Ciclul de Viata al Dezvoltarii Software Securizate: Ghid de Implementare SSDLC
Un Ciclu de Viata al Dezvoltarii Software Securizate (SSDLC) integreaza practicile de securitate in fiecare faza a dezvoltarii. Acest ghid acopera implementarea practica a activitatilor de securitate de la cerinte pana la deployment.
Prezentare Generala a Framework-ului SSDLC
Implementarea Portilor de Securitate
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Dict, Optional, Callable
from enum import Enum
import json
class SDLCPhase(Enum):
REQUIREMENTS = "requirements"
DESIGN = "design"
IMPLEMENTATION = "implementation"
VERIFICATION = "verification"
RELEASE = "release"
MAINTENANCE = "maintenance"
class GateStatus(Enum):
PENDING = "pending"
PASSED = "passed"
FAILED = "failed"
WAIVED = "waived"
@dataclass
class SecurityRequirement:
id: str
phase: SDLCPhase
title: str
description: str
verification_method: str
priority: str # critical, high, medium, low
automated: bool = False
tool: Optional[str] = None
@dataclass
class GateResult:
gate_id: str
phase: SDLCPhase
status: GateStatus
requirements_checked: int
requirements_passed: int
requirements_failed: int
critical_failures: List[str]
findings: List[Dict]
evaluated_at: datetime
evaluated_by: str
waiver: Optional[Dict] = None
class SSDLCGateManager:
def __init__(self, project_id: str):
self.project_id = project_id
self.gates: Dict[SDLCPhase, List[SecurityRequirement]] = {}
self.results: Dict[str, GateResult] = {}
self.validators: Dict[str, Callable] = {}
self._initialize_default_gates()
self._register_validators()
def _initialize_default_gates(self):
"""Initializeaza portile de securitate implicite pentru fiecare faza."""
self.gates = {
SDLCPhase.REQUIREMENTS: [
SecurityRequirement(
id="REQ-001",
phase=SDLCPhase.REQUIREMENTS,
title="Cerinte de Securitate Documentate",
description="Toate cerintele de securitate sunt documentate si revizuite",
verification_method="document_review",
priority="critical"
),
SecurityRequirement(
id="REQ-002",
phase=SDLCPhase.REQUIREMENTS,
title="Clasificare Date Completa",
description="Toate tipurile de date sunt clasificate dupa sensibilitate",
verification_method="document_review",
priority="critical"
),
SecurityRequirement(
id="REQ-003",
phase=SDLCPhase.REQUIREMENTS,
title="Cerinte de Conformitate Identificate",
description="Cerintele de conformitate aplicabile sunt documentate",
verification_method="document_review",
priority="high"
),
SecurityRequirement(
id="REQ-004",
phase=SDLCPhase.REQUIREMENTS,
title="Evaluare Risc Completa",
description="Evaluarea initiala de risc a fost efectuata",
verification_method="document_review",
priority="high"
)
],
SDLCPhase.DESIGN: [
SecurityRequirement(
id="DES-001",
phase=SDLCPhase.DESIGN,
title="Threat Model Complet",
description="Modelul de amenintari creat si revizuit",
verification_method="document_review",
priority="critical"
),
SecurityRequirement(
id="DES-002",
phase=SDLCPhase.DESIGN,
title="Revizuire Arhitectura de Securitate",
description="Arhitectura de securitate revizuita si aprobata",
verification_method="expert_review",
priority="critical"
),
SecurityRequirement(
id="DES-003",
phase=SDLCPhase.DESIGN,
title="Design Autentificare",
description="Mecanismul de autentificare proiectat conform standardelor",
verification_method="design_review",
priority="critical"
),
SecurityRequirement(
id="DES-004",
phase=SDLCPhase.DESIGN,
title="Design Autorizare",
description="Modelul de autorizare proiectat cu privilegiu minim",
