From 11308772514915baec3d5f9d64c8cb5eafd127fc Mon Sep 17 00:00:00 2001 From: chenmu-kk <53132802+chenmu-kk@users.noreply.github.com> Date: Mon, 3 Aug 2020 09:49:31 +0800 Subject: [PATCH] =?UTF-8?q?=E6=8F=90=E4=BA=A4=E8=AF=91=E6=96=87=20(#19221)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update 20190222 Developer happiness- What you need to know.md * Update 20190222 Developer happiness- What you need to know.md * Update 20190222 Developer happiness- What you need to know.md * Update 20190222 Developer happiness- What you need to know.md * Update 20190222 Developer happiness- What you need to know.md * Rename sources/talk/20190222 Developer happiness- What you need to know.md to translated/talk/20190222 Developer happiness- What you need to know.md --- ...eloper happiness- What you need to know.md | 79 ------------------- ...eloper happiness- What you need to know.md | 78 ++++++++++++++++++ 2 files changed, 78 insertions(+), 79 deletions(-) delete mode 100644 sources/talk/20190222 Developer happiness- What you need to know.md create mode 100644 translated/talk/20190222 Developer happiness- What you need to know.md diff --git a/sources/talk/20190222 Developer happiness- What you need to know.md b/sources/talk/20190222 Developer happiness- What you need to know.md deleted file mode 100644 index 4a6d8516e2..0000000000 --- a/sources/talk/20190222 Developer happiness- What you need to know.md +++ /dev/null 
@@ -1,79 +0,0 @@ -[#]: collector: (lujun9972) -[#]: translator: (chenmu-kk) -[#]: reviewer: ( ) -[#]: publisher: ( ) -[#]: url: ( ) -[#]: subject: (Developer happiness: What you need to know) -[#]: via: (https://opensource.com/article/19/2/developer-happiness) -[#]: author: (Bart Copeland https://opensource.com/users/bartcopeland) - -Developer happiness: What you need to know -====== -Developers need the tools and the freedom to code quickly, without getting bogged down by compliance and security. -![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/computer_happy_sad_developer_programming.png?itok=72nkfSQ_) - -A person needs the right tools for the job. There's nothing as frustrating as getting halfway through a car repair, for instance, only to discover you don't have the specialized tool you need to complete the job. The same concept applies to developers: you need the tools to do what you are best at, without disrupting your workflow with compliance and security needs, so you can produce code faster. - -Over half—51%, to be specific—of developers spend only one to four hours each day programming, according to ActiveState's recent [Developer Survey 2018: Open Source Runtime Pains][1]. In other words, the majority of developers spend less than half of their time coding. According to the survey, 50% of developers say security is one of their biggest concerns, but 67% of developers choose not to add a new language when coding because of the difficulties related to corporate policies. - -The result is developers have to devote time to non-coding activities like retrofitting software for security and compliance criteria checked after software and languages have been built. And they won't choose the best tool or language for the job because of corporate policies. Their satisfaction goes down and risk goes up. - -So, developers aren't able to devote time to high-value work. 
This creates additional business risk because their time-to-market is slowed, and the organization increases tech debt by not empowering developers to decide on "the best" tech, unencumbered by corporate policy drag. - -### Baking in security and compliance workflows - -How can we solve this issue? One way is to integrate security and compliance workflows into the software development process in four easy steps: - -#### 1\. Gather your forces - -Get support from everyone involved. This is an often-forgotten but critical first step. Make sure to consider a wide range of stakeholders, including: - - * DevOps - * Developers - * InfoSec - * Legal/compliance - * IT security - - - -Stakeholders want to understand the business benefits, so make a solid case for eliminating the security and compliance checkpoints after software builds. You can consider any (or all) of the following in building your business case: time savings, opportunity cost, and developer productivity. By integrating security and compliance workflows into the development process, you also avoid retrofitting of languages. - -#### 2\. Find trustworthy sources - -Next, choose the trusted sources that can be used, along with their license and security requirements. Consider including information such as: - - * Restrictions on usage based on environment or application type and version controls per language - * Which open source components are allowable, e.g., specific packages - * Which licenses can be used in which types of environments (e.g., research vs. production) - * The definition of security levels, acceptable vulnerability risk levels, what risk levels trigger an action, what that action would be, and who would be responsible for its implementation - - - -#### 3\. Incorporate security and compliance from day one - -The upshot of incorporating security and compliance workflows is that it ultimately bakes security and compliance into the first line of code. 
It eliminates the drag of corporate policy because you're coding to spec versus having to fix things after the fact. But to do this, consider mechanisms for automatically scanning code as it's being built, along with using agentless monitoring of your runtime code. You're freeing up your time, and you'll also be able to programmatically enforce policies to ensure compliance across your entire organization. - -New vulnerabilities arise, and new patches and versions become available. Consequently, security and compliance need to be considered when deploying code into production and also when running code. You need to know what, if any, code is at risk and where that code is running. So, the process for deploying and running code should include monitoring, reporting, and updating code in production. - -By integrating security and compliance into your software development process from the start, you can also benefit by tracking where your code is running once deployed and be alerted of new threats as they arise. You will be able to track when your applications were vulnerable and respond with automatic enforcement of your software policies. - -If your software development process has security and compliance workflows baked in, you will improve your productivity. And you'll be able to measure value through increased time spent coding; gains in security and stability; and cost- and time-savings in maintenance and discovery of security and compliance threats. - -### Happiness through integration - -If you don't develop and update software, your organization can't go forward. Developers are a linchpin in the success of your company, which means they need the tools and the freedom to code quickly. You can't let compliance and security needs—though they are critical—bog you down. Developers clearly worry about security, so the happy medium is to "shift left" and integrate security and compliance workflows from the start. 
You'll get more done, get it right the first time, and spend far less time retrofitting code. - --------------------------------------------------------------------------------- - -via: https://opensource.com/article/19/2/developer-happiness - -作者:[Bart Copeland][a] -选题:[lujun9972][b] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://opensource.com/users/bartcopeland -[b]: https://github.com/lujun9972 -[1]: https://www.activestate.com/company/press/press-releases/activestate-developer-survey-examines-open-source-challenges/ diff --git a/translated/talk/20190222 Developer happiness- What you need to know.md b/translated/talk/20190222 Developer happiness- What you need to know.md new file mode 100644 index 0000000000..a172fce94d --- /dev/null +++ b/translated/talk/20190222 Developer happiness- What you need to know.md 
@@ -0,0 +1,78 @@ +[#]: collector: (lujun9972) +[#]: translator: (chenmu-kk) +[#]: reviewer: ( ) +[#]: publisher: ( ) +[#]: url: ( ) +[#]: subject: (Developer happiness: What you need to know) +[#]: via: (https://opensource.com/article/19/2/developer-happiness) +[#]: author: (Bart Copeland https://opensource.com/users/bartcopeland) + +开发者的福音:你必须知道的事 +====== +开发者需要工具和快速编程的自由,不会因为合规性和安全性使得它停滞而无法进行下去。 +![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/computer_happy_sad_developer_programming.png?itok=72nkfSQ_) + +个人需要合适的工具来完成工作。比如说没有比修车中途才发现 你没有完成工作的专业工具更沮丧的事情了。同样的道理也适用在开发者身上:你需要工具来发挥你的最大才能,而不会因为合规性和安全性的需求打断你的工作流程,因此你可以更快速地编码。 + +根据ActiveState的最新研究显示,超过一半的开发人员(具体为51%),每天只需要花费1-4小时的时间进行编程[Developer Survey 2018: Open Source Runtime Pains][1]。换句话说,大多数开发人员花费不到一半的时间编程。根据调查,一半的开发人员认为安全是他们最大的担忧之一,但是由于公司政策方面的原因,67%的开发人员选择在编程时不添加新的语言。 + +结果是开发人员不得不投入更多的精力在非编码的活动上,例如在构建软件和语言之后检查软件的安全性和合规性标准。而且由于公司政策的原因,他们无法选择适合的开发工具或语言。他们的满意度会下降同时风险提高。 + +因此,开发人员无法将时间投入在高价值的工作上。这会带来额外的商业风险,因为他们的上市时间变了慢,并且公司因为没有授权开发人员在不受公司政策影响的前提下决定最佳技术的能力而增加了技术债务。 + +### 固化安全性和合规性的工作流程 + +我们如何解决这个问题呢?一种方式是通过四个简单的步骤将有安全性和合规性的工作流程集成在软件开发中: + +#### 1\. 集中你的力量 + +获得所有相关人员的支持,这是一个经常被遗忘但却至关重要的第一步。确保考虑到了广泛的利益相关者,包括: + + * 开发运维 + * 开发人员 + * 信息安全 + * 合法/合规 + * IT安全 + + + +利益相关者想要了解相关的商业利益,因此要做一个稳固的案例来消除软件构建后的安全性和合规性的检查点。你可以在构建你的商业案例中考虑以下任何一个(或者全部)因素:节省时间,机会成本和开发人员生产力。在开发处理过程中,你也可以通过集成安全性和合规性的工作流程来避免语言的改造。 + +#### 2\. 寻找可信赖的资源 + +接下来,选择可使用的可靠资源,以及他们的许可证和安全要求。考虑到如下相关信息: + + * 基于环境或应用程序类型以及每种语言的版本控制的使用限制 + * 允许哪些开源组件,例如,特定的程序包 + * 哪种环境类型可以使用哪种许可证(例如,研究与生产) + * 安全级别的定义,可接受范围内的漏洞风险级别,什么样的风险级别会触发一个措施,这个措施是什么并且谁来负责它的执行呢 + + + +#### 3\. 
从第一天开始就融入安全性和合规性 + +合并安全性和合规性的工作流程的结果是最终它将安全性和合规性固化成代码中的第一行。它消除了公司政策的麻烦,因为您是按照规范进行编码,而不是必须事后解决问题。但要做到这一点,请考虑在构建代码时采用自动扫描代码的机制,以及对运行时代码使用无代理监视。你可以节省时间,还可以通过编程实施策略来确保整个组织的合规性。 + +出现新的漏洞,并且提供有效的新补丁和版本。所以,将代码部署到生产中以及运行代码时,需要考虑安全性和合规性。你需要知道哪些(如果有的话)代码存在风险以及该代码在何处运行。所以,部署和运行代码的过程应该包括监视,报告和更新生产中的代码。 + +通过一开始就在你的软件开发过程中集成安全性和合规性,你还可以在部署后跟踪代码的运行位置,并在新的威胁出现时获得警报。你也能追踪当你的应用程序何时受到攻击,并通过自动执行软件策略做出响应。 + +如果你的软件开发过程中已经引入了安全性和合规性的工作流程,你将会提高你的生产率。您将能够通过增加编码时间、提高安全性和稳定性、以及在维护和发现安全性和合规性的威胁方面节省的成本和时间来衡量价值。 +### 集成所带来的幸福 + +如果你不开发和更新软件,你的公司将无法前进。开发人员是公司成功的关键,这意味着他们需要快速编写代码的工具和自由。尽管合规性和安全性至关重要,但你不能让这个需求阻碍你的发展。开发人员显然很担心安全性,因此最好的办法就是“左移”,从一开始就集成安全性和合规性的工作流程。你将可以做更多的事情,在第一次就可以完成,而花费更少的时间进行代码更新。 + +-------------------------------------------------------------------------------- + +via: https://opensource.com/article/19/2/developer-happiness + +作者:[Bart Copeland][a] +选题:[lujun9972][b] +译者:[chenmu-kk](https://github.com/chenmu-kk) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://opensource.com/users/bartcopeland +[b]: https://github.com/lujun9972 +[1]: https://www.activestate.com/company/press/press-releases/activestate-developer-survey-examines-open-source-challenges/
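Review bot: In step 3 of the new translated file, the source sentence "You will be able to track when your applications were vulnerable" is rendered as "你也能追踪当你的应用程序何时受到攻击", which says the application was under attack rather than exposed to a vulnerability. The two are different states for anyone following the monitoring advice, so wording such as "追踪你的应用程序何时存在漏洞" would match the source. In the same section, "new patches and versions become available" is translated as "提供有效的新补丁和版本", which reads as "effective" rather than "available". Smaller points in this hunk: "上市时间变了慢" should be "上市时间变慢了"; "合法/合规" for "Legal/compliance" reads as "lawful", where "法务/合规" names the function; and the blank line that precedes "### Happiness through integration" in the deleted source is missing before "### 集成所带来的幸福", so the heading sits directly against the previous paragraph.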