SDL initial practice

Posted by lipsius at 2020-03-23

SDL can be seen as defense in depth for software security. By the testing stage the software architecture and design are finalized, the third-party open-source components that are referenced can hardly be changed any more, and the security bugs that slipped through the earlier stages get their last chance at detection before release.



Security goals

In my early practice, SDL evolved the way it does at many companies: it started from security testing alone, moved security earlier step by step, and kept the gate set before the system is released and launched. What changed is the content of the gate check: the results of the security design checklist, static code scanning, web vulnerability scanning and manual security testing are all included, and in principle a release goes online only when every item passes.



Security activities

In the testing phase, security activities mainly consist of security report acceptance, manual security testing and vulnerability verification.

1) Report acceptance

The business side is required to attach the security design checklist self-inspection report, the static code scanning report and the web vulnerability scanning report to the security testing work order. The security tester checks them, and only once they pass does manual security testing start. The standard for each item is as follows:

Development stage | Security activity                | Report                                           | Security standard
design phase      | Security design self-inspection  | Security design checklist self-inspection report | No nonconformities
Coding phase      | Static code scanning             | Static code scan report                          | No high-risk vulnerabilities of the defined types
Testing phase     | Web vulnerability scanning       | Web vulnerability scan report                    | No high- or medium-risk vulnerabilities
Testing phase     | Manual security testing          | -                                                | No high- or medium-risk vulnerabilities

It is worth noting that a spot-check and re-test mechanism should be set up to prevent the business side from, intentionally or not, providing reports that do not match reality, both in the scope of the security activities actually carried out and in their results.
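The gate in the table above and the spot check described here, as an added example that is not part of the original post. The report format, the `GATE_RULES` mapping and the module-based scope are constructed assumptions; real reports are scanner exports, but the decision logic is the same.

```python
import random
from dataclasses import dataclass, field

# Acceptance standard per report, taken from the table: severities that block release.
GATE_RULES = {
    "design_checklist": {"nonconformity"},   # design phase: no nonconformities
    "static_scan":      {"high"},            # coding phase: no high-risk findings
    "web_scan":         {"high", "medium"},  # testing phase: no high/medium
    "manual_test":      {"high", "medium"},  # testing phase: no high/medium
}

@dataclass
class Report:
    kind: str                 # one of the GATE_RULES keys
    findings: list            # (finding_id, severity) pairs claimed by the report
    scope: set = field(default_factory=set)  # modules the report claims to cover

def evaluate_gate(reports, required_scope):
    """Return (passed, reasons). Every report must be present, cover the
    declared scope of the work order, and contain no blocking finding."""
    reasons = []
    by_kind = {r.kind: r for r in reports}
    for kind, blocking in GATE_RULES.items():
        report = by_kind.get(kind)
        if report is None:
            reasons.append(f"{kind}: report missing")
            continue
        uncovered = required_scope - report.scope
        if uncovered:
            reasons.append(f"{kind}: scope not covered: {sorted(uncovered)}")
        for fid, sev in report.findings:
            if sev in blocking:
                reasons.append(f"{kind}: {fid} is {sev}")
    return not reasons, reasons

def sample_for_retest(required_scope, fraction=0.2, seed=None):
    """Spot check: pick a random subset of the in-scope modules to re-scan."""
    modules = sorted(required_scope)
    k = max(1, round(len(modules) * fraction))
    return sorted(random.Random(seed).sample(modules, k))

def spot_check(report, rerun_findings):
    """Compare a re-run on the sampled modules with what the report claims.
    Blocking findings the re-run sees but the report omits are discrepancies."""
    claimed = {fid for fid, _ in report.findings}
    return sorted(fid for fid, sev in rerun_findings
                  if fid not in claimed and sev in GATE_RULES[report.kind])
```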

2) Manual testing

Once all security reports have been accepted, manual security testing begins. Until acceptance and security testing are automated, this activity tends to be the most stressful part of the whole process and its main bottleneck. As far as I know, some companies carry out manual security testing selectively; some run targeted tests for specific common problems, for instance testing only for broken access control (unauthorized access); and some conduct comprehensive manual testing by throwing people at it, for example by bringing in large numbers of outsourced testers when there is no headcount to hire.

3) Vulnerability verification

Manual security testing serves to raise the security quality of the software further and to find the vulnerabilities left behind by the earlier stages, including but not limited to: broken access control (unauthorized access), security misconfiguration, APIs returning more sensitive information than needed, replay attacks in important business scenarios, and the more common hidden web vulnerabilities. Just as important, though, is driving the fix: re-verify each vulnerability until the repair loop is closed.



Security practice

1) Security test information

Consistent test environment: the system under test should be the same as the production environment. This is the basis for the quality of the security test, but it is often hard to achieve.

Accessible test environment: it is also common that security testers cannot reach the environment for a while because of network ACL restrictions and similar factors. Security testing time spent on environment preparation is time wasted.

Test accounts provided: the system under test usually has accounts with different permission levels. If the business side does not provide all of them, common security bugs such as broken access control, SQL injection and information disclosure may be missed.

Test scope determined: state whether the security test is full or incremental. If it is incremental, listing the new function points is crucial; it speeds up the security test while still ensuring a certain level of security quality.

To handle the various problems that come up with the test information, we can standardize the requirements for filling it in, check the handling flow of the information, and assign a dedicated person to proofread it (outsourced staff or interns who have just started).

2) Security testing approach

Security test cases: before security testing is automated, it is necessary to build up a security test case library with our company's own characteristics that consolidates the testing skills of the team. First, it partly compensates for the uneven quality of security testing caused by the differing skill levels of team members, and later it provides high-hit-rate rules for the automation effort; second, it gives newcomers a quick start and helps them grow into competent security testers; finally, it can be handed to the QA team, enabling them to take pressure off the security team.
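One such test case, written against the two bugs the post names most often (broken access control and APIs returning too much sensitive data) and needing the multi-permission test accounts from the test information section. This is an added example, not from the original post: the order store, the two handlers and the session accounts are constructed stand-ins for a real API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:      # a test account as the business side should provide it
    user: str
    role: str       # "user" or "admin"

# Constructed sample data: every order belongs to one user and carries a card number.
ORDERS = {
    1001: {"id": 1001, "owner": "alice", "total": 42, "card_number": "4111111111111111"},
    1002: {"id": 1002, "owner": "bob",   "total": 17, "card_number": "5500000000000004"},
}
SENSITIVE_FIELDS = {"card_number"}   # must never appear in an API response

def get_order_vulnerable(session, order_id):
    """Looks the order up by id only: any logged-in user can read any order,
    and the full record, card number included, is returned."""
    order = ORDERS.get(order_id)
    return (200, dict(order)) if order else (404, {})

def get_order_fixed(session, order_id):
    """Object-level authorization plus a response allow-list."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {}
    if session.role != "admin" and order["owner"] != session.user:
        return 403, {}
    return 200, {k: v for k, v in order.items() if k not in SENSITIVE_FIELDS}

def run_access_control_case(handler, sessions):
    """Test case: every session requests every order. A non-admin reading
    another user's order, or any response carrying a sensitive field, fails."""
    failures = []
    for s in sessions:
        for oid, order in ORDERS.items():
            status, body = handler(s, oid)
            foreign = s.role != "admin" and order["owner"] != s.user
            if foreign and status == 200:
                failures.append(f"{s.user} read order {oid} owned by {order['owner']}")
            leaked = SENSITIVE_FIELDS & set(body)
            if status == 200 and leaked:
                failures.append(f"{s.user}: order {oid} returned {sorted(leaked)}")
    return failures

# Accounts at every permission level; with only one the foreign-read check cannot run.
SESSIONS = [Session("alice", "user"), Session("bob", "user"), Session("root", "admin")]
```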

Security testing tools: passive testing tools are increasingly popular within the team, especially in the face of a heavy multi-work-order load. Integrating highly targeted plug-ins into Burp Suite for passive scanning is a simple and efficient method.

Security testing methodology: a standard security testing process by itself can neither push team members to perform standard work nor make up for differences in their abilities. Automated security testing may be the best solution to both problems.

Finding and fixing vulnerabilities involves both security staff and the business side, and what connects the two is the vulnerability management process together with the state transitions of each vulnerability. The former needs a process management system such as JIRA to support it; the latter needs customized vulnerability states and actions triggered by state changes. The end goal of the whole chain is to get vulnerabilities fixed in time.
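The state transitions and change-triggered actions described here, and the "re-verify until closed" loop from the vulnerability verification section, as an added example that is not part of the original post. The state names, the role-to-action mapping and the notification hooks are constructed assumptions of the kind a team would configure in its tracker.

```python
# Constructed workflow: the states and transitions a team would customize in
# its tracker (JIRA or similar). (from_state, action) -> to_state.
TRANSITIONS = {
    ("new", "confirm"):       "confirmed",   # security confirms the report
    ("new", "reject"):        "rejected",    # false positive / accepted risk
    ("confirmed", "fix"):     "fixed",       # business side claims it is fixed
    ("fixed", "verify_pass"): "closed",      # security re-test passes: loop closed
    ("fixed", "verify_fail"): "reopened",    # re-test fails: back to business side
    ("reopened", "fix"):      "fixed",
}
# Who may trigger each action; this keeps the business side from closing its own bugs.
ACTOR_FOR = {"confirm": "security", "reject": "security", "verify_pass": "security",
             "verify_fail": "security", "fix": "business"}
# Actions fired on entering a state (the "trigger on state change" of the process).
ON_ENTER = {
    "confirmed": "notify business owner; start fix SLA",
    "fixed":     "assign to security for re-verification",
    "reopened":  "notify business owner; escalate",
    "closed":    "stop SLA clock",
}

class Vulnerability:
    def __init__(self, vid, severity):
        self.vid, self.severity = vid, severity
        self.state, self.reopens, self.log = "new", 0, []

    def apply(self, action, actor_role):
        """Move the ticket along one transition, or refuse it."""
        if ACTOR_FOR.get(action) != actor_role:
            raise PermissionError(f"{actor_role} may not {action} {self.vid}")
        nxt = TRANSITIONS.get((self.state, action))
        if nxt is None:
            raise ValueError(f"{self.vid}: cannot {action} from state {self.state}")
        self.state = nxt
        if nxt == "reopened":
            self.reopens += 1
        self.log.append((action, nxt, ON_ENTER.get(nxt, "")))
        return nxt

    def closed_loop(self):
        return self.state == "closed"

def open_by_severity(vulns):
    """What the security side chases: unclosed tickets grouped by severity."""
    out = {}
    for v in vulns:
        if v.state not in ("closed", "rejected"):
            out.setdefault(v.severity, []).append(v.vid)
    return out
```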



Security test training (excerpt)

I think QA testers are the people who can most easily take up security testing: their basic skills and knowledge are similar, and only a change of mindset is needed to make the transition. Below are a few pages of training material for the test team, along with a brief syllabus:

[Training slides shown as images; the screenshot table in the figure is from the Internet]



Continuous optimization

Whatever the technology, security test automation is the industry's goal: it detects vulnerabilities effectively with less human effort. Before full automation, however, there are semi-automation and standardization options. Security testing carried out quickly with the help of open-source or off-the-shelf tools often gives good results.



Security recruitment

Base: Beijing

Requirements: some SDL experience, and a wish to study and build up expertise in this direction

Contact: feel free to message me on WeChat for details



Security communication

Please add me with the note: name, company, SDL

Please note: only SDL-related topics are discussed and only SDL-related materials are shared

Freeloaders, flamers, spammers and those who join only to "learn" by lurking will be refused
