How to do a good job in safety development?
2022-07-25 07:20:00 Huawei Cloud Developer Alliance
Abstract: Secure development rests on three things: using secure tools, secure coding, and managing open source and third-party components.
This article is shared from the Huawei Cloud community post "DevSecOps R&D Security Practices: The Development Chapter", by Huawei Cloud PaaS Little Helper.
Preface
For a long time the industry has attached great importance to protecting software after it goes live, while investing comparatively little in security during the R&D phase. In 2012, Gartner put forward the idea of DevSecOps. DevSecOps integrates the security protection process into the traditional DevOps process, provides a strong guarantee for R&D security, and uses security tooling to support the implementation of security requirements during the R&D stage.
The importance of secure development
Security is closely related to development quality: if the development process is well controlled, the cost of repairing defects later drops sharply. Verification during R&D is the key to practising security early, and security in the R&D stage is the key to shifting overall security left, so attention must be paid to code and program security to avoid introducing risk.
Code is the initial form of a software application or service, and its defects or vulnerabilities are the direct source of security problems. Doing secure coding well and detecting source code defects early can greatly reduce the cost of repairing security problems. According to statistics from the National Institute of Standards and Technology (NIST), the cost of a fix in the coding phase is much lower than the cost of fixing the code after release.
How to do a good job in secure development
To do secure development well, we focus on using secure tools, secure coding, and managing open source and third-party components.
Use secure tools
A good workman sharpens his tools first. The security of the tools themselves is a key link to secure before development begins: the editors, linkers and other related tools used by the development team may be involved in security-relevant steps, so the versions of the tools to be used need to be agreed with the security team in advance. Use approved tools that have passed a security check, together with a security-hardened compiler and build environment, to make sure the code that is produced is actually secure.
Secure coding
Secure coding is very important to ensuring the security of products and services; defects, errors and logic flaws are always the main reasons for software vulnerabilities that can be widely exploited. Secure coding is an important part of development practice: by following an established threat model, the number of security-related vulnerabilities and integration errors can be reduced and the accidental introduction of security vulnerabilities prevented.
Establish internal secure coding standards and maintain audited general security modules. Provide a secure coding specification, formulate related rules based on a security base library, and ask the business teams to abandon dangerous coding habits, for example the various string-splicing (concatenation) methods or calls to unsafe default APIs, and instead implement the related functions with the safe APIs in the SDK, so as to reduce the risk of writing vulnerabilities. Train all staff on the secure coding standards and gradually cultivate everyone's security awareness.
After coding, run code review and automated code scanning: code quality checks, code style checks, repository security checks, high-risk framework checks, static code analysis and vulnerability scanning together ensure security in the R&D stage. At the same time, the coding specification check is integrated into the R&D tool chain to keep the inspection efficient and of high quality.
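As an added illustration of the "string splicing versus safe API" point above (example code written for this page, not code from the article or from Huawei Cloud), the same database lookup is written both ways against a constructed in-memory table: the spliced version lets the input change the shape of the statement, the bound version only ever treats it as data.

```python
# Added example (not from the original article): a database lookup written
# two ways. The first splices user input into the SQL text, the dangerous
# habit the article asks teams to abandon; the second uses the driver's
# parameter binding, i.e. the "safe API in the SDK". Table and rows are
# constructed sample data so the script runs offline.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_spliced(conn: sqlite3.Connection, name: str) -> list:
    """Dangerous: the query text is built by string splicing, so a quote
    in the input rewrites the statement's structure, not just its data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the statement is fixed and the input travels as a bound
    parameter, so it can only ever be compared as a literal value."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> tuple:
    """Run both variants on the same input; returns (spliced, bound)."""
    conn = make_db()
    try:
        return find_user_spliced(conn, name), find_user_bound(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary name behaves the same either way ...
    print(compare("bob"))
    # ... but input containing a quote turns the spliced WHERE clause into
    # an always-true predicate, while the bound version simply finds no
    # user with that literal name. A code scanner rule that flags string
    # concatenation into SQL catches the first form before review.
    print(compare("x' OR 'a'='a"))
```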
Manage open source and third-party components
Open source software is increasingly popular and has become the most basic raw material of modern software development. Mixed-source development has become the main delivery mode for modern applications, so its comprehensive risk review should audit several dimensions: defects and backdoors in third-party open source components, common vulnerabilities in self-developed code, business logic vulnerabilities in self-developed code, and hidden malicious code.
To understand potential third-party software security threats, constantly update the list of known third-party software threats and vulnerabilities, alert the product teams, and so ensure the security of the software supply chain.
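To show what the check described above looks like in practice (an added example for this page, not code or data from the article or from Huawei Cloud), the block below matches a product's component list against a maintained list of known vulnerabilities by version range and decides whether the product team must be alerted. Every advisory, identifier and component here is constructed; the PLACEHOLDER ids stand in for real advisory numbers.

```python
# Added example (not from the original article): matching a product's
# third-party component list against the maintained list of known
# vulnerabilities, as the article describes for supply-chain security.
# Advisories and manifest are constructed sample data, not real records.
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str   # placeholder ids, not real CVE numbers
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


# Constructed "known threats" list that the security team keeps updated.
KNOWN_ADVISORIES = [
    Advisory("libparse", "PLACEHOLDER-2022-001", "2.0.0", "2.4.1", "high"),
    Advisory("netclient", "PLACEHOLDER-2022-002", "1.0.0", "1.9.0", "medium"),
    Advisory("netclient", "PLACEHOLDER-2022-003", "1.8.0", "1.8.3", "high"),
]

# Constructed component manifest of one product build: name -> version.
PRODUCT_MANIFEST = {"libparse": "2.3.0", "netclient": "1.9.2", "imglib": "0.7.1"}


def audit(manifest: dict, advisories: list) -> list:
    """Return (component, version, advisory_id, severity) for every
    manifest entry that sits inside an advisory's affected range."""
    hits = []
    for component, version in sorted(manifest.items()):
        for adv in advisories:
            if adv.component == component and adv.affects(version):
                hits.append((component, version, adv.advisory_id, adv.severity))
    return hits


def release_allowed(manifest: dict, advisories: list) -> bool:
    """Gate used to alert the product team: block the release while a
    high-severity known vulnerability is still present in the components."""
    return not any(hit[3] == "high" for hit in audit(manifest, advisories))
```

Re-running the gate after the team upgrades libparse to the first fixed version returns no hits, which is the "verify that known vulnerabilities are fixed" step the practice section calls for.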
Huawei Cloud secure development practice
Huawei has 20 years of accumulated R&D security experience, and its R&D security capability has gradually taken shape through the problems encountered in its business. Huawei will open up its operations and maintenance security capabilities and deeply integrate its upcoming R&D security capabilities with Huawei Cloud DevCloud, bringing enterprises a DevSecOps platform that lets them adopt the DevSecOps idea conveniently, builds security protection into the software development process, lets software be "secure by nature and grow up healthy", and becomes part of the enterprise's competitiveness.
Secure coding
Huawei has its own security code checking platform, SecSolar. Huawei Cloud strictly complies with the secure coding specifications released within Huawei and has built a secure coding knowledge base, a secure coding defect library and a secure coding capability base. To prevent, detect and eliminate errors that may endanger software security, Huawei Cloud service R&D and test personnel must pass study and examination of the corresponding specifications before taking up their posts.
To ensure that services always have high security, alongside secure coding Huawei Cloud has introduced a static code scanning tool with daily checks. Its results feed into the cloud service continuous integration and continuous deployment (CI/CD) tool chain, where quality thresholds are used as gates to assess the quality of cloud service products. Before any cloud product or cloud service is released, the alarms from static code scanning must be cleared, which effectively reduces coding-related security problems at launch. CodeCheck, the code check service developed by Huawei Cloud, provides access to 2000 typical Huawei inspection rules, supports multiple mainstream development languages, identifies most security issues during the development phase, positions security risk early and effectively controls code quality.
Third-party software security management
Following a principle of being strict at introduction and lenient in use, Huawei Cloud ensures the secure introduction and use of open source and third-party software. Huawei Cloud has formulated clear security requirements and a complete process control scheme for introduced open source and third-party software, with strict control implemented at each link: type selection analysis, security testing, code security, risk scanning, legal review, software application, software exit and so on. For example, in type selection analysis, cyber security assessment requirements are added at the selection stage of open source software to strictly control what is chosen. In use, third-party software must be handled as part of a service or solution, with a focus on evaluating whether the combination of open source and third-party software with self-developed software, or the use of standalone third-party software within the solution, introduces new security problems.
Huawei Cloud contributes cyber security capabilities to the community. When open source vulnerabilities appear, it relies on its influence in the open source community to discover and fix them at the earliest opportunity. For vulnerability response, open source and third-party software must be tested as part of the services and solutions to verify that their known vulnerabilities are fixed, and the service's release notes list the bug fixes for open source and third-party software.
Postscript
Security vulnerability scanners of all kinds, open source component version checks, and even code quality and code style tools let developers discover and eliminate some potential security risks while coding. In the DevSecOps era this requires a lot of investment, but if it is done well it can greatly reduce the workload of subsequent links. There are also challenges, for example the false positive rate of static analysis of source code, or the fact that some accurate vulnerability detection schemes rely heavily on the compilation or build process. DevSecOps clearly still has a long way to go.