小米集团的DevSecOps实践

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"多年来，软件开发以及其引发的软件安全问题总是相生相伴。最近几年，国内有越来越多的软件开发团队和企业开始践行DevOps的研发模式。随着DevOps的发展，研发安全保障的思维和技术也在不断演化发展，其中一个重要的思想就是DevSecOps。什么是DevSecOps？它的价值是什么？DevSecOps怎样在企业落地？......针对这些问题，InfoQ记者采访了小米集团信息安全与隐私部负责人王书魁。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"据悉，王书魁有13年的安全从业经验，于2016年加入小米集团，一直都在参与小米集团整个安全体系的建立。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"“人人为安全负责”的DevSecOps理念"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"众所周知，在传统的安全流程中，开发团队负责价值交付，运维团队负责可用性保障，安全团队负责安全保障。但是，这个流程存在一些问题：安全人员与研发人员是割裂的、相互独立的，有时甚至是相互对立和冲突的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"王书魁说：“很多时候，"},{"type":"text","marks":[{"type":"strong"}],"text":"业务会觉得安全在找业务的麻烦，安全觉得业务对安全不重视，安全与业务大部分时间在扯皮，这导致安全风险的闭环管理时间周期长、成本高"},{"type":"text","text":"。“"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"并且，随着业务容器技术、无服务器技术的发展，业务的研发周期和功能迭代频率越来越快，而安全能力的滞后性则越来越明显。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}