开发者指南：如何与安全达成协议.pdf

1、A Developers Guide to Making a Deal with SecurityFour questions that outline how both development and security can get what they want?Larry MaccheroneDevSecOps Transformation,Contrast SecurityLinkedI beatings will continue until morale improves”Captain William Bligh(mutiny on the Bounty)LinkedI Macc

2、heroneLinkedI Security(aka,DevSecOps)is empowered engineering teams taking ownership of the security of their softwarewhile usingFlow,Feedback,and Learning(aka,the 3 ways of DevOps)to continuouslyimprove software value deliveryLinkedI go DevOps?SpeedANDQualityIs Your Dev Team Ready?Question#1LinkedI

3、 of an automated functional test suite that will grow until you trust it to prevent an“unworthy”artifact from getting to the next higher-level branchA single E2E test gets you as much as 30%test coverage and thats all you need for this prerequisiteOnly use solitary unit testing for logic and librari

4、es that are easily isolated w/little to no mocking.Even Martin Fowler now advocates for“sociable unit tests”This functional test suite must be completed prior to the pull-request merge decision1.Because you need it for Software Composition Analysis(SCA).You cant be sure that upgrading to the latest

5、version will not break your app without testing it.2.Because it maximizes the benefits of using IAST tools rather than slower and less accurate SAST tools.Quality reasons should be enough to motivate test writing but with these security reasons,such work is now twice as valuableWhy are functional te

6、sts important for security?LinkedI working agreement document(aka definition of done,Kanban entrance criteria).Connect with me on LinkedIn for the document I start all teams with.2.Devs write happy path test(s),at least,when adding functionality pre-pull-request even if QA writes more later3.Of cour