T15:48:18","guid":{"rendered":"https:\/\/cengez.com\/?p=13877"},"modified":"2025-12-12T18:50:02","modified_gmt":"2025-12-12T15:50:02","slug":"yazilim-tedarik-zinciri-guvenligi-owasp-2025","status":"publish","type":"post","link":"https:\/\/cengez.com\/en\/yazilim-tedarik-zinciri-guvenligi-owasp-2025\/","title":{"rendered":"How Do We Armor Your Software Against Supply Chain Attacks? (An OWASP 2025 Analysis)"},"content":{"rendered":"<p><em>OWASP 2025: A Guide to Software Supply Chain Security<\/em><\/p>\n\n\n\n<p>Modern software development no longer resembles laying bricks from scratch; it looks more like a vast and intricate LEGO build. To gain speed and efficiency, we assemble open source libraries written by developers around the world, third-party APIs and ready-made modules. That enormous speed carries a lethal risk with it: what if someone has injected poison into that small, innocent-looking LEGO brick you are using?<\/p>\n\n\n\n<p>This scenario is what pushed <strong>Software Supply Chain Security<\/strong> to the top of every CTO&#8217;s and business owner&#8217;s agenda in 2025. 
At <a href=\"https:\/\/www.linkedin.com\/company\/cengez-yazilim\" data-type=\"link\" data-id=\"https:\/\/www.linkedin.com\/company\/cengez-yazilim\" target=\"_blank\" rel=\"noopener\">Cengez Yaz\u0131l\u0131m<\/a>, we are responsible for every external component we bring into your project, just as we are for every line of code we write.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Trojan Horse Now Hides in &#8220;npm install&#8221;<\/h2>\n\n\n\n<p>In the past, attackers tried to break in by battering the company&#8217;s perimeter firewall. They no longer go to that much trouble. As the SolarWinds compromise (a poisoned vendor build) and the Log4j crisis (a critical flaw in a ubiquitous library) showed, attackers now go after the target company&#8217;s <em>supplier<\/em> or the <em><a href=\"https:\/\/cengez.com\/en\/zero-trust-mimarisi-kurumsal-guvenlik-2025\/\" data-type=\"link\" data-id=\"https:\/\/cengez.com\/zero-trust-mimarisi-kurumsal-guvenlik-2025\/\">software library it depends on<\/a><\/em>.<\/p>\n\n\n\n<p>While you believe you have locked your door with the latest technology, the threat has already walked in disguised as an &#8220;update&#8221; to a popular package your developer added to the project. 
That is why <strong>Software Supply Chain Security<\/strong> is not merely a cyber-security problem but a business continuity problem.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Cengez Yaz\u0131l\u0131m&#8217;s Defense Strategy: Three-Layer Armor<\/h2>\n\n\n\n<p>Guided by OWASP (Open Worldwide Application Security Project) 2025 guidance, we run a process of military discipline to protect our clients&#8217; projects against these insidious attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. SBOM (Software Bill of Materials): The Software&#8217;s Identity Card<\/h3>\n\n\n\n<p>Just as a food product from the supermarket carries an &#8220;Ingredients&#8221; list and allergen warnings on the back, we produce an <strong>SBOM<\/strong> for every project we deliver. It records which library, at which version and under which license, is inside the software. An SBOM is only useful if it is generated automatically from the actual build artifact on every release rather than maintained by hand; a stale inventory gives false confidence. When the news breaks tomorrow that &#8220;version 2.4 of such-and-such Apache Commons library has a critical vulnerability&#8221;, we do not panic. Within seconds the SBOM tells us which of our projects use that version, and we intervene with surgical precision.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. SCA (Software Composition Analysis) and Automation<\/h3>\n\n\n\n<p>No human eye can follow the dependency chain hidden among thousands of lines of code. 
That is why we integrate <strong>SCA<\/strong> tools into our CI\/CD (Continuous Integration \/ Continuous Delivery) pipelines. When one of our developers wants to add a new library, the pipeline automatically checks it against public vulnerability databases keyed by CVE identifiers and asks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Is the library free of known vulnerabilities?<\/li>\n\n\n\n<li>Is it actively maintained?<\/li>\n\n\n\n<li>Is its publisher trustworthy?<\/li>\n<\/ul>\n\n\n\n<p>If the answer to any of these is &#8220;No&#8221;, the pipeline refuses to build. Unsafe code never reaches the production system. Note that a CVE lookup answers only the first question; maintenance and publisher trust must be judged from other signals, and exact versions are pinned in a lockfile so that a later &#8220;update&#8221; cannot slip in unreviewed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Private Repositories and Quarantine<\/h3>\n\n\n\n<p>In critical financial or enterprise projects we never trust public package registries (npm, PyPI, Maven Central) directly. Instead, we use &#8220;Nexus&#8221; or &#8220;Artifactory&#8221; servers under Cengez Yaz\u0131l\u0131m&#8217;s own control. A library coming from outside is first pulled into this server, put through security tests and stamped &#8220;Approved&#8221;; only then is it released to developers. Developers&#8217; package managers are pointed exclusively at this proxy, so a build cannot silently fall back to the public registry. This is a digital quarantine process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Trust Is No Bar to Verification<\/h2>\n\n\n\n<p>The assumption that &#8220;the open source world is safe because everyone can see the code&#8221; is a romantic illusion in 2025. At Cengez Yaz\u0131l\u0131m we adopt the principle of &#8220;Paranoid Engineering&#8221;. 
We treat every line of code and every library with suspicion, and we verify.<\/p>\n\n\n\n<p>Your data is our reputation. For an armored, resilient infrastructure that meets <strong>Software Supply Chain Security<\/strong> standards, you are in the right place.<\/p>","protected":false},"excerpt":{"rendered":"<p>OWASP 2025: A Guide to Software Supply Chain Security Modern software development no longer resembles laying bricks from scratch; it looks more like a vast and intricate LEGO build. To gain speed and efficiency, we assemble open source libraries written by developers around the world, third-party APIs and ready-made modules. That enormous speed carries a lethal risk 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":13878,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[202,61,63],"tags":[206,209,208,207],"class_list":["post-13877","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-yazilim","category-is-gelistirme","category-teknolojik-gelismeler","tag-hacker","tag-siber-guvenlik-2","tag-siber-saldiri","tag-yazilim-guvenligi"],"_links":{"self":[{"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/posts\/13877","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/comments?post=13877"}],"version-history":[{"count":2,"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/posts\/13877\/revisions"}],"predecessor-version":[{"id":13881,"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/posts\/13877\/revisions\/13881"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/media\/13878"}],"wp:attachment":[{"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/media?parent=13877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/categories?post=13877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cengez.com\/en\/wp-json\/wp\/v2\/tags?post=13877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
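As an added example illustrating the SBOM and SCA sections of the post above (this is not Cengez Yazılım's code; the project names, SBOM contents, package names and the advisory identifier are all constructed for illustration and do not describe real vulnerabilities), the following Python script walks a set of CycloneDX-style SBOMs, flags components whose version falls inside an advisory's affected range, and exposes a `ci_gate` function that a pipeline step can call to refuse the build. Version comparison uses a simplified dotted-numeric scheme with an optional pre-release suffix; that is an assumption, since real ecosystems (semver, PEP 440, Maven) have fuller rules.

```python
"""Query CycloneDX-style SBOMs for advisory-affected components and gate a CI build.

Added example; all SBOMs, package names and the advisory below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    ident: str            # advisory identifier (hypothetical in the sample data)
    purl_prefix: str      # package URL without the '@version' part
    introduced: str       # first affected version, inclusive
    fixed: Optional[str]  # first fixed version, exclusive; None means no fix yet


# Assumption: versions look like '2.4', '2.4.1', 'v3.0' or '2.5-rc1'.
_VERSION_RE = re.compile(r'^v?(\d+(?:\.\d+)*)(?:[-+.]?(.*))?$')


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key so that 2.10 > 2.4, 2.4 == 2.4.0, and 2.5-rc1 < 2.5."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError('unparseable version: ' + version)
    nums = tuple(int(x) for x in m.group(1).split('.'))
    nums = nums + (0,) * (4 - len(nums))      # pad so 2.4 and 2.4.0 compare equal
    tag = m.group(2) or ''
    return (nums, 0 if tag else 1, tag)       # any suffix sorts below the final release


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    key = version_key(version)
    if key < version_key(adv.introduced):
        return False
    return adv.fixed is None or key < version_key(adv.fixed)


def components(node: dict) -> Iterator[Tuple[str, str]]:
    """Yield (purl prefix, version) for every component, including nested ones."""
    for comp in node.get('components', []):
        purl = comp.get('purl', '')
        # purl encodes '@' inside a namespace as %40, so the first '@' starts the version;
        # qualifiers after '?' are dropped as well.
        prefix = purl.split('@', 1)[0].split('?', 1)[0]
        yield prefix, comp.get('version', '')
        yield from components(comp)


def find_affected(sboms: Dict[str, dict], advisories: List[Advisory]
                  ) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map project name -> [(advisory id, purl prefix, version)] for every hit."""
    hits: Dict[str, List[Tuple[str, str, str]]] = {}
    for project, sbom in sboms.items():
        for prefix, ver in components(sbom):
            for adv in advisories:
                if prefix == adv.purl_prefix and is_affected(ver, adv):
                    hits.setdefault(project, []).append((adv.ident, prefix, ver))
    return hits


def ci_gate(sbom: dict, advisories: List[Advisory]) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Return (True, []) to allow the build or (False, hits) to block it."""
    hits = find_affected({'build': sbom}, advisories).get('build', [])
    return (not hits, hits)


# Constructed sample data: two projects' SBOMs and one hypothetical advisory.
SBOM_WEBSHOP = {
    'bomFormat': 'CycloneDX', 'specVersion': '1.5',
    'components': [
        {'name': 'commons-widget', 'version': '2.4.3',
         'purl': 'pkg:maven/org.example/commons-widget@2.4.3'},
        {'name': 'example-http', 'version': '1.8.0',
         'purl': 'pkg:npm/example-http@1.8.0'},
    ],
}
SBOM_BACKOFFICE = {
    'bomFormat': 'CycloneDX', 'specVersion': '1.5',
    'components': [
        {'name': 'commons-widget', 'version': '2.5',
         'purl': 'pkg:maven/org.example/commons-widget@2.5'},
    ],
}
ADVISORIES = [
    # hypothetical: commons-widget 2.4 <= version < 2.5 is affected
    Advisory('ADV-EXAMPLE-0001', 'pkg:maven/org.example/commons-widget', '2.4', '2.5'),
]

if __name__ == '__main__':
    inventory = {'webshop': SBOM_WEBSHOP, 'backoffice': SBOM_BACKOFFICE}
    for project, found in find_affected(inventory, ADVISORIES).items():
        for ident, prefix, ver in found:
            print(f'{project}: {prefix}@{ver} affected by {ident}')
    ok, _ = ci_gate(SBOM_WEBSHOP, ADVISORIES)
    raise SystemExit(0 if ok else 1)   # non-zero exit blocks the pipeline stage
```

Run as a script it prints the one affected project and exits with status 1, which is the signal a pipeline stage needs to stop the build; wiring it into CI means generating the SBOM from the build output first (for example with a CycloneDX plugin for the build tool) and feeding that file to `ci_gate` instead of the embedded sample.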