verification_method="design_review",
priority="critical"
),
SecurityRequirement(
id="DES-005",
phase=SDLCPhase.DESIGN,
title="Design Criptografie",
description="Controalele criptografice proiectate conform standardelor",
verification_method="expert_review",
priority="high"
)
],
SDLCPhase.IMPLEMENTATION: [
SecurityRequirement(
id="IMP-001",
phase=SDLCPhase.IMPLEMENTATION,
title="Scanare SAST Trecuta",
description="Analiza statica completata fara probleme critice",
verification_method="automated_scan",
priority="critical",
automated=True,
tool="semgrep"
),
SecurityRequirement(
id="IMP-002",
phase=SDLCPhase.IMPLEMENTATION,
title="Scanare Dependente Trecuta",
description="Nicio vulnerabilitate critica in dependente",
verification_method="automated_scan",
priority="critical",
automated=True,
tool="snyk"
),
SecurityRequirement(
id="IMP-003",
phase=SDLCPhase.IMPLEMENTATION,
title="Scanare Secrete Trecuta",
description="Niciun secret detectat in codebase",
verification_method="automated_scan",
priority="critical",
automated=True,
tool="gitleaks"
),
SecurityRequirement(
id="IMP-004",
phase=SDLCPhase.IMPLEMENTATION,
title="Revizuire Cod de Securitate",
description="Revizuirea codului focusata pe securitate completata",
verification_method="peer_review",
priority="high"
),
SecurityRequirement(
id="IMP-005",
phase=SDLCPhase.IMPLEMENTATION,
title="Standarde de Codare Securizata",
description="Codul respecta standardele de codare securizata",
verification_method="automated_scan",
priority="high",
automated=True,
tool="eslint-security"
)
],
SDLCPhase.VERIFICATION: [
SecurityRequirement(
id="VER-001",
phase=SDLCPhase.VERIFICATION,
title="Scanare DAST Trecuta",
description="Testarea dinamica completata fara probleme critice",
verification_method="automated_scan",
priority="critical",
automated=True,
tool="zap"
),
SecurityRequirement(
id="VER-002",
phase=SDLCPhase.VERIFICATION,
title="Testare de Penetrare",
description="Testarea de penetrare completata pentru functionalitati critice",
verification_method="expert_testing",
priority="critical"
),
SecurityRequirement(
id="VER-003",
phase=SDLCPhase.VERIFICATION,
title="Teste Unitare de Securitate",
description="Testele unitare de securitate trec",
verification_method="automated_test",
priority="high",
automated=True,
tool="pytest"
),
SecurityRequirement(
id="VER-004",
phase=SDLCPhase.VERIFICATION,
title="Testare Securitate API",
description="Testarea securitatii API completata",
verification_method="automated_scan",
priority="high",
automated=True,
tool="burp"
)
],
SDLCPhase.RELEASE: [
SecurityRequirement(
id="REL-001",
phase=SDLCPhase.RELEASE,
title="Aprobare Securitate",
description="Aprobarea echipei de securitate obtinuta",
verification_method="approval",
priority="critical"
),
SecurityRequirement(
id="REL-002",
phase=SDLCPhase.RELEASE,
title="Toate Problemele Critice Rezolvate",
description="Nicio problema critica de securitate deschisa",
verification_method="finding_review",
priority="critical"
),
SecurityRequirement(
id="REL-003",
phase=SDLCPhase.RELEASE,
title="Documentatie de Securitate",
description="Documentatia de securitate completa",
verification_method="document_review",
priority="high"
),
SecurityRequirement(
id="REL-004",
phase=SDLCPhase.RELEASE,
title="Plan de Raspuns la Incidente",
description="Planul de raspuns la incidente documentat",
verification_method="document_review",
priority="high"
)
]
}
def _register_validators(self):
"""Inregistreaza functiile de validare pentru verificari automate."""
