Does rapid software delivery really need to be at the cost of security?
2022-06-29 22:34:00 【Huawei Cloud Developer Alliance】
Abstract: DevSecOps is short for "development, security and operations". It is a framework and methodology, spanning people, process and technology, that integrates security capabilities seamlessly and unobtrusively into agile and DevOps processes and tools.
This article is shared from the Huawei Cloud community post "Does rapid software delivery really need to be at the cost of security?", by Huawei Cloud PaaS Little Helper.
Software security is crucial
With the rapid development of the global economy and of science and technology, software is now used in almost every industry. While software products bring us convenience, they have also become the target of hacker attacks. Software security matters so much because of the peculiar nature of software: the consequences of a failure cannot be bounded in advance, and a small mistake can be amplified without limit in a particular environment. Hackers constantly look for exploitable vulnerabilities in application software. Imagine that they insert malware into an application during the software build process, and that after the application goes live it collects information about thousands of users. In today's highly connected media society, this would undoubtedly cause great damage to customer systems and to the company's reputation.
The contradiction between R&D speed and security
In today's society, rapid response has become the most basic requirement in every industry, and the software industry is no exception. A software product with fast, frequent feature iteration shows that the development side takes the product and its users' needs seriously, and it improves the user experience; at the same time it reflects the overall strength of the company, displays the product's advantages to the outside world, and enhances the core competitiveness of the enterprise.
Software security was once generally the responsibility of a dedicated security team, which intervened only in the final stage of development. Under the traditional waterfall model, with its long development cycle, this arrangement seemed to work. But as market demand changed, software products were required to respond to change in real time and to deliver updated versions quickly and frequently. If security still intervenes only after the fact, then even the most efficient DevOps plan will slow development down.
For a long time, many enterprises have tried to speed up application development to deploy new software as soon as possible, often at the expense of security. Unfortunately, if the application has a security problem, it not only plunges the enterprise into a crisis of trust, it also means rewriting a great deal of code, which is undoubtedly complex, difficult and time-consuming work for developers.
Does rapid software delivery really need to be at the cost of security ?
In 2012, Gartner first proposed the idea of DevSecOps. Four years later, it published a report titled "DevSecOps: How to Seamlessly Integrate Security into DevOps". The core idea of the report is that security is the responsibility of every member of the IT team and should run through every step of the business life cycle. Matching the fast delivery and flexible response to change of DevOps, the value of DevSecOps is that security is put in place and implemented quickly, without being sacrificed.
DevSecOps is short for "development, security and operations". It is a framework and methodology, spanning people, process and technology, that integrates security capabilities seamlessly and unobtrusively into agile and DevOps processes and tools.
What can DevSecOps do?
• It does not slow down product iteration and upgrades
DevSecOps considers the security of applications and infrastructure from the very beginning, selects appropriate tools to integrate security protection continuously, and automates security gates, so that the DevOps workflow does not slow down.
• Early identification of security vulnerabilities
DevSecOps makes it possible to discover potential security vulnerabilities during the development phase rather than after release, and to correct them before attackers exploit them, building business-driven software with security built in.
• Lower vulnerability remediation costs
DevSecOps helps identify security issues early in the development process rather than after product release. This avoids losses caused by network attacks, and it avoids modifying large amounts of code to fix vulnerabilities found after release; security problems are solved more easily, faster and at lower cost, before the product goes into production.
• More secure
By focusing on security at every level of the DevOps software development process, DevSecOps ensures that everyone in the software development pipeline, at every link in the chain, is responsible for ensuring maximum IT security.
How does DevSecOps work?
The DevOps pipeline consists of several stages: plan, code, build, test, release, deploy, operate and monitor. DevSecOps keeps these stages unchanged; it simply applies security concerns to every phase.
• Threat modeling
Threat modeling takes place in the planning phase of software development. The development team brainstorms the most likely attack scenarios, identifies potential security vulnerabilities and threats, determines the severity and priority of each threat, and proposes possible solutions. Threat modeling has an additional benefit: it lets everyone on the team learn about common security problems.
• Security testing
Establish a code review process and run security tests automatically in CI to make sure the code is not affected by common vulnerabilities. Detection is generally done with automated code vulnerability scanning tools, such as static application security testing (SAST) and dynamic application security testing (DAST) tools.
• Security function testing
Add automated testing of security functions during acceptance testing, and, through stable and reliable testing practice, bring a robust automated testing framework fully into the pipeline.
• Secure operations and maintenance
DevSecOps uses infrastructure-as-code (IaC) tools to protect the enterprise's own infrastructure quickly and efficiently. At the same time, powerful continuous monitoring tools are needed to detect whether the security system is operating as expected.
These are just some of the basic steps in implementing DevSecOps. Depending on the specific scale and complexity of the project, the roadmap may also need to cover additional steps.
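As an added example (not code from the article or from Huawei Cloud), the automated security gate that the security-testing step above calls for, and that the article later says must be automated to keep pace with code delivery, written as a small Python script: it merges findings from SAST, DAST and IaC scanners into one policy check that fails the build only on untriaged findings at or above a chosen severity, so routine builds are not stalled by known or low-risk items. The report format, scanner names, sample findings and ticket ids are all constructed for illustration.

```python
import json
from collections import defaultdict

# Severities at or above BLOCK_AT fail the pipeline stage; anything lower only warns,
# so the gate stops real risk without stalling every build on low-value noise.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCK_AT = "high"

# Constructed sample output: one record per finding from a SAST, a DAST and an
# IaC scanner, normalised to the same shape (real tools need a small adapter).
SAMPLE_REPORT = json.dumps([
    {"tool": "sast", "rule": "sql-injection", "severity": "high",
     "location": "app/db.py:42"},
    {"tool": "sast", "rule": "weak-hash-md5", "severity": "medium",
     "location": "app/auth.py:17"},
    {"tool": "dast", "rule": "missing-csp-header", "severity": "low",
     "location": "https://staging.example.test/"},
    {"tool": "iac", "rule": "s3-bucket-public-read", "severity": "critical",
     "location": "infra/storage.tf:9"},
])

# Findings already triaged and tracked (constructed ticket id); keyed by fingerprint
# so a known issue does not block every build while its fix is in progress.
BASELINE = {("iac", "s3-bucket-public-read", "infra/storage.tf:9"): "SEC-123"}


def fingerprint(finding):
    """Stable identity of a finding across pipeline runs."""
    return (finding["tool"], finding["rule"], finding["location"])


def evaluate(report_json, baseline=BASELINE, block_at=BLOCK_AT):
    """Sort findings into 'blocking', 'warning' and 'accepted' buckets."""
    threshold = SEVERITY_RANK[block_at]
    buckets = defaultdict(list)
    for finding in json.loads(report_json):
        if fingerprint(finding) in baseline:
            buckets["accepted"].append(finding)
        elif SEVERITY_RANK[finding["severity"]] >= threshold:
            buckets["blocking"].append(finding)
        else:
            buckets["warning"].append(finding)
    return buckets


def gate_passes(report_json, baseline=BASELINE, block_at=BLOCK_AT):
    """True when the build may proceed; CI maps this to the job's exit status."""
    return not evaluate(report_json, baseline, block_at)["blocking"]


if __name__ == "__main__":
    for bucket, items in evaluate(SAMPLE_REPORT).items():
        for f in items:
            print(f"[{bucket}] {f['tool']}:{f['rule']} {f['severity']} {f['location']}")
    raise SystemExit(0 if gate_passes(SAMPLE_REPORT) else 1)
```

Running the script on the sample report exits non-zero because of the untriaged high-severity SQL injection finding, while the critical IaC finding is reported as accepted under its ticket.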
How to put DevSecOps into practice?
• Everyone shares responsibility for security
To control potential security hazards at the source, team members need to maintain security awareness at all times and make security a primary consideration in their day-to-day decisions.
• Requirements staff: need to fully understand the application's security requirements, security features, business characteristics, special security needs and major security risks.
• Developers: need to form good secure-development habits and security awareness, and improve their secure-coding skills.
• Testers: need penetration-testing skills and sensitivity to security issues, and should get involved as early as possible.
• Operations staff: need to fully understand the security requirements and security features of the operations and maintenance stage, and participate fully in discussions and decisions throughout the development process.
• Automation
Like DevOps, whether DevSecOps can be implemented in practice depends heavily on how automated the enterprise's R&D process is. To keep the pace of security assurance in step with the pace of code delivery under continuous integration and continuous delivery, security must be automated; otherwise there is no guarantee that developers can submit code every day.
• Continuous security training
Security habits cannot be formed overnight, and there is no shortcut: only constant guidance, constant promotion and learning, positive examples and steady step-by-step progress can, in the end, cultivate a security culture imperceptibly and reach the highest goal that DevSecOps pursues.
Conclusion
We live in a world highly dependent on technology, and the software development team is responsible for software security. When we create software for fields such as healthcare and finance that handle personal sensitive information, the risk we face is high.
Fortunately, the DevSecOps system is becoming more and more mature. The relevant methodology, technology and practical experience have improved significantly, and the supporting tool chain and technology are becoming more complete, so that software can be delivered quickly and frequently while its security is ensured to the greatest extent. In addition, every member of the development team needs to maintain security awareness at all times. DevSecOps emphasizes that everyone participates in security and everyone is responsible for security: security is everyone's business.