2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
What does a solution based on the DevSecOps concept look like in the SDLC development process? This article analyzes the problem and describes a corresponding solution in detail, in the hope of helping readers who face it find a simpler and more practical approach.
At the beginning of 2019, a major bug appeared in the Pinduoduo app: users could obtain unlimited 100-yuan no-threshold coupons without any restrictions. According to incomplete statistics, the face value of the coupons that directly caused Pinduoduo's losses reached more than 20 billion yuan in one night. According to Pinduoduo's official report, the incident was caused by a black- and gray-market gang that stole tens of millions of yuan of platform coupons through a loophole in expired coupons.
At the end of 2018, Shanghai police broke up a criminal gang that exploited loopholes in online banking to make illegal profits. Members of the gang discovered and took advantage of security loopholes in the pledge loan business of a bank's app, using illegal means to accumulate illegal profits of more than 2800 million yuan.
In November 2018, Wang Liqun, deputy director of the Banking Bureau of Taiwan's Financial Regulatory Commission, said that a loophole in Citibank's prepaid card fee transaction system for its credit card business had previously been exploited by customers. More than NT $6300 (about RMB 13.45 million) was spent by credit card.
In an environment of fast-paced software development and frequent application vulnerabilities, dealing with software vulnerabilities is an arduous task that software development teams have to face.
Since 2004, SDLC has been a company-wide planning and enforcement policy at Microsoft. The Secure Development Life Cycle (SDLC), or Security Development Life Cycle, is a software development process that helps developers build more secure software and meet security compliance requirements while reducing development costs. Its core idea is to integrate security considerations into every stage of software development: requirements analysis, design, coding, testing, and maintenance. Corresponding security activities and specifications are added at every stage, from requirements and design through to product release, in order to reduce the number of vulnerabilities in the software and minimize security defects. In short, the SDLC is a security assurance process that focuses on software development and aims to produce secure software applications.
[Figure: Microsoft Security Development Lifecycle, simplified (Chinese version)]
The current software development process usually includes coding, unit testing, integration testing, bug fixing and other steps. As system complexity increases, the dependencies between modules become more and more complex. Many bugs cannot be found until project integration, and the further a bug is discovered from the development phase, the higher the cost of fixing it.
With the advent of DevOps, software development and deployment have become faster and iterations more frequent. To reduce risk effectively without sacrificing speed and productivity, enterprises need to integrate security into their DevOps processes and tool chains. This is more important than ever. Xuanjing Security provides a DevSecOps adaptive threat management solution covering the full SDLC development process.
For the research and development phase of a project, Xuanjing provides a security development solution with the Xuanjing Lingmai AI penetration test platform at its core. Xuanjing Lingmai adopts IAST (Interactive Application Security Testing) gray-box testing technology, which is one of Gartner's top ten information security technologies. Its AI heuristic website scanning engine can help R&D engineers, test engineers, project managers and other non-security personnel complete vulnerability testing of the system. Xuanjing Lingmai not only overcomes the crawler limitations of the traditional black-box scanning mode, but also embeds AI penetration testing into the SDL process transparently, which greatly reduces the labor cost of enterprise security testers.
* An IAST interactive security testing tool is a new generation of "gray-box" product for code audit, security testing and third-party software testing. It is a technology that has emerged in recent years and is listed by Gartner as one of the Top 10 technologies in the field of information security. It combines the advantages of SAST and DAST, requires no source code, and supports bytecode detection. IAST greatly improves the efficiency and accuracy of security testing and is well suited to agile development and DevOps. It integrates seamlessly into existing development processes in the development and testing phases, so that developers and testers complete security testing transparently while performing functional testing.
For the operation phase of a project, Xuanjing Security has launched a host security defense solution with Xuanjing Cloud Guard at its core. Based on the ASA adaptive security architecture, Cloud Guard accurately inventories IT assets from the perspective of enterprise security management, dynamically quantifies security risks, and builds a tower-defense-style security defense system in advance. Using attack-chain multi-anchor detection technology, it monitors and responds to hacker intrusions in real time, gives customers early warning, and provides security technical support so that vulnerability risks can be avoided in time.
This is the answer to the question of what a solution based on the DevSecOps concept looks like in the SDLC development process. I hope the above content is of some help to you. If you still have questions, you can follow the industry information channel for more related knowledge.