2019-07-11_Dev_Sec_Ops_-_Architecture_for_Security_and_Compliance.pdf

Technology has no boundaries; security and compliance do. When software architects plan an architecture, they sometimes overlook the importance of security and regulations. Faced with the laws of many countries and the compliance requirements of commercial contracts, modern software architecture design should also include reasonable countermeasures, covering the 2012 Personal Data Protection Act and this year's GDPR, billed as "the strictest personal data protection law in history". This session explores how software architecture design can respond to the challenges of security automation and compliance.

Yi-Feng Tzeng

July 11, 2019

Transcript

  1. Dev(Sec)Ops
    Architecture for Security and Compliance
    Yi-Feng Tzeng (Ant)
    [email protected]
    2019-07-12

  2. 2/90
    Introduction & Research interest
    13 years of internet R&D experience, 4 years as a consultant.
    Sometimes coding, sometimes immersed in the legal field, roaming the world of information security.
    Web Security
    Data(base) Security
    Agile Way
    Compliance

  3. 3/90
    Agenda
    1. SDLC & Agile (Introduction)
    2. Product Owner & Stakeholders (Roles)
    3. DevOps & Security (Security)
    4. DevOps & Compliance (Compliance)
    5. CI/CD & Pipeline (Practice)

  4. 4/90
    Agenda (Part 1: Introduction)
    1. SDLC & Agile
    2. Product Owner & Stakeholders
    3. DevOps & Security
    4. DevOps & Compliance
    5. CI/CD & Pipeline

  5. 5/90
    Software Development Life Cycle (SDLC)
    Requirements → Design → Code → Test → Deploy

  6. 6/90
    Secure Software Development Life Cycle (SSDLC)
    Requirements: Risk Assessment
    Design: Design Review & Threat Modeling
    Code: Static Analysis
    Test: Code Review & Penetration Testing
    Deploy: Secure Configuration & Security Assessment

  7. 7/90
    Secure Software Development Life Cycle (SSDLC)
    Waterfall
    EVERYTHING WORKS WELL

  8. 8/90
    Agile
    Credit: https://medium.com/innodev/agile-development-for-dummies-dd161da253c7

  9. 9/90
    Agile
    Credit: https://www.kisspng.com/png-scrum-sprint-agile-software-development-systems-de-4949713/
    Scrum

  10. 10/90
    Agile
    Credit: https://sanzubusinesstraining.com/how-to-create-a-kanban-board-to-manage-your-to-do-list/
    Kanban

  11. 11/90
    Agile
    Credit: https://dilbert.com/strip/2007-11-26
    We are going to try a method called agile development.
    It means no planning and no documentation. Just write code and complain.

  12. 12/90
    Agile
    Prejudices
    Adopting Agile leads to chaos.
    Agile is too complex.
    Agile is just sticking the to-do list on the wall, on sticky notes or digitally.
    Agile produces insecure software.
    Agile wastes too much time, for example on daily stand-ups and retrospectives.

  14. 14/90
    Agile
    Credit: http://www.commitstrip.com/en/2017/06/19/security-too-expensive-try-a-hack/

  15. 15/90
    Agile

  16. 16/90
    Agile
    Agile ≠ Fast

  17. 17/90
    Agile
    Many companies have adopted various agile project-management processes,
    such as Scrum or Kanban.
    But only a small fraction of them bring a security mindset to it.

  18. 18/90
    Who says an Agile Coach doesn't need to understand security!?
    Agile
    Injection
    Unreasonable requirements and urgent tickets constantly being injected

  19. 19/90
    Who says an Agile Coach doesn't need to understand security!?
    Agile
    XSS
    Cross-team work thrown over the wall by other teams

  20. 20/90
    Who says an Agile Coach doesn't need to understand security!?
    Agile
    StackOverflow
    I am a Full-Stack Developer,
    which means that if you give me one more task
    my stack will overflow

  21. 21/90
    Who says an Agile Coach doesn't need to understand security!?
    Agile
    God Injection
    The boss gives one order
    and everything turns into meteor-fall development

  22. 22/90
    Meteor-fall development
    Credit: http://eiki.hatenablog.jp/entry/meteo_fall
    Waterfall

  23. 23/90
    Meteor-fall development
    Credit: http://eiki.hatenablog.jp/entry/meteo_fall
    Agile

  24. 24/90
    Meteor-fall development
    Credit: http://eiki.hatenablog.jp/entry/meteo_fall
    Agile
    Whatever the method, before God,
    it is all useless

  25. 25/90
    Agenda (Part 2: Roles)
    1. SDLC & Agile
    2. Product Owner & Stakeholders
    3. DevOps & Security
    4. DevOps & Compliance
    5. CI/CD & Pipeline

  26. 26/90
    Scrum & Product Owner
    “The Product Owner is the sole person responsible for managing
    the Product Backlog.” (Scrum guide)
    “The PO role is responsible for working with the customers and
    stakeholders to understand their needs.”
    Credit: https://www.scrum.org/forum/scrum-forum/7820/product-owner-role-delegated-team

  27. 27/90
    Scrum & Product Owner
    Who are your stakeholders?

  28. 28/90
    Scrum & Product Owner
    Security officers should start taking up
    the role of security stakeholders

  29. 29/90
    Product Backlog
    Product Backlog Item (PBI):
    Features
    Bugs
    Refactoring
    Spike
    Security Features
    Security Stories
    Attacker Stories
    Ab-Use User Stories

  30. 30/90
    Product Backlog
    Scenario: Users are able to register
    Given the user is on “/users/register”
    When the user types the email “[email protected]”
    When the user types the password “xxx”
    When the user clicks the register button
    Then the response should contain “Password must be at least 8 characters long”
    ...
    BDD

  31. 31/90
    Product Backlog
    Scenario: The application should not contain SQL injection vulnerabilities
    And the SQL-Injection policy is enabled
    And the attack strength is set to High
    And the alert threshold is set to Low
    When the scanner is run
    And the following false positives are removed
    | url | parameter | cweId | wascId |
    And the XML report is written to the file output/security/sql_injection.xml
    Then no Medium or Higher risk vulnerabilities should be present
    Credit: https://continuumsecurity.net/bdd-security/
    BDD
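    The last steps of the scenario above (remove the false-positive rows, then require that no Medium or higher risk remains), as an added example that is not BDD-Security's own code. It reads a scan report laid out like an OWASP ZAP XML report; that layout, the sample alerts and the host name are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like an OWASP ZAP XML report (the layout is an
# assumption made here, not something the slide shows). riskcode: 0=Info,
# 1=Low, 2=Medium, 3=High. Two SQLi instances plus one Low header finding.
SAMPLE_REPORT = """<OWASPZAPReport version="2.8.0" generated="constructed">
 <site name="http://app.example" host="app.example" port="80" ssl="false">
  <alerts>
   <alertitem>
    <alert>SQL Injection</alert>
    <riskcode>3</riskcode>
    <instances>
     <instance><uri>http://app.example/search</uri><param>q</param></instance>
     <instance><uri>http://app.example/users/1</uri><param>id</param></instance>
    </instances>
    <cweid>89</cweid>
    <wascid>19</wascid>
   </alertitem>
   <alertitem>
    <alert>X-Content-Type-Options Header Missing</alert>
    <riskcode>1</riskcode>
    <instances>
     <instance><uri>http://app.example/</uri><param>X-Content-Type-Options</param></instance>
    </instances>
    <cweid>16</cweid>
    <wascid>15</wascid>
   </alertitem>
  </alerts>
 </site>
</OWASPZAPReport>
"""

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def parse_findings(report_xml):
    """One dict per alert instance, keyed like the scenario's false-positive table."""
    findings = []
    for item in ET.fromstring(report_xml).iter("alertitem"):
        risk = int(item.findtext("riskcode", "0"))
        cwe, wasc = item.findtext("cweid", ""), item.findtext("wascid", "")
        for inst in item.iter("instance"):
            findings.append({"url": inst.findtext("uri", ""), "parameter": inst.findtext("param", ""),
                             "cweId": cwe, "wascId": wasc, "risk": risk,
                             "name": item.findtext("alert", "")})
    return findings

def remove_false_positives(findings, false_positives):
    """Drop findings that match a | url | parameter | cweId | wascId | row exactly."""
    keys = {(fp["url"], fp["parameter"], fp["cweId"], fp["wascId"]) for fp in false_positives}
    return [f for f in findings if (f["url"], f["parameter"], f["cweId"], f["wascId"]) not in keys]

def gate(report_xml, false_positives=(), minimum_risk=2):
    """Return (passed, offenders); passes only when nothing at Medium (2) or above survives."""
    offenders = [f for f in remove_false_positives(parse_findings(report_xml), false_positives)
                 if f["risk"] >= minimum_risk]
    return len(offenders) == 0, offenders

if __name__ == "__main__":
    ok, left = gate(SAMPLE_REPORT, [{"url": "http://app.example/search", "parameter": "q",
                                    "cweId": "89", "wascId": "19"}])
    print("PASS" if ok else "FAIL", [(f["name"], RISK_NAMES[f["risk"]], f["url"]) for f in left])
```

    A false-positive row suppresses exactly one (url, parameter, cweId, wascId) match, so the second SQL Injection instance still fails the build until it is either fixed or listed as well.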

  32. 32/90
    Product Backlog
    Scenario: Present the login form itself over an HTTPS connection
    Given a new browser instance
    And the client/browser is configured to use an intercepting proxy
    And the proxy logs are cleared
    And the login page is displayed
    And the HTTP request-response containing the login form
    Then the protocol should be HTTPS
    And ...
    Credit: https://continuumsecurity.net/bdd-security/
    BDD

  33. 33/90
    Tools
    SpecFlow (.NET)
    Cucumber (Ruby)
    JBehave (Java)
    Behat (PHP)
    Jest (JavaScript)
    Godog (Go)
    BDD

  34. 34/90
    Agenda (Part 3: Security)
    1. SDLC & Agile
    2. Product Owner & Stakeholders
    3. DevOps & Security
    4. DevOps & Compliance
    5. CI/CD & Pipeline

  35. 35/90
    DevOps & Security
    《Dev ⋅ Ops》
    Like Agile / Lean, it has a core of its own: faster execution and faster learning.
    That is why it is so often described as a culture.
    Exploring security from the DevOps perspective

  37. 37/90
    DevOps & Security

  38. 38/90
    DevOps & Security
    SecDevOps—sometimes called “Rugged DevOps” or “security at
    speed”—as a set of best practices designed to help
    organizations implant secure coding deep in the heart of
    their DevOps development and deployment processes. The goal
    is to automate secure coding and security tests and fixes
    within the workflow, making secure software an inherent
    outcome of DevOps approaches.
    Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/

  39. 39/90
    DevOps & Security
    “SecDevOps seeks to embed security inside the development process
    as deeply as DevOps has done with operations”
    Credit: https://blog.newrelic.com/2015/08/27/secdevops-rugged-devops/

  40. 40/90
    DevOps & Security
    The hinge to success for DevOps security lies in changing
    the underlying DevOps culture to embrace security—with no
    exceptions. As with any other methodology, security must be
    built into DevOps.
    Credit: https://techbeacon.com/devsecops-foundations

  42. 42/90
    DevOps & Security

  43. 43/90
    DevOps & Security

  44. 44/90
    DevOps & Security

  45. 45/90
    Credit: https://www.owasp.org/index.php/OWASP_AppSec_Pipeline#tab=Pipeline_Design_Patterns

  46. 46/90
    Credit: https://www.linkedin.com/in/LarryMaccherone/

  47. 47/90
    Agenda (Part 4: Compliance)
    1. SDLC & Agile
    2. Product Owner & Stakeholders
    3. DevOps & Security
    4. DevOps & Compliance
    5. CI/CD & Pipeline

  48. 48/90
    DevOps & Compliance
    Compliance:
    Security
    License
    Standards
    Regulations
    Law / Policies

  49. 49/90
    DevOps & Compliance
    Many companies have adopted various agile project-management processes,
    such as Scrum or Kanban.
    But only a small fraction of them bring a security mindset to it,
    let alone the much broader scope of compliance, such as GDPR.

  50. 50/90
    DevOps & Compliance
    EU General Data Protection Regulation (GDPR)
    In force since 2018-05-25
    Credit: https://www.clearvertical.co.uk/is-your-website-gdpr-compliant/

  51. 51/90
    DevOps & Compliance
    EU General Data Protection Regulation (GDPR)
    The strictest personal data protection law in history

  52. 52/90
    DevOps & Compliance
    California (US) passes the strictest data privacy law
    Credit: https://www.theverge.com/2018/6/28/17509720/california-consumer-privacy-act-legislation-law-vote

  53. 53/90
    DevOps & Compliance
    CLOUD Act (Clarifying Lawful Overseas Use of Data Act)
    In force since 2018-03-24
    Credit: https://restoreprivacy.com/cloud-act/

  54. 54/90
    DevOps & Compliance
    Compliance:
    Security
    License → Open source
    Standards
    Regulations
    Law / Policies

  55. 55/90
    DevOps & Compliance
    《Legal cases》 United States (1/2)
    2002     MySQL vs. Progress Software
    2006-03  Jacobson vs. Katzer
    2007-10  BusyBox vs. Monsoon
    2007-11  BusyBox vs. Xterasys
    2007-11  BusyBox vs. High-Gain Antennas
    2007-12  BusyBox vs. Verizon
    2008-01  Trend vs. Barracuda
    2008-06  BusyBox vs. Bell Microproduct

  56. 56/90
    DevOps & Compliance
    《Legal cases》 United States (2/2)
    2008-06  BusyBox vs. Super Micro Computer
    2008-07  BusyBox vs. Extreme Networks
    2008-12  FSF vs. Cisco
    2009-02  Microsoft vs. TomTom
    2009-12  BusyBox vs. Best Buy et al. (14 companies)
    2014-12  Ximpleware vs. Versata

  57. 57/90
    Agenda (Part 5: Practice)
    1. SDLC & Agile
    2. Product Owner & Stakeholders
    3. DevOps & Security
    4. DevOps & Compliance
    5. CI/CD & Pipeline

  58. 58/90
    CI/CD & Pipeline
    《Dev ⋅ Ops & CI ⋅ CD》
    DevOps is not a marketing slogan; it is a tool-centred philosophy that supports the continuous-delivery value chain.
    Continuous delivery is a way of releasing software reliably and quickly through an automated deployment pipeline.
    Continuous delivery and DevOps share the same agile and lean background: small, fast changes.
    DevOps is about culture, about clear processes between development and operations. It is about agility.
    You can embrace and practise the DevOps philosophy without implementing continuous delivery.
    Exploring security from the CI/CD & Pipeline perspective

  60. 60/90
    Credit: https://www.linkedin.com/in/LarryMaccherone/

  61. 61/90
    Credit: https://www.linkedin.com/in/LarryMaccherone/
    Where are the difficulties in practice?

  62. 62/90
    CI/CD & Pipeline
    《Pen testing》
    Penetration testing sometimes takes as long as two months.
    Does every commit and change affect the results of the previous penetration test?
    《Compliance validation》
    If a release has to pass an external review body (legal / accounting / audit),
    how can fast experimental cycles be achieved?

  63. 63/90
    Credit: https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700

  65. 65/90
    CI/CD & Pipeline
    Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
    Taking SAFe's Continuous Delivery model as an example
    The Scaled Agile Framework (abbreviated as SAFe)

  66. 66/90
    CI/CD & Pipeline
    Credit: https://www.scaledagileframework.com/release-on-demand/
    Develop on Cadence. Release on Demand.
    - A SAFe mantra

  68. 68/90
    CI/CD & Pipeline
    Credit: https://twitter.com/deanleffingwell/status/612425925515317248

  69. 69/90
    CI/CD & Pipeline
    Credit: https://www.scaledagileframework.com/release-on-demand/
    Develop on Cadence. Release on Demand.
    - A SAFe mantra
    Develop on Cadence (technical process)
    Release on Demand (business decision)

  70. 70/90
    CI/CD & Pipeline
    Credit: https://www.scaledagileframework.com/release-on-demand/
    Develop on Cadence. Release on Demand.
    - A SAFe mantra
    Develop on Cadence (technical process)
    Release on Demand (business decision)
    Decoupling

  71. 71/90
    CI/CD & Pipeline
    Credit: https://martinfowler.com/books/continuousDelivery.html
    Continuous delivery is about putting the release
    schedule in the hands of the business, not in the
    hands of IT.

  73. 73/90
    CI/CD & Pipeline
    Credit: https://martinfowler.com/bliki/ContinuousDelivery.html
    Continuous Delivery is sometimes confused with
    Continuous Deployment. Continuous Deployment
    means that every change goes through the pipeline
    and automatically gets put into production, resulting
    in many production deployments every day. Continuous
    Delivery just means that you are able to do frequent
    deployments but may choose not to do it, usually due to
    businesses preferring a slower rate of deployment. In
    order to do Continuous Deployment you must be doing
    Continuous Delivery.
    Martin Fowler

  75. 75/90
    CI/CD & Pipeline
    Credit: https://www.scaledagileframework.com/release-on-demand/
    Develop on Cadence. Release on Demand.
    - A SAFe mantra
    Develop on Cadence (technical process)
    Release on Demand (business decision)
    Decoupling

  76. 76/90
    CI/CD & Pipeline
    Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
    Taking SAFe's Continuous Delivery model as an example
    The Scaled Agile Framework (abbreviated as SAFe)

  77. 77/90
    CI/CD & Pipeline
    Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
    Taking SAFe's Continuous Delivery model as an example
    The Scaled Agile Framework (abbreviated as SAFe)
    Decoupling

  78. 78/90
    CI/CD & Pipeline
    Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
    Taking SAFe's Continuous Delivery model as an example
    The Scaled Agile Framework (abbreviated as SAFe)
    Business decision | Technical process | Business decision

  79. 79/90
    CI/CD & Pipeline
    Credit: https://www.linkedin.com/pulse/transformation-pmo-jack-caine/
    Business decision | Technical process | Business decision
    Compliance
    Security
    Penetration testing / Red Team Assessment.
    External review bodies (legal / accounting / audit).

  80. 80/90
    [Diagram: Security, Marketing, Compliance and Develop lanes feeding one schedule and pipeline. Labels: needs; pen testing, red team; regulations, controls, standards; unit / integration / performance test; scheduling.]

  81. 81/90
    [Diagram: Security, Marketing, Compliance and Develop lanes feeding one schedule and pipeline. Labels: needs; pen testing, red team; regulations, controls, standards; unit / integration / performance test; scheduling.]

  82. 82/90
    Credit: https://www.linkedin.com/pulse/agile-scrum-gdpr-ruud-van-driel-cissp/

  86. 86/90
    [Diagram: Security, Marketing, Compliance and Develop lanes feeding one schedule and pipeline. Labels: needs; pen testing, red team; regulations, controls, standards; unit / integration / performance test; scheduling.]

  87. 87/90
    Code commit → …… → License analysis → License whitelist / License blacklist / License greylist → Code passes, or → Issue list
    License analysis: static analysis, dynamic analysis, comment analysis, compatibility analysis
    Whitelist (passes): MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ……
    Blacklist (✗, goes to the issue list): AGPL-3.0, CPAL, OSL, SSPL, ……
    Greylist (depends on linking):
    LGPL-2.1 / dynamic linking → OK
    LGPL-2.1 / static linking → NO (✗)
    LGPL-3.0 / dynamic linking → OK
    LGPL-3.0 / static linking → NO (✗)
    ……
    Tools:
    https://github.com/fossology/fossology
    https://github.com/google/licenseclassifier
    https://github.com/github/licensed
    https://github.com/dmgerman/ninka
    https://github.com/jslicense/licensee.js [npm]
    https://github.com/davglass/license-checker [npm]
    https://github.com/pmezard/licenses [Go]
    https://github.com/Comcast/php-legal-licenses [PHP]
    https://github.com/composer/spdx-licenses [SPDX]
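    The licence gate in the flow above, as an added example that is not the speaker's code nor any of the listed tools: it applies the slide's whitelist, blacklist and LGPL linking rule to a constructed dependency list and, going beyond the slide, combines flat SPDX `OR` / `AND` expressions (best verdict for OR, worst for AND). The dependency record shape and the sample manifest are assumptions.

```python
# Licence gate for the slide's flow: commit -> licence analysis -> pass, or issue list.
ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}  # whitelist: passes
DENY = {"AGPL-3.0", "CPAL", "OSL", "SSPL"}                     # blacklist: never passes
GREY = {"LGPL-2.1", "LGPL-3.0"}                                # greylist: depends on linking

# Verdict ordering used when combining SPDX expressions: OK < REVIEW < NO.
RANK = {"OK": 0, "REVIEW": 1, "NO": 2}


def classify_one(license_id, linking=None):
    """Verdict for a single SPDX identifier; linking is 'dynamic', 'static' or None."""
    if license_id in ALLOW:
        return "OK"
    if license_id in DENY:
        return "NO"
    if license_id in GREY:
        # Slide rule: LGPL dynamically linked -> OK, statically linked -> NO.
        return {"dynamic": "OK", "static": "NO"}.get(linking, "REVIEW")
    return "REVIEW"  # unknown licence: a human looks at it via the issue list


def classify(expression, linking=None):
    """Flat SPDX expressions only (no nested parentheses): 'A OR B' is dual licensing,
    so take the best verdict; 'A AND B' means both apply, so take the worst."""
    if " OR " in expression:
        return min((classify(p, linking) for p in expression.split(" OR ")), key=RANK.get)
    if " AND " in expression:
        return max((classify(p, linking) for p in expression.split(" AND ")), key=RANK.get)
    return classify_one(expression.strip(), linking)


def gate(dependencies):
    """Return (passed, issues); issues is the slide's issue list: (name, licence, linking, verdict)."""
    issues = [(d["name"], d["license"], d.get("linking"), classify(d["license"], d.get("linking")))
              for d in dependencies]
    issues = [i for i in issues if i[3] != "OK"]
    return len(issues) == 0, issues


# Constructed sample dependency manifest (assumed shape: name, SPDX licence, linking).
SAMPLE_DEPS = [
    {"name": "libfoo", "license": "MIT"},
    {"name": "libbar", "license": "LGPL-2.1", "linking": "dynamic"},
    {"name": "libbaz", "license": "LGPL-3.0", "linking": "static"},
    {"name": "dbdriver", "license": "SSPL"},
    {"name": "dual", "license": "GPL-2.0 OR Apache-2.0"},
    {"name": "mystery", "license": "Proprietary-Thing"},
]

if __name__ == "__main__":
    passed, issues = gate(SAMPLE_DEPS)
    print("PASS" if passed else "FAIL")
    for issue in issues:
        print(" ", issue)
```

    Anything that is not an outright OK lands on the issue list, so an unrecognised identifier blocks the pipeline until someone classifies it rather than slipping through.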

  88. 88/90
    Password Policy
    XSS
    Insider Threat
    Information Disclosure
    SQL Injection
    GDPR Policy

  89. 89/90
    Agile ≠ Fast
    The product owner must include the security officer among the key stakeholders
    Learn from DevOps/SAFe and introduce a DevSecOps culture
    Use software-engineering techniques to decouple and stage complex processes
    Implement DevSecOps in phases (small steps)
    Make sure every team member agrees on the value of security to customers
    Keep investing in security training and exercises

  90. 90/90
    [email protected]
    https://www.facebook.com/yftzeng.tw
    https://twitter.com/yftzeng
    Yi-Feng Tzeng (Ant)