How do Internet companies create their own security strategy and blueprint? Speaking from a strategic viewpoint, Aberdeen Group identified three phases: find and fix, defend and defer, and secure at the source.
Security assessment is a find-and-fix process: through vulnerability scanning, penetration testing, code auditing, and similar methods, we identify the known security issues of a system, design and implement a security solution, and ultimately resolve those issues. Intrusion detection systems, web application firewalls, and anti-DDoS equipment are tools that perform defensive tasks, and they are equally essential for security: they either prevent a problem from occurring in the first place or respond quickly enough to contain a security incident when it does arise. This part of the security strategy is called defend and defer.
Finally we come to secure at the source, which is what SDL is all about: it reduces security risk at its origin and thereby improves the quality of the finished product. These three strategies complement each other. When something slips through SDL, periodic scanning and security assessment can catch and fix it. Intrusion detection, web application firewalls (WAF), and similar systems let us respond to an incident quickly first and assess the damage afterward. If any one of the three is absent, the company’s security system will probably be dysfunctional and leave openings for attack.
Security operations apply to every part of the company. Your security strategy needs to routinely cover port scanning, vulnerability scanning, code scanning, and other white-box scanning tasks.
Because security is a continuous process (a point I emphasized in “My Security Worldview”), we can never be sure whether a network administrator has opened the SSH port to the Internet through negligence, or whether a small project has somehow escaped security checks and gone live unnoticed. Such negligence in management can break a line of defense built up through hard work. Assuming that management and processes are unreliable, security operations must run periodic security health checks to identify such problems. The fix side of the process has two parts: routine scanning tasks that find vulnerabilities, which need timely repair; and emergency response when a security incident occurs or a 0-day vulnerability is published. Both require well-established systems and processes, as well as a dedicated person assigned responsibility for them.
SDL can also be seen as part of security operations, but because it is so closely tied to software engineering, it is fairly independent. Security operations inevitably involve a variety of security products and tools: some are commercial, others are open source, and even security teams that develop their own will still need some of these tools. These products generate a great many logs, which turn out to be very valuable to security operations. By correlating events across them, we can comprehensively analyze the company’s security status, issue early warnings about future threats, and provide a reference for decision making. A system that ties the various security logs together into security events is called a SOC (security operations center), and establishing a SOC can be regarded as an important goal of security operations.
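As an added illustration of the event correlation a SOC performs (this is example code, not from the book or any product), the script below parses constructed log lines from three hypothetical tools (a WAF, an IDS and sshd, in an invented `timestamp tool verdict src=IP` format) and flags any source IP that at least two different tools reported within a short time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs from three hypothetical tools; the line format is invented.
WAF_LOG = """\
2024-05-01T10:00:05Z waf block src=203.0.113.7 rule=sqli uri=/login
2024-05-01T10:00:09Z waf block src=203.0.113.7 rule=sqli uri=/search
2024-05-01T10:30:00Z waf block src=198.51.100.2 rule=xss uri=/comment
"""
IDS_LOG = """\
2024-05-01T10:01:12Z ids alert src=203.0.113.7 sig=web-scanner-ua
2024-05-01T12:00:00Z ids alert src=192.0.2.9 sig=port-sweep
"""
SSH_LOG = """\
2024-05-01T10:02:40Z sshd fail src=203.0.113.7 user=root
2024-05-01T10:02:41Z sshd fail src=203.0.113.7 user=admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) src=(\S+)")

def parse(text):
    """Turn 'timestamp tool verdict src=IP ...' lines into (time, tool, ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(4)))
    return events

def correlate(events, window_minutes=10, min_tools=2):
    """Flag a source IP seen by at least `min_tools` distinct tools within the window."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, tool, ip in events:
        by_ip[ip].append((ts, tool))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window over this IP's events
            tools = {t for ts, t in hits[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                alerts[ip] = sorted(tools)
                break
    return alerts

ALL_EVENTS = parse(WAF_LOG) + parse(IDS_LOG) + parse(SSH_LOG)
ALERTS = correlate(ALL_EVENTS)  # {'203.0.113.7': ['ids', 'sshd', 'waf']}
```

A single tool's log shows only an isolated block or failed login; correlating them shows one source touching the web application, tripping the IDS and then trying SSH within three minutes, which is the kind of combined picture the SOC is meant to produce.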