SDL initial practice

Posted by millikan at 2020-03-01



Writing background

I remember that when I was asked about SDL in an interview, I recited the process with a little explanation, and the interviewer's disdain is still fresh in my memory. At that time I was on a Party B security service technical team and had no experience with SDL, which Party A companies praised highly but few actually implemented and completed. Later I found a lot of relevant material on the Internet, but most of it was theoretical guidance without flesh or blood, and few cases had actually landed. Later still, I took the initiative to contact the original interviewers and asked them how their company carried out SDL. The reply was: few companies actually land this thing; only first-line and second-line Internet companies play with it; the articles out there are too metaphysical and leave no room for landing; some concepts can be referred to, and it is fine for bragging to the leaders.

Today, the direction of my work has shifted from application security to basic security. After nearly a year of evolution, the landed version of SDL in the company has taken rudimentary shape, and each link has been basically connected and is running stably. The various experiences and lessons from this period are valuable, so I plan to write this series of articles, which may offer a little reference and food for thought to peers and friends at a time when SDL case studies are scarce. As this is an initial practice, there are bound to be shortcomings or even mistakes; corrections and discussion are warmly welcome.



Overview of SDL

The Security Development Lifecycle (SDL) is a management model proposed by Microsoft that guides the software development process from a security perspective. In each stage of the traditional software development life cycle, necessary security activities are added. The security activities performed at different stages of development differ, and even if each activity is carried out in isolation, it can still play a certain role in software security.

As long as we do application security, we will certainly touch one or several links in SDL. Whether it is necessary to connect all the links, or to fill in a missing link, is largely determined by the current working state (workload, work plan) and the business form (whether business iteration is frequent, and whether security checks will noticeably affect the business after the change).



SDL process

The core idea of SDL is to integrate security considerations into every stage of software development: requirements analysis, design, coding, testing and maintenance. To reduce the number of vulnerabilities in software and minimize security defects, corresponding security activities are added at every stage from requirements and design through to product release. Microsoft's process is as follows:



SDL process in my eyes

Combined with the actual situation and available resources, it can be divided into the following seven parts:

This practice is based on the initial learning and implementation by the author and his security team. It serves a company in the logistics industry that is undergoing an Internet transformation from a traditional business, and it faces a late start in security, a small security team and weak security development ability. However, by virtue of internal and external resources, the company's internal system projects, security incident promotion and other factors, basically all new business systems and function changes to old business systems have been implemented in accordance with SDL.
