Hi! We are 龙智 (Long Zhi), a provider of integrated DevSecOps solutions covering development, security and operations, and an Atlassian Global Platinum Partner.
Over the past decade or so, the traditional software development model has changed dramatically, from waterfall to agile to DevOps, and the once clear boundary between development and operations has gradually blurred.
Because DevOps promotes communication, collaboration and integration among development, operations, testing and other departments, it has quietly become the mainstream trend in software development and operations. Along the way, DevOps has incorporated new practices such as continuous integration and continuous deployment to deliver value quickly.
If you know little about DevOps, or want a deeper understanding of the DevOps toolchain, don't miss this series. 龙智 will cover five areas: the concept of DevOps, the DevOps toolchain, CI and tool comparison, DevOps monitoring, and DevSecOps, taking you from the origins step by step into this methodology that has been popular for decades.
Although software companies do their best, security vulnerabilities persist and keep coming. Since 2000, roughly 3.5 billion people have had personal data stolen. Part of the explanation is that as software scale and the complexity of application code bases grow, the area exposed to security vulnerabilities and exploits grows with them.
Moreover, as more and more enterprises adopt DevOps, the automation and integration of processes between software development and IT teams make traditional security tools no longer fit. Developers now need to embed security measures into every phase of the development workflow and, by shifting security left, prevent security risks early in the SDLC. When this is applied to the security of the DevOps workflow, the practice is called DevSecOps.
What is DevSecOps?
DevSecOps is the practice of integrating security into the continuous integration, continuous delivery and continuous deployment pipeline. By bringing DevOps values to software security, security verification becomes an active, integrated part of the development process.
Much like DevOps, DevSecOps is an organizational and technical approach that combines project management workflows with automated IT tooling.
DevSecOps integrates active security audits and testing into agile development and DevOps workflows, so that security is built into the product rather than applied to the finished product.
To implement DevSecOps, teams should:
Integrate security controls, tools and processes into the DevOps workflow so that automated security checks run at every stage of software delivery. By "shifting security left", move security procedures (code review, analysis, testing and so on) to the early stages of the software development life cycle (SDLC), to prevent defects and identify vulnerabilities as early as possible.
With DevSecOps, security should be applied to every stage of a typical DevOps pipeline: plan, code, build, test, release and deploy.
DevOps must shift left to be secure
In a traditional DevOps process, security assessment happens at the end of the development process. This approach to security slows down the development life cycle and creates a gap between developers and security teams, because they have to rework nearly delivered code to fix security issues that could have been found and resolved much earlier.
So organizations have started to shift left, proactively introducing security into the development life cycle itself rather than patching security in at the last minute. "Shift left" is jargon used by IT development and DevOps practitioners to describe moving security testing and technology upstream in the software development cycle. Today, shifting security left has become a consensus in the software industry, because fixing vulnerabilities early in the software development life cycle saves time and effort compared with remediating them later.
Shift left in practice: move security testing forward to the coding and build phases
In practical terms, shifting left means that security testing can begin in the early stages, coding and build. Scanning code for vulnerabilities early is a basic element of product security and also the first step. Integrating vulnerability scanning tools into the CI/CD process is the obvious place to start DevSecOps.
This means making sure that code is checked for vulnerabilities at every major phase of the delivery pipeline. To reach this level of integration, companies need to ensure that everyone responsible for a pipeline stage has the training and tools they need to detect vulnerabilities in their code.
The relevant technologies include SAST, used to detect vulnerabilities in proprietary code, and SCA tools, used to identify open source components with known vulnerabilities. Many SAST and SCA vendors offer integrations with CI services, build tools and repositories, as well as with IDEs, to help developers find problems as early as possible.
The most popular SAST tool in DevSecOps is SonarQube. SonarQube is an automated code scanning tool for continuously analyzing and assessing the quality of project source code. It supports 29 development languages, including Java, Python, C#, C++ and others, and analyzes code along dimensions such as code volume, security risks and test coverage. SonarQube covers static scanning rules for programming languages, coding conventions plus security rules, and integrates well with code editors and CI/CD platforms.
Another common tool covering both SCA and SAST is Mend (formerly WhiteSource). Mend is a one-stop solution focused on SCA, managing the security, licensing and quality of open source components. It accurately detects all open source licenses, including those of libraries, and automatically enforces license policies on newly added components. Users can therefore block unwanted components from entering their software.
Using Mend, enterprises can protect their proprietary and open source code through automated remediation, freeing developers to focus on building new applications. Mend is deployed in the cloud, provides automated remediation for SCA and SAST, and surfaces results directly in developers' repositories.
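The two preceding passages describe the core of shifting left: a vulnerability check enforced at each pipeline stage, fed by SAST findings on proprietary code and SCA findings (known vulnerabilities and license policy) on open source components. The following is an added example of such a build gate, written for this article and not code from SonarQube, Mend, Atlassian or 龙智. It assumes the SAST scanner emits a minimal SARIF 2.1.0 document (only the `runs[].results[].level` field and a location are used) and that the SCA scanner emits a simplified JSON list with `component`, `version`, `cvss` and `license` fields; both reports below are constructed samples, not real scanner output. The gate returns the list of policy violations and, when run as a script, exits non-zero so the CI stage fails.

```python
"""Shift-left pipeline gate: fail the build on SAST and SCA policy violations.

Added example. Report formats are assumptions: SAST as minimal SARIF 2.1.0,
SCA as a simplified JSON list. Both sample reports are constructed.
"""
import json
from dataclasses import dataclass, field

# Constructed SAST report in minimal SARIF shape (not real scanner output).
SAST_REPORT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# Constructed SCA report (assumed simplified schema, not a vendor format).
SCA_REPORT = json.dumps([
    {"component": "example-lib", "version": "1.2.3", "cvss": 9.8, "license": "MIT"},
    {"component": "other-lib", "version": "0.9.0", "cvss": 4.3, "license": "AGPL-3.0"},
    {"component": "fine-lib", "version": "2.0.0", "cvss": 0.0, "license": "Apache-2.0"},
])


@dataclass(frozen=True)
class GatePolicy:
    """Thresholds a pipeline stage enforces; tune per stage (e.g. stricter at release)."""
    fail_sast_levels: frozenset = frozenset({"error"})   # SARIF levels that block
    max_cvss: float = 7.0                                # block known vulns at/above this
    denied_licenses: frozenset = frozenset({"AGPL-3.0", "GPL-3.0"})


@dataclass
class GateResult:
    violations: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.violations


def _location(result: dict) -> str:
    """Best-effort file:line from a SARIF result; tolerate missing locations."""
    try:
        phys = result["locations"][0]["physicalLocation"]
        return f"{phys['artifactLocation']['uri']}:{phys['region']['startLine']}"
    except (KeyError, IndexError, TypeError):
        return "<unknown location>"


def check_sast(sarif_json: str, policy: GatePolicy) -> list:
    """Return one violation string per SARIF result whose level is blocking."""
    doc = json.loads(sarif_json)
    out = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # SARIF defaults level to "warning" when absent.
            if res.get("level", "warning") in policy.fail_sast_levels:
                out.append(f"SAST {res.get('ruleId', '?')} at {_location(res)}")
    return out


def check_sca(sca_json: str, policy: GatePolicy) -> list:
    """Flag components with a CVSS score at/above threshold or a denied license."""
    out = []
    for dep in json.loads(sca_json):
        name = f"{dep['component']}@{dep['version']}"
        if float(dep.get("cvss", 0.0)) >= policy.max_cvss:
            out.append(f"SCA {name}: known vulnerability, CVSS {dep['cvss']}")
        if dep.get("license") in policy.denied_licenses:
            out.append(f"SCA {name}: license {dep['license']} is not allowed")
    return out


def run_gate(sarif_json: str, sca_json: str, policy: GatePolicy = None) -> GateResult:
    """Combine SAST and SCA checks into a single pass/fail decision for the stage."""
    policy = policy or GatePolicy()
    return GateResult(check_sast(sarif_json, policy) + check_sca(sca_json, policy))


if __name__ == "__main__":
    result = run_gate(SAST_REPORT, SCA_REPORT)
    for v in result.violations:
        print("FAIL:", v)
    # Non-zero exit makes the CI stage fail, which is the whole point of the gate.
    raise SystemExit(0 if result.passed else 1)
```

Run against the constructed reports the gate reports three violations (the SQL injection finding, the CVSS 9.8 component, and the AGPL-licensed component) and exits 1, while the "note"-level finding and the clean component pass. Because the policy is a value object, the same script can run at the commit, build and release stages with different thresholds, which is how "a check at every major phase" is enforced without a separate tool per phase.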
Integrating with other tools while shifting left
Atlassian's DevOps solution takes the same shift left: the last part of testing in the test phase is moved left into the build phase. Previously SonarQube sat in Bamboo, which amounted to not using a SAST tool in the CI/CD flow. After the shift left, the SonarQube for Bitbucket plugin integrates SonarQube tightly with Bitbucket, and code scanning is moved left into the coding phase.
After integrating the two products with the SonarQube for Bitbucket plugin, you can invoke SonarQube directly from Bitbucket to scan code for syntax errors and similar issues, and view the scan results in both products.
Mend's integration with Bitbucket is likewise done through a plugin, which is convenient and fast. With WhiteSource for Bitbucket, the SCA/SAST tool can scan open source components for known vulnerabilities during the coding phase, ensuring that the committed code is clean.
If you want to integrate Mend into your CI/CD pipeline, the Atlassian Marketplace does not offer a relevant plugin. You can contact 龙智, an Atlassian Global Platinum Partner; we provide custom development services and can build the integration between Mend and Bamboo through scripts, letting you easily integrate Mend into your CI/CD pipeline.
Security throughout the DevOps process: security tools applied at every stage
Beyond coding and building, security concepts and practices need to extend to more DevOps stages. Only by building security into the whole software development life cycle and implementing the security shift left can DevSecOps best practices be realized. Helix Core, the software version management product from Perforce, can implement security throughout: from planning to deployment, it is involved in every link.
Helix Core manages all digital content securely in a single repository, providing a single source of truth; unified, flexible and granular access control; and comprehensive traceability. With strong support from multi-factor authentication and other security features, Helix Core is the most secure version control system for protecting your most precious asset, your intellectual property.
Besides Helix Core, there are many version control systems to choose from, such as Bitbucket and SVN. If your enterprise uses multiple version control systems at the same time, managing them with Fisheye, Atlassian's source code repository insight tool, is a good choice. Fisheye integrates deeply with Jira, so you can manage these version control systems directly through Jira.
龙智 integrates mainstream tools from around the world to tailor a DevSecOps solution for you
As more and more development teams evolve their processes and adopt new tools, they need to take security seriously. DevSecOps is a cyclical process that should be iterated continuously and applied to every new code deployment. Vulnerabilities and attackers keep evolving, and modern software development teams must keep moving too.
龙智 carries on the Open DevOps philosophy, helping you integrate Atlassian tools with various security tools to tailor DevSecOps solutions for enterprises.
At the same time, as an Atlassian Global Platinum Partner, 龙智 has also developed several Atlassian plugins of its own to help unleash and extend the power of Atlassian tools, better suited to local enterprises. These include the Confluence watermark plugin (Watermark for Confluence), which helps users protect copyright, trace the source of document content and improve its credibility; the Confluence attachment and page security management plugin, which logs and restricts users' copying of page content and downloading of attachments in Confluence; as well as the Jira time tracking plugin (TimeWise for Jira) and the Jira workflow extension and parallel approval plugin (WorkflowWise for Jira). You are welcome to inquire and try them.
Want to learn more about Atlassian DevOps solutions, tools and customer cases? Contact us now:
Phone: 400-775-5506
Original site copyright notice
This article was created by [InfoQ]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/214/202208021702172048.html