
Building an Application Security System: SDL and DevSecOps Approaches

The article examines application security challenges for startups, presents statistical attack data, defines what application security entails, outlines common security issues, and compares two main frameworks—Microsoft's Security Development Lifecycle (SDL) and DevSecOps—offering guidance on selecting and implementing a suitable security system.

Architecture and Beyond

In the early stages of a startup, performance and speed often take precedence over security, leading to hidden risks such as data leakage, abuse of user‑generated assets, and insufficient isolation of personal information. Gartner reports that over 75% of security attacks occur at the application layer, and Forrester’s 2020 survey shows web applications, asset theft, and software vulnerabilities rank among the top attack vectors.

Application security focuses on protecting data and code within the application itself, covering the entire software lifecycle—from design and development to deployment and operation—while excluding network and physical layer concerns.

Typical security concerns fall into two categories, external and internal. On the external side they range from storage backup and recovery, configuration storage, MQ security, service authentication, audit logging, communication encryption and capacity limits to front-end protections such as code obfuscation, anti-scraping and the common web attacks (SQL injection, XSS, CSRF); on the internal side they cover the admin console and the code and deployment pipeline. The following outline lists these issues:

External security
    Backend security
        Storage security
            System backup and recovery
                If the database were deleted right now, what would we do? How quickly could we recover?
                ...
            Configuration storage
                If the configuration center goes down, is there a way to recover quickly?
            MQ security
                Is the necessary isolation between business domains in place?
                If the internal network is breached, is there any authentication logic on the queue?
        Service security
            External-facing services
                Authentication / access control
                    User resource security (asset protection)
                    ...
            Communication confidentiality
                Transport channel encryption
                Content encryption
            Non-repudiation
                Retain logs for 6 months
            Capacity safety
                QPS ceiling and capacity assessment for each service
            Fault tolerance
                Protection of error messages (no internal details leaked to callers)
            Internal-facing services
                Authentication / access control
                ...
        Resource security
            Risk control for monetized resources
            User account risk control
            Campaign URLs, API endpoints and redemption codes protected against brute-force enumeration
        Data security
            Leakage of data volume (order of magnitude)
            Sensitive data leakage
            Defense against database dumping and credential stuffing
    Frontend security
        Application security
            Code obfuscation
            Application hardening
            Secure password input control
            Sensitive data protection
            Anti-proxy
            Common web attacks
                SQL injection
                CSRF
                XSS
                Scrapers
    API security
        SSL encrypted transport
        Parameter encryption
        Protection against malicious calls: rate limiting, degradation
    Account security
        Identity verification
        Login CAPTCHA
        Session timeout control
        Single sign-on
Internal security
    Admin console security
        Strict and fine-grained permission control
        ...
    Code and deployment security
        Is the core code under dedicated ownership and control?
        Does code going to production get the necessary approval or review?
        Does the CI/CD system have the necessary permission control and security controls?
        Is the CI/CD process automated?
        Does the CI/CD process have the necessary security protections, such as signing and key management?
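Several of the outline items above (redemption codes protected against enumeration, rate limiting of malicious API calls, protection of error messages) come together in one small service. The code below is an added example, not code from the original article: it issues high-entropy redemption codes with a keyed checksum, redeems each code once, throttles failed attempts per client in a sliding window, and returns the same generic error for malformed, unknown and already-used codes. The SERVER_KEY, the alphabet and the limits are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Hypothetical server-side key: in a real deployment this comes from a secret
# store, never from source code. Rotating it invalidates all unredeemed codes.
SERVER_KEY = b"example-only-key-do-not-use"

# 32-symbol alphabet (no 0/O/1/I), so every symbol carries exactly 5 bits.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
RANDOM_CHARS = 12  # 12 * 5 = 60 bits of entropy per code
CHECK_CHARS = 4    # 4 * 5 = 20-bit keyed checksum


def _checksum(body: str) -> str:
    """Keyed checksum over the random body: lets the server reject fabricated
    codes before touching the database, without making codes predictable."""
    digest = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest[:4], "big") >> 12  # keep the top 20 bits
    symbols = []
    for _ in range(CHECK_CHARS):
        symbols.append(ALPHABET[n & 31])
        n >>= 5
    return "".join(reversed(symbols))


def generate_code() -> str:
    """Random body from a CSPRNG plus the checksum. A counter or any other
    predictable pattern is exactly what makes codes enumerable."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(RANDOM_CHARS))
    return body + _checksum(body)


def code_is_well_formed(code: str) -> bool:
    if len(code) != RANDOM_CHARS + CHECK_CHARS or any(c not in ALPHABET for c in code):
        return False
    body, check = code[:RANDOM_CHARS], code[RANDOM_CHARS:]
    return hmac.compare_digest(_checksum(body), check)


class RedemptionService:
    """One-time redemption with a per-client sliding window on failed attempts."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                   # injectable for tests
        self.issued = {}                     # code -> already redeemed?
        self.failures = defaultdict(list)    # client_id -> timestamps of failed attempts

    def issue(self) -> str:
        code = generate_code()
        self.issued[code] = False
        return code

    def _throttled(self, client_id: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[client_id] if now - t < self.window]
        self.failures[client_id] = recent
        return len(recent) >= self.max_failures

    def redeem(self, client_id: str, code: str) -> str:
        """Returns "ok", "invalid" or "rate_limited". Malformed, unknown and
        already-used codes all get the same "invalid", so the response does
        not tell the caller which check failed."""
        if self._throttled(client_id):
            return "rate_limited"
        code = code.strip().upper()
        if (not code_is_well_formed(code)
                or code not in self.issued
                or self.issued[code]):
            self.failures[client_id].append(self.clock())
            return "invalid"
        self.issued[code] = True
        return "ok"
```

The 60 random bits are the actual defense against enumeration; the checksum only saves a database round-trip on obviously fabricated input, and the per-client throttle slows a single source but not a distributed one, which is why it is layered on top of the entropy rather than relied on alone.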

Two mainstream methodologies for establishing an application security system are highlighted: Microsoft’s Security Development Lifecycle (SDL) and DevSecOps.

SDL introduces security and privacy principles at every phase of the software lifecycle—requirements, design, development, testing, and release—emphasizing security training as its core component.

DevSecOps integrates security into the DevOps pipeline, promoting a culture where development, security, and operations share responsibility. Its three key elements are empowerment, enablement, and education, ensuring security is embedded early and continuously throughout the CI/CD workflow.

The article outlines core principles for a combined approach: the development team owns security, security checkpoints are embedded throughout the workflow, dedicated security experts provide guidance and assess performance, and an efficient SRC (Security Response Center) is established.

Security training
| Security concepts, threat assessment, web security, security testing and privacy protection
    Raise security awareness across all project staff
    Conduct security training
Requirements analysis
| Establish security standards; create security metrics; assess risk points
    Define security requirement standards and produce a security requirements checklist for later development checks
Design phase
| Establish design standards; propose security solutions; risk assessment and modeling
    Establish security standards for technical designs
    Propose different security solutions for different business forms
    Build a risk assessment model
Development phase
| Use secure tools, deprecate unsafe functions or methods; static scanning
    Use secure tools, including compilers, frameworks and components
    Deprecate unsafe functions and methods
    Write code to the security coding standard and review it during development
    Static analysis
    Security vulnerability analysis and penetration testing of the code
Testing phase
| Dynamic security scanning; fuzz testing; evaluate the security solution
    Dynamic analysis (black-box testing)
    Fuzz testing
    Code audit - SRE
    Code security scanning: every code update is scanned and the vulnerability report reviewed; ask the security team for a remediation where needed
    Web application scanning - QA
    Manual penetration testing - third-party professional security team
Deployment phase
| Incident response plan; confirm the security process; release archiving
    Define a security incident response plan
    Build release-pipeline gates from the AST (application security testing) tool set
        Static application security testing (SAST)
        Software composition analysis (SCA)
        Interactive application security testing (IAST)
        Dynamic application security testing (DAST)
    Release archiving
Production phase
| Run the production incident response process
    Issues discovered by a third-party professional security team
    Severity classification of security issues
    Security issue response process
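The deployment-phase gate described above, where SAST and SCA results block a release, as a worked example. This is added code, not the article's or any vendor's: the report layout is a simplified stand-in for real scanner output, the advisory ids and file names are constructed, and the thresholds are assumptions. The part a practitioner usually gets wrong is shown explicitly: accepted findings carry an expiry date so exceptions cannot become permanent, and a severity the gate cannot classify fails closed.

```python
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Constructed sample reports for this example. The field layout is a simplified
# common denominator, not the output format of any particular scanner, and the
# advisory ids are made up.
SAST_REPORT = json.dumps({
    "tool": "example-sast",
    "findings": [
        {"rule": "sql-injection", "severity": "high", "file": "app/orders.py",
         "line": 42, "fingerprint": "f-a1b2"},
        {"rule": "error-message-disclosure", "severity": "medium",
         "file": "app/errors.py", "line": 10, "fingerprint": "f-c3d4"},
    ],
})
SCA_REPORT = json.dumps({
    "tool": "example-sca",
    "vulnerabilities": [
        {"package": "examplelib", "version": "1.2.0", "advisory": "EXAMPLE-0001",
         "cvss": 9.8, "fixed_in": "1.2.1"},
        {"package": "otherlib", "version": "0.9.0", "advisory": "EXAMPLE-0002",
         "cvss": 5.3, "fixed_in": None},
    ],
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    sast_block_at: str = "high"    # block on SAST findings at or above this severity
    sca_block_cvss: float = 7.0    # block on dependency vulnerabilities with CVSS >= this
    # Accepted risks: finding fingerprint -> date the acceptance expires. An
    # expired acceptance no longer suppresses the finding.
    accepted: dict = field(default_factory=dict)


@dataclass
class Decision:
    blocking: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def allowed(self) -> bool:
        return not self.blocking


def evaluate(sast_json: str, sca_json: str, policy: Policy, today: date) -> Decision:
    decision = Decision()
    threshold = SEVERITY_RANK[policy.sast_block_at]

    for f in json.loads(sast_json)["findings"]:
        desc = f"SAST {f['rule']} ({f['severity']}) at {f['file']}:{f['line']}"
        expiry = policy.accepted.get(f["fingerprint"])
        if expiry is not None and expiry >= today:
            decision.warnings.append(f"{desc} accepted until {expiry.isoformat()}")
            continue
        rank = SEVERITY_RANK.get(str(f["severity"]).lower())
        if rank is None or rank >= threshold:
            # Unknown severity fails closed: a gate that lets through what it
            # cannot classify is not a gate.
            decision.blocking.append(desc)
        else:
            decision.warnings.append(desc)

    for v in json.loads(sca_json)["vulnerabilities"]:
        fix = f", fixed in {v['fixed_in']}" if v["fixed_in"] else ", no fixed version yet"
        desc = f"SCA {v['package']}=={v['version']} {v['advisory']} CVSS {v['cvss']}{fix}"
        target = decision.blocking if v["cvss"] >= policy.sca_block_cvss else decision.warnings
        target.append(desc)

    return decision


def gate(sast_json: str, sca_json: str, policy: Policy, today: date) -> int:
    """CI entry point: prints the verdict and returns the process exit code."""
    decision = evaluate(sast_json, sca_json, policy, today)
    for w in decision.warnings:
        print("WARN ", w)
    for b in decision.blocking:
        print("BLOCK", b)
    print("release", "allowed" if decision.allowed else "blocked")
    return 0 if decision.allowed else 1


if __name__ == "__main__":
    sys.exit(gate(SAST_REPORT, SCA_REPORT, Policy(), date.today()))
```

In a pipeline this runs as the step between the scanners and the deploy job; a non-zero exit code stops the release, and the acceptance list lives in version control next to the policy so every exception is reviewed and dated.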

For early‑stage projects, the article recommends practical steps: comprehensive unit and integration testing, a reliable CI/CD pipeline, robust infrastructure that supports rollbacks, and a software architecture that separates code from configuration (e.g., using a configuration center).

In conclusion, application security is a long‑term, systematic effort that must balance rapid business growth with protective measures. By adopting a hybrid SDL‑DevSecOps approach, startups can gradually embed security checkpoints, leverage automated tools, and involve third‑party experts to continuously improve their security posture.

Tags: Risk Management, application security, DevSecOps, SDL, Security Practices
Written by

Architecture and Beyond

Focused on AIGC SaaS technical architecture and tech team management, sharing insights on architecture, development efficiency, team leadership, startup technology choices, large‑scale website design, and high‑performance, highly‑available, scalable solutions.
