Safe Development Practice Principles

Nov 26, 2019 05:59 PM

Today, as digitalization deepens, the destructive power of security threats is growing at an unprecedented rate. Expanding and building digital businesses usually enlarges the attack surface. To deal with current and future threats, relying solely on traditional investment in security products is not enough; beyond purchasing products, what matters more is raising security awareness and building security processes.

Across the various security construction plans, front-loading security capabilities is a clear trend. A house built on an unstable foundation, with weak walls and sagging floors, cannot be held up by a few pillars added after completion; likewise, a system built without a secure development process will inevitably be full of vulnerabilities once it is in operation.

We believe that secure development practice rests on the following five principles:

1. Security training

Security skills training is essential for closing the technical capability gap, and managing security at every step of the product lifecycle is critical. Companies need to invest explicitly in security awareness and security skills training so that developers become aware of, and able to write, secure code and understand the recommendations and actions of the security department. This is essential for efficient collaboration between business teams and security teams.

According to the SANS Institute's security status report, as early as 2016 more than half of the surveyed companies in the United States had made security training one of the company's main tasks. To this day, only a handful of Chinese companies understand the importance of security training, and even fewer turn training intentions into training actions.

2. Secure application development

At present, application security has attracted widespread attention from enterprises. To ensure secure development, two practical methods are important:

(1) Use a security-centered process framework.

(2) Incorporate feedback from the security team into developer workflow and demo reviews for each iteration cycle.

For process frameworks, we believe it is best to choose a proven, appropriate security-focused framework based on best practices, software libraries, standards, and the regulations specific to your organization's industry. The following two well-known frameworks are collections of rules, techniques, and processes that guide development organizations and provide applicable resources. Although their concerns differ, both are fundamentally security-oriented.

Microsoft Security Development Lifecycle (SDL): This process fits well into existing DevOps environments and provides a fairly general structure that integrates security throughout the process. In our experience, it is not limited to any specific code type or operating environment.

Open Web Application Security Project (OWASP): This community website provides data on vulnerabilities, their impacts, and risks, as well as best-practice guidance for developing and testing secure web applications.

Enterprises need to bring security teams into the development process proactively, to get their feedback early and to include them throughout the development workflow and iterative prototype demos. The benefit is that teams can address security risks concurrently during the development phase, instead of carrying costly risks forward.

Compared with the development stage, the cost of eliminating risks in the product operation and maintenance stage will be at least dozens of times higher. However, many development teams are not comfortable collaborating with security teams. Taking the first step and persevering is key. Ultimately, a security-based development workflow becomes a huge advantage in the overall security strategy.

3. Security DevOps=DevSecOps

DevSecOps is an emerging trend that fully integrates security into the DevOps workflow, creating a single unified process. Just as DevOps was proposed to solve development and operations problems at the same time, it is now also necessary to solve security issues at the same time.

Security DevOps, or DevSecOps, not only expands the work of each stage to include security elements, but also includes cross-stage, cross-department training to ensure that risk is reduced while the code is being written.

4. Application Security Testing (AST)

Continuous testing is very important, and Application Security Testing (AST) tools should become a mandatory component of every developer's toolchain. There are many excellent tools available today, including open source tools. When considering application security testing tools, it is a good idea to pre-determine the set of tools you want to use, so that the steps and processes for instrumenting the code can be optimized. Otherwise, the tools may not be able to instrument the code completely and efficiently.

AST tools are divided into several basic categories:

(1) Static Application Security Testing (SAST)

(2) Dynamic Application Security Testing (DAST)

(3) Interactive Application Security Testing (IAST)

Gartner's 2017 report stated that "most enterprises developing applications have adopted some form of AST. But different technologies have different maturity levels. DAST and SAST are currently the most widely used product types, but market demand for IAST is showing rapid growth."
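To make the SAST and IAST categories above concrete, here is an added Python example (constructed for this article; it is not code from the original text or from any real AST product): sast_scan() parses a constructed source snippet and reports dangerous sinks without executing it, while iast_trace() wraps a sink at runtime, the way an IAST agent instruments a running application, and records what reaches it. The rule set, sink names and sample source are all assumptions made for the demonstration.

```python
import ast

# Static rules (constructed for this example): call name -> finding text.
STATIC_RULES = {
    "eval": "eval() on data that may come from user input",
    "subprocess.call": "subprocess.call(); check for shell=True",
}

def _call_name(node: ast.Call) -> str:
    # Resolve a Call node to 'func' or 'module.func'; '' if not a simple name.
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def sast_scan(source: str) -> list[tuple[int, str]]:
    # SAST: parse the source text and report sinks without running the code.
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _call_name(node) in STATIC_RULES:
            msg = STATIC_RULES[_call_name(node)]
            if any(k.arg == "shell" and getattr(k.value, "value", None) is True
                   for k in node.keywords):
                msg += " (shell=True confirmed)"
            findings.append((node.lineno, msg))
    return sorted(findings)

# IAST-style instrumentation: wrap a sink so each call into it is recorded.
TRACE: list[dict] = []

def instrument(sink, label: str):
    def wrapper(*args, **kwargs):
        TRACE.append({"sink": label, "args": args})
        return sink(*args, **kwargs)
    return wrapper

def iast_trace(user_expr: str) -> list[dict]:
    # Run a constructed handler under instrumentation and return what it hit.
    TRACE.clear()
    traced_eval = instrument(eval, "eval")
    traced_eval(user_expr)  # the 'application' reaching the sink at runtime
    return list(TRACE)

# Constructed source snippet used as SAST input (not from the article).
SAMPLE_SOURCE = ("import subprocess\n"
                 "def run(cmd): return subprocess.call(cmd, shell=True)\n"
                 "def compute(expr): return eval(expr)\n")
```

DAST, the third category, would instead exercise the running application from the outside (for example through HTTP requests) and is not shown here.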

5. Continuous monitoring and analysis

Continuous monitoring and analysis help protect applications during the operation and maintenance phase: continuous feedback from monitoring is fed back into the development process. Monitoring and analyzing the operation and maintenance phase is a basic, common-sense practice. It provides enterprises with valuable information and data, helping them catch potential vulnerabilities and reduce potential risks.

Just as security in the operation and maintenance phase cannot be achieved without development security, development security cannot be achieved independently of operations security. A process without a feedback mechanism is definitely not a good process.
