
Author: Mohit Kalra, Director, Cloud Operations Security, Adobe
Published: April 14, 2021

The central security team in a product development organization plays a critical role in achieving a secure product lifecycle. It is this team that drives the organization's central security vision and works with individual teams to meet their proactive security needs. I lead the technical team of proactive security researchers at Adobe. They are all recognized security experts who help the company adapt to a constantly changing threat landscape. Beyond keeping up with the latest security issues and the potential mitigations that may need to be in place, the security team also faces the challenge of continuously developing its skills and staying closely aligned with the business.

This post focuses on the challenges faced by the security team and potential ways to overcome them.

Increase in technologies as a function of time
A company’s product portfolio is a combination of its existing products, new product launches, and acquisitions intended to fill product feature gaps or expand into new business areas. Over time, this brings a wide variety of technologies and architectures into the company. Moreover, the rate at which new technologies are adopted is far higher than the rate at which old ones are retired. As a result, the central security team needs to keep up with the new technology stacks and architectures being adopted, while also keeping the existing ones in a manageable state. Acquisitions can further complicate this situation, since they bring new technologies into the development environment in a very short time.

Security is not immune to business evolution
Cloud computing and mobile have forced companies to rethink how they should deliver products and services to their customers. Adobe went through a similar transition, from a company offering desktop products to one seeking the right balance between desktop, cloud, and mobile. A security team needs to also quickly align with such business changes.

Multi-platform comes with a multiplication factor
When the same product is offered on multiple operating systems, on multiple form factors (such as mobile and desktop), or deployed on multiple infrastructures, security considerations can increase due to the unique qualities of each platform. The central security team needs to understand and be proficient in these considerations in order to provide effective proactive advice.

Strong subject matter expertise adds to the security team's credibility when it delivers sound security advice to other teams. For security-sensitive areas, experts in the team are essential to providing much deeper advice. That said, no single individual can be an expert on every security topic. Expertise is something that needs to be uniformly distributed throughout a team.

These challenges can be addressed by growing the team organically and through hiring. Hiring solely to acquire a new skill is not the best strategy: the skills needed today quickly become obsolete tomorrow. Therefore, a security team needs to adopt strategies that allow it to continuously evolve and stay current. Some such strategies are discussed below.

Security researchers in a security team should aim for a T-shaped skill set. This allows for a fine balance between breadth and depth in security. The breadth is useful to help cover baseline security reviews. The depth helps researchers become specific security subject matter experts. Having many subject matter experts strengthens the skills of the whole team, since other team members can learn from them, and the experts can provide guidance whenever there is demand in their area of expertise.

Product security is an extension of engineering work. Security requires understanding good design patterns, architecture, code, testing strategies, etc. Writing good software requires strong computer science fundamentals, regardless of which layer of the technology stack you end up working in. Strong computer science skills also help make security skills language- and platform-agnostic. With strong computer science skills, a security researcher can learn a new security concept once and then apply it to different platforms as needed. With such a strong foundation, the cost of finding out the “how” on new platforms is relatively small.

Hire for your gaps but also focus on the ability to learn quickly
A working product has many pieces and processes that make it work. If you can form a mental image of what it takes to make software, you can more clearly see the strengths and weaknesses in your security team. For example, engineering a service requires a good understanding of code (and the languages of choice), frameworks, the technology stack (such as queues, web servers, back-end databases, third-party libraries), the infrastructure used for deployment, TLS configuration, testing methodologies, source control systems, overall design and architecture, REST interfaces, interconnections with various other services, the tool chain involved — the list is extensive. When hiring, one aspect of evaluating a candidate is whether he or she brings a security strength to the team, through passion and past work experience, that can fill an existing gap in the team. However, assessing a candidate's willingness to learn new skills may be even more important. The ability to learn, adapt, and not be tied to a single existing skill is an important factor to look for in candidates when hiring. A secondary goal is to add a variety of security skills to the team and to avoid duplicating skill sets the team already has.

“Skate where the puck’s going, not where it’s been”
To stay current with the business needs and where engineering teams are headed, it is important for the security team to spend part of its time investigating the security implications of the new technologies being adopted by product teams. As Wayne Gretzky famously said, “you want to skate where the puck’s going, not where it’s been.” However, security teams need to cover larger ground. You do have to stay current with new technologies being adopted. Older technologies still get used in the company, as only some teams may move away from them. So it is wise to maintain expertise in those older technologies rather than ignore them, even though the goal is to move teams away from them, since they become harder to secure effectively. Predicting future areas of investment is difficult. A security team can make this task easier by looking at industry trends and talking to engineering teams to find out where they are headed. The managers of a security team also have a responsibility to stay informed about new technologies, as well as the future directions their respective companies may go in, in order to invest in newer areas to grow the team.

If a business has made a decision to invest in cloud or mobile or to change the way it does business, the security team should be one of the first teams in the company to notice the change and to plan early for adapting to it. If the business moves in a certain direction and the security team does not, it can unfortunately label the team as one that only knows the older technology stack. Moreover, it is vital for the security team to show alignment with a changing business. The security team's leadership is primarily responsible for detecting these changes and starting to plan for them early.

If a task is performed repeatedly, the security team should evaluate whether it can be automated or whether tooling can accomplish it more efficiently. The time saved through automation and tooling can free up time and resources, which can then be invested in newer areas that are a priority for the security team.

Growing a security team involves many potential challenges that are not always obvious to an outside observer. The industry’s primary focus is on the new threat landscapes being faced by the business. A healthy mix of organic growth and hiring will help a security team adapt and continuously evolve to accommodate changes introduced by factors beyond its direct control. Both the security researchers and the management team have a responsibility to keep learning and to spend time detecting any potential changes in the security landscape.

About the author: As Director of Cloud Operations Security, Mohit leads the team responsible for proactive security reviews of Adobe's operational environments (AWS, Azure, data centers) as a part of Adobe's Secure Product Lifecycle. His team also drives the operational security stack that product teams use to meet their security needs and to extend security monitoring of their operational environments. His team is also responsible for pushing the security requirements, design and implementation of Adobe's own operational platform.