front said

Today, , Most enterprises have implemented it internally DevOps practice .DevOps It provides a methodology for the team to deliver reliable software and rapid updates . This method allows the team to focus more on quality rather than waste time on operation and maintenance . However , The result is , Safety practices are often left in the hands of safety experts at the end of the delivery line . then , Because accidents often occur at the end of the delivery phase , Therefore, the specific security methods generate unnecessary expenses in the delivery process . therefore , The team doesn't have enough time to fix the code , And start the same process repeatedly , Finally, it leads to high delivery cost and low efficiency .



As most companies begin their digital transformation ,DevSecOps Has become more and more important . With the implementation of these plans , The company is moving to the cloud . This makes the local infrastructure gradually transferred to the public cloud . Cloud service providers provide cost-effective 、 Scalable 、 Highly available and reliable solutions . However , These advantages are also accompanied by new security challenges .

DevSecOps Incorporate safety into DevOps, As SDLC An integral part of , Instead of thinking about security after software development is almost complete . It also assigns safety responsibilities to team members , In the cooperation of security experts , Teams can achieve a “ Security is code (Security as code)” Culture , Encourage safety and SDLC Other components in the pipeline are treated in the same place .

What is? DevSecOps ?

DevSecOps It's full stack , Across the whole IT Stack , Including the network 、 host 、 The server 、 cloud 、 Mobile terminal and application security . These layers are gradually replaced by all kinds of software , Therefore, application security becomes DevSecOps Concerns .DevSecOps Across the entire software development lifecycle , Including development and operation and maintenance . In development , The focus of security is to identify and prevent vulnerabilities , In operation and maintenance , Monitoring and defending against attacks are the main targets .

Then the team can DevSecOps Practice and tools apply to non DevOps Project ? The answer is yes . If your team's goal is to produce highly secure software in the most cost-effective way , that DevSecOps Is the way forward .

implement DevSecOps Our enterprises have benefited greatly . according to Gartner The data of , These early adopters are more likely to keep up with frequent application updates 2.6 times , And the time to fix the vulnerability is reduced 2 times .

With the help of DevSecOps, Development 、 Operation and maintenance 、 Cooperate with the testing and safety team , And integrate resources , In order to find security problems as early as possible in the development process . Development will not stagnate , The end result is faster 、 Create a more secure workflow 、 Higher quality applications .

If you are a IT Security professionals , DevSecOps It can give you a place on the negotiation table . Your team is no longer seen as a heavy shackle , Your opinions will be valued at the beginning of development , Your organization will see you as the leader in promoting security integration .

If you're a developer , You'll come from DevSecOps Benefit a lot . Because the security requirements for software will not disappear , If you only deal with security at the last moment , Then it will only drag down your progress . Security is an important part of software quality nowadays , Pay attention to software security at the development stage , Your clients will thank you for this .

DevSecOps Of 5 Elements

1、 Collaboration

The starting point of collaboration is to establish a mentality of sharing safety responsibilities throughout the organization , At the same time, it has the support of the leadership . Around a common goal , That is, under the premise of meeting all safety and compliance requirements , Develop and release high-quality products as soon as possible , So as to consolidate cooperation .

The security team is familiar with DevOps Practice begins to do your job well , And integrate it into security . for example , Provide security functions frequently , And automate safety tasks as much as possible . In turn, , Developers should also learn security best practices , Requirements for safety 、 Risk awareness and safety tools .

2、 communicate

The communication gap between developers and security experts must be bridged . Security experts need to use developer terminology to illustrate the need for control and the benefits of compliance . for example , When discussing security risks , Take project delays and unplanned extra work by developers as an example , It will make the importance of solving these risks deeply rooted in the hearts of the people .

Developers should clearly understand their security responsibilities , In this way, they can fully accept their role in a more secure and compliant organization . These responsibilities include awareness of potential safety risks , And keep security best practices in mind when writing code . Developers should also be prepared to test vulnerabilities throughout the development process , In order to repair the vulnerability in time .

3、 automation

Automation can be a success DevSecOps The most critical component of the plan . It allows security measures to be embedded in the development process , And ensure that safety will not become a burden on the safety team . Automated security testing and analysis can be integrated into the entire CI/CD In the assembly line , Provide safe software without dragging down the innovation and development workflow . Now? , The developers and security team are very satisfied .

Automation can also realize valuable safety control , Such as interrupt construction . This safety failure protection mechanism is based on an automated risk scoring system , When the risk exceeds a predetermined threshold, an alarm will be issued . then , All build processes will be frozen , Until the developer fixes the security problem . Once the security problem is fixed , Developers can continue to build and deliver applications .

