A responsible enterprise invests in a software product only if it has been secured with the proper measures at the appropriate time within the software’s product life cycle. 组织必须了解这些安全措施是如何工作的, 实现和行为——在什么情况下它们会失败. The most promising route to impressing this knowledge upon software development teams is the designation of full-time security experts.
有很多论文, 说明构建安全产品的注意事项的指南和手册. Thus, the security community knows (or should know) what must be done to create a secure product. It is also apparent who should take care of these tasks: the teams building and operating the software.
So, the objective seems simple: Embed security expertise into product teams so that they can build secure products. 在一般情况下, the basic means of knowledge development are guidelines and training that can be referenced when designating security roles on the team.
有一点需要注意:知识的发展必须是成功的. Will the team absorb the input and implement security measures according to best practices? 一些做. 他们遵守规则,生产出高于平均水平的安全产品. 许多, 然而, 不, 原因如下, ranging from pressure to get to market to competing priorities to complete ignorance. 好产品与坏产品的比例取决于许多因素. 然而, 勤奋与疏忽项目的比例还有待改进, 即使拥有一个完全安全的产品是雄心勃勃的.
普通的安全方法并不总是足够的
安全开发过程并不是一个新概念. One would expect the challenge of how to instill security knowledge to have already been addressed. 确实有一些现有的解决方案, but it is worth examining under which circumstances they succeed—and where they fail.
的指导方针
编写安全设计和编码的指导方针相对简单. 然而,说服人们阅读这些指导方针是比较棘手的. Achieving security through guidelines is challenging because readers must understand the intent of the guidelines’ author(s) and be able to translate it into concrete measures during a product’s life cycle.
培训
而分散安全文件是有帮助的, it should be supplemented by directly targeting the security knowledge of product teams via training. 培训背后的主要思想是,那些知道得好的人, 做得很好, 类似于谚语“如果你给一个人一条鱼”, 你喂他一天. 如果你教一个人钓鱼,你就喂了他一辈子.”1
但是,仅仅通过几个小时或几天的培训是无法形成安全心态的. 这个课题的复杂性和广泛性需要不断的学习努力.
安全冠军
某些人员可以被指定为安全冠军并通过更长时间进行培训, 更深入的培训机会. 因此,这些人员能够更好地执行安全任务.
有人可能会问, “Will they have time to do the job right and be powerful enough to enforce essential security measures?”
当然, 安全冠军能够而且应该成为更全面的战略的一部分, 组织范围的网络安全战略. 然而,仅凭这一点是不够的. There is always an upcoming deadline that is more important or the discussion with the central security team is unproductive or there is no appropriate expertise available.
单独或联合使用, these security education methods 不 make promising candidates for solving the security knowledge gap. 所有项目的可持续安全成功需要一个更全面的方法.
引进专职产品安全专家
The solution to the challenge of creating secure products is to hire and train engineers fully dedicated to security. They should serve as vehicles to foster a strong sense of security within the product teams. A security engineer should possess a combination of security knowledge, development skills (e.g., coding, design, architecture), infrastructure security insights and other relevant qualifications. 在理想的情况下, the security engineer is someone who can configure and code the product’s security characteristics. 安全本质上是工程师的首要目标, 而不仅仅是完成更重要的任务后再考虑的奖金.
虽然仍然需要遵守和审计检查清单和培训(e.g., 用于安全编码), 内销的权力, knowledge and drive helps product teams implement the right security practices in the right context.
内销的权力, knowledge and drive helps product teams implement the right security practices in the right context.
有几个因素使这一角色能够应对本文讨论的挑战:
- Adding a security engineer to a product team ensures that someone who inherently understands security guidelines and requirements is available.
- The ideal security engineer continuously hones their skills to become more qualified over time so that seldom-used knowledge and concepts 不 fade.
- 一个专职的安全工程师有更少的竞争优先级,并且可以, 因此, 致力于产品安全工作. 可能仍然需要妥协(1).e., 将安全性与其他优先级进行比较), 但无论何时都要把安全放在首位, 透明的, 基于风险的决策可以更容易地做出.
的抗辩
不幸的是,在很多情况下,这种技术不能扩展. 经常, the scaling argument is a synonym for the proposed strategy being too expensive or requiring more resources than the organization has available. 但事实可能并非如此.
考虑在所有项目中花费X时间的适当的安全工作. Does it matter if X activities are performed by a smaller group of security engineers or a larger group of developers? 从高层次的角度来看,肯定不会,原因如下:
- 一个更小的专家团队——每个人负责更多的项目, 有更多的经验, 接受更好的训练——效率更高. They know the tools and are better equipped to verify results and eliminate vulnerabilities.
- A security engineer with the mission of supporting all projects’ security is likely to have more power and objectivity.
- A security engineer supporting the security of several products can potentially align and enforce standards across all products or services.
- The security engineer is much less pressured by the notion of the “train leaving the station” as that person is incentivized differently (e.g., 通过接受不是来自项目负责人的指令, 但从部门主管或中央安全主管那里).
- 工程师可以更好地判断必须做的事情,因为他们有更广泛的经验, meaning they can tune efforts for security up or down per project based on its context. (Anyone who has ever written guidelines knows how challenging it is to include contextual information in a one-size-fits-all document).
即使指定了安全工程师, the product team may still need to perform some security tasks because the security engineer likely cannot write all security-relevant code or configurations. The final decision as to whether a security measure should be applied or not is up to the project and budget owner.
澳门赌场官方下载s must also consider that utilizing security engineers may also have certain challenges:
- 寻找专家可能会很辛苦. 尽管全球网络劳动力比以往任何时候都要多,但市场仍然紧张.2
- The scaling argument may be applicable if one has a significant number of small projects to complete. 这种限制来自于专家切换上下文的能力. 同时支持5个项目可能行得通,但支持20个项目可能行不通.
- 虽然建议的方法使安全性更加透明, 这是件好事吗, 如果规模只是缺乏安全投资意愿的借口, this approach may fail when the cost of hiring the security engineers is made apparent.
结论
如果澳门赌场官方下载希望获得产品安全的权利, 必须指定一个合格的人员来执行开发中的安全任务. It cannot be broadly assumed that project teams can (or will) ensure secure products themselves. 中央安全团队的许多成员主要关注流程设计, 指导方针和治理, 这是不够的. Merely reviewing security concepts or checklists provided by development teams is not the solution, 要么. 更确切地说,是去玄叶3 应该采取安全措施, wherein flaws are fixed directly in the production area on the shop floor as soon as they arise.
尾注
1 什么时候,B.; “授人以渔——领导力课程”BenjaminWann.com, 2021年5月13日
2 Poremba,年代.; “网络安全人才短缺:2023年展望,” 网络安全潜水, 2023年1月5日
3 bto。”什么是Gemba:定义和工具”
奥利弗·克林,CISA
是否有30年以上经验的IT专业人员. 他专门研究信息安全及其在软件开发中的作用. 目前,克林是公司的高级经理 adesso SE是一家上市咨询和IT服务公司. 他领导着一个由专门的安全工程师和渗透测试人员组成的团队, 为客户提供安全专业知识支持.