Secure the Code, Prevent the Breach

While organizations are rushing to secure their networks and infrastructure in order to gain a robust security posture that allows them to meet regulations and protect their assets, they often overlook an equally important aspect of security: securing the software development lifecycle.

When we look at the numbers, we can get an idea of the reasons behind this disregard:

Lack of Awareness

In a survey of 400 developers conducted by Vanson Bourne and commissioned by Veracode, 25% of the developers admitted that their companies did not have an application security program in place, while 4% did not know whether their companies had such a program or not.

The same survey showed that nearly one in five developers were not at all familiar with the OWASP Top 10 web application security risks.

Lack of Time

It would make sense for companies to try to bring their product to the market as fast as possible, but this often comes at the cost of security. A SonaType survey from 2018 showed that 48% of developers do not have enough time to fix security issues, although they realize their criticality.

Lack of Skills

Adopting secure coding practices requires at least a basic knowledge of security principles, something that is lacking in the technology industry. In fact, Tripwire’s 2020 Skills Gap Survey showed that 72% of the participants think their security teams are understaffed, while hiring security professionals is becoming harder:

Tripwire 2020 Skills Gap Survey

On top of the above-mentioned reasons, companies seem to overlook the importance of security in software development. However, real-world events have shown that securing the code is just as important as securing the infrastructure:

The recently discovered Octopus Scanner malware scanned GitHub repositories for NetBeans source code files and injected itself into the code, impacting every developer that downloaded one of the 26 affected open-source projects and bringing to light a new aspect of supply-chain attacks.

In 2018, Facebook discovered three bugs in their source code that would enable users to generate access tokens for other accounts, potentially exposing 50 million accounts.

Failing to secure the code can not only impact the end-user, but might also lead to the theft of Intellectual Property, damage the company’s reputation, and compromise the company’s network by rendering expensive security controls useless.

Secure your code!

It should have become clear by now WHY it is so important to apply security principles to the software development lifecycle. But with the lack of security skills, the HOW remains unanswered. Fortunately, there are plenty of standards, frameworks and advisories publicly available, and they mostly revolve around the following main best practices:

Secure Development Training

A company cannot expect its developers to apply secure coding practices without providing them with proper training specific to their duties. There are many software security courses available, like Defending Web Applications Security Essentials by SANS, Certified Application Security Engineer by EC-Council, and Certified Secure Software Lifecycle Professional by (ISC)².

Security by Design

To implement security by design means to involve security from the initial stages until delivery. Designing a secure application is way more effective than patching security issues at later stages and then going through testing again.

Security by design requires a threat analysis at the design stage in order to identify the threats and the types of attacks that might be used for each threat. Mitigation techniques are then selected for each threat and inserted into the design of the application.

It is important that basic security principles are applied in the design, such as least privilege, segregation of duties, secure authentication and authorization, and secure failure.

Security by design also requires security testing at each of the development, testing and release stages. Testing includes Design Security Review at the Design stage, Application Security Testing at the Component Testing stage, System Security Acceptance Testing at the System Integration Testing stage, and finally Penetration Testing at the Deployment stage.

Secure Coding Practices

Developers are at the core of the SDLC; it is therefore necessary for them to write code with a defensive mindset.

“All input is evil, until proven otherwise.” ― Michael Howard & David LeBlanc, Writing Secure Code

The OWASP Secure Coding Practices Quick Reference Guide sets clear instructions related to secure coding. The instructions tackle the following concepts:

  • Data Validation
  • Authentication and Password Management
  • Authorization and Access Management
  • Session Management
  • Sensitive Information Storage or Transmission
  • System Configuration Management
  • General Coding Practices
  • Database Security
  • File Management
  • Memory Management

Code Review

Even with a security mindset, the best developers are prone to make mistakes. This is where code review comes in as an additional layer of security. Often developers are so deep into the code that they might miss a bug. Having a peer developer review another developer’s code introduces a new perspective with a fresh set of eyes that might identify mistakes overlooked by the original developer. The OWASP Code Review Guide is an excellent guidance document that focuses on the mechanics of reviewing code for certain vulnerabilities.

Repository Security

The source code repository can be the crown jewels of many companies, and the target of many attackers. Securing the repository with proper security controls like strict access controls and encryption is necessary to prevent intellectual property theft, or a leak that might damage the company’s reputation.

Theft of source code can also allow hackers to check the code for bugs and exploit them, thus gaining access to the company’s network or to client devices and information.

In case the software is sold to clients or made publicly available as open source, attackers that are able to modify the code in the repository can inject malware that compromises the networks and devices of the clients or the software users, which is what happened with the Octopus Scanner malware mentioned earlier.

Change Management

While change management is an integral part of the SDLC from an operational perspective, it can also serve as a strong security control.

A solid change management process can ensure that no malicious or unintended changes are made to the code during the transition from development to user acceptance testing, and then to release. It can also guarantee that no software or update is released without the sign-off of security personnel that have tested the software and cleared it for release.

DevSecOps

The DevOps development model has proven effective for a large number of companies when it comes to faster releases. To make things even better, the principle on which DevOps is built, the collaboration between developers and IT operations, can easily cater for the introduction of security, which brings us to DevSecOps.

In traditional development processes, security was introduced at the end stage. With DevSecOps, and since developers, security professionals and IT operations work in collaboration throughout the whole process, security can easily be introduced at the design stage, and continue throughout the release.

Moreover, since DevOps relies heavily on automation tools, security professionals can introduce their own tools into the DevSecOps process, further reducing the time and effort required.

Additional Considerations

Always use up-to-date third-party libraries to avoid introducing vulnerabilities into the software.

Implement proper error handling to avoid unintended code behavior or revealing technical information to malicious users.
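
As an added example (not code from the original article), the handler below applies the page's two points on input validation ("all input is evil") and error handling: it treats the request parameter as hostile and keeps backend failure details out of the client response, with a weak variant shown for contrast. The logger name, the order lookup and the response shape are assumed stand-ins.

```python
import logging
import traceback
import uuid

# Server-side logger (assumed): its output goes to a sink clients cannot read.
log = logging.getLogger("orders")


def _validate_order_id(raw):
    """Treat the input as hostile: accept only 1-9 decimal digits, value >= 1."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 9:
        raise ValueError("order id must be 1-9 decimal digits")
    value = int(raw)
    if value < 1:
        raise ValueError("order id must be positive")
    return value


def _lookup_order(order_id):
    # Constructed stand-in for a database call: order 42 exists, any other id
    # triggers a backend failure so the error path can be exercised offline.
    if order_id == 42:
        return {"id": 42, "status": "shipped"}
    raise RuntimeError("db host db-internal.example:5432 refused connection")


def handle_get_order_leaky(raw_id):
    """Weak version: no validation, and the exception text goes to the client."""
    try:
        return 200, _lookup_order(int(raw_id))
    except Exception as exc:
        return 500, {"error": str(exc)}


def handle_get_order(raw_id):
    """Hardened version: returns (http_status, body) for GET /orders/<id>.

    Invalid input is rejected before it reaches any backend, and the body
    never carries exception text or stack traces; those are logged server-side
    under a reference id the client can quote to support.
    """
    try:
        order_id = _validate_order_id(raw_id)
    except ValueError:
        return 400, {"error": "invalid order id"}
    try:
        return 200, _lookup_order(order_id)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s unhandled error\n%s", ref, traceback.format_exc())
        return 500, {"error": "internal error", "ref": ref}
```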

Use static and dynamic analysis tools to detect vulnerabilities in the code that may have been overlooked.

Security in the SDLC is a very large topic, and while it might seem complex at first, once you start going down the road things will start falling into place. The following are a few useful references to help you on your journey:

  • Microsoft Security Development Lifecycle Practices
  • OWASP Mobile Security Testing Guide
  • OWASP Web Security Testing Guide
  • OWASP Top Ten
  • NIST Secure Software Development Framework

As a final note, the saying “Humans are the weakest link in the security chain” also applies to developers, most of whom are often overworked and have to meet strict deadlines. This is where communication comes in. Talk to your developers, let them understand that security is here to help and not to make the work even harder, understand their concerns and try to work around them. Security works best when all concerned employees feel part of a team, and disgruntled employees might cause intentional or unintentional security disasters. Keep your employees happy and your company will thrive.

Translated from: https://medium/axon-technologies/secure-the-code-prevent-the-breach-afc8745c998c
