Construction reasons and key points of DevSecOps

2025-01-30 Update. Source: SLTechnology News&Howtos > Network Security


Shulou (Shulou.com) 06/01 Report

Why do we need DevSecOps?

In today's environment of the intelligent Internet of Everything and a rapidly growing digital economy, application software security plays a vital role in advancing China's digital economy and in maintaining social stability and national security. According to a Gartner report, more than 80% of network attacks occur at the application layer, and more than 70% of disclosed vulnerabilities concern application security, in particular SQL injection, XSS, CSRF and directory traversal. Application security is therefore the top priority.

1.2 Security must shift left

Today, cloud computing, big data and artificial intelligence are the core technologies for building the digitally intelligent world of the Internet of Everything. They dissolve the boundaries of traditional networks and applications and render the old concept of perimeter security protection ineffective, which poses a great challenge to security.

In the context of the Internet of Everything we must shift our thinking from "treating the disease" to "building up health". Taking "business and data at the core" and "in the era of the Internet of Everything we need not only more security software, but also more secure software" as the guiding security concept, security work is moved ahead into development, testing and the other stages, to achieve the goal of "security as code, treating both the symptoms and the root cause". Without continuous testing and remediation of security problems before and during production, there is no way to keep an application secure as it is continuously improved and after it goes live. Shifting security left not only greatly raises the security capability of application software, it also resolves the largest share of security risk at the earliest stage and at the lowest cost. Shifting left is therefore the core innovative security concept and the best security-enablement measure in the IoE environment.

1.3 New risks from new technologies and new applications

The digitally intelligent world of the Internet of Everything is driving the rapid growth of the global digital economy. Faced with cloud applications, big data applications, the industrial Internet and intelligent IoT application software, the original security boundaries of networks and applications disappear, and current mainstream detection and protection technologies struggle to provide security enablement in this setting. This applies especially to new application architectures such as containers, APIs and microservices, and to new application scenarios such as encryption, anti-replay and signature verification.

We take "in the era of the Internet of Everything we need not only more security software, but also more secure software" as the core security idea, so that security runs through every aspect of development and operations. New technologies such as AI and automation are used to realise new security enablement: interactive application security detection and protection technology that is tightly coupled with the software, so that security and business are highly coupled, synchronised and adapted to each other. This both gives users more secure software and meets the protection needs of application software in the Internet of Everything environment.

1.4 Runtime protection is also an important part

We must not fall into the mistaken pursuit of "reducing the number of security vulnerabilities to zero": it increases the burden of security development and testing and is likely to become an obstacle to business growth. Instead, continuous risk and trust assessment and prioritisation of application vulnerabilities, combined with runtime protection controls, can compensate for the residual risk of known low-risk vulnerabilities and of unknown vulnerabilities.

The DevSecOps security solution, built on the core security concept that "the era of the Internet of Everything requires not only more security software, but also more secure software", lets security run through every stage of the business life cycle, including technology development, testing, release, launch, deployment and operations. The aim is to build a new generation of secure, efficient and compliant life-cycle application security operations, protecting the "digital economy" from the security supply side.

2.1 Changes in organisational culture and way of thinking

- Shift security left

The DevSecOps security solution is based on the core security concept that "the era of the Internet of Everything requires not only more security software, but also more secure software"; security work must be moved ahead into every aspect of development and testing, so as to achieve security enablement in the context of the industrial Internet.

- Security is everyone's responsibility

For developers, security staff and operations staff to jointly embrace the concept and culture of DevSecOps, we must change the old attitude that only security personnel are responsible for security. A very small number of security staff must not come to be seen as an obstacle to project progress or a drag on internal productivity. Developers, operations and security must all be responsible for security, work together and share accountability.

- Security service management

The security goal is to reduce the security risk of an application system to a level acceptable to its users and to meet compliance requirements. Where no regulatory requirement is at stake, the acceptable level of risk is not decided by information security; it is ultimately a business decision made by the business application owner.

- Security across the whole life cycle

Taking "in the era of the Internet of Everything we need not only more security software, but also more secure software" as the core security concept and the purpose of security service management, the aim is to build an application life-cycle security operations system in which security runs through the entire business life cycle, from development to operations, providing security enablement at the development, testing, launch and operations stages. This builds a new generation of secure, efficient and compliant life-cycle application security operations, protecting the "digital economy" from the security supply side.

Information security should serve the operations and growth of enterprises and institutions. Business growth and work efficiency are the key elements and core competitiveness of an enterprise, so information security work must fit the tools and processes of every stage from development to operations. Developers and operations staff should not have to leave their familiar tool-chain environment because of security work, which would make workflows more complex and less efficient; the point is to make IT staff time more commercially valuable. DevSecOps integrates security efficiently and transparently into every aspect of development and operations by means of AI and automated detection technology, embedding it in the developer's IDE and the CI/CD tool chain without changing the original working environment and ecosystem, so as to build convenient, efficient, secure and compliant application security capability.

2.3 Using new technologies to enable new security

New technologies are used to carry security through the entire business life cycle and to provide security enablement for cloud applications, big data applications, the industrial Internet and other new-technology application frameworks, more effectively ensuring the convenience, security and compliance of their implementation. At the same time, security must adapt better to the new application architectures of existing cloud-native technologies such as containers and microservices, and be able to identify security risks such as those in open-source software, third-party code bases and the disclosure of sensitive information.

For example, an interactive application security testing (IAST) system, whose core detection technology observes the running application rather than executing attacks against it, can output security results automatically in the course of ordinary functional testing, pinpoint the vulnerable line of code, and provide context and repair examples to help development teams fix vulnerabilities quickly. This fully addresses the high false-positive rate of current vulnerability scanners, and the limits of manual testing, which depends on scarce expertise, is time-consuming and laborious, and so cannot keep pace with rapid product iteration. It also covers the security risks of new application architectures such as containers, APIs and microservices, and of new application scenarios such as application-layer encryption, anti-replay and signature verification.

Through an adaptive application security architecture and intelligent detection algorithms, real-time detection of and protection against 0-day-class application vulnerabilities can be achieved, giving the application "self-protection" capability at runtime. At the same time, sensitive information, the running environment and third-party components can be detected and analysed in real time. This is well suited to the security detection and protection of application platforms such as cloud applications, big data applications and intelligent IoT applications.
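As an added illustration of the IAST mechanism described above (runtime taint tracking that flags a vulnerability during ordinary functional testing and points at the exact line of code), here is a minimal Python model. It is not the article's product or code; the source/sink names, the two handlers and the sample request are constructed for this demo.

```python
# Added demo of the IAST idea (runtime taint tracking that pinpoints the
# vulnerable line); not the article's product. Names/sample data constructed.
import inspect

class Tainted(str):
    """A str that remembers its untrusted origin and keeps it through '+'."""
    def __new__(cls, value, origin="http.param"):
        obj = super().__new__(cls, value)
        obj.origin = origin
        return obj
    def __add__(self, other):   # tainted + plain
        return Tainted(str.__add__(self, other), self.origin)
    def __radd__(self, other):  # plain + tainted
        return Tainted(str.__add__(other, self), self.origin)

FINDINGS = []

def untrusted(value, origin):
    """Instrumented source: everything read from the request is marked."""
    return Tainted(value, origin)

def execute_sql(query, params=()):
    """Instrumented sink: a tainted query *string* means untrusted data was
    glued into SQL; tainted values in params are safe (bound, not parsed)."""
    if isinstance(query, Tainted):
        caller = inspect.stack()[1]  # the app line that reached the sink
        FINDINGS.append({"vuln": "SQL injection", "source": query.origin,
                         "file": caller.filename, "line": caller.lineno,
                         "code": (caller.code_context or [""])[0].strip()})
    return "executed"  # a real sink would run the query here

def vulnerable_lookup(request):
    user = untrusted(request["user"], "http.param:user")
    return execute_sql("SELECT * FROM users WHERE name = '" + user + "'")

def fixed_lookup(request):
    user = untrusted(request["user"], "http.param:user")
    return execute_sql("SELECT * FROM users WHERE name = ?", (user,))

def scan(request):
    """Run both handlers with one ordinary functional request; only the
    concatenating handler produces a finding, located at its calling line."""
    FINDINGS.clear()
    vulnerable_lookup(request)
    fixed_lookup(request)
    return list(FINDINGS)

if __name__ == "__main__":
    for f in scan({"user": "alice"}):   # constructed, benign test input
        print(f"{f['vuln']} via {f['source']} at {f['file']}:{f['line']} -> {f['code']}")
```

The benign input "alice" is enough to raise the finding: the flaw is detected from the data flow, not from an attack payload, which is why IAST can report results from normal functional tests.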
