We recently started building an SDL from scratch; it is still a blank slate with no resources, so I have summarized the tools and frameworks that can be used across the whole process and am sharing them here.
An Internet company's SDL must be integrated with the existing CI/CD (Continuous Integration/Continuous Deployment) toolchain (IDE, GitLab, Jenkins, JIRA, etc.) to be effective.
Building an SDL must go hand in hand with agile development, continuous delivery and technical operations; in other words, it should follow the idea of security by design.
In practice, an SDL can be roughly divided into four stages: the planning phase, the coding phase, the testing phase and the deployment phase.
1. Planning Phase
In the planning phase, the team needs clear security requirements and must carry out security design, threat modeling, supplier security assessment, security training and so on. Security requirements need to be integrated into software requirements management, UML modeling, project task management and other work.
Security design principles include:
Principle | Explanation |
---|---|
Minimize the attack surface | Minimize the exposure of system vulnerabilities |
Establish default security mechanisms | In the initial state, the relevant settings of the system should be set to secure by default |
Implement the principle of least privilege | It is recommended that accounts have the minimum permissions required to execute their business processes |
Implement the principle of defense in depth | Address the same risk with multiple, different control measures |
Security handling of exceptional matters | Correctly handle program exceptions |
Dealing with uncontrollable situations of third parties | Security measures to deal with uncontrollable situations of external systems |
Separation of duties | Perform permission separation for different management roles |
Avoid security through obscurity | The security of critical systems should not rely solely on confidentiality |
Keep security simple | Business logic should be as simple and effective as possible |
Correctly fix security issues | Find the root cause of the problem, fix it thoroughly, and conduct security testing |
Threat Modeling Tools:
SeaSponge is an open-source, browser-based threat modeling tool provided by Mozilla, which makes it easy to build web threat models in the browser.
Threat Dragon is a free open source threat modeling tool provided by OWASP.
Microsoft Threat Modeling is a free threat modeling tool provided by Microsoft.
Third-party security assessment:
The Google open source VSAQ (Vendor Security Assessment Questionnaire) assessment tool can be used.
Security Training:
Security training is a long-term task that should begin as soon as an employee joins the company.
2. Coding Phase
The main tasks in the coding phase include:
1. Establish Security Coding Standards
2. Static Source Code Security Analysis
3. Open Source Component Security Scanning (OSS)
4. Security Filtering Libraries & Middleware
5. Security Compilation Check
Public Security Coding Standards Reference: OWASP Secure Coding Practice
IDE code detection plugins:
Plugins for Java coding standards: P3C IDE
Plugins for Java vulnerability detection: Findbugs and its successor Spotbugs
Plugins for .NET vulnerability detection: Puma Scan
Plugins supporting C/C++: cppcheck
Open-source component security scanning (OSS) tools:
Commercial products for OSS: BlackDuck
Open-source license compliance checking products: FOSSology
Open-source products for component vulnerability checks: Dependency-Track (can be used with Maven or Jenkins)
Component vulnerability detection products: Snyk (can scan for vulnerabilities in Node.js npm, Ruby and Java dependencies)
The most comprehensive dependency security checks are provided by SourceClear's EFDA.
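To show what the component-vulnerability checkers listed above do at their core, here is an added example (not code from the original post or from any of the products named): it parses a pinned Python requirements file and matches each pin against an advisory list using version ranges. The package names, versions and advisory IDs are constructed for illustration and do not refer to real packages or real vulnerabilities; real tools replace the advisory list with a feed such as the NVD and use a full PEP 440 or semver parser.

```python
"""Minimal software composition analysis (SCA) check.

Added example: parse pinned dependencies (requirements.txt style) and match
them against a small advisory list. Package names, versions and advisory IDs
below are constructed for illustration; they are not real vulnerabilities.
"""
import re
from typing import Iterable, Tuple

# Constructed advisory feed (hypothetical packages; not real advisories).
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "ADV-EXAMPLE-0002", "package": "samplehttp",
     "introduced": "2.0.0", "fixed": "2.3.1"},
]

# Only exact pins ("name==1.2.3") are accepted; anything else is reported, not guessed.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(version: str) -> tuple:
    """'1.4.2' -> (1, 4, 2) so tuples compare numerically.
    Pre-release tags are ignored; real tools use a PEP 440 / semver parser."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def normalize(name: str) -> str:
    """Normalize package names the way most ecosystems do for comparison."""
    return name.lower().replace("_", "-")


def parse_requirements(lines: Iterable[str]) -> Tuple[dict, list]:
    """Return ({normalized name: version}, [lines that were not exact pins]).
    Unpinned lines are returned rather than silently dropped, because an
    unpinned dependency cannot be checked and the scan result is incomplete."""
    pins, skipped = {}, []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _PIN_RE.match(stripped)
        if match:
            pins[normalize(match.group(1))] = match.group(2)
        else:
            skipped.append(stripped)
    return pins, skipped


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: the fixed version itself is not affected."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan(requirements: Iterable[str], advisories=ADVISORIES) -> list:
    """Match every pinned dependency against the advisory list."""
    pins, _skipped = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        name = normalize(adv["package"])
        if name in pins and is_affected(pins[name], adv["introduced"], adv["fixed"]):
            findings.append({"package": name, "version": pins[name],
                             "advisory": adv["id"], "fix": adv["fixed"]})
    return findings


# Constructed sample lockfile used for the demonstration.
SAMPLE_REQUIREMENTS = """\
# constructed sample lockfile
examplelib==1.3.0
samplehttp==2.3.1
Other-Tool==0.9.1
requests>=2.0  # not pinned; reported as skipped
"""

if __name__ == "__main__":
    pins, skipped = parse_requirements(SAMPLE_REQUIREMENTS.splitlines())
    for f in scan(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"{f['package']}=={f['version']}: {f['advisory']} (fixed in {f['fix']})")
    for line in skipped:
        print(f"skipped (not an exact pin): {line}")
```

The half-open range and the explicit "skipped" list are the two details that matter in practice: a scanner that treats the fixed version as affected produces false positives, and one that silently ignores unpinned lines produces false negatives.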
Security filtering libraries & middleware:
Common Java security filtering libraries: ESAPI
For Node.js web security filtering libraries, refer to: egg-security
Browser-side filtering libraries include: DOMPurify
Security compilation check:
In Visual Studio, enable buffer overflow checks with the /GS compiler option and control-flow integrity checks with the /guard:cf option.
iOS app security compilation options include: -fobjc-arc, -fstack-protector-all, -pie
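A compilation check is only useful if the build output is actually verified, because a flag dropped from one build target goes unnoticed otherwise. The following added example (not code from the original post) shows such a post-build check for ELF binaries, which is the format on Linux targets; it generalizes the -pie and -fstack-protector-all options listed above to a check of the produced file. It inspects the ELF header and program headers for position independence, a non-executable stack and stack-protector instrumentation. The sample images it builds are constructed headers, not loadable programs, and PE (/GS, /guard:cf) and Mach-O checks would need their own parsers.

```python
"""Post-build hardening check for ELF64 binaries.

Added example, not from the original post: verifies that a build produced a
position-independent executable (-pie), a non-executable stack and
stack-protector instrumentation (-fstack-protector-all). Only little-endian
ELF64 is handled; the sample images below are constructed headers only.
"""
import struct

ET_EXEC = 2
ET_DYN = 3                      # PIE executables are linked as ET_DYN
PT_GNU_STACK = 0x6474E551       # program header describing stack permissions
PF_X = 0x1                      # executable flag in p_flags
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 header, little-endian, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header, 56 bytes


def check_hardening(elf: bytes) -> dict:
    """Return {"pie", "nx", "canary"} booleans for an ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    # No PT_GNU_STACK header at all means the loader may grant an executable
    # stack, so the default is "not protected" until the header proves otherwise.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)

    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        # Same heuristic checksec uses: the canary failure handler is only
        # referenced when at least one function was built with stack protection.
        "canary": b"__stack_chk_fail" in elf,
    }


def missing_protections(report: dict) -> list:
    """Names of the protections that are absent, for a CI gate to fail on."""
    return [name for name, ok in report.items() if not ok]


def build_sample(pie: bool, nx: bool, canary: bool) -> bytes:
    """Constructed ELF64 image with one PT_GNU_STACK header; not runnable code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    phdr = struct.pack(PHDR_FMT, PT_GNU_STACK, 0x6 if nx else 0x7,
                       0, 0, 0, 0, 0, 16)
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    tail = b"\0__stack_chk_fail\0" if canary else b"\0"
    return ehdr + phdr + tail


if __name__ == "__main__":
    for label, image in (("hardened", build_sample(True, True, True)),
                         ("unhardened", build_sample(False, False, False))):
        report = check_hardening(image)
        print(label, report, "missing:", missing_protections(report))
```

In a pipeline the same function would be run over the real build artifact (read the file into `elf`) and the job failed when `missing_protections` returns a non-empty list.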
3. Testing Phase
3.1 Automated Security Testing
Automated security testing includes static application security testing (SAST), dynamic application security testing (DAST) and interactive application security testing (IAST).
Static application security testing (SAST) is white-box testing of the application.
Commercial products include: Fortify, Qianxin Code Security Guardian
Open-source PHP source code vulnerability scanning products: RIPS, progpilot
A comprehensive security scanning tool for Python, Ruby, and Go languages: huskyCI
The main security scanning tools for Java include: spotbugs and related plugins fb-contrib, find-sec-bugs
A comprehensive security scanning tool for C/C++: flawfinder
A comprehensive security scanning tool supporting multiple languages: Infer
A comprehensive platform for static application security testing: SonarQube
Dynamic application security testing (DAST) is black-box testing of the application.
Commercial products include: AWVS, AppScan, Greenbone Vulnerability Scanner
Open-source products include: Arachni
A product for automated testing of REST API: Astra
A product for security testing of Web Service: WSSAT
An open-source DAST testing product for Android: Qark
Interactive application security testing (IAST) instruments the running application and finds security vulnerabilities from inside it.
Commercial products include: Synopsys Seeker, Veracode, CxIAST
Open-source products for PHP include: PHP taint, PHP Aspis
Open-source products for Java include: security_taint_propagation
3.2 Manual Security Testing
Code Audit and Fuzz Testing
Manual code audit: OWASP Code Audit Guide
Common fuzz testing tools for protocols: Peach fuzzer (can perform black-box testing on various files and protocols)
Sanitizers used with fuzz testing to surface binary vulnerabilities include: ASan, TSan, MSan, UBSan
Open-source Fuzz testing platforms include: OSS-Fuzz
Web Security Testing
Web Security Testing: OWASP Security Testing Guide
Main tools: BurpSuite, Fiddler
Mobile Security Testing
Mobile Security Testing: OWASP Mobile Security Testing Guide
Open-source products include: MobSF
Tools for manual Android testing include: Drozer, AppUse, Xposed, Frida
Tools for manual iOS testing include: needle, iOSSecAudit
4. Deployment Phase
The deployment phase mainly ensures that the developed products can be safely released. Relevant work includes: certificate key management, security configuration reinforcement, operation audit, and penetration testing. Internet companies should establish a secure and controllable release platform, ensure the automation of configuration, and ensure that the release is credible and auditable.
Certificate Key Management:
The Certificate Key Management System (KMS) is responsible for the secure storage, issuance and revocation of API private keys, cloud IAM/STS credentials, database passwords, X.509 certificates, SSH certificates, application signing certificates and encrypted-communication keys. Leakage of these credentials directly affects the company's data security.
Open-source KMS product: Vault
Operation Audit:
Its main goal is to ensure that the release process is controllable and auditable. Supporting technologies for operation audit include a DMS (database management system), a bastion host, and so on.
A DMS gives an Internet company unified management of data, authentication and authorization, security auditing, data trends, data tracking, BI charts and performance optimization, solving the old problem of database access by operations and development staff being uncontrolled and unauditable. Open-source products supporting MySQL include: Yearning
The bastion host records and tracks operations and provides fine-grained, centralized access control to hosts, while reducing the external exposure of key business hosts. Open-source bastion host products include: JumpServer, Guacamole
Penetration Testing:
This is a long-term and continuous process to ensure the security of the business after its launch through comprehensive penetration testing of the business, system, and network.