
How to embed security testing into the toolchain across the whole development lifecycle

Earlier we said that one of the key technical points of DevSecOps is integration, and integration means dealing with the toolchain of the development lifecycle. What we listed in the figure above is not the complete picture; as everyone knows, far too many tools are involved. Taking development tools alone, there are several mainstream options, the most widely used being Eclipse, Visual Studio and IntelliJ IDEA.

[Figure: DevSecOps toolchain]

Once development is done comes source code management, with common choices such as GitLab, GitHub and Bitbucket, plus build tools like Maven and Gradle. After that comes CI/CD, continuous integration and continuous delivery, where Jenkins is the most common choice; many platforms are built on top of Jenkins.


After testing, defects have to be tracked, which brings in tools such as Jira and Bugzilla. There are also testing platforms aimed specifically at open-source components (software composition analysis). All of the above make up the toolchain we work with.


During development, both the tools themselves and online training help developers build up secure-coding knowledge and the ability to write secure code. Security testing can be embedded into every one of these tools in the chain.


Take the IDE as an example. An IDE is fundamentally a developer platform, so can we run security tests while we code? We can: code security can be checked at the moment the code is written. In my view, shifting security left really means shifting it onto the developer's IDE, and that is the most important expression of shift-left.


And in CI/CD, can we test the code at the same time? Can we run a security test on the code as part of the build? Yes to both; all of this can be integrated into the pipeline. In practice the build stage should fail on a severity threshold rather than on every finding, otherwise developers learn to ignore the noise. Likewise, security issues are bugs too, and they can be managed in tools such as Bugzilla and Jira rather than using those tools only for functional defects.
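As an added example (not code from the original article), here is what the build-stage hook described above might look like in practice: a Python gate script that a Jenkins build stage would run after the SAST scanner, reading the scanner's SARIF 2.1.0 report, failing the build when findings at or above a configured level exceed a threshold, and turning the remaining findings into defect-tracker ticket payloads so they are tracked like any other bug. The SARIF document, the scanner name `example-sast`, the rule IDs and the Jira-like ticket shape are all constructed here for illustration and are not the output of any real tool.

```python
"""CI security gate: read a SARIF report from a SAST scanner, apply a
severity policy, and emit defect-tracker ticket payloads."""
import json
from collections import Counter

# Constructed sample SARIF 2.1.0 output, shaped like what a SAST tool run
# in the build stage might produce (not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-sast",
            "rules": [
                {"id": "SQLI-001", "shortDescription": {"text": "SQL injection"},
                 "defaultConfiguration": {"level": "error"}},
                {"id": "LOG-002", "shortDescription": {"text": "Sensitive data in log"},
                 "defaultConfiguration": {"level": "warning"}},
                {"id": "STYLE-003", "shortDescription": {"text": "Unused import"}},
            ]}},
        "results": [
            {"ruleId": "SQLI-001",  # no level: inherits the rule default ("error")
             "message": {"text": "Query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders/dao.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-002", "level": "error",  # explicit level overrides rule default
             "message": {"text": "Password written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth/login.py"},
                 "region": {"startLine": 88}}}]},
            {"ruleId": "STYLE-003", "level": "note",
             "message": {"text": "Unused import 'os'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# SARIF result levels in increasing order of severity.
LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_findings(sarif_text):
    """Flatten SARIF runs/results into dicts with an effective level.
    Per SARIF 2.1.0, a result without 'level' inherits the rule's
    defaultConfiguration.level, and "warning" if that is absent too."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "title": rule.get("shortDescription", {}).get("text", res.get("ruleId", "unknown")),
                "level": level,
                "message": res["message"]["text"],
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
            })
    return findings


def gate(findings, fail_on="error", max_allowed=0):
    """Return (passed, counts). The build fails when the number of findings
    at or above `fail_on` exceeds `max_allowed`; lower levels are reported only."""
    counts = Counter(f["level"] for f in findings)
    blocking = sum(n for lvl, n in counts.items() if LEVELS.get(lvl, 0) >= LEVELS[fail_on])
    return blocking <= max_allowed, dict(counts)


def to_tickets(findings, min_level="warning", project="SEC"):
    """Build defect-tracker payloads (hypothetical Jira-like shape) so that
    security findings are tracked like any other bug. Findings below
    min_level are left out so the tracker is not flooded with noise."""
    tickets = []
    for f in findings:
        if LEVELS.get(f["level"], 0) < LEVELS[min_level]:
            continue
        tickets.append({
            "project": project,
            "summary": f"[{f['rule']}] {f['title']} in {f['file']}:{f['line']}",
            "description": f["message"],
            "labels": ["security", f"sast-{f['level']}"],
        })
    return tickets


if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)
    passed, counts = gate(found)
    for t in to_tickets(found):
        print(json.dumps(t))
    print("counts:", counts, "gate passed:", passed)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI stage
```

In a pipeline the script would be pointed at the scanner's real report file instead of `SAMPLE_SARIF`, and its exit status is what fails the Jenkins stage; the ticket payloads would be posted to the tracker's API by a separate step so that a tracker outage does not mask a failing gate.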


In the next articles we will continue walking through how DevSecOps best practices are put into place, how each stage is deployed, and industry best-practice case studies. Stay tuned.