The Practice of Code Vaccine Technology in the DevSecOps System

Published: 2023-01-03   Author: Dong Yi


Abstract: Security tools play a vital role in helping developers build secure software. However, introducing and fully utilizing security tools without compromising DevOps deployment speed or delivery frequency is challenging. By analyzing the problems of today's traditional security tools, this paper proposes code vaccine technology, which has already been successfully applied in interactive application security testing (IAST) tools and runtime application self-protection (RASP) tools. It describes the practice of code vaccine technology in the DevSecOps system and, taking protection against the remote code execution vulnerability in the Log4j2 component as an example, walks through the protection process of code vaccine technology.


Keywords: DevSecOps; code vaccine technology; RASP; IAST; DevOps