self.validators = {
"semgrep": self._validate_sast,
"snyk": self._validate_dependencies,
"gitleaks": self._validate_secrets,
"zap": self._validate_dast,
"eslint-security": self._validate_linting,
"pytest": self._validate_tests
}
def evaluate_gate(self,
phase: SDLCPhase,
evaluator: str,
scan_results: Dict = None,
manual_checks: Dict = None) -> GateResult:
"""Evalueaza poarta de securitate pentru o faza."""
requirements = self.gates.get(phase, [])
findings = []
passed = 0
failed = 0
critical_failures = []
for req in requirements:
result = self._evaluate_requirement(req, scan_results, manual_checks)
findings.append({
"requirement_id": req.id,
"title": req.title,
"status": result["status"],
"details": result.get("details", ""),
"priority": req.priority
})
if result["status"] == "passed":
passed += 1
else:
failed += 1
if req.priority == "critical":
critical_failures.append(req.id)
# Determina statusul general al portii
status = GateStatus.PASSED if failed == 0 else GateStatus.FAILED
if failed > 0 and len(critical_failures) == 0:
# Doar esecuri non-critice - se poate eventual continua cu derogare
status = GateStatus.FAILED
gate_result = GateResult(
gate_id=f"{self.project_id}_{phase.value}_{datetime.utcnow().strftime('%Y%m%d%H%M%S')}",
phase=phase,
status=status,
requirements_checked=len(requirements),
requirements_passed=passed,
requirements_failed=failed,
critical_failures=critical_failures,
findings=findings,
evaluated_at=datetime.utcnow(),
evaluated_by=evaluator
)
self.results[gate_result.gate_id] = gate_result
return gate_result
def _evaluate_requirement(self,
req: SecurityRequirement,
scan_results: Dict,
manual_checks: Dict) -> Dict:
"""Evalueaza o singura cerinta."""
if req.automated and req.tool:
# Foloseste validarea automata
validator = self.validators.get(req.tool)
if validator and scan_results:
tool_results = scan_results.get(req.tool, {})
return validator(tool_results, req)
# Verificare manuala
if manual_checks and req.id in manual_checks:
check = manual_checks[req.id]
return {
"status": "passed" if check.get("passed") else "failed",
"details": check.get("notes", "")
}
return {"status": "pending", "details": "Neevaluat"}
def _validate_sast(self, results: Dict, req: SecurityRequirement) -> Dict:
"""Valideaza rezultatele scanarii SAST."""
critical_count = results.get("critical", 0)
high_count = results.get("high", 0)
if critical_count > 0:
return {
"status": "failed",
"details": f"Gasite {critical_count} probleme critice"
}
return {"status": "passed", "details": f"Nicio problema critica, {high_count} high"}
def _validate_dependencies(self, results: Dict, req: SecurityRequirement) -> Dict:
"""Valideaza rezultatele scanarii de dependente."""
critical_vulns = results.get("vulnerabilities", {}).get("critical", 0)
if critical_vulns > 0:
return {
"status": "failed",
"details": f"Gasite {critical_vulns} vulnerabilitati critice"
}
return {"status": "passed", "details": "Nicio vulnerabilitate critica"}
def _validate_secrets(self, results: Dict, req: SecurityRequirement) -> Dict:
"""Valideaza rezultatele scanarii de secrete."""
secrets_found = results.get("secrets_count", 0)
if secrets_found > 0:
return {
"status": "failed",
"details": f"Gasite {secrets_found} potentiale secrete"
}
return {"status": "passed", "details": "Niciun secret detectat"}
def _validate_dast(self, results: Dict, req: SecurityRequirement) -> Dict:
"""Valideaza rezultatele scanarii DAST."""
high_risks = results.get("high", 0)
critical_risks = results.get("critical", 0)
if critical_risks > 0 or high_risks > 0:
return {
"status": "failed",
"details": f"Critical: {critical_risks}, High: {high_risks}"
}
return {"status": "passed", "details": "Niciun risc high/critical"}
def _validate_linting(self, results: Dict, req: SecurityRequirement) -> Dict:
"""Valideaza rezultatele linting-ului de securitate."""
