Course overview
If you do not understand the attack, how can you know how to defend against it? The previous courses covered a range of attack techniques; this lesson shows how to build security inside an enterprise, moving from knowing attacks to knowing defenses, which is what every company's security staff ultimately needs.
Course Outline
Section 1. About SDL
Section 2. Vulnerability and incident handling
Section 3. Security operations overview
1. Introduction to SDL
Security Development Lifecycle (SDL), as defined by Microsoft, in seven phases:
Training: core security training for everyone who designs, writes or tests code
Requirements: establish security requirements / define quality gates and bug bars (acceptable bug counts) / security and privacy risk assessment
Design: establish design requirements / analyze and reduce the attack surface / threat modeling
Implementation: use approved tools / deprecate unsafe functions / static analysis
Verification: dynamic analysis / fuzz testing / review of the threat model and attack surface
Release: incident response plan / final security review / release and archive
Response: execute the incident response plan
For more information, see: https://www.microsoft.com/en-us/sdl
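The "deprecate unsafe functions" item of the Implementation phase is usually enforced by a static check that fails the build when a banned C API is called. The script below is an added example (not part of the course notes or of Microsoft's SDL tooling) that scans C source for a small, illustrative subset of the functions Microsoft's banned.h deprecates and suggests the usual replacement; the sample source is constructed for the demonstration.

```python
import re

# Illustrative subset of the C functions Microsoft's SDL banned.h deprecates,
# mapped to the replacement normally recommended. Assumption: this table is a
# demonstration, not the complete banned list.
BANNED = {
    "strcpy":  "strcpy_s / strlcpy",
    "strcat":  "strcat_s / strlcat",
    "sprintf": "snprintf / sprintf_s",
    "gets":    "fgets",
    "strncpy": "strcpy_s / strlcpy (strncpy does not guarantee NUL termination)",
}

# A banned name followed by '(' and not embedded in a longer identifier,
# so strcpy_s( or snprintf( does not trigger the strcpy / sprintf rule.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def strip_comments(src):
    """Remove /* */ and // comments, keeping newlines so line numbers survive.
    Toy lexer: it does not understand comment markers inside string literals."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def find_banned_calls(src):
    """Return [(line_no, function, replacement)] for every banned call in C source."""
    findings = []
    for n, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            fn = m.group(1)
            findings.append((n, fn, BANNED[fn]))
    return findings


def passes_gate(src):
    """Quality gate used by a build step: True only when no banned call remains."""
    return not find_banned_calls(src)


# Constructed sample: two banned calls, two look-alikes that must not be flagged.
SAMPLE_C = """\
#include <string.h>
void copy(char *dst, const char *src) {
    strcpy(dst, src);              /* banned: no bounds check */
    strcpy_s(dst, 64, src);        /* replacement, must not be flagged */
    /* strcat(dst, src); commented out, must not be flagged */
    snprintf(dst, 64, "%s", src);  // comment mentions sprintf, must not be flagged
    gets(dst);
}
"""

if __name__ == "__main__":
    for line_no, fn, fix in find_banned_calls(SAMPLE_C):
        print(f"line {line_no}: {fn}() is banned, use {fix}")
    print("gate:", "pass" if passes_gate(SAMPLE_C) else "FAIL")
```

In a real pipeline this check would run on every commit together with a proper static analyzer; the point of the example is that "deprecate unsafe functions" is an enforced gate, not a recommendation in a wiki page.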
2. Vulnerability and incident handling
2.1 Discovering security issues:
Security requirements analysis: security gets involved early in the project so that issues are found early. Examples: recommendations on web framework and language selection, the storage scheme for sensitive data such as passwords, whether the project has a file upload feature, and so on.
Vulnerability scanning: find security issues with scanners; automate the scans and run them periodically.
Security testing: the main methods are white-box and black-box testing; in practice black-box testing is the usual form.
Intrusion detection: monitor the system after it goes live, using a variety of detection methods, and identify security issues by observing intrusion behavior.
Log analysis: analyze logs after the system goes live to find security issues. Common patterns are suspicious-log rules plus manual analysis, and suspicious-log rules plus a scanner (suspicious requests are replayed through a scanner to confirm the vulnerability).
Establish an SRC (Security Response Center): discover security issues through external security enthusiasts (white-hat researchers).
Cooperate with vulnerability collection platforms: use the reach and influence of such platforms to have security issues reported.
Other channels: undercover work in underground (black-market) communities, cooperation with law enforcement agencies, and so on.
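The "suspicious-log rules + scanner" pattern from the log analysis item above, as an added example that is not part of the course notes: a few rules run over access-log lines in the nginx/Apache combined format, a per-IP counter that catches directory brute-forcing through bursts of 404s, and a function that turns the flagged requests into a replay list for a scanner. The log lines are constructed for the demonstration and use documentation IP ranges; the field order is assumed to be the default combined format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# nginx/Apache "combined" log format. Assumption: fields in the default order.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules applied to the URL-decoded request line. Deliberately narrow: they
# produce candidates for manual review or scanner replay, not verdicts.
PATH_RULES = [
    ("sqli",      re.compile(r"(?i)union\s+select|'\s*or\s+1\s*=\s*1|sleep\s*\(|information_schema")),
    ("traversal", re.compile(r"\.\.[/\\]|/etc/passwd")),
    ("xss",       re.compile(r"(?i)<script|javascript:|onerror\s*=")),
]
# User-Agent strings of well-known scanners (the lazy attacker does not change them).
SCANNER_UA = re.compile(r"(?i)sqlmap|nikto|nmap|acunetix|masscan")


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, not_found_threshold=5):
    """Return suspicious hits and IPs that look like they are brute-forcing paths."""
    hits = []              # (ip, decoded path, rule name)
    not_found = Counter()  # 404s per IP: forced browsing / directory brute force
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue       # unparseable line; in production these should be counted too
        path = unquote(rec["path"])   # decode once so %27 / %3C do not hide the payload
        for name, rx in PATH_RULES:
            if rx.search(path):
                hits.append((rec["ip"], path, name))
        if SCANNER_UA.search(rec["ua"]):
            hits.append((rec["ip"], path, "scanner_ua"))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    scanning_ips = sorted(ip for ip, n in not_found.items() if n >= not_found_threshold)
    return {"hits": hits, "scanning_ips": scanning_ips}


def replay_targets(result):
    """Request paths to replay through a scanner to confirm whether they really are vulnerable."""
    return sorted({path for _, path, rule in result["hits"] if rule != "scanner_ua"})


# Constructed sample log (documentation IP ranges, no real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0800] "GET /item.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0800] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1801 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 350 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0800] "GET /item.php?id=1 HTTP/1.1" 200 1024 "-" "sqlmap/1.7"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0800] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0800] "GET /phpmyadmin HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:01 +0800] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:01 +0800] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:02 +0800] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path, rule in result["hits"]:
        print(f"{rule:10} {ip:14} {path}")
    print("brute-forcing IPs:", result["scanning_ips"])
    print("replay in scanner:", replay_targets(result))
```

The rules are intentionally simple so that the output stays small enough for a human to look at; a hit means "look at this", and the replay list is what closes the loop between log analysis and vulnerability scanning.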
2.2 Handling security vulnerabilities
Defense: input validation (performed on the server, never only in the browser; check data legality by type and range; prefer whitelists over blacklists), output cleanup (error messages and other responses must not leak internal detail), targeted defenses (for example, the HttpOnly flag on session cookies so script cannot read them), and a WAF (Web Application Firewall) as an additional layer.
Fix: a vulnerability knowledge base (detailed vulnerability descriptions and fix methods that developers can actually act on), a fix cycle (time-boxed, with the deadline set by the vulnerability's severity level), and vulnerability review (the security team verifies the fix; the business side's and the developers' word that it is fixed is not sufficient).
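Three of the defense items above in working form, as an added example that is not part of the course notes: server-side whitelist validation of request parameters by type and range, output cleanup that keeps the real error in the log and shows the client a generic message, and a Set-Cookie header with HttpOnly, SameSite and Secure. The parameter schema (page, sort, email) and the helper names are assumptions made for the demonstration.

```python
import re

# Whitelist schema for a hypothetical "list orders" endpoint: each accepted
# parameter with its type and allowed range or set. Anything not listed is
# dropped; anything listed but malformed rejects the whole request.
SCHEMA = {
    "page":  {"type": int, "min": 1, "max": 1000},
    "sort":  {"type": str, "choices": {"price", "date"}},
    "email": {"type": str,
              "pattern": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,}")},
}


class ValidationError(ValueError):
    pass


def validate(params, schema=SCHEMA):
    """Server-side whitelist validation: returns only known, well-formed parameters."""
    clean = {}
    for name, rule in schema.items():
        if name not in params:
            continue
        raw = params[name]
        if not isinstance(raw, str):
            raise ValidationError(f"{name}: unexpected type")
        if rule["type"] is int:
            # Strict integer syntax: rejects "1 OR 1=1", "1e3", "1.0" and absurd lengths.
            if not re.fullmatch(r"-?\d{1,9}", raw):
                raise ValidationError(f"{name}: not an integer")
            value = int(raw)
            if not rule["min"] <= value <= rule["max"]:
                raise ValidationError(f"{name}: out of range")
        else:
            value = raw
            if "choices" in rule and value not in rule["choices"]:
                raise ValidationError(f"{name}: not an allowed value")
            if "pattern" in rule and not rule["pattern"].fullmatch(value):
                raise ValidationError(f"{name}: bad format")
        clean[name] = value
    return clean


def client_error_message(exc, debug=False):
    """Output cleanup: the detail goes to the server log, the client sees a generic message.
    Returns (message shown to the client, line written to the log)."""
    log_line = f"validation failed: {exc}"
    shown = str(exc) if debug else "Invalid request."
    return shown, log_line


def session_cookie_header(session_id, https=True):
    """Set-Cookie header for a session: HttpOnly keeps it out of document.cookie,
    SameSite limits cross-site sending, Secure (on HTTPS) keeps it off plain HTTP."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{16,128}", session_id):
        raise ValueError("session id must be an opaque random token")
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        attrs.append("Secure")
    return "Set-Cookie: session=" + session_id + "; " + "; ".join(attrs)


if __name__ == "__main__":
    print(validate({"page": "3", "sort": "price", "debug": "1"}))   # debug is dropped
    try:
        validate({"page": "1 OR 1=1"})
    except ValidationError as e:
        print(client_error_message(e))
    print(session_cookie_header("k3n0vq9Z1aBcDeFgHiJkLmNoPq"))
```

Note that the validator keeps the parsed integer, not the original string, so later code cannot accidentally concatenate the raw input into a query; and that debug=True exists only so the example can show the difference, never as a production default.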
2.3 Security incident handling
Categories: intrusion / attack / information leak
Severity levels: low risk / medium risk / high risk
Security incident response process: incident confirmation, incident reporting, incident handling, archiving and post-incident review.
3. Security operations overview
Identify and fix security issues, build defenses, and respond quickly to attacks: this is how the SDL is put into practice.
How is it put into practice?
Internal work: security scanning (periodic, scheduled detection), security vulnerability alerts (track major vulnerabilities and their timing, deploy defenses early, deliver fixes early), emergency response, and security monitoring and intrusion detection (find issues through monitoring, then respond and handle them promptly).
External work: establish external communication channels and processes (a unified external contact point and IM tools, security-related contact groups, a site where outsiders can report issues), relationships with the security community (know the well-known security companies and communities, take part in security conferences, actively cooperate within the community), and brand building (take part in joint conferences, host security conferences, create security products and establish security labs).
Notes: NetEase Micro Professional, Web Security Engineer, lesson 05: Web security system construction