Devsecops: new to Jianghu

What is? DevSecOps

DevSecOps yes 2017 In the U.S. RSA A new concept emerged from the conference , The general assembly even set up topics and seminars specifically for this concept and direction .DecSecOps It's a new security concept and model , namely “ Everyone is responsible for safety ”, from DecOps From the extension and evolution of the concept of , The core idea of safety is the whole IT The team （ Including the development of 、 Operation, maintenance and safety team ） Everyone's responsibility , Effective guarantee can only be provided through every link of the whole business life cycle from development and operation , Through enhanced internal security testing , Actively search for security holes , Fix bugs in time 、 control risk , Achieve good integration with business processes . come from Garnter Research company analysts David Think , Today's CIO It should be revised DevOps The definition of , Make it include the safety concept into DevSecOps.DevSecOps It's a blend of development 、 Security and operations concepts to create new solutions ”.

This time DecSecOps Symposium sharing 《 The next generation of security needs you ！》 Of DecSecOps Organization director Shannon Lietz Yes DevSecOps The concept of is explained and explained in detail , She thinks DevSecOps It is to realize product value through initial creation and continuous improvement based on real and effective feedback 、 Operation and maintenance 、 A practice of security and other requirements , This practice can complete more secure software faster .DevSecOps It's a systematic methodology , Driven by strategy , A set of process and tool support , By developing 、 The O & M and security teams work together to embed security and compliance as attributes in the software .

chart 1

DevSecOps The background and significance of

The author thinks DevSecOps The emergence of will have a great impact on the application and IT The safety management of infrastructure has profound significance ,DevSecOps The wide application of IT The security management of basic settings has entered a new era , Take security as an attribute of the management object , From application and IT The infrastructure development starts to carry out the safety management of the whole life cycle , Build an application with high security attributes IT infrastructure , Not just through security for applications and IT Infrastructure provides security . The author thinks ,DevSecOps The application of will thoroughly improve the application and IT Security status of infrastructure .

In the past, safe development and safe operation were always separated , Review the past understanding of applications and IT Attitude and content of infrastructure safety management , We can simply divide it into two stages ——“ Safety accident management stage ” and “ Security risk and compliance management stage ”.

The first stage , Enterprises and organizations are very sensitive to the application and IT The safety management of infrastructure focuses on the safety disaster and accident management , By quickly discovering and responding to safety disasters and accidents, the impact of accidents can be restrained 、 Reduce the loss .

The second stage , The frequent safety disasters and accidents urge the competent authorities to 、 Enterprises and organizations are responsible for application systems and IT The infrastructure begins to manage security risks and compliance , I hope we can prevent the trouble before it happens . At present , Compliance and security risk management and control are still the main objectives of most enterprise information security businesses around the world .

Because most enterprises IT The Department will use the development team to be responsible for value delivery 、 The operation and maintenance team is responsible for availability assurance 、 The security team is responsible for the security guarantee IT Business management , Leading to the security of most enterprises and institutions 、 The business objectives of the development and operation and maintenance departments are independent of each other 、 Lacerate , Sometimes it is even confrontation and conflict , Finally, the closed-loop management of safety risk takes a long time 、 The high cost . To achieve complete closed-loop control of security risks , There must be DevSecOps Idea , Will develop 、 Operation and maintenance and security are effectively integrated , Do the safety problem , Everyone is responsible. .

DevSecOps The main content of practice

DevSecOps The practice of may subvert the existing IT Development and operation mode , Now DevSecOps Hopefully, the two will work together . To ensure that high security applications and IT infrastructure , The scope of work in the security field needs to run through the development and operation links , It may overturn the existing development and operation mode .RSA The conference DevSecOps Seminar keynote speaker Chris Carlson Made a more detailed introduction .

