
4 reasons for "shift-left security"

2022-06-24 13:57:00 InfoQ

In the previous article we discussed DevSecOps best practices. "Shift-left security", as the principle and idea behind that practice, is an unavoidable topic. In this article we look at the reasons for shifting security left and the benefits it brings to the enterprise.

Agility and flexibility are the hallmarks of modern cloud native technologies, which can carry complex digital transformation programs from build to production. As the market changes and the pandemic becomes the norm, optimizing the software development lifecycle (SDLC) has gradually become a focus for companies, especially managing the CI/CD pipeline and the security risks in the later, production stage of the SDLC.
With the right cloud technology, the development team can work with DevOps and the security operations team to build and test application code securely, ultimately operating more efficiently while reducing security problems in production.

Security has become a mark of market differentiation


In 2020, 90% of known vulnerabilities involved web applications, the main target of attackers. Consumers are the most direct victims, because their personally identifiable information (PII) is exposed and sold on the dark web. Getting secure code into production faster means fewer security vulnerabilities. At the same time, user privacy and security matter a great deal to consumers, and enterprises can win more goodwill and revenue by providing safer services to them.

Malicious attackers are also adjusting the tactics, techniques and procedures they use against vulnerabilities, and they attack faster than ever, so developing software without DevSecOps technology and without DevOps processes and teams is not advisable. To build a strong DevOps foundation, the organization needs to invest energy and money in team members, tools and organizational structure.

Shift-left security in the CI/CD pipeline


The CI/CD pipeline is the path every developer's code must pass through. Failure at any step triggers a notification to the corresponding developer.
Here are the three basic stages of a CI/CD pipeline:

Build phase
At this stage the code is taken from source and combined with its dependencies, then compiled so that the final application can be deployed to the production servers. Container images and IaC templates are scanned locally or as part of the CI/CD workflow. Automated tests are then run to verify the authenticity and quality of the code.
Deployment phase
The image registry is continuously monitored to ensure that application images are secure before deployment, and protection policies are in place to prevent unsafe deployments. Once the source code has passed all tests, it is deployed to the various environments, such as production.
Operation phase
Risks in the production environment are monitored by integrating environment alerts and risk prioritization with notification tools. The CI/CD pipeline adds strict controls to protect personally identifiable information.
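As an added example (not from the original article), the deployment-stage gate described above: a small Python policy check that reads one scan report covering both a container image and an IaC template, blocks the deployment on findings at or above the policy threshold, and routes everything else to the owning team as an advisory so the right developer is notified. The report layout, finding ids, package names and team names are constructed for this example and are not a real scanner's schema.

```python
from dataclasses import dataclass, field

# Severity ranking used to compare findings against the policy threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class GatePolicy:
    vuln_threshold: str = "HIGH"        # image vulnerabilities at/above this block
    block_only_fixable: bool = True     # ...but only if a fixed version exists
    misconfig_threshold: str = "HIGH"   # IaC misconfigurations at/above this block

@dataclass
class GateDecision:
    allowed: bool = True
    blocking: list = field(default_factory=list)  # findings that stop the deploy
    advisory: list = field(default_factory=list)  # findings sent to owners only

def _at_least(severity: str, threshold: str) -> bool:
    return SEVERITY_RANK.get(severity.upper(), 0) >= SEVERITY_RANK[threshold]

def evaluate(report: dict, policy=None) -> GateDecision:
    """Apply the gate to every scanned target (container image or IaC template)."""
    policy = policy or GatePolicy()
    decision = GateDecision()
    for target in report.get("targets", []):
        name, owner = target["name"], target.get("owner", "unassigned")
        for v in target.get("vulnerabilities", []):
            entry = f"{name} [{owner}] {v['id']} {v['severity']} in {v['package']}"
            fixable = bool(v.get("fixed_version"))
            blocks = _at_least(v["severity"], policy.vuln_threshold) and (
                fixable or not policy.block_only_fixable)
            (decision.blocking if blocks else decision.advisory).append(entry)
        for m in target.get("misconfigurations", []):
            entry = f"{name} [{owner}] {m['id']} {m['severity']}: {m['title']}"
            blocks = _at_least(m["severity"], policy.misconfig_threshold)
            (decision.blocking if blocks else decision.advisory).append(entry)
    decision.allowed = not decision.blocking
    return decision

# Constructed sample report (assumed layout): placeholder ids, not real CVE numbers.
SAMPLE_REPORT = {"targets": [
    {"name": "registry.example/app:1.4.2", "kind": "image", "owner": "team-payments",
     "vulnerabilities": [
         {"id": "VULN-PLACEHOLDER-1", "severity": "CRITICAL", "package": "pkg-a", "fixed_version": "1.2.4"},
         {"id": "VULN-PLACEHOLDER-2", "severity": "HIGH", "package": "pkg-b", "fixed_version": None}]},
    {"name": "infra/storage.tf", "kind": "iac", "owner": "team-platform",
     "misconfigurations": [
         {"id": "MISCONF-PLACEHOLDER-1", "severity": "HIGH", "title": "Storage bucket is publicly readable"}]}]}
```

With the default policy the sample report is blocked by the fixable CRITICAL image finding and the HIGH IaC misconfiguration, while the unfixable HIGH finding is only reported to team-payments.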

Using a CI/CD pipeline in DevOps lets developers easily identify defects and software/application quality issues without breaking the code. When the concept of "shift-left security" is added to the SDLC, the CI/CD pipeline is strengthened further. Shifting the security guardrails left integrates DevSecOps principles and tool automation into the application dynamically, strengthening security across the build-test-run cycle.

Advantages of embedding shift-left security in the CI/CD pipeline


When shift-left security is embedded in the CI/CD pipeline, enterprises gain the following four advantages:
1. Improved application security
A suitable cloud platform can scan container images and IaC templates to help identify vulnerabilities or misconfigurations in the SDLC. Look for cloud security features that give the security operations team shift-left scan results together with deep insight into the production environment; when potential attack paths are correlated with existing risks, these features help DevOps and development teams resolve problems efficiently.
2. Prevention of security risks early in the SDLC
Code problems found early are easier to fix and cheaper to repair, whereas problems that surface once the code is in production are very costly to fix.
3. Earlier deployment of applications to production
Security is no longer work that is done after development. Integrating security earlier into the CI/CD pipeline avoids production problems that cannot be resolved quickly and applications that cannot be deployed to production on time.
4. Better teamwork and stronger security management
By integrating security into the CI/CD pipeline and letting developers and DevOps use the same platform as the security team, so that they can run the scanning process themselves, teams collaborate well and every department can actively manage security risks from development through operation.

Strengthening cross-department collaboration through shift-left security


Collaboration is critical for security and development teams.
The security operations center (SOC) team may need training in cloud technology, while the cloud team needs to understand how the enterprise performs risk management.

Understanding the roles and responsibilities of each team, and the security duties each one performs, is critical to managing security risk. The security team can lead the development and DevOps teams through threat modeling exercises and provide full support during security incidents. Security teams can also operate the underlying platforms or libraries that support the cloud engineering team (such as IaC scanning and shared libraries for authentication and monitoring) and support the workload architecture (such as a secure service mesh).

As technology develops, security managers have more choices than ever: purpose-built SDLC features that advance cloud security and provide environment visibility from development to runtime. This brings cross-functional teams together to unify workflows and manage security risk.

Copyright notice
This article was written by InfoQ; please include a link to the original when reposting.
https://yzsam.com/2022/175/202206241134325147.html