The War Is Not Over: It's Time to Shift Your Security Mindset

During the first six months of 2019, more than 3,800 breaches were reported — which represents a 50% increase over the last 4 years according to the midyear Risk Based Security report. This number boggles the mind and it is showing no signs of slowing down.


Over the course of the last year — and beyond — one thing has become clear: almost every piece of software has its own weaknesses. Some of the most recent well-known critical vulnerabilities that I think are worth mentioning are:


1. WhatsApp Remote Code Execution — a vulnerable open-source GIF parsing library used by WhatsApp, with a double-free memory corruption bug


2. Google Chrome audio component memory corruption — a “use after free” security bug was detected. As a result, Google had to distribute a patch to billions of users within a day


3. XSS exploitation on Outlook for Android — this bug allows an attacker to take over a victim’s device


All these security issues could have been mitigated with the right attention during the development lifecycle. Embedding security into software from the start is the best way to protect against malicious attacks — but it also means that R&D managers share in the responsibility for security efforts.


In this post I will discuss the importance behind having a security mindset and how to embed it into the culture of an R&D team.


The Role of the R&D Teams

R&D managers are required by their organizations to invest in more security related efforts and to show a trend of improvement.


A reactive approach is not so complicated to achieve: we must provide an appropriate response to any cyber-attack, pen-test scan report, vulnerability announcement for libraries or components we’ve used, and so on. It is much harder to adopt a proactive approach, which requires us to eliminate security issues before they even have a chance to appear.


On one hand, our responsibility as R&D managers in this matter is to provide a mitigation once a vulnerability has been detected. Although not every security issue requires immediate action, each one does need our attention in analyzing its severity. On the other hand, you have your responsibility to the product and R&D commitments, which means that you aim to keep the teams working according to plan without any urgent interruptions.


Why Should You Care About It?

Over my career, I’ve taken part in handling suspected security defects in various products, including third-party libraries. It gave me a chance to get acquainted with the issues and the ways to mitigate them. A security vulnerability in a product can be tantamount to a natural disaster — having a vast impact on the company and on the development lifecycle. The effort of fixing defects, as discussed in exponential-cost-of-fixing-bugs, increases exponentially with time through the phases of the development workflow:


[Image: cost of fixing a defect across the phases of the development workflow]

Loss of trust, brand reputation and revenue losses are part of the long-term consequences. In the short term, it influences the product roadmap, delivery prioritizations, teams’ focus, engineering quality, and more.


Adopting new security methodologies and techniques will help you maximize your product quality, leverage best practices and create a more efficient development process. Focusing on security matters during the design phase often results in:


· Better architectural decisions


· Best practice infrastructure implementations


· Better application layers and separation of concerns


· Automation coverage improvement


[Image: Security attention during the development process]

Creating a Security First Culture

Now that you have the motivation to make progress, you probably understand that a security mindset is an approach that must be embedded in your R&D culture, and that you have a significant influence on it.


If your R&D team doesn’t have much security experience, it may be a long path to success — but, trust me, it’s worth it. Here are some examples of how you can reach a more secure development process:


1. Promote Knowledge Sharing. Agile or not, knowledge sharing among R&D teams, which helps to increase productivity and efficiency, is a great platform for changing your team’s way of thinking during the daily effort. The knowledge can be shared by a security persona, or even by any team member. A team demo, for example, might be a very good place for sharing this knowledge.


2. Create a Hands-on Environment. Ensure all team members are taking part in security bug fixes or any other security incidents.


3. Test. Test. Test. Using ATDD/TDD security test cases will increase the developers’ attention during the implementation phase. For example, once the team is familiar with the concept of ‘Deserialization of Untrusted Data’ or XSS (all flavors) vulnerabilities, they will pay attention to this area.


4. Use Static and Dynamic Code Analysis Tools. Use security analysis tools as part of your CI/CD. It will keep the teams updated with their product security level, and you will be able to have confidence in not introducing new issues.


5. Keep Investing in Security Efforts. Never say I’ve done enough — manage this effort continuously. This will increase the team’s sense of urgency and will improve their expertise.


6. Implement Security Training. It could be lecture-style sessions or hands-on training. This training can be presented by a security expert or by any team member.


7. Assign a “Security Champion”. Any team member with ambition and an interest in security matters can lead and facilitate security-related events in the team.

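As an added example of the ATDD/TDD security test cases item 3 describes (this is not code from the original post or from the author’s team): a hypothetical comment-rendering function shown both without output encoding and in its hardened form, plus a small check that verifies XSS probe strings never reach the HTML fragment unencoded.

```python
import html

# Hypothetical application code under test. The weak version pastes untrusted
# input straight into markup; the hardened version encodes for the HTML text
# and double-quoted attribute contexts it writes into.
def render_comment_unsafe(author: str, body: str) -> str:
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'

def render_comment(author: str, body: str) -> str:
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_body}</p></div>'

# Constructed probe inputs: the characters XSS relies on in the two contexts
# the template exposes (a text node and an attribute value).
XSS_PROBES = [
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
    "' onmouseover='alert(1)",
    '</p><script>alert(1)</script><p>',
]

def is_fully_encoded(fragment: str) -> bool:
    """Only the template's own markup may contribute structural characters:
    <div ...>, <p>, </p>, </div> give exactly 4 '<', the two attributes give
    exactly 4 '"', and no raw single quote may appear at all."""
    return (fragment.count('<') == 4
            and fragment.count('"') == 4
            and "'" not in fragment)

def run_security_tests(render) -> dict:
    """ATDD-style acceptance check: each probe is placed in both the author
    and the body slot; True means the renderer kept it inert in both."""
    results = {}
    for probe in XSS_PROBES:
        results[probe] = (is_fully_encoded(render("alice", probe))
                          and is_fully_encoded(render(probe, "hello")))
    return results

if __name__ == "__main__":
    for name, fn in (("unsafe", render_comment_unsafe), ("hardened", render_comment)):
        verdict = "PASS" if all(run_security_tests(fn).values()) else "FAIL"
        print(f"{name}: {verdict}")
```

Writing the probes and the check before the hardened renderer exists is the point: the red test is what keeps the encoding requirement visible while the feature is implemented.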

[Image: Pave the way to a safer world]

If you’re still pushing your way into secure application development, it might be challenging to engage peers or stakeholders in any special efforts related to security concerns. As with any new cultural paradigm, it may require convincing other colleagues of your agenda. But leveraging the above measures, while delivering increased security and product quality as well, will help pave the way to a safer world.


The war will never be over, but you can significantly minimize your casualty rate by leading a proactive approach and encouraging a security mindset on a daily basis.


Translated from: https://medium.com/cyberark-engineering/the-war-is-not-over-its-time-to-shift-your-security-mindset-b88af36e88a9
