CreditEase SDL practice: how product managers can drive product security building

I. Preamble

This article looks at product security from the product manager's perspective: what product-driven security means, the product manager's security responsibilities, the content and methods of that work, the security resources it requires, and the workload it involves. The aim is for every product manager to take up product security building with a clear goal, method and set of resources, and without psychological burden.

II. Background

Security is a natural attribute of a software product. "Without security there is no finance": for financial software products security matters especially, because customers readily connect any security vulnerability to the safety of their own assets and personal information. At security salons and summits one occasionally hears peers complain that "everyone says information security is important, but in practice it comes second and nobody has time for it." The reasons behind such complaints are complex, but one important factor is that product managers have a weak sense of security and do not know how to drive product-security-related building: they do not give product security enough weight, product security requirements are unclear, product security resources are inadequate, and product security building cannot get started. This article takes the product manager's standpoint and, starting from the product manager's capability dimensions, discusses how product managers can drive product security building.

As everyone knows, since security is a natural attribute of software products, the product manager, who defines and plans the product, bears an inescapable responsibility for product security. Yet the industry has not given product managers a clear, feasible course of action for fulfilling that responsibility.

At present, security requirements for software products are usually proposed by developers and security staff on the basis of their professional knowledge, for example the industry's common "five elements" analysis of sensitive personal information:

  • Full name
  • Identity card number
  • Telephone number
  • Bank card information
  • Contact address

This method is simple, but often fails to cover all sensitive information, such as:

  • The user ID that links a user's data across multiple systems (the super-ID).
  • Audio and video data produced during transactions.
  • All kinds of unstructured document data, such as contract scans.
  • User behaviour profiles and similar content.

All of these are valuable sensitive data, yet they clearly fall outside the range of sensitive data listed above and often have no clear protection requirements. Only the product manager, working from the specific business scenario, has the final say on the range and business value of sensitive data.

III. The security department's dilemma

The five-element analysis described above is typical of the "security drives product" model, in which the security department pushes product teams to carry out security-related work. This model has many drawbacks, such as:

  • Security requirements may be incomplete; professional knowledge is no substitute for in-depth analysis of specific business scenarios;
  • Product teams cannot guarantee security resources, and R&D teams have reason to see the security team as interfering with the R&D plan and schedule, adding workload with the same resources;
  • The security department usually has no opportunity to take part in drawing up the R&D plan, so product development plans and security are out of step;
  • The security team depends heavily on its authority, and mandatory pushing often puts it in an awkward position.

(Figure 1: security drives product)

Abundant security practice shows that the "security drives product" approach has many drawbacks. If instead the product drives security, with product managers clear about their security responsibilities and actively driving product security building, the results are strikingly different.

IV. Why product-driven security is reasonable

Product-driven security does not mean that the product manager alone drives product security building. It means that product managers take the initiative to bear their share of responsibility for product security and drive product security building together with the security department, turning the single-wheel drive of "security drives product" into the two-wheel drive of "product drives security". As shown below:

(Figure 2: product-driven security)

Security is a natural attribute of software products and therefore part of the product manager's duties. At the same time, since the product manager holds the baton for product planning and for the evolution of R&D resource investment, the R&D team's appropriate investment in security can be guaranteed. By this simple analysis, it is entirely reasonable for the product manager, who is responsible for the product, to take the initiative in driving product security building.

V. How to drive product security

A product manager willing to work on product security may ask the following questions:

  • Content: what does the product manager's security work need to cover;
  • Capability: what security capabilities must the product manager have to complete that work;
  • Method: how should the security work be done so that business functionality and security are both developed, while agility and the R&D project management process are not distorted;
  • Security resources: what support can be obtained from the security department and other departments to raise the efficiency and effectiveness of the team's own security and R&D work and lower the capability threshold for security work;
  • Workload: will the security work make product managers very tired and affect their quality of work and quality of life.

Once these questions are answered and the product manager's worries are removed, there is a high probability that product managers will embrace security, resolving the conflict between development and security at its root.

VI. Content of the product manager's security work

The product manager's security work covers:

  • Defining product security requirements;
  • Securing R&D resources for security: placing security in the development plan and allocating adequate security R&D resources;
  • Promoting the R&D team's security capability building to ensure the security development plan is implemented;
  • Integrating surrounding security resources to ensure the security development plan is implemented.

(Figure 3: content of the product manager's security work)

6.1 Define product security requirements

Product security requirements are, from the business standpoint, the data security, business compliance and business continuity requirements a software product must meet; they are part of the business security requirements. The product security requirements described here generally include:

  • Data security requirements of the business the product carries, concerned mainly with the confidentiality and integrity of business data.
  • Information security regulatory requirements related to the product, such as classified protection of information systems and industry-specific information security regulation.
  • Business continuity requirements of the business the product carries. Since these are usually implemented uniformly under the lead of the data centre or operations department, this article does not expand on them.

(Figure 4: product security requirements)

6.2 Product data security requirements

Product data security requirements mean that the system should ensure that the right users, in the right place, in the right way and with the right operations, access the right data at the right time, guaranteeing the confidentiality, integrity and availability of the data the system carries. That is, the system's security mechanisms should ensure that the list of legitimate access behaviours works like a whitelist: every behaviour in the list is legitimate, and every behaviour outside it is by default inappropriate data access that must be prevented by security measures. This article calls the latter blacklist behaviour.

Because blacklist behaviour is usually hacking, analysing it and listing its typical forms requires a strong offensive and defensive technical background that business staff and product managers do not have; security experts need to analyse it according to the product's operating environment. So the product manager is usually responsible for defining the whitelist part of the product security requirements, and organises security experts and development experts to define the blacklist part. The main goal of the various security measures in the product design is to ensure that whitelist behaviour succeeds and that blacklist behaviour is prevented, monitored and audited.

From the business standpoint, once legitimate data access behaviour has been defined, the security design also needs data access auditing tools to help confirm that business access behaviour is correct and to audit offending data access behaviour.

(Figure 5: product data security requirements)

Based on the above analysis, defining the whitelist only requires understanding the business model and related information, so there is no capability threshold for product managers. The data the product manager needs to define includes:

| ID | Content | Explanation |
|----|---------|-------------|
| 1 | List of legitimate users | User categories, office locations and access methods; user categories should include peer systems that call the system's interfaces |
| 2 | List of sensitive data | Range of sensitive data, with classification and grading notes |
| 3 | List of business access behaviours | Mapping between users and sensitive data, plus the list of system operations |
| 4 | List of sensitive behaviours | Minimum set of operations whose logs must be recorded, providing the basis for operational audits; largely coincides with the business access behaviour list above |

When defining the above information, the product manager should follow two principles:

| ID | Principle | Explanation |
|----|-----------|-------------|
| 1 | Least privilege | Minimise each user category's data access mode, operations and actions. For example, if access from the office (OA) network meets the business need, access from the external network should not be opened; if desensitised (masked) reading meets the business need, plaintext reading or writing should not be opened |
| 2 | Need to know | Minimise each user category's data access range. For example, if access to a single file meets the business need, access to two or more files should not be opened |

Designers can base the access control and permission management model on the whitelist, and testers can use the whitelist as the baseline for data security testing: any breach of the whitelist found in testing is a system security bug, such as:

  • Sensitive data not desensitised.
  • Redundant data operation permissions.
  • Horizontal or vertical unauthorised data access.
  • Missing log traces of critical behaviour.
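The following is an added example, not code from the original article: it encodes the four whitelist tables of section 6.2 as data and checks access requests against them, so that anything outside the whitelist (including horizontal access to another user's record) is reported as blacklist behaviour and audited operations produce the minimum log entry. All user categories, data items, channels and operations are constructed for illustration.

```python
# Added example (not from the original article): the four whitelist tables of
# section 6.2 as data, plus a check that treats anything outside them as
# blacklist behaviour. All categories, data items and operations are constructed.
from dataclasses import dataclass
from typing import Optional

# Table 1: legitimate users, as user category -> permitted access channels.
LEGITIMATE_USERS = {
    "loan_officer": {"office_lan"},    # office network suffices, so no external access
    "customer": {"app", "web"},
    "risk_system": {"internal_api"},   # a peer system calling our interface
}
# Table 2: sensitive data with its grading level.
SENSITIVE_DATA = {"id_number": "high", "bank_card": "high",
                  "contract_scan": "high", "behaviour_profile": "medium"}
# Table 3: business access whitelist as (user category, data item, operation).
# "read_masked" means the business need is met by a desensitised view.
ACCESS_WHITELIST = {
    ("loan_officer", "id_number", "read_masked"),
    ("loan_officer", "contract_scan", "read"),
    ("customer", "bank_card", "read_masked"),
    ("customer", "bank_card", "update"),
    ("risk_system", "behaviour_profile", "read"),
}
# Table 4: sensitive behaviours whose operation log must be recorded.
AUDITED_OPERATIONS = {"read", "update", "export"}
# Categories that may only touch their own records (need to know).
OWN_RECORDS_ONLY = {"customer"}

@dataclass
class Decision:
    allowed: bool
    reason: str
    audit_record: Optional[dict] = None   # minimum log entry, when required

def check_access(category, channel, data_item, operation, requester_id, owner_id):
    """Whitelist check: a request is legitimate only if every list admits it."""
    if category not in LEGITIMATE_USERS:
        return Decision(False, "unknown user category")
    if channel not in LEGITIMATE_USERS[category]:
        return Decision(False, "channel not permitted for this user category")
    if (category, data_item, operation) not in ACCESS_WHITELIST:
        return Decision(False, "operation outside business access whitelist")
    # A whitelisted operation on someone else's record is horizontal
    # unauthorised access, one of the bugs the whitelist baseline should catch.
    if category in OWN_RECORDS_ONLY and requester_id != owner_id:
        return Decision(False, "horizontal access to another user's record")
    record = None
    if operation in AUDITED_OPERATIONS:
        record = {"who": requester_id, "category": category, "data": data_item,
                  "op": operation, "level": SENSITIVE_DATA.get(data_item, "unclassified")}
    return Decision(True, "whitelisted", record)

def data_security_bugs(test_results):
    """Testers' view: each (request, observed_allowed) pair where the system
    allowed something the whitelist forbids is a data security bug."""
    bugs = []
    for request, observed_allowed in test_results:
        expected = check_access(*request)
        if observed_allowed and not expected.allowed:
            bugs.append((request, expected.reason))
    return bugs
```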

6.3 Compliance requirements

Compliance requirements are the restrictions on service delivery model, data security and business continuity imposed by the relevant authorities of the region or country where the system operates or where its customers are served. At present the regulatory requirements our systems face include:

| ID | Regulatory requirement | Regulatory level |
|----|------------------------|------------------|
| 1 | Cybersecurity Law and its two judicial interpretations (Supreme People's Court and Supreme People's Procuratorate) | National |
| 2 | Classified protection of information systems (MLPS) | Ministry of Public Security |
| 3 | Personal Information Protection Specification | Ministry level |
| 4 | GDPR (IT services involving services to EU citizens) | EU |

In 2019 the relevant state departments issued a series of regulatory requirements on the collection of personal information by apps:

| ID | Name | Date | Issuing department |
|----|------|------|--------------------|
| 1 | Notice on launching the special campaign against illegal collection and use of personal information by apps | 2019/1/25 | Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security, State Administration for Market Regulation |
| 2 | Specification of necessary information for basic business functions of mobile Internet applications | 2019/6/1 | National Information Security Standardization Technical Committee |
| 3 | Self-assessment guide for illegal collection and use of personal information by apps | 2019/3/1 | App Special Governance Working Group |
| 4 | Method for identifying illegal collection and use of personal information by apps (draft) | 2019/5/5 | App Special Governance Working Group |
| 5 | Information security technology: basic specification for the collection of personal information by mobile Internet applications (apps) (draft) | 2019/10/25 | National Information Security Standardization Technical Committee |
| 6 | Notice on the special campaign against apps infringing users' rights and interests | 2019/11/6 | Ministry of Industry and Information Technology |

After the product manager has listed the compliance requirements, the security department obtains an authoritative interpretation from the relevant departments, communicates it to the product line, and recommends security measures whose design will satisfy the IT security compliance requirements to a large extent. Classified protection requirements are common to every system and need not be listed by the product manager; the security department can interpret them directly.

How specific security requirements are defined and maintained will be explained in other articles.

VII. Product manager security capability analysis and capacity building

In the product manager's security work, the main challenge comes from defining the four business security requirement lists. The related capability analysis is as follows:

| ID | Product manager security requirement work | Capability analysis |
|----|-------------------------------------------|---------------------|
| 1 | Define the list of legitimate users | No additional capability; needs a description template |
| 2 | Define the list of sensitive data | Needs an understanding of basic security concepts and of the security grading of sensitive data; needs a sensitive data classification and grading standard and a template |
| 3 | Define the list of business access behaviours | No additional capability; needs a description template |
| 4 | Define the list of sensitive behaviours | No additional capability; needs a description template |

The capabilities required for the product manager's other security work are as follows:

| ID | Work item | Capability analysis |
|----|-----------|---------------------|
| 1 | Secure R&D resources for security | Add security-related activities and steps to the iterative product development plan and assign people responsible for them. Planning itself needs no additional capability, but to arrange security activities while keeping development agile and the existing project management mechanism undistorted, the security, quality management and project management departments must provide methodological support. The product manager needs a certain degree of security awareness |
| 2 | Promote the R&D team's security capability building | For the iteration plan to succeed, the R&D team (design, development and testing) needs high security awareness and some basic security capabilities such as secure design, secure coding and security testing. The security department should coordinate each team's capability-building needs and provide support. The product manager needs a certain degree of security awareness |
| 3 | Integrate surrounding security resources | For the iteration plan to succeed, professional security services from surrounding departments must be integrated, such as the security department's review services, threat modelling, code auditing, penetration testing and real-time traffic monitoring, the SSO platform from the platform R&D department, and unified identity management from operations; support from legal and compliance may even be needed. The security department is responsible for providing and continuously maintaining an available list of security services, so that product managers and development teams know what services exist and where to obtain them. The product manager needs a certain degree of security awareness |

In summary, to fulfil their security responsibilities, product managers need a fairly high level of security awareness and the ability to understand basic security concepts. There is no high capability threshold; with some security training, product managers can fully meet the corresponding capability requirements.

VIII. Product security development methodology

Given that agile development and DevOps are now widely adopted, secure development should not cling to the old experience of combining security with waterfall development. Waterfall cycles are long and resources are ample, so scattering a few security activities among the many planned activities does not create obvious schedule or resource pressure. Agile and DevOps, by contrast, must respond quickly to user needs while balancing development quality and efficiency; if heavy secure-development activities are placed in the iteration plan, iterative development easily loses its agility.

To carry the secure-development philosophy into agile and DevOps development, the following principles are recommended:

  • Make secure-development activities lightweight. This can be achieved through tooling and automation, minimising security activities that are labour-intensive and time-consuming;
  • Spread secure-development activities out. Break up the activities that cannot be made lightweight in the short term and distribute them across multiple iterations;
  • Run secure-development activities in parallel with other activities. For example, penetration testing is usually scheduled as the last step of testing so that a single round does not miss fixes made in parallel; multiple rounds could compensate, but resources usually do not allow it. In practice, the drop in penetration-test coverage caused by concurrent fixing can be fully compensated by good communication and team culture.
  • Optimise existing agile and DevOps processes and tool platforms so that security experts can participate fully in projects, improving secure-development communication efficiency and providing fast security feedback;
  • Bring security experts into agile and DevOps culture building. Information security is everyone's responsibility; security experts can act as coaches and goalkeepers so that every team member is able to fulfil their own security duties, with security experts controlling the quality of security deliverables at the right moments;
  • Plan and lay out security infrastructure in advance, such as identity and access management, SSO, encryption platforms and SDKs, log analysis and monitoring platforms, full-traffic detection platforms and so on, so that security measures become standardised, service-based and platform-based. This lowers the capability threshold for secure design and coding, and testing and verifying the security infrastructure replaces most of the security testing of the applications it carries, effectively reducing security testing workload.

Example scheduling of some secure-development activities:

| ID | Security activity | Iteration execution requirement | Trigger scenario and baseline example |
|----|-------------------|----------------------------------|---------------------------------------|
| 1 | Create the product security requirement list | One-off | Before prototype release |
| 2 | Maintain the product security requirement whitelist | Every iteration | |
| 3 | Review the product security requirement whitelist | Multi-iteration | Major requirement change, or accumulated change reaching n person-days |
| 4 | Create the product data-flow diagram | One-off | Before prototype release |
| 5 | Build the initial threat model | One-off | Before prototype release |
| 6 | Maintain the threat model | Every iteration | Major requirement change, or accumulated change reaching n person-days |
| 7 | Review the threat model | Multi-iteration | Major requirement change, or accumulated change reaching n person-days |
| 8 | Security design review | Multi-iteration | Major requirement change, or accumulated change reaching n person-days |
| 9 | Code scanning and report analysis (development) | Daily / every iteration | |
| 10 | Code scanning and report analysis (security department) | Multi-iteration | Major requirement change, or accumulated change reaching n person-days |
| 11 | Deep black-box security scanning | Daily / every iteration | |
| ... | ... | ... | |

In the table above, "multi-iteration" means running the activity once every several iterations according to set requirements. Multi-iteration security activities need an execution baseline; there is no standard to refer to, and it has to be explored and adjusted gradually according to each product line's actual situation.

Trigger scenarios and baselines are not fixed. As the team's security capability and degree of automation and tooling improve, multi-iteration activities may become every-iteration activities. Not every identified security activity must be executed; the yardstick is controlling the main security risks without holding back the iteration. Typically the security team communicates repeatedly with all product managers and project management and proposes a trigger scenario and baseline table broadly accepted by all parties, for product managers to refer to.
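As an added example (not from the original article) of the iteration cadences in the table above, the scheduler below decides which security activities fire in a given iteration: one-off activities run once, every-iteration activities always run, and multi-iteration activities run when a major requirement change occurs or the change accumulated since their last execution reaches the baseline n. The activity names follow the table; the baseline of 40 person-days and the iteration figures are constructed for illustration.

```python
# Added example (not from the original article): scheduling the security
# activities of section VIII by cadence. Baselines and iteration data are constructed.
from dataclasses import dataclass
from typing import List

ONE_OFF, EVERY_ITERATION, MULTI_ITERATION = "one-off", "every-iteration", "multi-iteration"

@dataclass
class Activity:
    name: str
    cadence: str
    baseline_person_days: int = 0   # the "n" in the table, for multi-iteration activities
    done_once: bool = False         # state for one-off activities
    accumulated: int = 0            # change volume since the activity last ran

@dataclass
class Iteration:
    number: int
    change_person_days: int         # development volume of this iteration's changes
    major_requirement_change: bool = False

def plan_iteration(activities: List[Activity], it: Iteration) -> List[str]:
    """Return the names of the security activities that fire in this iteration,
    updating each activity's state so the next call sees the new baseline position."""
    fired = []
    for a in activities:
        if a.cadence == ONE_OFF:
            if not a.done_once:             # runs in the first iteration it is planned for
                a.done_once = True
                fired.append(a.name)
        elif a.cadence == EVERY_ITERATION:
            fired.append(a.name)
        elif a.cadence == MULTI_ITERATION:
            a.accumulated += it.change_person_days
            if it.major_requirement_change or a.accumulated >= a.baseline_person_days:
                a.accumulated = 0           # baseline counter restarts after execution
                fired.append(a.name)
    return fired

def default_activities(baseline: int = 40) -> List[Activity]:
    """The activities from the article's table, with a constructed baseline n."""
    return [
        Activity("create product security requirement list", ONE_OFF),
        Activity("maintain product security requirement whitelist", EVERY_ITERATION),
        Activity("review product security requirement whitelist", MULTI_ITERATION, baseline),
        Activity("create product data-flow diagram", ONE_OFF),
        Activity("build initial threat model", ONE_OFF),
        Activity("maintain threat model", EVERY_ITERATION),
        Activity("review threat model", MULTI_ITERATION, baseline),
        Activity("security design review", MULTI_ITERATION, baseline),
        Activity("code scan and report analysis (development)", EVERY_ITERATION),
        Activity("code scan and report analysis (security dept.)", MULTI_ITERATION, baseline),
        Activity("deep black-box security scan", EVERY_ITERATION),
    ]
```

Lowering the baseline argument, or switching an activity's cadence to every-iteration, models the tightening the article describes as team capability and automation improve.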

IX. Security resource support for product managers

When fulfilling their security responsibilities, product managers need security services and support from surrounding departments, including but not limited to:

| ID | Product manager work item | Resource or service needed | Provider |
|----|---------------------------|----------------------------|----------|
| 1 | Define the product security requirement whitelist | Sensitive data classification and grading standard with related templates and demos; criteria for judging when a product security requirement change has occurred | Security department |
| 2 | Secure R&D resources for security | Security activity list and its iteration baseline | Security department & QA |
| 3 | Promote the R&D team's security capability building | Security training and hands-on practice | Security department |
| 4 | Integrate surrounding security resources | Security resource list, including security consulting, review, training, development kits, platforms or services | Security department, legal & compliance |

X. Workload analysis of the product manager's security work

The product manager's security workload is analysed in the table below:

| ID | Product manager work item | Workload analysis |
|----|---------------------------|-------------------|
| 1 | Define the product security requirement whitelist | Creating the four whitelist tables for the first time takes some effort, but it is one-off work. The product manager can also complete it in batches, filling in the main information first and adding the rest later. Subsequent maintenance is light: a new or changed requirement needs no maintenance unless it touches the content of the four tables. Practice shows that a product's user, data and access whitelists stabilise after a few iterations, and the tables rarely need changing |
| 2 | Secure R&D resources for security | Part of drawing up and driving the iteration development plan, so no extra time is needed; around one day per year may be spent on security training to learn the iteration baseline for security activities, basic security concepts, and how to define and maintain product security requirements |
| 3 | Promote the R&D team's security capability building | Adding security content to the R&D team's capability-building plan may involve some budget and person-days. Driving capability building may involve some person-days for training and exercises, but this share should be small and does not create obvious resource pressure. Some training may be beyond the security department's capability for now and need to be bought in, for example cloud security or mobile security; the product manager can apply for budget independently, or the security department can apply jointly with the product lines |
| 4 | Integrate surrounding security resources | Many product managers already do this daily to solve known security problems, as part of routine communication and coordination. The main change is turning this reactive, case-by-case action into proactive, routine behaviour. The company currently has a fairly clear division of security responsibilities and processes, so this does not create obvious work pressure |

The table above describes the main work items a product manager may encounter, but not all of them. Overall, it adds some workload for the product manager, but does not create obvious work pressure.

XI. Summary

Product managers are responsible for product security. By defining the whitelist within the product security requirements they set the product security goals, and by drawing up the security development plan, promoting team security capability building and coordinating surrounding security resources they bring product security to the ground.

After brief security training, all of this work falls within the product manager's capability; the workload will not create psychological pressure, and flexible trigger criteria for security activities will not affect R&D agility. The authors sincerely hope that product managers will embrace security boldly and confidently, and together with the security department keep pushing product security to new heights.

XII. Reflections

In the authors' experience, security departments trying to push security work forward are always looking for a "big leg" to hold onto (抱大腿: leaning on a powerful ally), hoping that outside force will drive the work, without noticing the product manager. This "leg" only needs its security awareness awakened: it is not only strong, it also has a strong motivation to embrace security proactively.

Working with product managers, the security department can easily establish a routine mechanism for landing security in iterative development, whereas working with other departments such as compliance or legal usually drives specific security work only at specific stages. We suggest that application security peers and product managers talk to each other much more, because the product manager is the "big leg" that the security department most needs to embrace!

Authors: 危国洪, 郭建伟

Source: 宜信技术学院 (CreditEase Technology Institute)


Original post: www.cnblogs.com/yixinjishu/p/12022502.html