Scanning Over 30 Billion Lines of Code a Day: How DevSecOps Landed at Huawei

For many years, software development and the software security problems it brings have gone hand in hand. In recent years, more and more software development teams and enterprises in China have begun practising the DevOps model. As DevOps has matured, the thinking and technology behind development security assurance have kept evolving, and one of the important ideas to emerge is DevSecOps. What is DevSecOps? What is its value? How does DevSecOps land in an enterprise? To answer these questions, InfoQ interviewed Huawei technical expert Zhang Kejuan (章可鐫).

Zhang joined Huawei in 2007. He has written code, led products and worked on delivery. About six years ago his focus shifted to building security assurance capability across the software development lifecycle.

From DevOps to DevSecOps

To address security governance in the DevOps field, Gartner proposed the concept of DevSecOps. In short, DevSecOps is a new approach that aims to embed security into every part of the DevOps chain. It helps identify security issues early in the development process rather than after the product is released, and its goal is to make everyone responsible for information security, not just the security department.

The DevSecOps architecture is shown in the figure below:

(Figure: DevSecOps architecture diagram, https://static001.infoq.cn/resource/image/52/05/52b893dd7dyy3eb8c8ced74279659a05.jpg)

Looking at this figure, Zhang says he prefers to split it into its left and right halves. The left half, the "Dev segment", focuses on security assurance during the software development process; the right half, the "Ops segment", focuses on security of the software at runtime.

In other words: "From the perspective of a piece of software or a service, the circle on the left ensures it is 'born' (生) secure; the circle on the right ensures it 'lives' (活) securely. DevSecOps as a whole gives it a happy 'life' (生活)," he says.

Going further, the left and right halves can each be split into upper and lower parts, giving four quadrants. The first quadrant, Configure + Detect, can be understood as runtime security assurance for the application, such as container and infrastructure security, RASP and WAF. The second quadrant, Plan + Create, can broadly be seen as secure design and pre-development preparation, with emphasis on defining security rules, analysing security requirements and considering security during software design. The third quadrant, Verify + Preproduction, is security assurance for the development stage, where AST, fuzzing, SCA and similar techniques apply. The fourth quadrant, Predict + Respond, can be understood as security monitoring of software in production, such as monitoring and responding to security incidents.

In Zhang's view, the birth of the DevSecOps concept went hand in hand with the idea of "shifting security left": finding (and handling) security risks earlier and faster.

He says: "Six Sigma management taught us to do the sums: the earlier a problem is found, the lower the cost. As I understand it, the goal of DevSecOps is to find and handle security problems earlier and faster across every stage of the software lifecycle. It emerged because the existing software development (and operations) processes could not support that goal."

The core of DevSecOps is people, and the culture people form. Zhang believes that although DevOps has stressed the importance of the toolchain from the very beginning, "we still expect the people on the R&D business lines in organisations, enterprises and teams to have the corresponding qualities. When we talk about DevSecOps we stress security competence, but that does not require a professional security background; it mostly means having basic security awareness."

Why Do DevSecOps?

Zhang explains that Huawei's traditional carrier-grade telecom products have always had very strict quality requirements. Once delivered, such products become the customer's assets, so customers (telecom operators, for example) do not let Huawei engineers come and go freely in their equipment rooms, let alone operate the equipment remotely.

Against this background, CT gradually transformed into ICT around 2000 and network security problems of every kind became more prominent; at the same time, Huawei's customers paid ever more attention to security and privacy, and products had to meet the customers' network security compliance requirements. Add the geopoliticisation of security issues, and cyber security gradually became a matter of survival.

"And so-called security requirements usually look only at the outcome: once a problem has occurred, arguments like 'we didn't know' or 'the process was correct' do not hold here," he says.

Huawei's initial approach was simple: bring in the industry's advanced engineering methods and tooling to make Huawei products as secure as possible. In practice, however, they found that even these excellent tools might not cope with the engineering demands of Huawei's enormous scale. The secure-coding checks Huawei runs today need to scan more than 30 billion lines of code per day, and "when we brought these tools in, none of them could simply do that."

How DevSecOps Landed at Huawei

When trying DevSecOps, they wanted security assurance to support rapid iterative development while still balancing the depth of security checks. Second, across different teams and business forms, governance could be neither too loose nor too centralised. And security could not be the concern of only a small group of people: the security team and the development teams should not be adversaries.

(Figure: DevSecOps at Huawei, https://static001.infoq.cn/resource/image/15/c8/15f106dcdcca1b4d3yyc90bc0218a4c8.jpg)

In Zhang's view, one of the basic demands of DevOps is to be "fast", whereas security assurance is inherently "hard to speed up". Security needs a more specialised knowledge background to analyse more complex attack methods and potential security problems, and even when tools are used, their technology stack is deeper than that of ordinary checking tools, which means they take longer.

For example, static checking of source code can be a fast scan if it only checks code style; automated secure-coding checks require flow analysis, and sometimes even a dedicated compilation pass to collect the necessary information.

Huawei's answer is staged configuration, run synchronously or asynchronously as needed. On one hand, fast, simple and unambiguous checking tools or rules are extracted and placed at the front of the development workflow, such as the IDE and the personal code gate, while the heavyweight checks go to the back end, such as the full security verification triggered automatically every night. On the other hand, the heavyweight checks are further separated out into an asynchronous mode, a "slow lane" that does not hold up the "fast lane" of daily high-speed iteration.

Huawei's product lines are very diverse, from traditional telecom equipment to handsets, from embedded systems to cloud services. Different product teams therefore use different development languages and processes to suit their product forms. "We also value 'focusing our strength through one opening' (力出一孔), which means existing capabilities must be reused as much as possible and wheels must not be reinvented."

As Shannon Lietz, one of the authors of the DevSecOps Manifesto, put it, there is no such thing as "one size fits all". Huawei's strategy is to define, for each organisational level, a "minimum set" and "red lines" that must not be crossed, and to leave the rest to the teams' discretion.

The company-level security team provides methods, standards, components, base technology and tools, while the product lines are responsible for their own security quality.

Finally, Shannon Lietz has noted that security assurance is "highly technical work". Yet when the results of the security team's technical work reach the development teams, they are often seen as over-elaborate or as making a mountain out of a molehill. Developers asked to fix potential problems that do not appear to affect normal program functionality easily become resistant, and security checking tools frequently produce false positives.

On this problem: "It is not easy to solve, and unlikely to be solved in the short term; it is a continuous effort to shape security awareness and behavioural norms. We want to create an atmosphere of broad, shared security awareness."

First, establish security standards of every kind and corresponding training courses, covering software design, development, testing and operations;

Second, reward the teams and individuals who take part in building the company's security ecosystem;

Third, set reasonable security review content at existing process nodes so that it fits seamlessly into existing processes and feeds back (as automatically as possible) the security risks found during development;

Fourth, extract the data generated by the tools to support data-driven operations, confirming the tools' value or revealing their shortcomings and improving continuously; for example, using machine learning to reduce false positives has worked very well.

Huawei has also proposed a matrix operating model. When rolling out SAST, for example, the process axis is split into three sub-scenarios, IDE, code commit gate and version-level full scan, and the organisational axis is split into three levels, company, product line and individual product, forming a 3x3 operating system. Each of the nine cells has its own standards, methods, policies, tools and people, which preserves as much flexibility as possible without letting things fall apart.

How to Choose DevSecOps Tools

On the tooling side, Zhang says they "want to absorb the energy of the universe": within the available options, choose the most mature and most capable tools. They consult the recommendations of the major analyst firms and also run comparative tests for selection. They look not only at overall capability but, more importantly, at whether a tool covers the common or latest security problems in Huawei's business scenarios.

They also follow developments in open-source software. "When we choose an open-source tool, what matters is perhaps not what it 'has now' but what it 'can achieve for us'," he says.

Huawei engineers do deeper development on top of open-source tools, "rather than just throwing them onto CI/CD or only adapting a few rules."

Once a tool has been selected or built in-house, Huawei integrates it into the corresponding security tool platform.

According to Zhang, in the design stage Huawei has its own threat modelling tool SecDesign and the privacy analysis, assessment and management platform SecPCP; in the development stage, the secure-coding check platform SecSolar; in the testing stage, the security testing cloud SecGuard. Huawei also has corresponding tools for the Ops stage.

"Excellent tools, backed by the strong engineering capability of each platform and combined with the pipeline, form an automated development-side security toolchain that serves Huawei's product lines and provides enterprise-level security assurance," he says.

Whether choosing an existing tool, partnering, or building in-house, what Huawei values is whether the tool fits its business scenarios. A good tool is not only broadly capable, easy to integrate and open in its ecosystem, but also highly specialised at some particular point.

They are currently exploring several new directions in DevSecOps:

Making more senior, more specialised security services tool-based and engineered; for example, Huawei can now complete formal verification of buffer overflow problems at fairly large scale with manual work assisted by tools, and aims to fully automate it in future;

Providing a work platform for security and privacy assessment and management; for example, under GDPR, WP29 and domestic privacy laws and regulations, which design elements does a product need to consider? Leaving that analysis to the product development team alone would cost a lot of effort and lack expertise;

Making application security testing orchestration (ASTO) more sensible, so that the various kinds of testing interact better.

Trends in DevSecOps

On the future of DevSecOps, Zhang shared a few personal views:

Further left

Shifting further left, in the hope of finding problems even earlier. It used to be said that "quality is designed in"; he believes security quality can move in the same direction. "We see that many start-ups, or companies struggling to survive, may not pay much attention to security, or only to security in the Ops segment." Companies with the capability move security controls left into the Dev stage. At first the focus is on the back-end testing stage; next they try to prevent security problems from being introduced at the coding stage, considering Security as Code. The most ambitious consider as many threat factors as possible at the design or even requirements-analysis stage and define mitigations.

More open

DevSecOps inherits the open thinking of DevOps. For security, Zhang understands this as an open ecosystem and an open mindset.

An open ecosystem: inclusiveness, for example open integration capability (integrating third parties, and being integrated by them) and secondary development of tool capabilities. Beyond rule customisation, even the intermediate results of the analysis process can be exposed to meet more flexible customisation needs.

An open mindset: understanding that security is a more specialised topic that needs specialised solutions, and being willing to learn security knowledge, such as secure design and coding standards, rather than resisting it.

More efficient

From the security perspective, the demand for "efficiency" is especially strong. Those who understand this deeply recognise that some security work cannot avoid manual effort, which means it takes longer. For example, there are still no good automated tools for security analysis in the design stage, and the more specialised security services cannot yet be fully automated. Compilation-based incremental analysis in SAST still has many problems to solve, and when the check sensitivity parameters are turned up, experts from the security team have to collaborate on manual code review and manual triage of tool alerts. How to ensure product lifecycle security more efficiently will be the eternal topic of DevSecOps.
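The fast-lane / slow-lane split described above (cheap, unambiguous rules at the commit gate; heavyweight flow analysis and fuzzing triggered asynchronously at night) can be expressed in an ordinary CI configuration. The following is an added example in GitLab CI syntax, not Huawei's own pipeline; the scripts under `script` are placeholders for whatever style linter, SAST engine and fuzzer a team actually uses.

```yaml
# Added example: fast-lane / slow-lane split in GitLab CI syntax.
# Not Huawei's pipeline. The ./tools/*.sh scripts are placeholders for a
# team's real style linter, SAST engine and fuzzer.
stages:
  - fast-gate      # synchronous: runs on every merge request and must pass
  - slow-lane      # asynchronous: nightly full verification, never blocks MRs

# Fast lane: only cheap, high-precision rules (style plus a curated subset
# of secure-coding rules). Blocking, so a failure stops the merge request.
fast-secure-coding-check:
  stage: fast-gate
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - ./tools/lint-style.sh                             # placeholder: style checks
    - ./tools/sast-lite.sh --ruleset high-precision     # placeholder: curated rules
  allow_failure: false

# Slow lane: heavyweight analysis (dedicated compilation pass, flow analysis,
# long-running fuzzing). Runs only from a pipeline schedule (e.g. a nightly
# schedule configured in the project), so it never delays daily iteration.
nightly-full-security-verification:
  stage: slow-lane
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - ./tools/sast-full.sh --build-for-analysis     # placeholder: compile + flow analysis
    - ./tools/fuzz.sh --budget 6h                    # placeholder: long fuzz campaign
  artifacts:
    paths:
      - reports/          # findings are triaged next morning, not in the MR
    expire_in: 1 week
  timeout: 8h
```

Because the two jobs are selected by `$CI_PIPELINE_SOURCE`, a merge-request pipeline contains only the fast gate and a scheduled pipeline contains only the full verification, which is the "does not hold up the fast lane" property the text describes.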