
Knowable, Visible, Manageable: The Ultimate Goal of DevSecOps Adoption

In the earlier articles we walked through the whole DevSecOps pipeline, how to fit security testing sensibly into each stage, and which static code analysis and black-box testing tools we recommend. This article continues the series: beyond white-box and black-box testing, what other strategies can help us improve application security?

Software Testing Management

Another very important area is testing third-party open-source components. Log4Shell in Log4j (CVE-2021-44228, December 2021) and Heartbleed in OpenSSL (CVE-2014-0160, 2014) are both examples of vulnerabilities that lived in an open-source component rather than in the application's own code.


Practically every Java project that writes logs pulls in Log4j. Vulnerabilities like these are not defects in the business logic a programmer wrote; they sit in the underlying libraries, and those libraries are frequently pulled in transitively, without the application ever declaring them directly.


So we must guarantee not only that the code our developers write is secure, but also that the open-source components that code depends on and references are secure. Security testing has to be comprehensive: code scanning must cover not just the code written in-house but also the underlying dependency libraries and shared libraries, including the transitive dependencies those libraries bring with them.


Here we recommend Sonatype's tooling (software composition analysis, SCA), which is good at finding problems in public open-source components and can be combined with Fortify so that both the source code and the dependency libraries are scanned. Only the combination is truly comprehensive: SAST finds flaws in code you wrote, SCA finds known-vulnerable versions of code you pulled in, and neither covers the other's blind spot.
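The dependency-scanning point above, as an added worked example that is not code from the page, from Sonatype or from Fortify: a small Python script resolves a constructed Maven-style dependency graph transitively, matches each resolved component against a constructed advisory feed with version ranges, and reports the declaration path so the developer can see which direct dependency pulled the vulnerable library in. The graph, the hypothetical `org.example` starters and the simplified affected ranges are assumptions for illustration; the published advisories give the exact ranges.

```python
"""Transitive dependency scan against a small advisory feed (added example)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    @property
    def name(self) -> str:
        return f"{self.group}:{self.artifact}"


# Constructed dependency graph for a hypothetical Java service (assumption: the
# "org.example" starters do not exist). The application declares neither logging
# library; both arrive transitively through the starters, which is exactly the
# case that a scan of only self-written source code never sees.
DEP_GRAPH = {
    "app": [
        Component("org.example", "web-starter", "1.3.0"),
        Component("org.apache.commons", "commons-text", "1.9"),
    ],
    "org.example:web-starter": [Component("org.example", "logging-starter", "1.3.0")],
    "org.example:logging-starter": [
        Component("org.apache.logging.log4j", "log4j-core", "2.14.1"),
        Component("org.apache.logging.log4j", "log4j-api", "2.14.1"),
    ],
    "org.apache.commons:commons-text": [Component("org.apache.commons", "commons-lang3", "3.11")],
}

# Constructed advisory feed: (component, first affected, first fixed, advisory id).
# Ranges are simplified for illustration; consult the published advisories for exact ones.
ADVISORIES = [
    ("org.apache.logging.log4j:log4j-core", "2.0", "2.15.0", "CVE-2021-44228"),
    ("org.apache.commons:commons-text", "1.5", "1.10.0", "CVE-2022-42889"),
]


def vkey(version: str) -> tuple:
    """Numeric sort key: '2.14.1' -> (2, 14, 1). Digits inside qualifiers are picked up
    too ('2.0-beta9' -> (2, 0, 9)); fine for release versions, not a full Maven comparator."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def resolve(root: str = "app"):
    """Depth-first walk returning (component, path) for every transitive dependency.
    path is the chain of declaring coordinates from the root down to the component."""
    seen, out = set(), []

    def walk(node, path):
        for dep in DEP_GRAPH.get(node, []):
            if dep in seen:
                continue
            seen.add(dep)
            chain = path + [dep.name]
            out.append((dep, chain))
            walk(dep.name, chain)

    walk(root, [root])
    return out


def scan(root: str = "app"):
    """Match every resolved component against the advisory feed."""
    findings = []
    for comp, path in resolve(root):
        for name, lo, hi, adv_id in ADVISORIES:
            if comp.name == name and vkey(lo) <= vkey(comp.version) < vkey(hi):
                findings.append({
                    "id": adv_id,
                    "component": comp.name,
                    "version": comp.version,
                    "fixed_in": hi,
                    "direct": len(path) == 2,   # declared by the app itself?
                    "path": " -> ".join(path),
                })
    return findings


if __name__ == "__main__":
    for f in scan():
        kind = "direct" if f["direct"] else "transitive"
        print(f'{f["id"]}: {f["component"]}@{f["version"]} ({kind}), fixed in {f["fixed_in"]}')
        print(f'    via {f["path"]}')
```

The `path` field is what makes a finding actionable: `log4j-core` is never mentioned in the application's own build file, so the fix is to bump or exclude it through `web-starter`, not to search the application code for it.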

Security Testing Management

Finally, a word on the importance of a software security center. The tools themselves are responsible for testing, and each test result applies to one particular project. We need the overall picture, so the results from different tools and different stages should be brought together in a single security governance platform that presents them visually.


There is no absolute security: however well it is done, security never solves 100% of the problems. What we can do is make security "knowable", "visible", and "manageable".


"Knowable" means that once testing is complete and problems have been found, we know where each problem is: where the vulnerability lives, which line of code it is on, and how to fix it.


"Knowable" is not enough; we also need "visible", meaning a visualization platform that presents everything in one place. Management, for instance, does not care how a vulnerable line of code should be changed; they want to see the overall security posture: which vulnerability classes are most common across the organization, which project has the most findings, which team has the most findings, and so on. Programmers want the micro view: whether the code they own has problems, where those problems are, and how to fix them.


Only once security is "knowable" and "visible" can it be "manageable", and only then can we manage the enterprise's applications well.
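The unified security center described in this section (knowable: file, line and fix for the developer; visible: roll-ups by project, team and vulnerability class for management), as an added example that is not code from the page or from any vendor. It normalizes two constructed tool exports, a source-scanner export and a dependency-scanner export, onto one record schema and then renders the two views. The record shapes, the `payments`/`portal` projects, the `team-a`/`team-b` owners and the severity weights are assumptions; they are not Fortify's or Sonatype's real export formats.

```python
"""Unified security view across tools (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed weighting so that one critical outweighs several lows in the roll-up.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    tool: str
    project: str
    team: str
    severity: str
    category: str
    location: str      # "file:line" for code findings, "component@version" for dependencies
    remediation: str


# Constructed stand-in for a source scanner's per-project export (not Fortify's real format).
SAST_EXPORT = [
    {"project": "payments", "file": "src/main/java/pay/Refund.java", "line": 88,
     "rule": "SQL Injection", "severity": "high",
     "fix": "Use a PreparedStatement with bound parameters."},
    {"project": "payments", "file": "src/main/java/pay/Export.java", "line": 41,
     "rule": "Path Manipulation", "severity": "medium",
     "fix": "Canonicalise the path and check it stays under the export root."},
    {"project": "portal", "file": "web/login.js", "line": 17,
     "rule": "Cross-Site Scripting", "severity": "high",
     "fix": "Encode output for the HTML context."},
]

# Constructed stand-in for a dependency scanner's export (not Sonatype's real format).
SCA_EXPORT = [
    {"project": "payments", "component": "org.apache.logging.log4j:log4j-core",
     "version": "2.14.1", "advisory": "CVE-2021-44228", "severity": "critical",
     "fixed_in": "2.15.0"},
    {"project": "portal", "component": "org.apache.commons:commons-text",
     "version": "1.9", "advisory": "CVE-2022-42889", "severity": "critical",
     "fixed_in": "1.10.0"},
]

# Constructed ownership map; a real platform would take this from repo or CMDB metadata.
PROJECT_TEAM = {"payments": "team-a", "portal": "team-b"}


def normalize(sast=SAST_EXPORT, sca=SCA_EXPORT, owners=PROJECT_TEAM):
    """Map both tool formats onto one Finding schema so they can be aggregated together."""
    findings = []
    for r in sast:
        findings.append(Finding("sast", r["project"], owners[r["project"]], r["severity"],
                                r["rule"], f'{r["file"]}:{r["line"]}', r["fix"]))
    for r in sca:
        findings.append(Finding("sca", r["project"], owners[r["project"]], r["severity"],
                                r["advisory"], f'{r["component"]}@{r["version"]}',
                                f'Upgrade to {r["fixed_in"]} or later.'))
    return findings


def executive_view(findings):
    """Management view: who has the most findings, which classes dominate, where the risk is."""
    score = defaultdict(int)
    for f in findings:
        score[f.project] += SEVERITY_RANK[f.severity]
    return {
        "by_project": dict(Counter(f.project for f in findings)),
        "by_team": dict(Counter(f.team for f in findings)),
        "by_severity": dict(Counter(f.severity for f in findings)),
        "top_categories": Counter(f.category for f in findings).most_common(3),
        "worst_project": max(score, key=score.get),   # severity-weighted, not raw count
    }


def developer_view(findings, project):
    """Developer view for one project: exact location and fix, worst first."""
    mine = sorted((f for f in findings if f.project == project),
                  key=lambda f: (-SEVERITY_RANK[f.severity], f.location))
    return [{"severity": f.severity, "tool": f.tool, "where": f.location,
             "what": f.category, "fix": f.remediation} for f in mine]


if __name__ == "__main__":
    fs = normalize()
    print(executive_view(fs))
    for row in developer_view(fs, "payments"):
        print(row)
```

The same normalized records feed both views; the only difference is the grouping key. That is the practical meaning of "knowable before visible": if a tool's output cannot be mapped to a location and a remediation, it cannot be rolled up into anything management can act on either.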