4、 Tool and architecture security

Safe software begins with safe DevOps Environmental Science . Protection tools 、 Access and architecture in any DevOps In the system is crucial . The security team should take the lead in selecting and checking the configuration of all system security tools , To ensure that appropriate functions have been configured before these systems are approved for widespread use .

Identification and access management should be taken seriously . The security team should control the right DevOps Access to architecture and data , Protect the use of credentials throughout the development pipeline . Multifactor certification (MFA)、 Minimum access rights and temporary access to advanced rights are access control policies that you can use . Besides ,CI/CD The assembly line should be isolated , To limit lateral movement , All unnecessary visits DevOps The account of the tool should be eliminated .

With DevSecOps, Security and compliance controls are incorporated into the infrastructure , To cover all environments , Including clouds . All workstations and servers should be subject to regular security monitoring 、 Vulnerability scanning and patches . You can use automated tools to scan all code , To ensure that there are no omissions when checking the code base . in addition , All new virtual machines and containers will automatically be controlled by the correct configuration , To help resist automatic reconstruction . Centralized storage system DevOps Tools and keys , All of these are subject to encryption and multifactor authentication (MFA) The protection of the .

5、 test

In the history of , Security testing is run as the last step before product release . Ideally , Testing should run through the entire development process .Keatron Evans,Infosec Skills Infosec Institute Author and consultant , explains :“ Traditionally , The application is tested after development , But if developers are automating 、 Test on a continuous basis , It will be more effective . Developers should be able to do basic OWASP Top ten tests , Instead of testing a fully built Application , Because the former will solve half of the network security problems .”

In order to keep safety and development in step , The injection of automated tests is crucial . Automation can help execute simple processes , Such as scanning the code key before the code is checked into the code base , To ensure that the password is not recorded in the event log , And malicious code for search applications .

Effective testing schemes include static application security testing (SAST)、 Dynamic application security testing (DAST) And less frequent but equally important technologies , Such as penetration testing 、Red Teaming and Threat Modeling. The latter may be valuable , Because they approach the code from the perspective of hackers , Without damaging the production environment . Now? , Many organizations adopt “Bug money reward ” Plan to motivate thorough testing , Reward for discovering potential safety problems .

DevSecOps Evaluate the testing mechanism by monitoring key indicators , To measure the effectiveness of optimization and safety practices to reduce risks throughout the development process . Developers will receive a self-assessment scorecard , Keep them responsible for safety issues through various related issues . for example , Whether the attack surface is decreasing ? Whether the misuse of vouchers has been found ? Whether our penetration tests show fewer code vulnerabilities ? What is the percentage of code submissions with passwords ?

How to integrate DevSecOps Introduce the enterprise ?

The transition to DevSecOps Methods take time . To ensure the recognition of the whole organization , It is suggested to take a step-by-step approach . Here is the introduction of DevSecOps Some key points to remember when planning :

  • Establish a safety centered culture within the organization , Emphasize that safety is the common responsibility of organization members .
  • Find ways to integrate automated security testing as early as possible throughout the development process .
  • Guide developers to understand security threats through security awareness training 、 Security coding requirements and tools .
  • Let developers access current hacker technology , Teach them to think and attack code like hackers .
  • Let the security team provide strong penetration testing 、 Red team practice and threat modeling , To actively test the code .
  • Monitor security issues in a shared tracking system , For maximum visibility across all departments .
  • Provide relevant indicators , To prove that over time DevSecOps The project is continuously improving and providing value .
  • Recognize that developers need time to completely change their way of thinking and habits . Continue to emphasize the concept of safety in daily activities and improve safety awareness .

How to integrate DevSecOps Introduce the enterprise ? More articles about

  1. Enterprises QQ Add online conversation links

    Enterprises QQ The online communication link is similar to ordinary QQ Online communication is different , Ordinary QQ Online communication , Can be in http://shang.qq.com/v3/widget.html Generate : Enterprises qq Links to can be added as follows : First step : Introduction enterprise ...

  2. The friend NC V6.3 Build an efficient information platform for group enterprises

    In recent years , With the rapid development of the Internet , The application of information management is becoming more and more popular , Informatization construction has penetrated into the core business of many enterprises , And to ensure business stability . Reliable and fast . Effectively Develop , Enterprises often use multiple information systems to support , however , Many enterprises ...

  3. Enterprise architecture research summary (38)——TOGAF Architecture capability building and architecture governance of architecture capability framework

    In order to ensure that the architecture function can be successfully used in the enterprise , Enterprises need to establish an appropriate organizational structure . technological process . role . Responsibility and skills to achieve their own enterprise architecture capabilities , And that's exactly what it is TOGAF The architecture capability framework of (Architecture Capabil ...

