* [Blog](https://www.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com/blog/corporate/)
* [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr)
* 安全「測試左移」的四大實用步驟...

# 安全「測試左移」的四大實用步驟

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2019%2F08%2F4-practical-steps-shift-left-security%2F%3Flang%3Dzh-hant)  
[](https://twitter.com/share?text=%E5%AE%89%E5%85%A8%E3%80%8C%E6%B8%AC%E8%A9%A6%E5%B7%A6%E7%A7%BB%E3%80%8D%E7%9A%84%E5%9B%9B%E5%A4%A7%E5%AF%A6%E7%94%A8%E6%AD%A5%E9%A9%9F&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2019%2F08%2F4-practical-steps-shift-left-security%2F%3Flang%3Dzh-hant)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2019%2F08%2F4-practical-steps-shift-left-security%2F%3Flang%3Dzh-hant&title=%E5%AE%89%E5%85%A8%E3%80%8C%E6%B8%AC%E8%A9%A6%E5%B7%A6%E7%A7%BB%E3%80%8D%E7%9A%84%E5%9B%9B%E5%A4%A7%E5%AF%A6%E7%94%A8%E6%AD%A5%E9%A9%9F&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=zh-hant&ts=markdown)  
[](mailto:?subject=安全「測試左移」的四大實用步驟)  
Link copied  
By [Matthew Chiodi](https://www.paloaltonetworks.com/blog/author/matthew-chiodi/?lang=zh-hant&ts=markdown "Posts by Matthew Chiodi")  
Aug 15, 2019  
1 minutes  
[未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown)

This post is also available in: [English (英語)](https://www.paloaltonetworks.com/blog/2019/07/4-practical-steps-shift-left-security/ "Switch to 英語(English)") [简体中文 (簡體中文)](https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=zh-hans "Switch to 簡體中文(简体中文)") [日本語 (日語)](https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ja "Switch to 日語(日本語)") [한국어 (韓語)](https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=ko "Switch to 韓語(한국어)") [Português (葡萄牙語（巴西）)](https://www.paloaltonetworks.com/blog/2019/08/4-practical-steps-shift-left-security/?lang=pt-br "Switch to 葡萄牙語（巴西）(Português)")

自從現代運算開始以來，安全性已經在很大程度上與軟體開發分離開。[最近的弱點研究](https://www.paloaltonetworks.com/resources/infographics/2019-state-of-the-industry-publicly-exposed-vulnerabilities?ts=markdown)已證實這一點。考慮過去五年中所有已發佈的弱點，有 76% 來自於應用程式。有鑑於攻擊者相當關注這種根本上的轉變，因此亟需將安全嵌入到開發過程中。完成此任務的最佳方法是採取測試左移安全策略。

**界定測試左移安全**

用最簡單的術語來說，安全「測試左移」是將安全轉移到開發過程中盡可能早的時間點。現代[持續整合/持續部署](https://dzone.com/articles/what-is-cicd)通常涉及八個步驟，如下面的圖 1 所示。考慮到測試左移安全不僅可以減少網路風險，而且可以降低成本。[IBM](https://www.researchgate.net/figure/IBM-System-Science-Institute-Relative-Cost-of-Fixing-Defects_fig1_255965523) 系統科學研究所發現，在設計階段解決安全問題的成本比實施階段便宜 6 倍。這項研究還發現，在測試過程中解決安全問題的成本可能會高出 15 倍。

若要在每個步驟中嵌入安全性，需要先從明確定義的策略開始。

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Shift-Left.png)

圖 1：持續整合/持續部署

**步驟** **1** **：定義測試左移安全策略**

任何旅程的第一步都是確定打算前往的目的地。這會為您的團隊繪製最生動的畫面，呈現最終成功的樣貌。本文件中包含的關鍵項目包括願景、所有權/責任、里程碑和指標。預期策略文件隨著時間的推移而臻於成熟，而且不需要花費過多的時間來改善。隨著時間的推移而重複進行的過程相當重要。