errors = results.get("errors", 0)
if errors > 0:
return {
"status": "failed",
"details": f"Gasite {errors} erori de securitate lint"
}
return {"status": "passed", "details": "Toate regulile de securitate lint trec"}
def _validate_tests(self, results: Dict, req: SecurityRequirement) -> Dict:
"""Valideaza rezultatele testelor de securitate."""
failed_tests = results.get("failed", 0)
passed_tests = results.get("passed", 0)
if failed_tests > 0:
return {
"status": "failed",
"details": f"{failed_tests} teste de securitate esuate"
}
return {"status": "passed", "details": f"Toate {passed_tests} testele de securitate trec"}
def request_waiver(self,
gate_id: str,
requirement_ids: List[str],
justification: str,
requestor: str,
risk_acceptance: str) -> Dict:
"""Solicita derogare pentru cerinte esuate."""
gate_result = self.results.get(gate_id)
if not gate_result:
return {"success": False, "error": "Poarta negasita"}
# Verifica daca cerintele pot fi derogate (non-critice)
non_waivable = [r for r in requirement_ids if r in gate_result.critical_failures]
if non_waivable:
return {
"success": False,
"error": f"Nu se pot deroga cerinte critice: {non_waivable}"
}
waiver = {
"waiver_id": f"waiver_{gate_id}_{datetime.utcnow().strftime('%Y%m%d%H%M%S')}",
"gate_id": gate_id,
"requirement_ids": requirement_ids,
"justification": justification,
"risk_acceptance": risk_acceptance,
"requested_by": requestor,
"requested_at": datetime.utcnow().isoformat(),
"status": "pending_approval",
"approvals": []
}
return {"success": True, "waiver": waiver}
def generate_compliance_report(self) -> Dict:
"""Genereaza raport de conformitate SSDLC."""
report = {
"project_id": self.project_id,
"generated_at": datetime.utcnow().isoformat(),
"phases": {},
"summary": {
"total_requirements": 0,
"passed": 0,
"failed": 0,
"waived": 0,
"pending": 0
}
}
for phase in SDLCPhase:
phase_results = [r for r in self.results.values() if r.phase == phase]
if phase_results:
latest = max(phase_results, key=lambda x: x.evaluated_at)
report["phases"][phase.value] = {
"status": latest.status.value,
"evaluated_at": latest.evaluated_at.isoformat(),
"findings": latest.findings
}
report["summary"]["total_requirements"] += latest.requirements_checked
report["summary"]["passed"] += latest.requirements_passed
report["summary"]["failed"] += latest.requirements_failed
return reportIngineria Cerintelor de Securitate
Codul pentru SecurityRequirementsManager, SecureCodeReviewChecklist si integrarea CI/CD ramane la fel ca in versiunea in engleza, deoarece contine configurari de cod si YAML care nu necesita traducere.
Bune Practici
Implementarea SSDLC
- Incepe devreme: Integreaza securitatea din faza de cerinte
- Automatizeaza portile: Foloseste CI/CD pentru verificari automate de securitate
- Defineste criterii clare: Stabileste criterii masurabile de acceptare/respingere
- Urmareste metrici: Monitorizeaza eficacitatea portilor de securitate in timp
Porti de Securitate
- Problemele critice trebuie sa blocheze intotdeauna progresul
- Implementeaza un proces de derogare pentru probleme non-critice
- Solicita justificare documentata si acceptare a riscului
- Revizuire periodica a deciziilor de derogare
Imbunatatire Continua
- Efectueaza post-mortem-uri pe incidentele de securitate
- Actualizeaza cerintele pe baza amenintarilor emergente
- Rafineaza tool-urile automate pe baza ratelor de fals pozitiv
- Instruieste dezvoltatorii in practici de codare securizata
Implementarea SSDLC asigura ca securitatea este construita in software de la inceput, nu adaugata ulterior.
Sistemul tau AI e conform cu EU AI Act? Evaluare gratuita de risc - afla in 2 minute →