The Secure Development Lifecycle (SDLC) integrates security into every phase of software development, from requirements through design, coding, testing, deployment and maintenance, rather than treating it as a late-stage fix. It puts into practice the principles of "shift left" and "secure by design".
Security throughout the lifecycle
Integrate security into EVERY phase (not just at the end):
REQUIREMENTS → define security requirements; consider compliance
DESIGN → THREAT MODELING; secure architecture; security review of the design
DEVELOPMENT → secure coding practices; code review; SAST in the IDE/CI
TESTING → security testing (SAST, DAST, dependency scanning, pen testing)
DEPLOYMENT → secure configuration; secrets management; hardening
MAINTENANCE → patching, monitoring, incident response, ongoing scanning
→ "shift left" — address security EARLY (cheaper than fixing after a breach).
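What "SAST in CI", "dependency scanning" and "secrets management" look like as a concrete gate, as an added example (not code from the original notes): a small pre-merge check that scans source files for hardcoded secrets (pattern match plus an entropy filter so placeholders like "changeme" do not fire) and checks pinned dependencies against an advisory list. The advisory dict, package names, rule set and sample repository are all constructed for illustration; a real pipeline would query an advisory source such as OSV and use a maintained secret-scanning ruleset rather than the three patterns here. AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key ID, not a live credential.

```python
import math
import re
import sys

# Constructed, hypothetical advisory list: package -> versions known vulnerable.
# A real gate would query an advisory source instead of a literal dict.
VULNERABLE_PINS = {
    "examplelib": {"1.0.0", "1.0.1"},
}

# Assumed secret-detection rules (illustrative; extend for your own stack).
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.0  # bits/char; placeholders such as "changeme" fall below this

REQUIREMENT_LINE = re.compile(
    r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; separates real secrets from placeholders."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text: str):
    """Return (line_number, rule, evidence) for each probable hardcoded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = AWS_ACCESS_KEY.search(line)
        if m:
            findings.append((lineno, "aws-access-key-id", m.group(0)))
        if PRIVATE_KEY_HEADER.search(line):
            findings.append((lineno, "private-key-material", line.strip()))
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "hardcoded-credential", m.group(1)))
    return findings


def scan_dependencies(requirements: str):
    """Return (line_number, rule, evidence) for unpinned or known-vulnerable requirements."""
    findings = []
    for lineno, raw in enumerate(requirements.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQUIREMENT_LINE.match(line)
        if not m:
            findings.append((lineno, "unparseable-requirement", line))
            continue
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        if op != "==":
            # Floating versions defeat reproducible builds and advisory matching.
            findings.append((lineno, "unpinned-dependency", name))
            continue
        if version in VULNERABLE_PINS.get(name, set()):
            findings.append((lineno, "known-vulnerable-version", f"{name}=={version}"))
    return findings


def run_gate(files: dict):
    """files maps path -> content. Returns (passed, findings); CI exits non-zero on failure."""
    findings = []
    for path, content in files.items():
        if path.endswith("requirements.txt"):
            findings += [(path, *f) for f in scan_dependencies(content)]
        else:
            findings += [(path, *f) for f in scan_for_secrets(content)]
    return (not findings, findings)


# Constructed sample repository snapshot (hypothetical files, no real credentials).
SAMPLE_REPO = {
    "config.py": (
        'API_KEY = "changeme"  # placeholder: low entropy, must not fire\n'
        'DB_PASSWORD = "p@ssw0rd-ChangeMe-9f3a"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "requirements.txt": "examplelib==1.0.1\notherlib==3.2.1\nflask>=2.0\n",
}

if __name__ == "__main__":
    passed, findings = run_gate(SAMPLE_REPO)
    for f in findings:
        print("FAIL", *f)
    sys.exit(0 if passed else 1)
```

Run as a CI step; a non-zero exit blocks the merge, which is the point of the gate: the finding is raised while the developer still has the change in front of them, not after deployment. The entropy threshold is a tuning knob; set it too low and every placeholder string becomes a false positive that developers learn to ignore.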
Why shifting left matters
The cost to fix a security flaw GROWS dramatically the later it's found:
caught in design/code (cheap) << found in testing << exploited in PRODUCTION
(very expensive: breach, damage, emergency response)
→ Building security in early (vs bolting it on / fixing breaches) is far more effective
and cheaper.
