Slide 1: From Anti-Patterns to Best Practices: A Practical Guide to DevSecOps Automation and Security

Slide 2: FUD (Fear, Uncertainty, Doubt)
- Computer security is about humans

Slide 3: Speaker
- https:/
- Integration standards project co-lead
- OpenCRE.org maintainer
- Founder of

Slide 4: Itinerary
Observability
1. Shifting left badly
2. Offering bad security services
Reporting
3. Misusing Source of Truth dashboards
4. Security alphabet soup
Measuring
5. Bad metrics

Slide 5: Don't
- Autorun free/vendor tools ("Shift Left")
- Outsource tool and result management to your teams
- Force strict SLAs on teams (unless required for regulation)

Slide 6: Example
- Run Code Scanning per day, per team
- Block teams that fail X number of Code Scan runs
- Demand everyone fix Critical Code Scan findings within 3 days

Slide 7: Observability

Slide 8: Why
- Noise
- Alert fatigue
- Lack of context
- Humans focus on delivery; they should not have to focus on security alerts

Slides 9-10: Do
- Add context to your tools
- Dare to ignore findings automatically
- Dare to fix automatically (beyond dependabot)

Slide 11: Example
- Tag teams per scope/deployment setup (internal/external)
- Ignore noisy tools/rules
- Vertex API, Code-Bison model: "please generate a fix for context"

Slide 12: Don't
- Automagically run centrally configured, immutable scans "somewhere else" and give teams only the reports with things to fix

Slide 13: Example
- Run an open source container image scanning tool
- Teams get results for their production images when they release
- Releases are blocked on Critical findings

Slide 14: "Secure Baseline" != "Secure"
Why
- Noise
- Cryptic messages
- Lack of context
- Lack of information

Slide 15: Do
- Provide everyone with an immutable baseline: "As a minimum we care about"
- Let teams/champions decide what their particular team/scenario needs and customize both scanning and reporting

Slide 16: Sane, distroless (or minimal)
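One way to implement the "immutable baseline plus team customization" and "tag teams per scope" ideas from slides 11 and 15, as an added example that is not from the talk: a small triage step that merges an org-wide baseline (which teams can extend but not weaken) with per-team context, drops rules a team has marked noisy, and decides whether a release is blocked. The baseline, team fields and scanner findings are all constructed for illustration.

```python
"""Context-aware triage of scanner findings (constructed example, not from the slides)."""
from dataclasses import dataclass, field

# Constructed org-wide baseline: rules listed as protected keep their scanner
# severity and cannot be ignored by any team; "critical" always blocks a release.
BASELINE = {"block_on": {"critical"}, "protected_rules": {"hardcoded-secret"}}
SEVERITIES = ["low", "medium", "high", "critical"]


@dataclass
class TeamContext:
    """Hypothetical per-team tag: deployment scope plus the team's own tuning."""
    name: str
    exposure: str                                      # "internal" or "external"
    ignored_rules: set = field(default_factory=set)    # noisy rules the team drops
    extra_block_on: set = field(default_factory=set)   # teams may only add severities


def effective_policy(team):
    """Merge team customisation onto the baseline; the baseline only ever grows."""
    block_on = BASELINE["block_on"] | team.extra_block_on
    ignored = team.ignored_rules - BASELINE["protected_rules"]
    return block_on, ignored


def contextual_severity(finding, team):
    """Use exposure as context: internal-only deployments step a non-protected
    finding down one level; internet-facing ones keep the scanner's severity."""
    sev = finding["severity"]
    if team.exposure == "internal" and finding["rule"] not in BASELINE["protected_rules"]:
        return SEVERITIES[max(SEVERITIES.index(sev) - 1, 0)]
    return sev


def triage(findings, team):
    """Return (findings tagged with team context, release_blocked)."""
    block_on, ignored = effective_policy(team)
    kept = [{**f, "severity": contextual_severity(f, team),
             "team": team.name, "exposure": team.exposure}
            for f in findings if f["rule"] not in ignored]
    return kept, any(f["severity"] in block_on for f in kept)


# Constructed scanner output for one service.
FINDINGS = [
    {"rule": "hardcoded-secret", "severity": "critical", "file": "app/config.py"},
    {"rule": "missing-csp-header", "severity": "medium", "file": "app/web.py"},
    {"rule": "sql-injection", "severity": "critical", "file": "app/db.py"},
]

if __name__ == "__main__":
    for team in (TeamContext("shop", "external"),
                 TeamContext("tools", "internal", ignored_rules={"missing-csp-header"})):
        kept, blocked = triage(FINDINGS, team)
        print(team.name, "BLOCKED" if blocked else "ok", [(f["rule"], f["severity"]) for f in kept])
```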