Through my security development work at Phoenix and Perfect World I have gained a good understanding of the field. Below I summarize my past experience and lessons.
Security development needs a maturity model. When a company is just starting out, the target level can be set low and less needs to be done; as proficiency and understanding of security development grow, the organization moves step by step into the higher levels of the model.
What follows is a brief outline of the controls in the maturity model as I see it. I have not split the controls into maturity levels here; you can assign levels to suit your own organization.
1. Management security controls
1.1 Establish security responsibilities. The goal is to make clear who is responsible for what within the organization.
Work content:
A) The security body (for example an Information Security Committee) must sit high enough in the organizational structure, for instance directly under the board of directors or the CEO.
B) Document security roles, their responsibilities, and the permissions granted to them.
1.2 Manage security configurations
Work content:
A) Keep up-to-date records of all software in the system, so that when a problem occurs the affected version can be quickly identified and rolled back.
B) Keep bug records and security records for every problem in the system, to better understand the risks present in the existing system.
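To make 1.2 concrete, the following is an added example (not code from the original post): a small configuration registry that keeps the deployment history of each software component together with the bug and security records raised against specific versions, and then answers the two questions above: which currently deployed versions carry known issues, and which earlier version is a safe rollback target. Component names, versions, dates and the issue text are constructed for illustration.

```python
"""Added example, not from the original post: a configuration registry
that tracks deployed versions and the security records against them,
so an affected version can be identified and a rollback target chosen.
All component names, versions and issues are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Deployment:
    component: str      # e.g. "payment-api" (constructed name)
    version: str        # version string exactly as deployed
    deployed_on: date
    deployed_by: str    # who performed the deployment


@dataclass
class SecurityRecord:
    component: str
    affected_versions: List[str]    # versions known to carry the issue
    summary: str
    severity: str                   # "low" | "medium" | "high"
    fixed_in: Optional[str] = None  # first version without the issue, if known


class ConfigRegistry:
    """Deployment history plus bug/security records, per component."""

    def __init__(self) -> None:
        self.deployments: Dict[str, List[Deployment]] = {}
        self.records: List[SecurityRecord] = []

    def record_deployment(self, d: Deployment) -> None:
        hist = self.deployments.setdefault(d.component, [])
        hist.append(d)
        # Keep history ordered by date so "the previous version" is well defined.
        hist.sort(key=lambda x: x.deployed_on)

    def record_issue(self, r: SecurityRecord) -> None:
        self.records.append(r)

    def current_version(self, component: str) -> Optional[str]:
        hist = self.deployments.get(component)
        return hist[-1].version if hist else None

    def issues_for(self, component: str, version: str) -> List[SecurityRecord]:
        return [r for r in self.records
                if r.component == component and version in r.affected_versions]

    def at_risk(self) -> Dict[str, List[str]]:
        """Components whose currently deployed version has a known issue."""
        out: Dict[str, List[str]] = {}
        for comp in self.deployments:
            cur = self.current_version(comp)
            if cur is None:
                continue
            found = self.issues_for(comp, cur)
            if found:
                out[comp] = [r.summary for r in found]
        return out

    def rollback_target(self, component: str) -> Optional[str]:
        """Most recently deployed earlier version with no known issue, or None
        when there is no earlier version or every earlier version is affected."""
        hist = self.deployments.get(component, [])
        for d in reversed(hist[:-1]):
            if not self.issues_for(component, d.version):
                return d.version
        return None


def build_sample_registry() -> ConfigRegistry:
    """Constructed sample data: three releases of one service, one release of
    another, and a single security record affecting the two newest releases."""
    reg = ConfigRegistry()
    reg.record_deployment(Deployment("payment-api", "1.4.0", date(2023, 1, 10), "ops-a"))
    reg.record_deployment(Deployment("payment-api", "1.5.0", date(2023, 2, 1), "ops-b"))
    reg.record_deployment(Deployment("payment-api", "1.6.0", date(2023, 3, 5), "ops-a"))
    reg.record_deployment(Deployment("web-frontend", "2.0.0", date(2023, 2, 20), "ops-c"))
    reg.record_issue(SecurityRecord(
        "payment-api", ["1.5.0", "1.6.0"],
        "refund endpoint skips ownership check (constructed issue)", "high",
        fixed_in="1.6.1"))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for comp, issues in reg.at_risk().items():
        print(f"{comp} {reg.current_version(comp)} has known issues: {issues}")
        print(f"  rollback target: {reg.rollback_target(comp)}")
```

The point of keeping deployments and issue records in one place is that the rollback decision becomes mechanical: the registry walks back through the deployment history and stops at the first version with no record against it, and returns None rather than guessing when every earlier version is also affected.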
1.3 Security awareness and training
Work content:
A) Measure the effectiveness of the security awareness and training content.
B) Track users' understanding of the training and awareness courses.
C) Training and awareness course material must draw on internal sources, and may of course also draw on external security incidents.
1.4 Manage security inventories
Work content:
A) Collect maintenance records and logs from the various systems.
B) Keep a detailed inventory of sensitive assets.
C) Record the causes of security control failures and their solutions.
1.5 Risk assessment
Work content:
A) Identify risks in security operations and maintenance (O&M).
B) Identify risks in the security development process.
C) Define unified security measurement standards within the organization.
2. Coordinate security roles in the organization
2.1 Define the ultimate goal of coordination
Work content:
A) Information-sharing mechanisms. For example, the security department must maintain a vulnerability management database so that the R&D and O&M departments can obtain the information immediately. The corresponding processes grow out of how those departments respond, which in turn strengthens the standing of the security department. Most important of all is to ensure that security problems are fixed promptly.
B) Each department designates its own security contacts, who can help us promote security-related processes within their department.
2.2 Coordination mechanisms
Work content:
A) Security communication must take place both regularly and ad hoc, so that we learn how the other departments understand security as early as possible; if they have misunderstandings we correct them in time so that they stay aligned with our approach.
B) Be sure to stay in contact with external security experts and security companies, so that you learn of the latest vulnerabilities and security solutions as early as possible.
3. Establish security monitoring within the organization
3.1 Incident records
Work content:
A) Be sure to record the details of every security incident; together they form a problem management library within the organization. The first time an incident occurs the organization may be in disarray, but when the process later identifies the same problem it can be resolved immediately.
B) Analyze and categorize security incidents in detail, with the aim of forming a corresponding response team for each category of incident.
3.2 Classify security emergencies by level
Work content:
A) Be sure to define a list of emergencies in advance, so that you are not caught off guard.
B) Write the corresponding emergency response manuals based on that list.
C) Report emergencies level by level. Some departments, afraid of taking responsibility, conceal how dangerous an incident is; this is very risky. If senior management does not understand the security risks, it cannot make good decisions.
3.3 Define inspections of security defense measures
Work content:
A) Regularly check web security defense measures
B) Regularly check operating system security measures
C) Regularly check network security measures
D) Regularly check personnel security measures
3.4 Emergency response content
Work content:
A) A system recovery priority list: important systems must be restored first after a DDoS attack or other major attack.
B) Emergency response plans: define them, and run both scheduled and unscheduled drills.
4. The security group provides corresponding security guidance
4.1 Provide secure coding guidance
Work content:
A) Security design principles, secure coding standards, threat modeling, and threat tree analysis
B) Define the security architecture of the system and identify the trust relationships within it. Pay close attention to the trust relationships, because that is where problems most often arise.
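One way to make the trust relationships in 4.1 B visible is to write the architecture down as data and let a script find the boundary crossings. The following is an added example (not code from the original post): components are placed in trust zones, data flows connect them, every flow whose endpoints sit in different zones is a trust relationship, and the analysis reports the crossings that enter a more trusted zone without the controls that zone's component requires, plus any sensitive data crossing a boundary unencrypted. The zone names, components, flows and control names are all constructed for illustration.

```python
"""Added example, not from the original post: a small trust-boundary
analysis over a constructed component/data-flow model. Zones, components,
flows and control names are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Trust ranking of zones, least trusted first. Constructed for the example.
ZONE_RANK = {"internet": 0, "dmz": 1, "internal": 2, "data": 3}


@dataclass
class Component:
    name: str
    zone: str
    # Controls this component requires on every inbound flow that arrives
    # from a less trusted zone, e.g. {"authn", "input-validation"}.
    inbound_controls: Set[str] = field(default_factory=set)


@dataclass
class Flow:
    src: str
    dst: str
    data: str                       # what crosses, for the report
    sensitive: bool = False         # does it carry data that must be protected?
    controls: Set[str] = field(default_factory=set)   # controls applied to the flow


@dataclass
class Finding:
    flow: Flow
    reason: str


def trust_relationships(components: List[Component], flows: List[Flow]) -> List[Flow]:
    """Flows whose endpoints sit in different zones: the trust relationships."""
    zone = {c.name: c.zone for c in components}
    return [f for f in flows if zone.get(f.src) != zone.get(f.dst)]


def analyse(components: List[Component], flows: List[Flow]) -> List[Finding]:
    """Report boundary crossings that lack required controls or protection."""
    by_name = {c.name: c for c in components}
    findings: List[Finding] = []
    for f in flows:
        if f.src not in by_name or f.dst not in by_name:
            findings.append(Finding(f, "flow references a component missing from the model"))
            continue
        src, dst = by_name[f.src], by_name[f.dst]
        if src.zone == dst.zone:
            continue                           # same zone: no trust boundary crossed
        if ZONE_RANK[src.zone] < ZONE_RANK[dst.zone]:
            # Entering a more trusted zone: the destination's requirements apply.
            missing = dst.inbound_controls - f.controls
            if missing:
                findings.append(Finding(
                    f, f"enters '{dst.zone}' without required controls {sorted(missing)}"))
        if f.sensitive and "encryption" not in f.controls:
            findings.append(Finding(
                f, f"carries sensitive data across '{src.zone}'->'{dst.zone}' unencrypted"))
    return findings


def build_sample_model() -> Tuple[List[Component], List[Flow]]:
    """Constructed four-zone model with one service-to-service call that lacks
    authentication and one unencrypted sensitive read out of the data zone."""
    components = [
        Component("browser", "internet"),
        Component("web-app", "dmz", {"input-validation"}),
        Component("order-service", "internal", {"authn", "input-validation"}),
        Component("orders-db", "data", {"authn"}),
    ]
    flows = [
        Flow("browser", "web-app", "HTTP requests", controls={"input-validation", "encryption"}),
        Flow("web-app", "order-service", "order JSON", controls={"input-validation"}),
        Flow("order-service", "orders-db", "SQL queries", sensitive=True,
             controls={"authn", "encryption"}),
        Flow("orders-db", "order-service", "customer rows", sensitive=True),
        Flow("order-service", "web-app", "order status"),
    ]
    return components, flows


def run_sample() -> List[Finding]:
    components, flows = build_sample_model()
    return analyse(components, flows)


if __name__ == "__main__":
    components, flows = build_sample_model()
    print(f"{len(trust_relationships(components, flows))} trust relationships in the model")
    for fnd in run_sample():
        print(f"{fnd.flow.src} -> {fnd.flow.dst} ({fnd.flow.data}): {fnd.reason}")
```

Each component states the controls it expects from less trusted callers, so the requirement lives with the thing being trusted rather than in a global rule; when the architecture changes, adding a flow to the model is enough to see whether a new trust relationship has appeared without the controls that its destination expects.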
4.2 Security O&M guide
Work content:
A) Security hardening manual
B) Risk analysis of security processes and the corresponding solutions
4.3 Identify security requirements
Work content:
A) Derive a list of security requirements from the requirements document.
B) Pay attention to privacy protection and the constraints imposed by laws and regulations.
C) Implement unified security defense measures. The main purpose is to handle a whole class of problems in one consistent way.
5. Verify
5.1 Verify the code against security vulnerabilities
Work content:
A) Use the OWASP ASDR for threat analysis and prepare the corresponding security testing manual.
B) Use pre-release checks to test for the corresponding risks.
C) Test the security of the frameworks in use, such as Spring, Struts, Zend Framework, and other MVC frameworks.
5.2 Verify system security vulnerabilities
Work content:
A) Use a corresponding methodology, such as OSSTMM or ISSAF, to check for system security vulnerabilities.
5.3 Verify network vulnerabilities
Work content:
A) Use the relevant testing tools to verify network vulnerabilities.
Security development covers a great deal of work, so I have only written down the key points. Expanding each of them would be a substantial amount of work, which is why keeping a piece of software or a web application running securely is never simple.