DevSecOps software R&D security practice - Release
2022-07-06 23:02:00 【Hua Weiyun】
Preface
When people talk about release, they usually think of deployment. The deployment and release discussed in this article are set in the context of DevOps. The DevOps Practice Guide defines the two terms clearly: deployment means installing a specified version of the software in a specific environment, while release means making a feature or a group of features available to all customers or to some of them. One is an environment-oriented technical operation; the other is a user-oriented business decision. Deployment is therefore the precondition for release: continuous deployment is what makes the on-demand release of business features possible.
Once software has been released, security problems that arise from errors in the running phase account for a large share of all security problems. Release is the last line of defense before the software goes live, and it therefore holds a pivotal position.
How to release securely
To release securely, we focus on three aspects: the incident response plan, security checks, and software signatures and certificates.
Incident response plan
In the software release stage, an enterprise needs to establish a set of secure release standards, with corresponding release security procedures and specifications, a security incident response plan and release decision rules, so that release activities can be carried out securely and in an orderly manner.
The incident response plan includes, but is not limited to, the standard security incident response process, the emergency security incident response process, and the person responsible for security together with their contact information. Even a product that contains no known vulnerabilities at the time of release may face emerging threats in the future. Note that if the product contains third-party code, the third party's contact information must also be recorded and added to the incident response plan, so that the right person can be found when a problem occurs.
With a sound security incident response plan, software supply chain security incidents and vulnerability disclosure events that occur after release can receive a rapid security response: the security threats and adverse effects caused by the incident are controlled and eliminated, and then the root cause of the incident is traced and resolved.
Security checks
Before release, security analysis tools must be used to perform a comprehensive vulnerability scan, and the corresponding vulnerability remediation plan is executed according to the scan results. Vulnerability scanning should cover multiple dimensions, including hosts, images, web applications, terminal applications, the network and databases, to ensure full-scenario coverage.
Security checks include, but are not limited to, verification of secure environment deployment, security configuration baseline detection, image security scanning, virus scanning and host vulnerability scanning. Where possible, all previous work should be reviewed a second time, a final security assessment made according to the inspection results, and the assessment result used as a precondition for release.
The security problems addressed in the release stage are all problems of the real production environment, so the configuration differences between the production environment and the development environment must be checked thoroughly. Studies have shown that vulnerabilities caused by security misconfiguration in existing application systems have become one of the main sources of system vulnerabilities. Configuration management tools are a key factor in ensuring security during the release phase: they provide visibility into the infrastructure configuration, which makes it possible to audit and check system configuration and to protect the runtime infrastructure. Common configuration management tools in the industry include Chef, Ansible, Puppet, Terraform and SaltStack.
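The following Go check is an added example, not part of the original article or of any of the tools named above: it compares a production configuration against the development configuration (drift that a reviewer should confirm is intended) and against a security baseline (violations that block the release). The configuration keys, values and baseline rules are constructed for illustration.

```go
package main

import "fmt"

// BaselineRule: the production key must be present and, when Allowed is
// non-empty, hold one of the listed values.
type BaselineRule struct {
	Key, Reason string
	Allowed     []string
}

// CheckRelease compares the production configuration with the development
// configuration (drift, reported for review) and with the security baseline
// (violations, which block the release).
func CheckRelease(dev, prod map[string]string, baseline []BaselineRule) (drift, violations []string) {
	for k, dv := range dev {
		if pv, ok := prod[k]; !ok {
			drift = append(drift, k+": set in dev but missing in prod")
		} else if pv != dv {
			drift = append(drift, fmt.Sprintf("%s: dev=%q prod=%q", k, dv, pv))
		}
	}
	for _, r := range baseline {
		v, present := prod[r.Key]
		allowed := len(r.Allowed) == 0 // no list means any value is acceptable
		for _, a := range r.Allowed {
			allowed = allowed || v == a
		}
		if !present || !allowed {
			violations = append(violations, fmt.Sprintf("%s=%q: %s", r.Key, v, r.Reason))
		}
	}
	return drift, violations
}

func main() {
	// Constructed sample configurations; keys and values are illustrative only.
	dev := map[string]string{"debug": "true", "tls_min_version": "1.2", "admin_port": "8443"}
	prod := map[string]string{"debug": "true", "tls_min_version": "1.0"}
	baseline := []BaselineRule{
		{Key: "debug", Allowed: []string{"false"}, Reason: "debug output leaks internals"},
		{Key: "tls_min_version", Allowed: []string{"1.2", "1.3"}, Reason: "legacy TLS not permitted"},
		{Key: "audit_log", Reason: "audit logging must be configured"},
	}
	drift, violations := CheckRelease(dev, prod, baseline)
	fmt.Println("drift for review:", drift)
	fmt.Println("blocking violations:", violations)
	fmt.Println("release allowed:", len(violations) == 0)
}
```

In a pipeline the violations list is the gate: any entry stops the release, while drift entries go to the reviewer who approves the release decision.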
During the release, security checks are performed at the security check nodes, backed by a corresponding alarm mechanism. If problems or risks are encountered during the release, the security rollback and backup mechanism is applied and the security incident response plan is followed. A low-risk release strategy, such as canary release or blue-green release, is also recommended.
Software signatures and certificates
To prevent a software package from being maliciously tampered with during delivery or after release, enterprises add digital signatures to their software code to guarantee its authenticity and integrity. Authenticity lets users trust the source of the software; integrity ensures that the software has not been tampered with after it was released.
A code signing certificate is usually issued by a trusted third-party CA, and signed code is considered more trustworthy than unsigned code. Software developers can use code signing certificates to sign kernel-mode .sys files, ActiveX files, .exe and .dll files, and mobile applications developed for smartphones. Digital signatures protect users from viruses, malicious code and spyware, and they also protect the interests of software developers, so that software can be released quickly and safely on the Internet.
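As an added example (not from the original article or from Huawei Cloud), the following Go program shows the two properties the paragraph distinguishes, using an Ed25519 release key: the verifier reports an authenticity failure (signature not made by the trusted key) separately from an integrity failure (package bytes changed after signing). The manifest format, key pair and sample package are constructed assumptions; a production pipeline would use a CA-issued code signing certificate rather than a throwaway key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ReleaseManifest binds a package's SHA-256 digest to its name and version; the manifest, not the raw package, is signed.
type ReleaseManifest struct {
	Name, Version string
	Digest        [32]byte
}

// Bytes renders the manifest in a fixed form so signer and verifier hash the same message.
func (m ReleaseManifest) Bytes() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%x\n", m.Name, m.Version, m.Digest))
}

// SignArtifact hashes the package into a manifest and signs it with the release key; manifest and signature ship next to the package.
func SignArtifact(priv ed25519.PrivateKey, name, version string, pkg []byte) (ReleaseManifest, []byte) {
	m := ReleaseManifest{Name: name, Version: version, Digest: sha256.Sum256(pkg)}
	return m, ed25519.Sign(priv, m.Bytes())
}

// VerifyArtifact is the consumer-side check. The error names which property failed:
// authenticity (signature not from the trusted key) or integrity (package bytes no longer match the signed digest).
func VerifyArtifact(pub ed25519.PublicKey, m ReleaseManifest, sig, pkg []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return fmt.Errorf("authenticity: manifest signature is not valid for the trusted key")
	}
	if sha256.Sum256(pkg) != m.Digest {
		return fmt.Errorf("integrity: package digest does not match the signed manifest")
	}
	return nil
}

func main() {
	// Constructed sample: an in-memory "package" and a throwaway release key pair.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("sample release payload 1.2.0")
	m, sig := SignArtifact(priv, "sample-service", "1.2.0", pkg)
	fmt.Println("clean package:", VerifyArtifact(pub, m, sig, pkg))
	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0xff // one byte changed after release
	fmt.Println("tampered package:", VerifyArtifact(pub, m, sig, tampered))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("untrusted signer:", VerifyArtifact(otherPub, m, sig, pkg))
}
```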
After the software is released, archive all the problems and documents encountered; this helps with emergency response and product upgrades.
Huawei Cloud secure release practice
Huawei Cloud's multi-scenario, high-precision vulnerability scanning capability is a strong guarantee for walking the last mile before the software goes live.
- Full-scenario vulnerability coverage: full-scenario vulnerability scanning capability covering web, host, image, binary and terminal applications, supporting Huawei, OWASP and other vulnerability standards as well as the Classified Protection (等保) standard.
- Professional remediation advice: precise detection of typical web vulnerabilities, CVE vulnerability assessment that is closer to the real threat, and more accurate detection in APK open-source component scanning and information leakage detection, so that more professional remediation suggestions can be provided.
- Scalable vulnerability detection capability: focuses on the latest security vulnerabilities and dynamically expands scanning capability; flexibly integrates third-party vulnerability scanning engines with unified report presentation; supports vulnerability de-duplication; and can be integrated into third-party continuous integration / continuous delivery pipelines.
At the same time, according to Huawei Cloud's release and deployment regulations, self-inspection must be completed during development, deployment and go-live, with a commitment to meet the operational requirements for going live. Low-risk cloud services go live after passing self-inspection, and the self-inspection results are submitted for audit at the same time. Self-inspection includes, but is not limited to, integrity verification, engineering baseline review, service self-check, a security and trustworthiness commitment, and container and infrastructure security; security problems found are analysed retrospectively and rectified to ensure that the released product is secure and trustworthy. High-risk cloud services undergo stricter go-live testing and approval, implemented with more investment in a short time, to ensure that they go live on time and safely and that tenants' interests are protected.
Conclusion
Completing a secure release is not the last step. Once the application is deployed in the online production environment and has stabilized, security monitoring and operations and maintenance must begin. As more and more development teams improve their processes and adopt new tools, security issues become ever more important, and enterprises need to take them seriously. DevSecOps is a cyclical process that should be iterated continuously and applied to every new code deployment. Exploits and attackers keep evolving, so developing the security skills of software teams is also crucial.
References
1. Huawei Cloud Security White Paper. Huawei Technologies Co., Ltd.
2. R&D and Operations Security White Paper. Cloud Computing Open Source Industry Alliance.
3. DevOps Practice Guide. Gene Kim, Jez Humble, Patrick Debois, John Willis. People's Posts and Telecommunications Press.