# Shift-Left Security

## Definition

"Shift left" means identifying security flaws early in the software development lifecycle. By addressing these issues early, teams can fix them before they become bigger problems.
## Core Principle

Move security testing to the early phases of the software development lifecycle, rather than waiting until development is complete to perform security checks.
## Cost Efficiency

| Phase where the flaw is found | Relative cost to fix |
|-------------------------------|----------------------|
| Design | 1x |
| Development / code review | 5-10x |
| Testing | 10-30x |
| Production | 30-100x |
## Implementation

### Design Phase

- Threat modeling
- Security requirements definition
- Security architecture review
### Development Phase

- [[SAST]] static code analysis
- [[SCA]] dependency scanning
- Secure coding standard checks
- IDE security plugin integration
### CI/CD Integration

- Automatically run security scans during the build stage
- A [[Break-the-Build]] mechanism blocks high-risk builds
- Automated dependency updates and vulnerability alerts
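How a Break-the-Build gate can sit at the end of the CI scan stage, as an added example (not code from the original note): it reads normalized SAST/SCA findings, applies a severity threshold plus time-boxed risk exceptions, and exits non-zero to stop the build. The finding record layout, ids, package and file names are constructed for this example.

```python
"""Break-the-Build gate for a CI security stage (added example, not from the
original note; the finding record layout and sample data are constructed)."""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    fail_at: str = "high"  # findings at/above this severity block the build
    exceptions: dict = field(default_factory=dict)  # finding id -> ISO expiry date


def evaluate_gate(findings, policy, today):
    """Return (passed, blocking_ids); `today` is an ISO date string.

    Fails closed: an unrecognized severity blocks the build, and an exception
    only suppresses a finding while today is before its expiry date."""
    threshold = SEVERITY_RANK[policy.fail_at]
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).lower())
        if rank is not None and rank < threshold:
            continue  # below the policy threshold: report, but do not block
        expiry = policy.exceptions.get(f["id"])
        if expiry and date.fromisoformat(today) < date.fromisoformat(expiry):
            continue  # accepted risk, still inside its window
        blocking.append(f["id"])
    return (not blocking, blocking)


# Constructed sample findings, shaped like a normalized SAST/SCA export.
SAMPLE_FINDINGS = [
    {"id": "sast-001", "tool": "sast", "severity": "medium", "file": "app/auth.py"},
    {"id": "sca-dep-001", "tool": "sca", "severity": "high", "package": "example-lib"},
    {"id": "sast-002", "tool": "sast", "severity": "critical", "file": "app/db.py"},
]
# Constructed policy: one high finding is accepted until a pinned upgrade lands.
SAMPLE_POLICY = Policy(fail_at="high", exceptions={"sca-dep-001": "2030-01-01"})

if __name__ == "__main__":
    import sys
    passed, blocking = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_POLICY, date.today().isoformat())
    print("PASS" if passed else f"FAIL, blocking findings: {blocking}")
    sys.exit(0 if passed else 1)  # a non-zero exit is what breaks the build
```

Run as the last step of the scan stage; the expiry on each exception is what keeps accepted risk from silently becoming permanent.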
## Best Practices

1. Developers write secure code and treat security as a priority from the start
2. Security specialists collaborate closely with development teams
3. Use automated tools to reduce the burden of manual review
4. Establish secure coding standards and provide continuous training
## Relationship with Shift-Right

- [[Shift-Left-Security]] ← complements → [[Shift-Right-Security]]
- Shift-left handles security issues in the development phase
- Shift-right handles security issues specific to the production environment
- Together they form complete security coverage
## Related Concepts

- [[DevSecOps]] — methodology that includes the Shift Left strategy
- [[SAST]] — Static Application Security Testing
- [[SCA]] — Software Composition Analysis
- [[OWASP-Top-Ten]] — standard for common security vulnerabilities
- [[Threat Modeling]] — threat modeling
- [[Break-the-Build]] — stop the build when a security check fails
## Sources

- [[what-is-devsecops-best-practices-benefits-and-tools]]