Digital transformation without security considerations is a false proposition

Table of contents

Software: an important driving force for digitalization and the digital economy

Security: the lifeline of software

The strange state of software security

Security incidents are becoming more frequent

The security situation is becoming more severe

Security regulation is getting stricter

Many misconceptions about security remain

The breakthrough for software security: DevSecOps

Shift security left

Continuous automation

Security is everyone's responsibility

A guide to implementing DevSecOps

Simplify the complex, unify the methods: Jihu GitLab DevSecOps


"Promote the development of the digital economy. Strengthen the overall layout of the Digital China initiative. Build digital information infrastructure, promote the large-scale application of 5G, advance the digital transformation of industries, and develop smart cities and digital villages. Accelerate the development of the Industrial Internet, cultivate and expand digital industries such as integrated circuits and artificial intelligence, and enhance the innovation and supply capabilities of key software and hardware technologies. Improve the governance of the digital economy, unleash the potential of data as a factor of production, better empower economic development, and enrich people's lives."

——Excerpt from the 2022 "Government Work Report"

The digital economy, with digitalization as its main lever, has grown into a major economic form and has been included in the Government Work Report for many years running. The 2022 Government Work Report mentioned it once again. This alone shows the important role software plays in driving the digital transformation of enterprises and accelerating the development of the digital economy.

Software: an important driving force for digitalization and the digital economy

Some data show that for every 1% increase in the output value of China's software industry, the output value of the digital economy increases by 0.511241%, which indicates that the development of China's software industry has a significant effect on the growth of the digital economy. Accordingly, the "14th Five-Year" Digital Economy Development Plan issued by the State Council sets the growth of the software and information technology service industry as the main indicator of digital economy development during the 14th Five-Year Plan period, and states explicitly that the scale of the software and information technology service industry is to grow from 8.16 trillion yuan in 2020 to 14 trillion yuan in 2025. The security capability of software will be a strong guarantee for the rapid development of the digital economy, and security will be an important lifeline of software.

Security: the lifeline of software

Security incidents cause enterprises losses of many kinds. The most direct are economic: paying ransoms to extortionists, paying fines imposed by regulators, and so on. Indirect losses such as legal exposure and damage to the brand easily lead to customer churn and shrinking market share, which ultimately turn into economic losses as well. In short, security is money.

  • In 2021, CNA Financial, one of the largest insurance companies in the United States, paid $40 million to a ransomware group after its IT systems were attacked;

  • In December 2021, a security vulnerability in Walmart's network systems was not dealt with in a timely manner. The Futian Branch of the Shenzhen Municipal Public Security Bureau, among others, issued Walmart (China) Investment Co., Ltd. an administrative penalty in the form of a warning under the relevant regulations and ordered it to make corrections;

  • The SolarWinds supply chain attack of 2020 affected many high-profile customers and severely damaged the reputation of the company itself.

In the digital age, data is the core asset. Software is what generates, analyzes and mines data, and finally turns data into value. Software security therefore directly affects data security, and insecure data leads directly to major economic losses. According to IBM's Cost of a Data Breach Report, data breaches occur in every industry, and enterprises bear losses of millions of dollars because of them.

Image source: IBM Cost of a Data Breach Report

The strange state of software security

Security incidents are becoming more frequent

  • In March 2022, Samsung Electronics was attacked by hackers, resulting in the leak of a large amount of confidential information;

  • In February 2022, Nvidia discovered that it had been hacked, resulting in the theft of important information;

  • At the end of 2021, the log4j vulnerability spread across the whole world, and it is still being exploited today;

  • The 2020 SolarWinds software supply chain incident affected many major vendors, including Cisco and Intel.

The security situation is becoming more severe

The rapid rise of open source and the COVID-19 pandemic that is still with us today mean the software security situation remains far from optimistic:

  • Sonatype's State of the Software Supply Chain 2021 report shows a 650% increase in attacks targeting open source supply chains;

  • The Anchore 2021 Software Supply Chain Security Report shows that 64% of enterprises suffered a software supply chain attack in the past year;

  • The 2021 Open Source Security and Risk Analysis Report released by Synopsys shows that 84% of the sampled codebases contain at least one vulnerability, with an average of 158 vulnerabilities per codebase;

  • According to the State of DevSecOps report released by Contrast, 79% of respondents said their development environments had an average of 20+ vulnerabilities and their production environments had at least 4.

Security regulation is getting stricter

  • The "troika" of China's data governance legislation, the Data Security Law, the Personal Information Protection Law and the Cybersecurity Law, has come into force and is being enforced;

  • The General Data Protection Regulation (GDPR), which has already fined many international companies, carries real teeth;

  • The United States issued the Executive Order on Improving the Nation's Cybersecurity to strengthen cybersecurity and protect federal government networks.

Many misconceptions about security remain

  • Passing the buck: security is the security team's job;

  • Narrow view: only being hacked or extorted counts as a security issue; everything else (misconfiguration, leaked sensitive information, etc.) is mere carelessness;

  • Trusting to luck: with so much software and so many developers in the world, why would an attack target my software? I could never be that unlucky;

  • Short-sightedness: security means hiring people, buying tools and building a system; the cost is high and the benefit is invisible;

  • Blind confidence: in all these years I have never been attacked.

The breakthrough for software security: DevSecOps

DevSecOps expands and extends DevOps with the aim of integrating security into the software development lifecycle so that application security is assured at every stage, and high-quality software is delivered quickly and securely at the same time. DevSecOps has three core elements: shifting security left, continuous automation, and security for everyone.

Shift security left

In traditional software development (typically the waterfall model), security gets involved relatively late, generally in the testing phase of the software development life cycle or even later, which is far "to the right" of the life cycle. This approach was common practice in the industry when software was released only once every six months or even once a year. However, as user needs have become more diverse and agile, release frequency has had to increase to keep up with them, and frequent releases are now very common. Keeping software secure at this release frequency poses a great challenge to software development.

The way to meet this challenge is to get security involved early, in the coding and even the planning stage (for example through threat modeling), which forms the security "shift left". Left and right refer to the software development life cycle: the further left, the closer to the development side.

Behind the left shift is the logic of the relationship between the cost of fixing security issues and the life cycle of software development:

As the chart shows, in the early stages of the software development life cycle (planning and coding) the cost of fixing a security issue is very low, but it rises sharply once the software reaches production. The ultimate goal of shifting security left is therefore to detect security issues as early as possible in development, so that remediation can happen quickly and at lower cost. This is similar to the early detection, early isolation and early treatment of the COVID-19 pandemic.

Continuous automation

There are many security testing methods (SCA, SAST, DAST, etc.) covering the entire software development life cycle. Running these security measures in an automated manner has two advantages:

  • First, it reduces the workload of R&D, testing and other personnel, cuts repetitive manual labor, and lets them focus on business innovation;

  • Second, continuous automation provides comprehensive security protection for every code change, so that every code change can be delivered securely.

The most common approach is to integrate security testing into the CI/CD pipeline.

Security is everyone's responsibility

Patrick Debois proposed DevOps in 2009. The conventional understanding is that it combines Dev and Ops, but at QCon London 2020 it was pointed out that DevOps is not only a matter of development and operations (DevOps beyond Development and Operations): the challenges, risks and bottlenecks of accelerating software delivery can also come from other teams, such as marketing, finance and legal. The same is true for security. DevSecOps is not merely the integration of the Dev, Sec and Ops teams; it means that every team and every individual is responsible for the security of the software, jointly eliminating security risks and ultimately achieving secure and fast delivery.

A guide to implementing DevSecOps

DevSecOps can be implemented following the "PPT" model: People, Process and Tools:

  • People: put people first. People are the most critical and core factor of production. "People" here means not only R&D, operations and security staff but everyone involved in software development. On a people-first basis, transform the organizational structure and build the company (team) culture, with the ultimate aim of improving staff efficiency and the working experience;

  • Process: build appropriate processes. Processes should be as standardized, automated and transparent as possible, and staff must reach a consensus on them so that everyone follows the same process. For example: which security measures are embedded in CI/CD, the CI/CD pipeline is terminated when a security issue is found, security vulnerability reports are transparent, vulnerability tracking is visualized, and the standard for fixing vulnerabilities is clearly defined;

  • Tools: choose the right tools. Tools are the ultimate support for DevSecOps practice. There are many security tools, open source and commercial, for each development stage. No single tool solves every security problem; comprehensive security assurance is usually a combination of several tool chains. It is very important to choose tools that integrate seamlessly with the existing R&D process, are convenient for R&D staff to use, and support smooth collaboration between departments.
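The "Process" point above (terminate the pipeline on a security issue, make reports transparent, define a repair standard) and the earlier point about integrating security testing into the CI/CD pipeline can be made concrete with a small gate job. The script below is an added example, not code from the page or from GitLab: it reads the JSON reports that scanner jobs emit as artifacts (field names follow the shape of GitLab's security report schema, a `vulnerabilities` list with `severity`, `name`, `scanner` and `location`), merges findings from several scanners into one unified view, and fails the job when anything at or above an assumed repair standard of High remains. The two embedded reports are constructed samples.

```python
import json
from collections import Counter

# Severity levels as used in GitLab security reports, ranked for comparison.
SEVERITY_RANK = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1, "Unknown": 0}

# Constructed sample reports in the shape of gl-sast-report.json and gl-dependency-scanning-report.json.
SAST_REPORT = json.dumps({"version": "15.0.0", "vulnerabilities": [
    {"name": "SQL injection", "severity": "High", "scanner": {"id": "semgrep", "name": "Semgrep"},
     "location": {"file": "app/db.py", "start_line": 42}},
    {"name": "Hard-coded secret", "severity": "Medium", "scanner": {"id": "semgrep", "name": "Semgrep"},
     "location": {"file": "app/config.py", "start_line": 7}}]})
DS_REPORT = json.dumps({"version": "15.0.0", "vulnerabilities": [
    {"name": "Prototype pollution in example-lib", "severity": "Critical",
     "scanner": {"id": "gemnasium", "name": "Gemnasium"},
     "location": {"file": "package-lock.json",
                  "dependency": {"package": {"name": "example-lib"}, "version": "1.2.3"}}}]})


def load_findings(report_text, source):
    """Flatten one scanner's report into the unified record shown to the reviewer."""
    findings = []
    for vuln in json.loads(report_text).get("vulnerabilities", []):
        loc = vuln.get("location", {})
        where = loc.get("file", "?")
        if "start_line" in loc:  # dependency findings carry no line number
            where += f":{loc['start_line']}"
        findings.append({"source": source,
                         "scanner": vuln.get("scanner", {}).get("name", "unknown"),
                         "severity": vuln.get("severity", "Unknown"),
                         "name": vuln.get("name", "(unnamed)"), "where": where})
    return findings


def blocking(findings, threshold="High"):
    """Apply the assumed repair standard: anything at `threshold` or above blocks the merge."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= limit]


def summarize(findings):
    """Count findings per (source, severity) for a single unified summary table."""
    return Counter((f["source"], f["severity"]) for f in findings)


def gate(reports, threshold="High"):
    """Merge all reports; return (exit_code, blocking_findings), exit code 1 fails the pipeline."""
    merged = [f for text, source in reports for f in load_findings(text, source)]
    blocked = blocking(merged, threshold)
    return (1 if blocked else 0), blocked


if __name__ == "__main__":
    code, blocked = gate([(SAST_REPORT, "SAST"), (DS_REPORT, "Dependency Scanning")])
    for f in sorted(blocked, key=lambda f: -SEVERITY_RANK[f["severity"]]):
        print(f"{f['severity']:<8} {f['source']:<20} {f['scanner']:<9} {f['name']} ({f['where']})")
    raise SystemExit(code)
```

In a real pipeline the job would read the artifact files of the preceding scanner jobs instead of the embedded samples; the non-zero exit is what stops the pipeline and keeps the change out of the main branch.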

Simplify the complex, unify the methods: Jihu GitLab DevSecOps

  • All methods in one: one platform, end-to-end security capabilities

Jihu GitLab's DevSecOps functionality covers the entire software life cycle, providing security assurance across the whole process from planning to launch and escorting the software from static code to running system.

  • Convenient and easy to use: out of the box

Jihu GitLab DevSecOps functionality is available out of the box. Users do not need to install or configure third-party tools or learn additional programming languages, so R&D, testing and operations staff can get started quickly.

  • Continuous security: seamless integration with Jihu GitLab CI/CD

It integrates seamlessly with Jihu GitLab CI/CD, running complete security detection for every code change and thereby achieving true continuous security automation.

  • Simplify the complex: unified display of reports

The results of multiple security scans are displayed in one place, breaking down the information silos created when each security tool produces its own report, and making it easier to filter out the truly valuable vulnerability data.

  • Closing the remediation loop: the Jihu GitLab workflow

Whenever code changes (an MR is created), the security detection steps embedded in the CI/CD pipeline are triggered, and at the end of the CI/CD run the scan results are displayed in the MR. The severity of each vulnerability (high, medium, low) and its source (SAST, DAST, etc.) are clear at a glance, helping R&D find security issues immediately and fix them in time, and preventing problematic code from being merged into and "infecting" the main branch.

  • No more blame games: fixes are evidence-based and traceable

When a security issue appears in the MR, you can click directly on the vulnerability and, while viewing its details, create an Issue to track it. After the issue is fixed, the Issue is closed. In a later review, the Issue shows the responsible person, the fix status, and so on.

Software is like life, and security is like insurance:

you buy insurance (security) to keep life (delivery) safe.

The earlier you buy it (early intervention), the lower the premium (lower cost)

and the better the coverage (better effect); this is preparing for a rainy day.

The later you buy it (late intervention), the higher the premium (higher cost)

and the worse the coverage (poorer effect); this is mending the fence after the disaster.

If you never buy it at all (no security awareness), you have no capacity to withstand risk,

and when misfortune strikes (an attack), there is no way to recover (game over).


Source: blog.csdn.net/weixin_44749269/article/details/123765273