Today, the destructive power of security threats is growing at an unprecedented rate with the deepening of informatization. Expanding and building digital businesses usually leads to a larger attack surface. To deal with current and future security threats, it is insufficient to rely solely on traditional investment in security products. In addition to purchasing security products, what is more important is the enhancement of security awareness and the construction of security processes.
In various security construction plans, "security capabilities front-loaded" is an obvious trend. Just like a house with an unstable foundation, weak walls, and collapsed floors when it was built cannot stand with the support of a few pillars after completion. Without the application of a safe development process, it will inevitably be full of loopholes in later operations.
We believe that safe development practices have the following 5 important principles:
1. Security training
Safety skills training is very important to bridge the gap in technical capabilities and Managing security at every step of the product lifecycle is critical. Companies need to invest explicitly in security awareness and security skills training to improve developers' awareness and ability to code securely, and to understand the recommendations and actions made by the security department, which is essential for efficient collaboration between business teams and security teams. Very important.
According to the SANS Institute’s Security Status Report, as early as 2016, more than half of the surveyed company samples in the United States had made security training one of the company’s main tasks. To this day, there are only a handful of Chinese companies that understand the importance of safety training, and even fewer companies that can transform training intentions into training behaviors.
2. Secure application development
At present, the security of applications has attracted widespread attention from enterprises. In order to ensure the security of development, there are two important practical methods:
(1) Use a security-centered process framework.
(2) Incorporate feedback from the security team into developer workflow and demo reviews for each iteration cycle.
For process frameworks, we believe it is best to choose a proven and appropriate security-focused framework based on best practices, software libraries, standards, and your organization's industry-specific regulations. The following two well-known frameworks are collections of rules, techniques, and processes that guide development organizations and provide applicable resources. Although there are different concerns, they are all fundamentally safety-oriented.
Microsoft Security Development Lifecycle (SDL) : This process fits well into existing DevOps environments and provides a more general structure that integrates security well throughout the process sex. In our experience, it is not limited to any specific code type or operating environment.
Open Source Web Application Security Project (OWASP): This community website provides data on vulnerabilities, related impacts, and risks; as well as best-practice guidance for developing and detecting secure web applications.
Enterprises need to proactively bring security teams into the development process to get their feedback early and include them throughout the development workflow and iterative prototype demos. The benefit of this is that it allows teams to address security risks concurrently during the development phase to avoid introducing costly risks into the development process.
Compared with the development stage, the cost of eliminating risks in the product operation and maintenance stage will be at least dozens of times higher. However, many development teams are not comfortable collaborating with security teams. Taking the first step and persevering is key. Ultimately, a security-based development workflow will become a huge advantage in the overall security strategy.
3. Security DevOps=DevSecOps
DevSecOps is an emerging trend that fully integrates security into the DevOps workflow, thereby creating a unified the process of. Just as DevOps was proposed to solve development and operation and maintenance problems at the same time, now it is also necessary to solve security issues at the same time.
Security DevOp or DevSecOps not only involves expanding the work content of each stage to include security elements, but also includes cross-stage, cross-department training to ensure that the development process is complete Reduce risk while coding.
4. Application Security Testing (AST)
Continuous testing is very important, and the Application Security Testing (AST) tool should become a must-have in every developer’s tool chain. components of the equipment. There are many excellent tools available today, including open source tools. When considering application security testing tools, it's a good idea to pre-determine the set of tools you want to use in order to optimize the steps and processes for code instrumentation. Otherwise, the tool may not be able to instrument the code completely and efficiently.
AST tools are divided into several basic categories:
(1) Static Application Security Testing (SAST)
(2) Dynamic Application Security Testing (DAST)
(3) Interactive Application Security Testing (IAST)
Gartner’s 2017 report stated that “most enterprises developing applications have adopted some form of AST. But different technologies have different maturity levels. DAST and SAST are currently the most widely used product types, but the market demand for IAST is showing rapid growth."
5. Continuous monitoring and analysis
Continuous monitoring and analysis help protect applications during the operation and maintenance phase. Get continuous feedback from monitoring and feed it back into the development process. The application of monitoring and analyzing the operation and maintenance phase is a basic common sense operation. It can provide enterprises with valuable information and data, help them intercept potential loopholes and reduce potential risks.
Just as security in the operation and maintenance phase cannot be achieved without development security, development security cannot be achieved independently of operation and maintenance security. A process without a feedback mechanism is definitely not a good process.
Recommended related articles: web security tutorial
The above is the detailed content of Safe Development Practice Principles. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
