
2021 devopsdays Tokyo Station ends perfectly | coding experts are invited to share the latest technical information

2022-06-24 16:31:00 CODING

DevOpsDays is a world-renowned series of technical conferences covering software development, automation, testing, security, organizational culture and IT operations, together with community meetups. DevOpsDays was founded by Patrick Debois, the father of DevOps, and brings together DevOps practitioners from the internet, finance and many other industries. By sharing advanced technical ideas, concepts and industry best practices, elites from all walks of life and top experts in the field have promoted the adoption of DevOps worldwide. Over the past decade, DevOpsDays has spread rapidly around the world on a city-by-city basis and deserves its reputation as the most influential DevOps event internationally.

City summary map

At the 2021 DevOpsDays Tokyo conference, a number of leading figures in the DevOps field gave excellent keynote sessions. Patrick Debois, the father of DevOps, also answered participants' questions online and shared the most valuable DevOps practices. Zhou Jihai, senior technical expert and evangelist at CODING, was also invited to the conference and presented online on the topic of DevSecOps tools and practices.

Founder's speech chart

Picture of Zhou Jihai's speech

Below is the content Zhou Jihai shared at DevOpsDays Tokyo: "DevSecOps Practice in Large Banks".

DevSecOps: concept, origins and advantages in brief

DSO: how the concept was born

DevSecOps is a concept put forward by Gartner in 2012; the original term was "DevOpsSec". After the 2017 RSA conference, DevSecOps became a hot topic worldwide. DevSecOps builds on and continues the DevOps philosophy, and its design and implementation still sit within the Agile framework. The goal of DevSecOps is to embed security into every DevOps process (requirements, architecture, development, testing and so on), thereby shifting security left, making everyone responsible for security and turning security from passive to active, so that in the end the team can develop better-quality products faster and more safely.

  • In the traditional mode, a security review is required before going live, after the entire R&D process (requirements, development and testing) is complete. The total lead time is therefore R&D time plus security assessment time.
  • In DevOps mode, practices such as automation, agile development, teamwork and microservice design shorten the entire R&D phase, which reduces lead time. However, because traditional DevOps does not take security into account, the duration of the pre-launch security review is unchanged. It is clear here that the bottleneck of the whole R&D process is the pre-launch security review stage.
  • In DevSecOps mode, part of the pre-launch security review work is shifted left to the development team in a way that is transparent to developers, which shortens security assessment and further reduces lead time.

DevSecOps brings many benefits to R&D effectiveness, mainly in three areas:

  • Faster: through automated security tool scanning, DevSecOps shifts left part of the security scanning work that in the traditional mode happens in the final stage before going live, shortening the overall lead time and therefore delivering faster.
  • Risk control: DevSecOps reduces the development team's dependence on the security department or team, giving developers the ability to discover and fix some security risks and vulnerabilities themselves by shifting security left.
  • Cost savings: because DevSecOps finds and fixes security risks and vulnerabilities early in the SDLC, it avoids the rework that the final pre-launch security scan causes in the traditional mode, which saves cost across the process.

Challenges in actually implementing DevSecOps

Challenge

There are many challenges in actually implementing DevSecOps, of which technical and human challenges are the most typical. On the one hand, software development is a complex process that needs DevSecOps to provide corresponding automation tool support, but because DevSecOps is a whole new idea there are few tools available on the market. On the other hand, people's attention to information security, the extra work DevSecOps creates for developers and the support of management have become key factors in whether DevSecOps is adopted successfully. Even without the former obstacles, developers at this stage lack information security knowledge and cannot successfully fix the vulnerabilities they face, which is also a major source of resistance to DevSecOps adoption.

Types of security tools commonly used in DevSecOps

Tool security categories (figures 1 and 2)
  • Static application security testing (SAST): SAST scans for security vulnerabilities at the code level. Its advantage is precise positioning: it finds the specific line of code that is vulnerable, and it is easily accepted by programmers. Its disadvantage is that the false positive rate is very high.
  • Dynamic application security testing (DAST): DAST simulates a hacker attacking ports and sites and tries to extract information. The advantage of this kind of tool is its very wide scanning range and a false positive rate that is not particularly high. The disadvantages are also obvious: like testing, it takes manpower to write the code that simulates attacks, and it demands relatively high security knowledge from operations staff because scenarios have to be simulated. It also tends to generate dirty data.
  • Interactive application security testing (IAST): IAST is inserted into the application, or intercepts traffic through a proxy, and can analyse whether the running system has security vulnerabilities. Its advantages are accurate scanning and a low false alarm rate; its disadvantage is that the server needs to restart when the tool is updated.
  • Software composition analysis (SCA): the three tools above mainly protect the code you write yourself, ensuring that your own product is secure. However, third-party components are inevitably introduced during development, and SCA tools, which target free and open-source (FOSS) components, are designed to ensure the security of code written by others.
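To make the SAST/SCA distinction concrete, here is an added example, not code from the talk or from CODING: a toy SAST rule built on Python's ast module and a toy SCA check against a constructed advisory list. The sample source, the requirements file and the advisory data are all constructed for the example, and the placeholder advisory IDs are not real advisories. It also shows the false-positive problem the SAST bullet mentions: the shell=True rule fires on a constant command string just as it does on a caller-controlled one.

```python
"""Toy SAST and SCA scanners (added example; not the speaker's or CODING's code).

SAST: walk the AST of the code you wrote and report precise file:line locations.
SCA:  compare pinned dependency versions against a (constructed) advisory list.
"""
import ast
import re
from dataclasses import dataclass

# --- Constructed sample input: a small application file, not a real project ----
SAMPLE_SOURCE = '''\
import subprocess
import yaml

def run(cmd):
    return subprocess.run(cmd, shell=True)      # real risk: cmd is caller-controlled

def list_dir():
    return subprocess.run("ls -l", shell=True)  # same rule fires: likely a false positive

def load(text):
    return yaml.load(text)                      # no Loader argument

def safe(text):
    return yaml.safe_load(text)                 # not flagged
'''

SAMPLE_REQUIREMENTS = """\
requests==2.19.0
pyyaml==5.3
flask==2.0.3
"""

# Constructed advisory data standing in for an SCA vulnerability database.
# Versions below "fixed" are treated as affected. IDs are placeholders, not real advisories.
ADVISORIES = {
    "requests": {"fixed": (2, 20, 0), "id": "ADV-PLACEHOLDER-1"},
    "pyyaml": {"fixed": (5, 4, 0), "id": "ADV-PLACEHOLDER-2"},
}


@dataclass
class Finding:
    tool: str       # "SAST" or "SCA"
    rule: str       # rule name (SAST) or advisory id (SCA)
    location: str   # file:line for SAST, package==version for SCA
    severity: str


class SastVisitor(ast.NodeVisitor):
    """Two code-level rules: subprocess.* with shell=True, and yaml.load without Loader."""

    def __init__(self, filename):
        self.filename = filename
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module, name = func.value.id, func.attr
            shell_true = any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            )
            if module == "subprocess" and shell_true:
                self.findings.append(Finding("SAST", "subprocess-shell-true",
                                             f"{self.filename}:{node.lineno}", "high"))
            if module == "yaml" and name == "load" and not any(kw.arg == "Loader" for kw in node.keywords):
                self.findings.append(Finding("SAST", "yaml-load-no-loader",
                                             f"{self.filename}:{node.lineno}", "high"))
        self.generic_visit(node)


def sast_scan(source, filename="app.py"):
    """Return SAST findings for one source file, each with an exact line number."""
    visitor = SastVisitor(filename)
    visitor.visit(ast.parse(source))
    return visitor.findings


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def sca_scan(requirements):
    """Return SCA findings for pinned 'name==version' lines below the fixed version."""
    findings = []
    for line in requirements.splitlines():
        match = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*", line)
        if not match:
            continue
        name, version = match.group(1).lower(), match.group(2)
        advisory = ADVISORIES.get(name)
        if advisory and parse_version(version) < advisory["fixed"]:
            findings.append(Finding("SCA", advisory["id"], f"{name}=={version}", "high"))
    return findings


if __name__ == "__main__":
    for f in sast_scan(SAMPLE_SOURCE) + sca_scan(SAMPLE_REQUIREMENTS):
        print(f"[{f.tool}] {f.severity:5} {f.rule:24} {f.location}")
```

Running it prints three SAST findings (lines 5, 8 and 11 of the constructed file) and two SCA findings; the finding at line 8 is the kind of noise a developer has to triage, which is why SAST output needs tuning before it is wired into a blocking pipeline step.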

In general, SAST and SCA are used mainly in the development phase, while DAST and IAST are applied in the testing phase. The distribution of security tools across the whole DevSecOps life cycle is shown in the figure below:

Tool safety category 3

The implementation and operation model of DevSecOps

DSO implementation model

Building a DevSecOps system is the ultimate goal of a DevSecOps project. To reach that goal, the DevSecOps implementation model offers the following ideas for our practice:

  • The first step is to adopt DevSecOps tools to find vulnerabilities in applications, integrate the security tools into the CI/CD pipeline so that scanning is automated, and finally visualize the vulnerability scan results on a dashboard or report them to users.
  • The second step is to train developers so that they have enough skill to fix the vulnerabilities.
  • With DevSecOps tools and training introduced to the development team, the ultimate goal of DevSecOps is for everyone to have DevSecOps awareness and to build a DevSecOps culture within the team. In addition, every development team should have at least one "security expert" with advanced application security skills, who can help the team fix tricky vulnerabilities and train other team members.
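As an added example of the first step, and not the project's or the speaker's code, the following Python pipeline gate merges constructed per-tool reports, produces a dashboard-style summary and fails the stage when severity thresholds are exceeded. The report format, the stage-to-tool mapping (SAST and SCA in development, DAST and IAST added in testing, as the talk places them) and the thresholds are assumptions made for the example; real tools emit their own report formats.

```python
"""Pipeline security gate (added example; not CODING's or the speaker's code).

A CI job collects each tool's findings, this script summarises them for a
dashboard and returns a pass/fail decision for the current pipeline stage.
"""
import json
import sys
from collections import Counter

# Which tool categories apply in each phase (follows the talk's placement).
STAGE_TOOLS = {
    "develop": {"SAST", "SCA"},
    "test": {"SAST", "SCA", "DAST", "IAST"},
}

# Policy: the gate fails when a severity count exceeds its limit (assumed values).
MAX_ALLOWED = {"critical": 0, "high": 0, "medium": 5}

# Constructed tool output, in an assumed format; locations and ids are placeholders.
SAMPLE_REPORTS = json.dumps({
    "sast": [{"rule": "sql-injection", "severity": "high", "location": "src/db.py:42"},
             {"rule": "weak-hash", "severity": "medium", "location": "src/auth.py:17"}],
    "sca": [{"rule": "ADV-PLACEHOLDER-9", "severity": "critical", "location": "libfoo==1.2.0"}],
    "dast": [{"rule": "missing-hsts", "severity": "medium", "location": "https://staging.example/"}],
})


def load_findings(raw):
    """Normalise per-tool lists into one list, tagging each finding with its tool category."""
    data = json.loads(raw)
    return [dict(finding, tool=tool.upper()) for tool, items in data.items() for finding in items]


def summarise(findings, stage):
    """Dashboard-style summary: counts per tool and per severity for the tools active in this stage."""
    relevant = [f for f in findings if f["tool"] in STAGE_TOOLS[stage]]
    return {
        "stage": stage,
        "total": len(relevant),
        "by_tool": dict(Counter(f["tool"] for f in relevant)),
        "by_severity": dict(Counter(f["severity"] for f in relevant)),
        "blocking": [f for f in relevant if f["severity"] in ("critical", "high")],
    }


def gate(summary):
    """Return (passed, reasons); each reason names the threshold that was exceeded."""
    reasons = []
    for severity, limit in MAX_ALLOWED.items():
        count = summary["by_severity"].get(severity, 0)
        if count > limit:
            reasons.append(f"{count} {severity} finding(s) exceed limit {limit}")
    return (not reasons, reasons)


def run_stage(raw_reports, stage):
    """Full gate for one stage: returns (summary, passed, reasons)."""
    summary = summarise(load_findings(raw_reports), stage)
    passed, reasons = gate(summary)
    return summary, passed, reasons


if __name__ == "__main__":
    stage = sys.argv[1] if len(sys.argv) > 1 else "develop"
    summary, passed, reasons = run_stage(SAMPLE_REPORTS, stage)
    print(json.dumps({k: v for k, v in summary.items() if k != "blocking"}, indent=2))
    for f in summary["blocking"]:
        print(f"BLOCKING [{f['tool']}] {f['severity']} {f['rule']} at {f['location']}")
    for reason in reasons:
        print("FAIL:", reason)
    sys.exit(0 if passed else 1)
```

Run it as `python gate.py develop` or `python gate.py test`; the non-zero exit code is what makes the pipeline step fail, and the printed summary is the data a dashboard would chart. Filtering by stage matters because a DAST finding from staging should not block a development-phase build in which DAST has not yet run.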

DSO operating model

Once the goal of the DevSecOps project is understood, the DevSecOps operating model offers an example of how to execute the DevSecOps solution. It defines the responsibilities of several different roles:

  • DevSecOps owner: responsible for driving the DevSecOps project, spreading DevSecOps culture and helping the development team build it. Connects the development team with the security team, collects feedback from developers and passes it to the security team.
  • Development team: integrates DevSecOps tools into the CI/CD pipeline and visualizes security scan results on a dashboard. Receives DevSecOps training, learns enough about application security and gains enough skill to fix vulnerabilities. Uses DevSecOps tools and knowledge in real projects and daily work, gradually changing their way of thinking and building DevSecOps culture within the team.
  • Security team: mainly provides DevSecOps tools and application security training; advisory services are available if necessary.

The above is the content shared at the 2021 DevOpsDays Tokyo station.

Original site

Copyright notice
This article was created by [CODING]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/04/20210423173246945s.html