Azure 上的安全开发最佳做法Secure development best practices on Azure

此系列文章介绍了在为云开发应用程序时要考虑的安全活动和控制措施。This series of articles presents security activities and controls to consider when you develop applications for the cloud. 其中还说明了 Microsoft 安全开发生命周期 (SDL) 的各个阶段及生命周期各阶段中要考虑的安全问题和概念。The phases of the Microsoft Security Development Lifecycle (SDL) and security questions and concepts to consider during each phase of the lifecycle are covered. 目标是帮助你定义可在生命周期的每个阶段中使用的活动和 Azure 服务,以便设计、开发和部署更安全的应用程序。The goal is to help you define activities and Azure services that you can use in each phase of the lifecycle to design, develop, and deploy a more secure application.

这些文章中提出的建议来自于我们在 Azure 安全性方面的经验以及我们客户的经验。The recommendations in the articles come from our experience with Azure security and from the experiences of our customers. 可以使用这些文章作为参考,来了解在开发项目的某个特定阶段应考虑哪些事项,但我们还是建议你至少从头到尾通读一遍所有的文章。You can use these articles as a reference for what you should consider during a specific phase of your development project, but we suggest that you also read through all of the articles from beginning to end at least once. 阅读所有文章可让你了解在项目早期阶段可能会忽视的概念。Reading all articles introduces you to concepts that you might have missed in earlier phases of your project. 在发布产品之前落实这些概念,可帮助你构建安全的软件、满足安全合规性要求并降低开发成本。Implementing these concepts before you release your product can help you build secure software, address security compliance requirements, and reduce development costs.

构建和部署安全的 Azure 应用程序,会涉及专业程度各不相同的软件设计人员、开发人员和测试人员,这些文章旨在为他们提供参考资源。These articles are intended to be a resource for software designers, developers, and testers at all levels who build and deploy secure Azure applications.

概述Overview

对于任何应用程序,安全性都是最重要的方面之一,但提供良好的安全性并非易事。Security is one of the most important aspects of any application, and it's not a simple thing to get right. 幸运的是,Azure 提供了许多服务,可帮助你保护云中的应用程序。Fortunately, Azure provides many services that can help you secure your application in the cloud. 这些文章介绍了可在软件开发生命周期各阶段实施的活动和 Azure 服务,以帮助你开发更安全的代码以及在云中部署更安全的应用程序。These articles address activities and Azure services you can implement at each stage of your software development lifecycle to help you develop more secure code and deploy a more secure application in the cloud.

安全开发生命周期Security development lifecycle

要遵循安全软件开发的最佳做法,就必须将安全性集成到软件开发生命周期的每个阶段(从需求分析到维护),而无论项目方法如何Following best practices for secure software development requires integrating security into each phase of the software development lifecycle, from requirement analysis to maintenance, regardless of the project methodology

. 随着引入关注的数据泄露和运营方面的安全缺陷被利用等情况的发生,越来越多的开发人员理解了解决安全性问题是需要贯穿整个开发过程的。In the wake of high-profile data breaches and the exploitation of operational security flaws, more developers are understanding that security needs to be addressed throughout the development process.

在开发生命周期中,解决问题的时间越晚,那么解决问题要耗费的成本也就越高。The later you fix a problem in your development lifecycle, the more that fix will cost you. 安全性问题也不例外。Security issues are no exception. 如果在软件开发早期阶段漠视安全问题,那么后面的每个阶段可能会继承前面的阶段中存在的漏洞。If you disregard security issues in the early phases of your software development, each phase that follows might inherit the vulnerabilities of the preceding phase. 最终产品将会积累很多安全问题,还可能会发生数据泄露。Your final product will have accumulated multiple security issues and the possibility of a breach. 将安全性融入开发生命周期的每个阶段,会有助于及早发现问题,并且有助于降低开发成本。Building security into each phase of the development lifecycle helps you catch issues early, and it helps you reduce your development costs.

我们按照 Microsoft 安全开发生命周期 (SDL) 的各个阶段来介绍活动和 Azure 服务,你可以利用它们在生命周期的各个阶段中完成安全软件开发实践。We follow the phases of the Microsoft Security Development Lifecycle (SDL) to introduce activities and Azure services that you can use to fulfill secure software development practices in each phase of the lifecycle.

SDL 各阶段包括:The SDL phases are:

  • 培训Training
  • 要求Requirements
  • 设计Design
  • 实现Implementation
  • 验证Verification
  • 发布Release
  • 响应Response

安全开发生命周期

在这些文章中,我们将 SDL 的各个阶段划分为三类:设计、开发和部署。In these articles we group the SDL phases into design, develop, and deploy.

让组织的安全团队共同参与Engage your organization's security team

你的组织可能有正式的应用程序安全计划,用于在开发生命周期过程中自始至终为你提供安全活动方面的帮助。Your organization might have a formal application security program that assists you with security activities from start to finish during the development lifecycle. 如果你的组织有安全性和合规性团队,那么在开始开发应用程序前一定要请他们一起参与进来。If your organization has security and compliance teams, be sure to engage them before you begin developing your application. 在 SDL 的每个阶段都要询问他们,是否存在一些被你忽视的任务。Ask them at each phase of the SDL whether there are any tasks you missed.

我们理解,许多读者可能没有可以合作的安全性或合规性团队。We understand that many readers might not have a security or compliance team to engage. 这些文章有助于为你在 SDL 各阶段需要考虑的安全性问题和决策提供指导。These articles can help guide you in the security questions and decisions you need to consider at each phase of the SDL.

资源Resources

以下资源可用于了解有关开发安全应用程序的详细信息,以及帮助保护 Azure 上的应用程序:Use the following resources to learn more about developing secure applications and to help secure your applications on Azure:

Microsoft 安全开发生命周期 (SDL) – SDL 是源于 Microsoft 的一种软件开发过程,可帮助开发人员构建更加安全的软件。Microsoft Security Development Lifecycle (SDL) – The SDL is a software development process from Microsoft that helps developers build more secure software. 它有助于在满足安全性合规要求的同时降低开发成本。It helps you address security compliance requirements while reducing development costs.

开放式 Web 应用程序安全性项目 (OWASP) – OWASP 是一个在线社区,它提供 Web 应用程序安全性领域的免费文章、方法、文档、工具和技术。Open Web Application Security Project (OWASP) – OWASP is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Microsoft 标识平台 – Microsoft 标识平台是由 Azure AD 标识服务和开发人员平台演变而来。Microsoft identity platform – The Microsoft identity platform is an evolution of the Azure AD identity service and developer platform. 它是一个全功能平台,包含身份验证服务、开源库、应用程序注册和配置、完整的开发人员文档、代理示例,以及其他开发人员内容。It’s a full-featured platform that consists of an authentication service, open-source libraries, application registration and configuration, full developer documentation, code samples, and other developer content. Microsoft 标识平台支持 OAuth 2.0 和 OpenID Connect 这样的行业标准协议。The Microsoft identity platform supports industry-standard protocols like OAuth 2.0 and OpenID Connect.

Azure 安全性与合规性蓝图 - Azure 安全性与合规性蓝图资源有助于构建和推出符合严格法规和标准的云助力应用程序。Security and Compliance Blueprints on Azure – Azure Security and Compliance Blueprints are resources that can help you build and launch cloud-powered applications that comply with stringent regulations and standards.

后续步骤Next steps

下面的文章中推荐了一些安全控制措施和活动,有助于设计、开发和部署安全的应用程序。In the following articles, we recommend security controls and activities that can help you design, develop, and deploy secure applications.