Democratizing the Secure Software Development Life Cycle

Unity is sharing an open version of its internal Secure Software Development Life Cycle (SSDLC) so that others can benefit from our work. Even better, we’re inviting everyone to contribute to improving it so that we can refine standards for best practices together.


Unity’s security team documented its SSDLC for developers who work at Unity to ensure the quality of our codebase security. This content comes from a variety of sources and distills industry best practices and the combined experience of our security team. 


This information is not exhaustive, complete, or perfect, but we’re publishing it anyway – Unity’s SSDLC is now public, with a broad open-source license.


By releasing this set of documents openly, we hope to contribute to the broader security community and help other teams that are in the process of defining and developing their own SSDLC. 


We also see this as a rare opportunity to recognize the excellent work of our security engineers. Security engineering efforts often go unrecognized, with little to no credit for establishing the practices that become industry standards. Authorship and attribution are a core tenet of this documentation. If it’s adopted by other companies, we invite them to share it with their customers as well. Finally, it’s a chance for us to share some of the steps we take in securing our products with you, since we also want the creators and customers we serve to have the best advice possible to secure their hard work.


What’s in our SSDLC

Without digging deep into the fine details, this section breaks down the structure of our library. We’ve organized our articles into five broad categories: Coding Practice, Language Best Practices, Security Process, Tools and Automation, and Training. 


Coding Practice captures common security best practices from a source code perspective. Here, you’ll find our recommendations to developers around API best practices, common web attacks, and secrets management. 


The Language Best Practices section digs into security considerations specific to different programming languages, with recommendations for Node.js, Golang, C#, and Ruby. We’d love to see you help us expand this section – there are a lot of languages out there! 


The Security Process articles are potentially the most important, if least technical, area. This section will help you to establish consistency in your program and provide a process to properly triage risk in your organization. Here we cover our bug bar and risk rating systems, security requirements, and design and implementation reviews. 


We’ll be adding to Tools and Automation and Training sections after the team has prepared some of Unity’s internal security tooling for this open-source release.



Want our SSDLC? You can have it.

We designed this SSDLC for you to use it as your own. That means you can clone or fork this repository, find and replace “Unity” with “WidgetCo.,” and share it with your developers. The measure of our success for this project is that you clone and reuse it.


This release is just the beginning. We want your feedback. Fork it and make it better (and let us know so that we can adopt your version to improve our own), but please be sure to respect the contribution guidelines and share your knowledge and experience with the community. We’re excited to see our best practices merge with the community’s into a cohesive framework. 


Access Unity SSDLC 


Translated from: https://blogs.unity3d.com/2019/12/04/democratizing-the-secure-software-development-life-cycle/


Source: culiao6493
