[SDL Practice Guide] Product Security Quality Measurement

Preface

After a software product has been developed, it is not enough to functionally test its business features to judge whether it meets the requester's actual needs; the product must also undergo security testing to assess its overall security. In the SDL process, for a product to reach the release-version standard it must not only meet the functional and business goals set by the product managers and project managers, but also meet the security quality standard.

Measurement objects

Software products can be broadly divided into the following categories:

  • Internal systems: systems developed by the enterprise for its own internal use, such as internal communication software and internal database systems.

  • External systems: systems developed by the enterprise and released to the outside world, such as the enterprise's public official website and its extranet office system.

  • Procured products: third-party software that the enterprise purchases after evaluating the products available in the industry, such as security products and collaborative office products.

Metrics

Different types of software product are held to different software security quality measurement standards:

  • Internal systems: a system developed by the enterprise for internal use only needs to have no host vulnerabilities and no web vulnerabilities of medium risk or above.

  • External systems: a system developed by the enterprise and released externally must pass web vulnerability scanning, manual penetration testing and code security auditing with no vulnerabilities of medium risk or above, and must satisfy the security design checklist.

  • Procured products: the third party must provide product security certification materials, and the contract must include a security responsibility agreement and an emergency loss-mitigation after-sales service. The security certification materials here generally mean reports issued by third-party security companies: a code audit report, vulnerability scan reports from mainstream scanners, a penetration test report, and an open-source component list (the type and version of each dependent open-source component).

Vulnerability rating

Enterprises can grade vulnerabilities by severity according to the importance of their own business as well as industry standards, laws and regulations. The following is a simple example:

Grade / Assessment criteria (a vulnerability receives a grade if it meets any one of the listed conditions)

Low

1) No obvious security issue is found

2) Does not deviate from the relevant national or industry standards and specifications

3) Exploiting the vulnerability does not cause an obvious security risk to the system (for example, exploitation only discloses certain information about system components)

4) Other security vulnerabilities of comparable harm

Medium

1) Deviates from the relevant national or industry standards and specifications, and the deviation causes problems such as partial information exposure but does not directly cause a serious problem (such as reading the back-end database)

2) Exploiting the vulnerability has some impact on the system (such as obtaining non-sensitive information from the communication process)

3) Exploiting the vulnerability would have a serious impact on the system, but the vulnerability is not easy to exploit

4) Other security vulnerabilities of comparable harm

High

1) Deviates from the relevant national or industry standards and specifications, and the deviation directly causes a serious problem (for example: obtaining program source code, remotely reading and writing system files or manipulating back-end data, remotely executing commands as an ordinary user or conducting a denial-of-service attack, remotely executing commands as an administrative user, etc.)

2) Exploiting the vulnerability has a serious impact on the system and the vulnerability is easy to exploit (for example: obtaining program source code, remotely reading and writing system files or manipulating back-end data, remotely executing commands as an ordinary user or conducting a denial-of-service attack, remotely executing commands as an administrative user, etc.)

3) Other security vulnerabilities of comparable harm
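The metrics above and the rating table can be turned into a release gate that runs in CI rather than being applied by hand. The following is an added example, not code from the original article: it grades each finding by the table's two decision paths (impact combined with ease of exploitation, and deviation from standards), takes the higher grade, and then applies the per-system-type criteria from the metrics section. The Finding fields, the evidence names such as "host_scan" and "design_checklist", and the sample findings are all assumptions constructed for the example; a real deployment would map them from the scanner, tracker or pentest report format actually in use.

```python
"""SDL release gate: grade findings and apply per-system-type launch criteria.

Added example, not part of the original article. Field names, evidence names
and sample data are assumptions chosen to mirror the article's wording.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Grade(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Finding:
    """One result from a scanner, pentest or code audit (fields are assumed)."""
    fid: str
    title: str
    source: str               # host_scan | web_scan | pentest | code_audit
    impact: str               # none | some | serious
    easy_to_exploit: bool
    standard_deviation: str   # none | partial_exposure | serious


def grade_finding(f: Finding) -> Grade:
    """Apply the article's rating table; a finding takes the highest grade it matches."""
    grade = Grade.LOW                             # Low 3): no obvious risk
    if f.impact == "serious":
        # High 2): serious impact and easy to exploit; Medium 3): serious but not easy
        grade = Grade.HIGH if f.easy_to_exploit else Grade.MEDIUM
    elif f.impact == "some":
        grade = Grade.MEDIUM                      # Medium 2): some impact
    if f.standard_deviation == "serious":
        grade = max(grade, Grade.HIGH)            # High 1): deviation with serious consequence
    elif f.standard_deviation == "partial_exposure":
        grade = max(grade, Grade.MEDIUM)          # Medium 1): deviation with partial exposure
    return grade


# Evidence each system type must present, taken from the metrics section.
# For procured products the article requires materials and contract terms only;
# applying the finding threshold to them as well is this example's assumption.
REQUIRED_EVIDENCE = {
    "internal": {"host_scan", "web_scan"},
    "external": {"web_scan", "pentest", "code_audit", "design_checklist"},
    "procured": {"code_audit_report", "scanner_report", "pentest_report",
                 "open_source_component_list", "security_responsibility_agreement",
                 "emergency_loss_mitigation_service"},
}
BLOCKING_THRESHOLD = Grade.MEDIUM   # "no medium-risk vulnerabilities": medium or above blocks


@dataclass
class GateResult:
    passed: bool
    missing_evidence: set = field(default_factory=set)
    blocking: list = field(default_factory=list)   # (finding id, grade) pairs


def release_gate(system_type: str, evidence: set, findings: list) -> GateResult:
    """Pass only if all required evidence is present and no finding reaches the threshold."""
    missing = REQUIRED_EVIDENCE[system_type] - set(evidence)
    blocking = [(f.fid, grade_finding(f)) for f in findings
                if grade_finding(f) >= BLOCKING_THRESHOLD]
    return GateResult(passed=not missing and not blocking,
                      missing_evidence=missing, blocking=blocking)


# Constructed sample findings for an external system (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F-1", "Server header discloses component version", "web_scan", "none", True, "none"),
    Finding("F-2", "Verbose error page leaks internal hostnames", "web_scan", "some", True, "partial_exposure"),
    Finding("F-3", "SQL injection in order search", "pentest", "serious", True, "serious"),
    Finding("F-4", "Race in coupon redemption (hard to trigger)", "code_audit", "serious", False, "none"),
]


def demo() -> GateResult:
    """External system that ran scans, pentest and audit but never completed the design checklist."""
    return release_gate("external", {"web_scan", "pentest", "code_audit"}, SAMPLE_FINDINGS)


if __name__ == "__main__":
    result = demo()
    print("passed:", result.passed)
    print("missing evidence:", sorted(result.missing_evidence))
    for fid, grade in result.blocking:
        print(f"blocking: {fid} ({grade.name})")
```

Note how F-4 lands on Medium rather than High: the table's "serious impact but not easy to exploit" rule is what keeps a hard-to-trigger race from blocking a release on its own, while F-3 is High on both paths. The same gate fails the external system on missing evidence even before the findings are considered, which is the order a gate should check in: absent a penetration test or checklist there is nothing meaningful to grade.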

Summary

Product security quality determines whether a product meets the launch requirements and whether it can be launched on time. Therefore, the sooner the product security quality measurement standard and the SDL launch rules are put into effect and publicized, the better. At the same time, product managers, project managers and R&D staff should pay more attention to security issues throughout the software development cycle, to avoid a product being blocked from launch by security issues found late, or having to rework product functionality.


Source: blog.csdn.net/Fly_hps/article/details/129789389