Pictured 2 Sum graph 3 Shown , Traditional safe operation work and DevSecOps The core difference of safe operation under the mode lies in two points ：

chart 2

chart 3

• The new model forces the safe work to move forward （Shift Left）. Reduce the cost of solving security problems by means of security intervention in the early stage of software development , The content of early intervention includes the development of 、 Safety awareness training for maintenance personnel 、 Safety development specification training 、 Security requirements （ Non functional requirements ） Import of 、 Early code audit work 、 White box based security testing 、 Penetration testing, etc . The content added in the operation phase is similar to that in the early development phase , The main content focuses on the verification of the implementation of new security requirements and the overall software security assessment .IBM Of researchers have published statistics , The cost of fixing security problems after product release is the cost of solving them in the design phase 4 To 5 times , The cost of repairing security problems in the operation and maintenance phase will reach or even exceed 100 times . Although in DevSecOps In the pattern , Safety work links have been increased , But from the development and maintenance cost of the whole software life cycle , Finding problems in advance will lead to a significant reduction in security costs .
• Connection between security and development work . To avoid safe work （ for example ： Testing and evaluation 、 Security policy deployment, etc ） Become a development bottleneck , Make the application system realize its due value and security attributes in the shortest cycle .DevSecOps Adopt a fast iterative development approach , This requires seamless connection between security and development , Import security work into existing development workflow and tools , This includes importing security requirements into unified requirements management processes and tools 、 Security testing and continuous integration / Continuous deployment （CI/CD） docking 、 Security test results are imported into defect management tools and many other links .

and MITRE Propose to cooperate from the perspective of attack ,MITRE It is an American non-profit research institution . They put forward , The security goal in the development phase is to prevent security problems that lead to vulnerabilities ; The security objective in the operation phase is to protect the infrastructure of the deployed system 、 Configuration and use , Prevent security problems in the system . therefore , The ultimate goal is to make all operating software free of vulnerabilities , Completely safe . What security development and security operation have in common is that they both need to know how attackers attack software , This is the core of both . For all that , The two fields differ in the level of abstraction, the purpose and other specific requirements , But they work together . Security development requires a theoretical understanding of the attacker's intentions , To comprehensively improve safety , Not for a single instance . Safe operation requires a detailed understanding of the attacker's specific attack behavior , To identify 、 Understand the attack , Estimate the impact , Planning mitigation options . Security development provides a top-down perspective , Safe operation is a bottom-up perspective , When the two are in balance , Each field can solve its own needs , At the same time, it provides important input to the main concerns in another field .

chart 4

DevSecOps Difficulties in practice

this RSA At the conference , From Party A 、 Both Party B and the third-party organization tell DevSecOps Difficulties in practice , It can be roughly divided into three categories .

The first kind of problem is Strategic and cultural challenges , For the traditional development mode and safe operation mode ,DevSecOps In essence, it is a subversive model change , The promotion of its practice first needs CIO Promote... From a strategic height . The second is the change of culture and concept , Realization DevSecOps It is necessary to change the attitude and concept that only safety personnel were responsible for safety in the past , It must be possible for the development team 、 The O & M team and the security team recognize that everyone needs to be responsible for security .

The second kind of problem is Adjustment of personnel skills and knowledge structure ,DevSecOps Practice requires developers 、 The operation and maintenance personnel and the security personnel shall cooperate with each other , Be able to look at problems objectively from the perspective of the other party . Specifically for developers , It's not just about developing skills , We also need to have an understanding of operation and maintenance and safety , The same is true for operation and maintenance personnel and security personnel , We need to expand the common skills and knowledge in different fields .

chart 5

The third type of problem is Docking of processes and tools .DevSecOps Achieving the initial goal requires fast iterations , The process of development and operation needs to be highly automated . Development 、 Operation and maintenance 、 Tools and processes for safe work need to be seamlessly connected . For most enterprises , Need is a daunting challenge .

chart 6

DevSecOps Present situation and Prospect of practice at home and abroad

Through this RSA General Assembly DevSecOps Seminar , It is not difficult for us to find that DevSecOps Still in its infancy , Experts in various fields are still in the discussion stage ,DevSecOps There is no general standard or practice guide yet , Only 1~2 Three practice cases to share . At home , although DevSecOps It's still a new idea , But in China's operator industry 、 The energy industry and the financial industry started as early as 2~3 Three synchronization requirements were put forward years ago （ Simultaneous planning 、 Simultaneous construction 、 Synchronous operation ） And in IT The construction project has been put into practice . Three synchronization requirements and DevSecOps The core idea of is essentially the same , We can understand that China is actually ahead of or earlier than foreign countries in project practice .

at present , China's traditional enterprises and Internet enterprises have gradually reached the world's leading level in the application of the Internet . I believe that the future in China will be driven by business DevSecOps Practice will be at the forefront of Europe, America and even the world , Lead its development .

Reprinted from ：RSA2017 Talking about the next generation application and IT Security management mode of infrastructure --DevSecOps | Green alliance tech blog , There are a few changes .