Burp Suite Pro Shift Left Security

| Phase | Security Activity | Tool | Cost to Fix | Who |
|---|---|---|---|---|
| Design | Threat Modeling | STRIDE, OWASP Threat Dragon | $1x | Architect + Security |
| Code | SAST, Linter, IDE Plugin | SonarQube, Snyk, Semgrep | $5x | Developer |
| PR Review | Security Code Review | Burp Suite + Manual Review | $10x | Developer + Security |
| Build | DAST in CI Pipeline | Burp Suite Pro REST API | $15x | CI/CD Automation |
| Staging | Full DAST Scan | Burp Suite Enterprise | $30x | Security Team |
| Production | Penetration Test | Burp Suite Pro (manual) | $100x | Security Team / External |
CI/CD Pipeline Integration
```yaml
# === Burp Suite in CI/CD ===
# GitHub Actions with the Burp Suite Pro REST API.
# Assumption: the Burp REST API is reachable from this job at http://burp:1337
# (for example a second service container, or a self-hosted runner with Burp running).
name: Security Scan
on: [push]
jobs:
  dast:
    runs-on: ubuntu-latest
    services:
      app:
        image: myapp:IMAGE_TAG_PLACEHOLDER   # the original tag expression was lost in extraction
        ports: ['8080:8080']
    steps:
      - name: Wait for app
        run: |
          # Service containers are reachable on localhost from the job's own steps
          for i in $(seq 1 30); do
            curl -s http://localhost:8080/health && break
            sleep 2
          done
      - name: Start Burp Scan
        run: |
          # The REST API returns the new task id in the Location header (the body is empty),
          # so read it from the headers. Burp reaches the app container by its service name.
          SCAN_ID=$(curl -s -i -X POST http://burp:1337/v0.1/scan \
            -H "Content-Type: application/json" \
            -d '{"urls":["http://app:8080"],"scan_configurations":[{"type":"NamedConfiguration","name":"Audit checks - light active"}]}' \
            | awk -F': ' 'tolower($1)=="location"{print $2}' | tr -d '\r' | sed 's#.*/##')
          [ -n "$SCAN_ID" ] || { echo "Failed to start Burp scan"; exit 1; }
          echo "SCAN_ID=$SCAN_ID" >> "$GITHUB_ENV"
      - name: Wait for Scan
        run: |
          # Poll until the scan finishes; a failed scan fails the build instead of passing silently
          while true; do
            STATUS=$(curl -s "http://burp:1337/v0.1/scan/$SCAN_ID" | jq -r '.scan_status')
            [ "$STATUS" = "succeeded" ] && break
            [ "$STATUS" = "failed" ] && exit 1
            sleep 30
          done
      - name: Check Issues
        run: |
          # Findings are delivered as issue_events on the scan task itself
          CRITICAL=$(curl -s "http://burp:1337/v0.1/scan/$SCAN_ID" \
            | jq '[.issue_events[].issue | select(.severity=="high" or .severity=="critical")] | length')
          if [ "$CRITICAL" -gt 0 ]; then
            echo "Found $CRITICAL critical/high issues!"
            exit 1
          fi
```
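The "Check Issues" step above only counts by severity; a build gate usually also needs to ignore tentative findings and fail closed on an unfinished scan. The following is an added example (not code from the original page or from PortSwigger) that does both; it assumes the GET /v0.1/scan/<task_id> response shape of `scan_status` plus `issue_events[].issue.{severity,confidence}`, and the sample scan result is constructed, not a real scan.

```python
"""Build gate for a Burp Suite Pro REST API scan result (added example).
Assumed response shape: {"scan_status": ..., "issue_events": [{"issue": {"severity": ..., "confidence": ...}}]}."""
import json
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
CONFIDENCE_RANK = {"tentative": 0, "firm": 1, "certain": 2}


def count_issues(scan, min_confidence="firm"):
    """Count issues per severity, dropping findings below min_confidence
    so tentative noise does not block every pipeline run."""
    counts = Counter()
    for event in scan.get("issue_events", []):
        issue = event.get("issue", {})
        sev = issue.get("severity", "info").lower()
        conf = issue.get("confidence", "tentative").lower()
        if CONFIDENCE_RANK.get(conf, 0) >= CONFIDENCE_RANK[min_confidence]:
            counts[sev] += 1
    return counts


def gate(scan, fail_on="high", min_confidence="firm"):
    """Return (passed, counts). A scan that did not finish fails closed:
    an incomplete scan must never be reported as a clean one."""
    if scan.get("scan_status") != "succeeded":
        return False, Counter()
    counts = count_issues(scan, min_confidence)
    blocking = sum(n for sev, n in counts.items()
                   if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[fail_on])
    return blocking == 0, counts


# Constructed sample: one firm high, one certain high, one tentative high, one certain low.
SAMPLE_SCAN = json.loads("""{
  "task_id": "1", "scan_status": "succeeded",
  "issue_events": [
    {"type": "issue_found", "issue": {"name": "SQL injection", "severity": "high", "confidence": "firm"}},
    {"type": "issue_found", "issue": {"name": "Reflected XSS", "severity": "high", "confidence": "certain"}},
    {"type": "issue_found", "issue": {"name": "Possible open redirect", "severity": "high", "confidence": "tentative"}},
    {"type": "issue_found", "issue": {"name": "Cookie without Secure flag", "severity": "low", "confidence": "certain"}}
  ]
}""")

if __name__ == "__main__":
    ok, counts = gate(SAMPLE_SCAN)
    print("PASS" if ok else "FAIL", dict(counts))
```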
```python
from dataclasses import dataclass


@dataclass
class PipelineStage:
    stage: str
    tool: str
    check: str
    fail_on: str
    time: str


stages = [
    PipelineStage("Pre-commit", "Semgrep + git hooks",
                  "SAST patterns (SQLi, XSS, hardcoded secrets)",
                  "Any security finding", "~5 seconds"),
    PipelineStage("PR Check", "SonarQube + Snyk",
                  "Code quality + dependency vulnerabilities",
                  "Critical/High CVE, Security Hotspot", "~2 minutes"),
    PipelineStage("Build", "Burp Suite DAST (light)",
                  "Quick active scan of new endpoints",
                  "Critical findings only", "~10 minutes"),
    PipelineStage("Staging Deploy", "Burp Suite DAST (full)",
                  "Full active + passive scan",
                  "Critical + High", "~30-60 minutes"),
    PipelineStage("Pre-prod", "Burp Enterprise scheduled",
                  "Comprehensive scan with all checks",
                  "Any new Critical/High", "~2-4 hours"),
]

print("=== Security Pipeline ===")
for s in stages:
    print(f"  [{s.stage}] Tool: {s.tool}")
    print(f"    Check: {s.check}")
    print(f"    Fail on: {s.fail_on} | Time: {s.time}")
```
Developer Workflow

```python
# === Developer Security Workflow ===
from dataclasses import dataclass


@dataclass
class DevWorkflow:
    step: str
    action: str
    tool: str
    time: str
    frequency: str


workflow = [
    DevWorkflow("Write Code", "Use IDE security plugin for real-time feedback",
                "Snyk IDE / SonarLint / Semgrep",
                "Real-time", "Every code change"),
    DevWorkflow("Local Test", "Run Burp Proxy, test new feature manually",
                "Burp Suite Community (free)",
                "5-10 min", "New features with user input"),
    DevWorkflow("Pre-commit", "Run security linter via git hooks",
                "pre-commit + Semgrep rules",
                "~5 sec", "Every commit"),
    DevWorkflow("PR Description", "Add security considerations section",
                "PR Template with security checklist",
                "2 min", "Every PR"),
    DevWorkflow("Code Review", "Review partner checks security items",
                "Security checklist + Burp findings",
                "10-15 min", "Every PR"),
    DevWorkflow("Monthly Training", "Complete 1 PortSwigger Academy lab",
                "PortSwigger Web Security Academy",
                "30-60 min", "Monthly"),
]

print("=== Developer Workflow ===")
for w in workflow:
    print(f"  [{w.step}] {w.action}")
    print(f"    Tool: {w.tool}")
    print(f"    Time: {w.time} | Frequency: {w.frequency}")

# Security Champions
champions = {
    "Selection": "1 Champion per 5-8 developers, volunteer preferred",
    "Training": "Extra 4-8 hours/month security training",
    "Responsibilities": "Review PRs for security, run Burp scans, triage findings",
    "Tools Access": "Burp Suite Pro license, Security scanning tools",
    "Recognition": "Bonus, title, conference budget, career growth",
    "Meeting": "Monthly Champions meeting to share findings and trends",
}

print("\n\nSecurity Champions Program:")
for k, v in champions.items():
    print(f"  [{k}]: {v}")
```
Metrics and ROI
```python
# === Security Metrics ===
from dataclasses import dataclass


@dataclass
class SecurityMetric:
    metric: str
    before_shift_left: str
    after_shift_left: str
    improvement: str


metrics = [
    SecurityMetric("Vulns found in production",
                   "40% of total findings", "5% of total findings",
                   "87% reduction"),
    SecurityMetric("Mean Time to Fix (Critical)",
                   "30 days", "3 days",
                   "90% faster"),
    SecurityMetric("Cost per vulnerability fix",
                   "$10,000-$25,000", "$500-$2,000",
                   "80-90% cheaper"),
    SecurityMetric("Developer security awareness",
                   "20% can identify OWASP Top 10", "80% can identify OWASP Top 10",
                   "4x improvement"),
    SecurityMetric("Security debt",
                   "Growing 20% per quarter", "Decreasing 10% per quarter",
                   "Trend reversed"),
    SecurityMetric("Deployment frequency",
                   "Blocked by security 30% of deploys", "Blocked 5% of deploys",
                   "83% fewer blocks"),
]

print("=== Shift Left ROI ===")
for m in metrics:
    print(f"  [{m.metric}]")
    print(f"    Before: {m.before_shift_left}")
    print(f"    After: {m.after_shift_left}")
    print(f"    Improvement: {m.improvement}")
```
Tips
- Automate: put a security scan in every CI/CD pipeline so it runs automatically
- Champions: have a Security Champion in every team to raise the team's security knowledge
- Academy: have developers work through PortSwigger Academy (free) every month
- Checklist: put a security checklist in the PR template
- Culture: build a security culture, not just a toolset; the mindset has to change
What is Shift Left Security
Test security from the start of development: Design (Threat Modeling), Code (SAST), PR, DAST in the CI pipeline, Staging, Penetration Test. Found earlier, cheaper to fix.