SDL Security and Enterprise Office Security in Practice

Managing the security development life cycle (SDL) is an important measure for keeping an Internet company's business running normally, and it bears directly on the security of the company's online business operations. The security risks involved in corporate office security are more complex and diverse: data leaks, personnel violations, external intrusions and physical security problems are all common.

1. Security development life cycle

The SDL of an Internet company must be integrated with the existing CI/CD (Continuous Integration / Continuous Deployment) toolchain (IDE, GitLab, Jenkins, JIRA and the like) to produce good results. SDL must be built into agile development, continuous delivery and technical operations; that is, it must follow the idea of security by design.

In practice, implementing SDL can be divided into four stages: the planning stage, the coding stage, the testing stage and the deployment stage.

1.1 Planning stage

The work of the planning stage is to clarify security requirements and to carry out security design, threat modeling, supplier security assessment, security training and so on. Security requirements need to be integrated into software requirements management, UML modeling and project management.

Security design principles include:

Principle: Explanation
Minimize the attack surface: minimize the exposure of the vulnerable parts of the system
Establish secure defaults: in its initial state, the relevant settings of the system should be secure by default
Enforce the principle of least privilege: an account should have only the minimum permissions required to perform its business processes
Implement defense in depth: address the same risk with several different control measures
Handle exceptions securely: handle program exceptions correctly
Deal with uncontrollable third parties: apply safe handling measures for conditions in external systems that cannot be controlled
Segregation of duties: separate the permissions of different management roles
Avoid security by obscurity: the security of critical systems should not depend only on confidentiality
Keep security simple: business logic should be as simple and effective as possible
Fix security issues correctly: identify the root cause of the problem, fix it thoroughly, and verify with a security test

Threat modeling tools:

SeaSponge: an open source web threat modeling tool from Mozilla; a web threat model can be built conveniently in the browser.
Threat Dragon: a free, open source threat modeling tool from OWASP.
Microsoft Threat Modeling Tool: a free threat modeling tool from Microsoft.

Third-party security assessment:

Google's open source VSAQ (Vendor Security Assessment Questionnaire) can be used as the evaluation tool.

Security training:

Security training is a long-term task and should begin as soon as an employee joins the company.

1.2 Coding stage

The main tasks of the coding stage are:

1. Establish secure coding standards
2. Static source code security analysis
3. Open source component security scanning (OSS)
4. Security filter libraries and middleware
5. Secure compilation checks

References to the published secure coding specifications:

OWASP Secure Coding Practice

IDE code inspection plug-ins:

Java coding standards: the P3C IDE plug-ins
Java vulnerability detection: FindBugs and its successor SpotBugs (IDE plug-ins)
.NET vulnerability detection: the Puma Scan plug-ins
C/C++: cppcheck

Open source component security scanning (OSS) tools:

Commercial OSS product: BlackDuck
Open source license compliance inspection: FOSSology
Open source component vulnerability inspection: Dependency-Check (can be combined with Maven or Jenkins)
Component vulnerability detection: Snyk (scans vulnerabilities in Node.js npm, Ruby and Java dependencies)
The most comprehensive set of security checks comes from SourceClear: EFDA

Security filter libraries and middleware:

Common Java security filter library: ESAPI
Node.js web security filter library: egg-security
Browser-side filter library: DOMPurify

Secure compilation checks:

In the Visual Studio compiler options, /GS enables buffer overflow checks and /guard:cf enables control flow guard.
iOS app security compiler options are -fobjc-arc, -fstack-protector-all and -pie.
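A build-gate check that the produced binary actually carries the hardening the options above are meant to provide, as an added example in Python (not code from the original post). It assumes an ELF output, reads PIE from the ELF header, and uses a string scan for __stack_chk_fail as a heuristic for -fstack-protector*; the constructed fake header stands in for a real binary.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # ELF e_type values: fixed-address executable vs. position-independent


def check_elf_hardening(data: bytes) -> dict:
    """Report hardening properties of an ELF image.

    pie: e_type is ET_DYN, i.e. the executable was linked with -pie.
    stack_protector: the image references __stack_chk_fail, the canary-check
    routine the compiler emits under -fstack-protector* (a string scan is used
    here as a heuristic in place of walking the dynamic symbol table).
    """
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]          # 2 = ELF64, 1 = little-endian
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {
        "elf64": ei_class == 2,
        "pie": e_type == ET_DYN,
        "stack_protector": b"__stack_chk_fail" in data,
    }


def missing_hardening(report: dict) -> list:
    """Names of the required properties a release gate would reject on."""
    return [k for k in ("pie", "stack_protector") if not report[k]]


def build_fake_elf(e_type: int, with_canary: bool) -> bytes:
    """Constructed minimal ELF64 little-endian image for offline testing; not a real binary."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9    # class, data encoding, version, padding
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    body = b"\x00__stack_chk_fail\x00" if with_canary else b"\x00main\x00"
    return ident + rest + body


if __name__ == "__main__":
    # With a path argument, inspect a real build output; otherwise run on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            samples = {sys.argv[1]: f.read()}
    else:
        samples = {"hardened": build_fake_elf(ET_DYN, True), "unhardened": build_fake_elf(ET_EXEC, False)}
    for name, image in samples.items():
        report = check_elf_hardening(image)
        print(name, report, "FAIL" if missing_hardening(report) else "OK", missing_hardening(report))
```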

1.3 Test phase

1.3.1 Automated security testing

Automated security testing includes static application security testing (SAST), dynamic application security testing (DAST) and interactive application security testing (IAST).

Static application security testing

That is, white-box testing of the application.

Commercial products: Fortify, QiAnXin Code Security Guard
Open source PHP source code vulnerability scanners: RIPS, progpilot
Combined security scanning for Python, Ruby and Go: huskyCI
Java security scanning tools: SpotBugs and its related plug-ins fb-contrib and find-sec-bugs
Security scanning tool for C/C++: flawfinder
Comprehensive security scanning tool supporting multiple languages: Infer
Comprehensive platform for static application security testing: SonarQube

Dynamic application security testing

That is, black-box testing of the application.

Commercial products: AWVS, AppScan, NSFOCUS vulnerability scanner
Open source product: Arachni
Automated testing of REST APIs: Astra
Security testing of web services: WSSAT
Open source DAST product for Android: Qark

Interactive application security testing

IAST instruments the running application to find security vulnerabilities from inside it.

Commercial products: Synopsys Seeker, Veracode, CxIAST
Open source products for PHP: PHP taint, PHP Aspis
Open source product for Java: security_taint_propagation

1.3.2 Manual security testing

Code auditing and fuzzing

Manual code audits: OWASP Code Review Guide
Commonly used protocol fuzzing tool: Peach Fuzzer (black-box testing of a variety of file formats and protocols)
Sanitizers used during fuzzing to expose binary-level vulnerabilities: ASan, TSan, MSan, UBSan
Open source fuzz testing platform: OSS-Fuzz

Web security testing

Web security testing: OWASP Testing Guide
Main tools used: Burp Suite, Fiddler

Mobile security testing

Mobile security testing: OWASP Mobile Security Testing Guide
Open source product: MobSF
Android manual testing tools: Drozer, AppUse, Xposed, Frida
iOS manual testing tools: needle, iOSSecAudit

1.4 Deployment stage

The deployment stage mainly ensures that the developed product can be released securely. Related work includes certificate and key management, security configuration hardening, operations auditing and penetration testing. Internet companies should establish a secure and controllable release platform so that configuration is automated and every release is trustworthy and auditable.

Certificate and key management:

The key management system (KMS) is mainly responsible for the secure storage, issuance and revocation of API private keys, cloud IAM/STS credentials, database passwords, X.509 certificates, SSH certificates, application signing certificates, encrypted communication keys and so on. Leakage of these credentials bears directly on the company's data security.

Open source KMS product: Vault

Operations auditing:

Mainly ensures that the release process is controllable and securely audited. Technologies supporting operations auditing include the DMS database management system, the bastion host and so on.

A DMS database management system can take responsibility for an Internet company's unified data management, authentication and authorization, security auditing, data trends, data tracking, BI charts and performance optimization. Open source product supporting MySQL: Yearning

A bastion host records and tracks operations and maintenance activity and provides fine-grained, centralized access control for host access, while reducing the exposure of critical business hosts to the outside. Open source bastion host products: JumpServer, Guacamole

Penetration testing:

Ensuring the security of the business after it goes live, through comprehensive penetration testing of the business, system and network, is a long-term and continuous process.

2. Corporate office security

Office security has always been a weak link in information security. Common threats include data leakage, malicious insiders, APT attacks, viruses and worms. Compared with online business security, internal office security is more complicated; for example, there are scenarios such as mobile office and BYOD.

2.1 Personnel management

Before employees start work, the company should conduct background checks, and after they join it should conduct security awareness training. R&D positions should additionally receive dedicated secure development training, with stricter examinations.

Promote a corporate security culture and regularly organize activities such as security weeks and security months. The handling of security violations and the security approval process should be incorporated into the process system, and the necessary penalties and KPI assessment system should be formulated. In addition, security audits should be conducted on all kinds of office activities, and compliance audits should be conducted on the company's internal environment and external business services to meet the requirements of laws and industry regulations.

2.2 Terminal equipment

Enterprises should deploy centrally managed AV anti-virus software and EDR endpoint detection and response products to resist viruses and APT attacks. Open source EDR products are Facebook's osquery and Mozilla's MIG.

Important business departments should deploy DLP data leakage prevention and DRM data rights management products to prevent the leakage of key enterprise assets (such as data, code, and documents).

Working from mobile devices is now common, so mobile office products should also be hardened. Common mobile terminal security products include MDM mobile device management and MAM mobile application management: commercial products such as IBM MaaS360 and SAP Mobile Secure, and open source products such as flyve-mdm.

Broadly defined terminal equipment also includes access control systems, printing and fax systems, telephone conference systems, video surveillance systems, Wi-Fi routing systems, etc. Security solutions should also be considered for these devices.

Finally, the UEBA (user and entity behavior analytics) capability of SIEM products (such as Splunk) can be used to discover anomalous security behavior, whether caused by a user's own actions or by account theft and takeover of the terminal.
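A minimal illustration of the UEBA idea described above, as an added example in Python (not the post's own code or any SIEM vendor's logic): each user's login history forms a baseline of countries and hours, and new events are flagged when they fall outside it or imply impossible travel. The login events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample SSO login events (user, ISO timestamp, source country); not from the original post.
HISTORY = [
    ("alice", "2024-03-04T09:05:00", "CN"),
    ("alice", "2024-03-05T08:55:00", "CN"),
    ("alice", "2024-03-06T18:20:00", "CN"),
    ("bob", "2024-03-04T10:00:00", "CN"),
    ("bob", "2024-03-05T14:30:00", "SG"),
]
RECENT = [
    ("alice", "2024-03-07T03:10:00", "CN"),  # far outside alice's usual login hours
    ("bob", "2024-03-07T11:00:00", "CN"),
    ("bob", "2024-03-07T11:40:00", "US"),    # new country, and only 40 minutes after a CN login
    ("carol", "2024-03-07T12:00:00", "CN"),  # no baseline yet: nothing to compare against
]


def build_profiles(events):
    """Per-user baseline: countries seen and hours of day at which logins occurred."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country in events:
        profiles[user]["countries"].add(country)
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return dict(profiles)


def detect_anomalies(profiles, events, travel_window_hours=2, hour_slack=2):
    """Return (user, rule) pairs for events that deviate from the user's baseline."""
    alerts = []
    last_seen = {}   # user -> (time, country) of the previous event in this batch
    for user, ts, country in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        prof = profiles.get(user)
        if prof is not None:
            if country not in prof["countries"]:
                alerts.append((user, "new_country"))
            lo, hi = min(prof["hours"]) - hour_slack, max(prof["hours"]) + hour_slack
            if not lo <= when.hour <= hi:
                alerts.append((user, "off_hours"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and (when - prev[0]).total_seconds() <= travel_window_hours * 3600:
            alerts.append((user, "impossible_travel"))
        last_seen[user] = (when, country)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_profiles(HISTORY), RECENT):
        print(alert)
```

A production UEBA system replaces these fixed thresholds with statistical baselines per user and peer group, but the structure (learn a profile, score deviations) is the same.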

2.3 Office services

Office services are the company's internal office support platforms, such as corporate email, corporate network drives, CRM, ERP, OA, HR and BOSS systems, as well as R&D support platforms.

Penetration testing is an effective way to check the security of office services. Through penetration testing, the various weak points in the corporate office network can be discovered, so that the company's own security can be continuously improved.

Source: blog.csdn.net/wutianxu123/article/details/104419283