  4. Lingqueyun is invited to join VMware Innovation network , Jointly contribute to the process of enterprise digitization

        11 month 15 Japan , stay VMware Sponsored “VMware Innovation network ”2018 Summit Forum ,VMware Released VMware Innovation network (VMwareInnovation Network,VIN) Long term development planning and ...

  5. Enterprise WeChat JS-SDK Realize the chat function

    vue The introduction of enterprise wechat JS-SDK Realize the chat function Wechat chat can be done in two days , It is found that the wechat documents of enterprises are not particularly detailed , Online search also did not find a particularly complete process . Also stepped on a lot of pits during the period , In this ...

  6. TOGAF Architecture capability building and architecture governance of architecture capability framework

    TOGAF Architecture capability building and architecture governance of architecture capability framework In order to ensure that the architecture function can be successfully used in the enterprise , Enterprises need to establish an appropriate organizational structure . technological process . role . Responsibility and skills to achieve their own enterprise architecture capabilities , And that's exactly what it is TOGAF Our architecture can ...

  7. odoo: Open source ERP/CRM Introduction and practice

    Look at this picture , Maybe you are right. odoo With some interest . This time is to share open source with you ERP/CRM System :odoo Helpful to the following readers : Research and development . product . project . market . service . operating . Management etc. . One . Background trends Social networks . Online retailers O2O: ...

  8. Network Monitoring in Software-Defined Networking :A Review( review )

    source :IEEE SYSTEMS JOURNAL Time of publication :2018 type : review primary coverage : Overview SDN The development of monitoring , And collect information from . Preprocessing . Send messages . analysis . And describe five stages for interpretation , The traditional network and SDN ...

  9. odoo: Open source ERP/CRM Introduction and practice -- Shanghai Jiabing information technology company provides consulting services

    odoo: Open source ERP/CRM Introduction and practice Look at this picture , Maybe you are right. odoo With some interest . This time, Chat It's about sharing open source with you ERP/CRM System :odoo Helpful to the following readers : Research and development . product . project . market . service . ...

  10. Android Equipment management API overview (Device Administration API)

    original text :http://android.eoe.cn/topic/android_sdk Android 2.2 By providing Android Equipment management API To introduce enterprise application support . Equipment management at the system level API Provides ...

Random recommendation

  1. js multi-select Reverse election

    //$(".435__1").attr("checked", true); //$(".435__0").removeAttr(" ...

  2. Use in class library projects log4net(RollingFileAppender) Log

    1. Create solutions 2. Create a class library project 3. Modify the namespace as needed , modify ( and / or ) Add classes to the class library 4. quote log4net 5. Create a class library under the root directory of the project leg4net The configuration file , Such as D3CallTriggerPlugi ...

  3. WebBrowser Disable right click

    Disable error script prompts take WebBrowser The control of ScriptErrorsSuppressed Set to true Disable right click menu take WebBrowser Of IsWebBrowserContextMen ...

  4. javascript Advanced knowledge —— Built in object prototype

    The code information comes from http://ejohn.org/apps/learn/. You can modify the methods of built-in objects . if (!Array.prototype.forEach) { Array.prototype.fo ...

  5. Cocos2D v3.x On the priority of overlapping touch layers in

    stay Cocos2D v2.x In this version, you can set the touch priority of this layer by the following methods : [[CCDirector sharedDirector].touchDispatcher addTargetedDelegate ...

  6. bootstrap-table Refresh page data

    bom.bootstrapTable('load',msg['object']);// This step Be sure to add . if(msg['code']==1){ bom.find('tbody').css('dis ...

  7. Hive Official user manual —— new Hive CLI(Beeline CLI)

    Hive Official user manual —— new Hive CLI(Beeline CLI) https://blog.csdn.net/maizi1045/article/details/79481686

  8. Hibernate The next day

    ### Hibernate The persistence class of ### ---------- ** What are persistent classes ** 1. The persistent classes : It's just one. Java class ( We wrote JavaBean), This Java Classes and tables can become ...

  9. TypeScript Learning notes ( 3、 ... and ) - Method

    This article will introduce TypeScript How to define and use methods . One . Method standard declaration and use // Method statement function func(x: number, y: number): number { return ...

  10. compile skia Static library , Picture decoding library can not be registered

    Reprint :http://www.cnblogs.com/imlucky/archive/2012/08/01/2617851.html Compile today skia library , It is always invalid to add picture decoding library . After modification according to the method of this blog ...