**步驟** **2** **：瞭解在組織中建立軟體的位置和方式**

測試左移安全最具挑戰性的一面可能是首先要瞭解組織中建立軟體的方式和位置。根據公司的規模，這可能涉及從簡單到極具挑戰性的不同範圍。

此步驟的目標是先查看整個組織，並記錄公司的整體軟體流程。中大型組織會想要從宏觀層面開始，然後深入到各個業務部門。每個業務部門很可能都有各自的軟體開發流程和工具。在此階段確定的關鍵項目包括誰撰寫程式碼 (人員)、如何從開發筆記型電腦流向生產 (流程)，以及使用哪些系統來啟用流程 (技術)。這也可以稱為持續整合/持續部署工具鏈。毫無疑問，大部份軟體開發都是在公有雲中完成。

**步驟** **3** **：確定並實作安全品質防護措施**

品質保證一直是軟體開發生命週期的一部份。不過，軟體品質不曾涵蓋安全性。必須改變這種情況，前面步驟中完成的工作將協助您實現這一點。軟體開發流程的每個步驟都是提供回應和找出安全問題的機會。最有效的安全團隊都是從小規模開始著手。小規模能夠為開發團隊提供簡單有效的工具，這些工具將在日常開發活動中發揮作用。Palo Alto Networks 最近對[一套這樣的工具](https://scanapidoc.redlock.io/)開放了原始碼，可供免費使用。

**步驟** **4** **：評估並持續訓練開發團隊撰寫安全的程式碼**

測試左移安全過程的一部份是確保完成大部分程式碼的人員首先建立安全的程式碼。如果您並未客觀衡量這些人員目前擁有的技能，而且沒有計劃隨著時間的推移持續提升他們的技能，就很難達成建立安全程式碼的目標。在一項調查中，有 19% 的開發人員表示他們不熟悉 [OWASP 十大安全風險](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf)，這是一個不容忽視的問題。DevOps 服務供應商 [GitLab](https://about.gitlab.com/developer-survey/2019/) 最近發佈的一項調查更進一步證實了這一點，該調查發現 70% 的程式設計人員期望編寫安全程式碼，不過只有 25% 的人認為本身的組織採取「良好」的安全實務。

**測試左移安全的運行方式**

讓我們看看以下兩種情境，其中的開發簡化為建構、部署和執行階段。在情境 1 中，開始進行開發而不考慮安全性。僅在執行階段檢查軟體品質。這通常會導致在發現弱點後安全性與開發之間不容易溝通。

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Scenario-1-Shift-Left.png)

不過，在情境 2 中，安全團隊已經花時間瞭解了組織內部的開發流程。他們還花時間在持續整合/持續部署管道中嵌入了安全流程和工具，因而產生自動的安全品質防護措施。

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/07/Scenario-2-Shift-Left.png)

**結論**

運用上述四大步驟有助於組織邁向堅實的道路，不僅可以將安全測試左移，而且可以將安全性與開發劃上等號。隨著組織將安全測試左移作為雲端遷移之旅的一部分，自動化和 API 驅動的安全控制變得極為重要。Palo Alto Networks [Prisma](https://www.paloaltonetworks.com/prisma/cloud/cloud-workload-protection-platform?ts=markdown) 會保護 DevOps 和您的持續整合/持續部署管道，以確保安全團隊能夠做到這一點。

*** ** * ** ***

## Related Blogs

### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown)

[#### Strata Copilot - 加速邁向自發性網路安全性的未來](https://www.paloaltonetworks.com/blog/network-security/introducing-strata-copilot/?lang=zh-hant)

### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown)

[#### 醫療企業是勒索軟體攻擊者的首要目標](https://www.paloaltonetworks.com/blog/2021/10/healthcare-organizations-are-the-top-target/?lang=zh-hant)

### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown)

[#### 適用於 5G 的零信任：實現安全的數位轉型](https://www.paloaltonetworks.com/blog/2021/10/zero-trust-for-5g-digital-transformation/?lang=zh-hant)

### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown)

[#### 網路攻擊鎖定金融服務企業的 3 個原因以及防禦方式](https://www.paloaltonetworks.com/blog/2021/10/financial-services-cyberattacks/?lang=zh-hant)

### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown)

[#### 連續 7 年提供出色的客戶服務](https://www.paloaltonetworks.com/blog/2021/10/delivering-outstanding-customer-service/?lang=zh-hant)

### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown)

[#### Palo Alto Networks 研究：61% 的企業難以確保在家工作的遙距網絡安全](https://www.paloaltonetworks.com/blog/2021/09/state-of-hybrid-workforce-security-2021/?lang=zh-hant)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language