01
-
Writing background
I remember being asked about SDL in an interview: I recited the process with a little explanation, and the interviewer's disdain is still fresh in my memory. At that time I was on a Party B (vendor-side) security services technical team and had no practical experience with SDL, which Party A (client-side) companies praised highly but few actually implemented and completed. Later I found a lot of relevant material online, but most of it was theoretical guidance without flesh and blood, and few real cases had landed. Later still, I took the initiative to contact the original interviewers and asked how their company carried out SDL. The reply was: few companies have actually landed this thing, and those that have are all first-tier and second-tier Internet companies; the papers out there are too metaphysical and leave no room for landing, though some concepts can be referred to and they are fine for bragging to the leaders.
Today my work has shifted from application security to basic security (infrastructure security). After nearly a year of evolution, the landed version of our company's SDL has taken rudimentary shape, and each link has been basically connected and is running stably. The experiences and lessons gathered during this period are very valuable, so I plan to write this series of articles, which may offer some reference and food for thought to peers and friends at a time when SDL case studies are scarce. As this is an initial practice, there are bound to be shortcomings or even mistakes; corrections and discussion are warmly welcome.
02
-
General situation of SDL
The Security Development Lifecycle (SDL) is a management model proposed by Microsoft to guide the software development process from a security perspective. It adds necessary security activities to each stage of the traditional software development life cycle; the security activities performed differ from stage to stage, and even when each activity is executed on its own it still improves software security to some degree.
Anyone doing application security will inevitably touch one or several links in SDL. Whether it is necessary to connect all the links, or to fill in the missing ones, is almost entirely determined by the current working state (workload, work plan) and the form of the business (whether business iterations are frequent, and whether the security checks will significantly affect the business after the change).
03
-
SDL process
The core idea of SDL is to integrate security considerations into every stage of software development: requirements analysis, design, coding, testing and maintenance. To reduce the number of vulnerabilities in software and minimize security defects, corresponding security activities are added at every stage from requirements and design through to product release. Microsoft's process is:
04
-
SDL process in my eyes
Combined with our actual situation and resources, it can be divided into the following seven parts:
This practice is based on the initial experience of the author and his security team in learning and implementing SDL. It serves a company in the logistics industry that is transforming from traditional business toward the Internet; it also faces a late start in security, a small security team, and weak secure development capability. Nevertheless, by making use of internal and external resources, the company's internal system projects, the push from security incidents and other factors, all new business systems and the functions of old business systems have basically been changed and implemented in accordance with SDL.