Updated on 2025-05-07 GMT+08:00

Software Engineering Security

Software engineering security involves applying security principles, practices, and technologies throughout the software development lifecycle to reduce vulnerabilities and to ensure the confidentiality, integrity, and availability of software. It covers every phase, from requirements analysis, design, coding, and testing through deployment and maintenance.

  • Security design

    Enterprises must adhere to security and privacy design principles, specifications, and legal requirements. During security requirement analysis and design, they analyze threats using service scenarios, data flow diagrams, and network models. Threat, mitigation, and security design solution libraries, derived from the enterprise's security engineering experience and industry best practices, are used for this analysis. Identified threats lead to the development of mitigation measures and corresponding security solutions by application architects. These measures are then translated into security requirements and functions. Security test cases are created based on the company's test case library to ensure system security.

  • Secure coding and testing

    Enterprises must develop secure coding guidelines and ensure that development and test personnel pass the relevant training and exams before onboarding. Additionally, enterprises should run static code scanning tools for regular checks. The scan results are integrated into the CI/CD pipeline and assessed against quality thresholds to evaluate application security. All application systems must clear their static code scanning alerts before release so that no coding-related security issues remain.

    To ensure application security, all cloud services undergo multiple rounds of testing by application test personnel before release. This includes testing for authentication, authorization, API security, and database security. Test cases cover both security requirements from the design phase and penetration test cases from an attacker's perspective. Systems that fail security tests are not permitted to go online.

  • Third-party software security management

    Enterprises must establish clear security requirements and comprehensive control processes for open-source and third-party software. This includes strict controls during the selection, security testing, code security, risk scanning, legal review, use, and exit phases. For instance, during selection, open-source software must meet cybersecurity assessment requirements. When in use, third-party software should be integrated into the application system and evaluated together with the self-developed software to ensure that no new security issues arise.

    Additionally, when vulnerabilities in open-source or third-party software are disclosed, they must be promptly detected and fixed. These software components must be tested as part of the application system to verify that known vulnerabilities are addressed. The list of fixed vulnerabilities should be included in the application system's release notes.

  • Configuration and change management

    Configuration and change management are crucial for maintaining application system security. Enterprises must manage configurations of all application systems, including extracting configuration models (item types, attributes, and relationships) and recording configuration details. Professional CMDB tools are used to manage these configuration items and their relationships.

    Changes to application systems, such as operating system, database, middleware, and application updates, can affect system security and stability, so they must be managed through structured processes. After a change request is generated, the change manager assesses the change level and submits the request to the change committee for approval; only then can the change be implemented as planned. Before implementation, changes must be fully tested in staging environments, using techniques such as gray release and blue-green deployment, so that the committee understands the actions, duration, rollback procedures, and potential impacts.

  • Security approval for rollout

    To ensure that application systems comply with laws, regulations, and enterprise security specifications, and to minimize cybersecurity and privacy compliance risks, cloud security experts from the CCoE team must participate in application rollout activities. They work with application teams to analyze and verify whether the related versions or services meet regional security and privacy compliance requirements.

    To facilitate quick rollouts of application systems with low and medium security and compliance risks, cloud security experts provide a security and privacy compliance self-check list. This list outlines the compliance requirements that enterprises must meet. Application teams use this list for self-checks during development, deployment, and rollout. Systems with medium and low risks can be rolled out after passing the self-check, with results submitted to cloud security experts for audit. High-risk systems require more resources for stricter detection and approval, ensuring both security and timely rollout.
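As an added example, not code from this page or from any vendor's scanning tool, the following release gate applies the quality thresholds described under "Secure coding and testing": it reads constructed SAST output, counts open findings by severity, and fails the pipeline stage when a threshold is exceeded. The finding format, severity names, and threshold values are assumptions chosen for illustration.

```python
"""Release gate that applies quality thresholds to static (SAST) scan results.

Added example: the finding format, severity names, and thresholds below are
constructed assumptions, not the output format of any particular tool.
"""
import json
from collections import Counter

# Constructed sample of what a SAST tool might emit into the CI/CD pipeline.
SAMPLE_SCAN_JSON = json.dumps({"findings": [
    {"id": "F-1", "rule": "sql-injection", "severity": "HIGH",
     "file": "app/db.py", "line": 42, "status": "open"},
    {"id": "F-2", "rule": "weak-hash", "severity": "MEDIUM",
     "file": "app/auth.py", "line": 17, "status": "open"},
    {"id": "F-3", "rule": "hardcoded-secret", "severity": "HIGH",
     "file": "app/cfg.py", "line": 3, "status": "false_positive"},
    {"id": "F-4", "rule": "debug-enabled", "severity": "LOW",
     "file": "app/main.py", "line": 8, "status": "open"},
]})

# Assumed quality thresholds: maximum number of *open* findings per severity.
DEFAULT_THRESHOLDS = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 5, "LOW": 20}


def count_open_findings(scan_json: str) -> Counter:
    """Count open findings by severity; triaged false positives do not count."""
    counts = Counter()
    for finding in json.loads(scan_json).get("findings", []):
        if finding.get("status", "open") == "open":
            counts[finding.get("severity", "UNKNOWN").upper()] += 1
    return counts


def evaluate_gate(scan_json: str, thresholds=DEFAULT_THRESHOLDS):
    """Return (passed, violations). A severity with no threshold fails closed."""
    violations = []
    for severity, n in sorted(count_open_findings(scan_json).items()):
        limit = thresholds.get(severity)
        if limit is None or n > limit:
            shown = "not configured" if limit is None else limit
            violations.append(f"{severity}: {n} open (limit {shown})")
    return (not violations, violations)


if __name__ == "__main__":
    passed, violations = evaluate_gate(SAMPLE_SCAN_JSON)
    print("GATE PASSED" if passed else "GATE FAILED")
    for v in violations:
        print("  -", v)
    raise SystemExit(0 if passed else 1)  # non-zero exit blocks the release stage
```

Run as a pipeline step, the non-zero exit code is what stops the release when an open finding exceeds its threshold; a finding triaged as a false positive is excluded from the count, so the gate reflects the reviewed state rather than the raw tool output.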