CN-121980561-A - Software development environment safety protection method and system based on data encryption
Abstract
The invention relates to the technical field of development environment protection, and in particular to a software development environment safety protection method and system based on data encryption. The system comprises a data monitoring module, a policy execution module, a strategy center module, a security channel scheduling module, an encryption and decryption engine module, a key strategy synchronization module, a data stream authentication protection module and a compliance privacy design module. Through the cooperative linkage of these modules, an adaptive, endogenous, closed-loop active immune system can be constructed, and traditional passive, static data encryption is converted into an active, dynamic, full-link data security base that is deeply integrated with the software development flow.
Inventors
- Hao Zongqian
Assignees
- 青岛远鼎达科技有限公司
Dates
- Publication Date: 20260505
- Application Date: 20260123
Claims (10)
- 1. A software development environment safety protection system based on data encryption, characterized by comprising a data monitoring module, a policy execution module, a strategy center module, a security channel scheduling module, an encryption and decryption engine module, a key strategy synchronization module, a data stream authentication protection module and a compliance privacy design module; wherein the data monitoring module, the key strategy synchronization module and the compliance privacy design module are all connected with the strategy center module; the strategy center module is connected with the policy execution module; the security channel scheduling module is connected with the strategy center module; the encryption and decryption engine module is connected with the security channel scheduling module; the data stream authentication protection module is connected with both the strategy center module and the encryption and decryption engine module; the key strategy synchronization module is connected with the security channel scheduling module; and the compliance privacy design module is connected with the data monitoring module.
The data monitoring module is used for full-link real-time monitoring of operation behaviors, data flows and asset states in the software development environment; the policy execution module is used for executing, in the development environment, the access control and operation interception policies issued by the strategy center module; the strategy center module is used for analyzing the monitoring data, evaluating risk, and generating and issuing an encrypted control instruction; the security channel scheduling module is used for planning a secure transmission path for sensitive data, scheduling encryption resources and guaranteeing transmission auditability; the encryption and decryption engine module is used for executing encryption and decryption operations on the sensitive data; the key strategy synchronization module adopts a high-availability architecture and is used for synchronizing keys and strategies to ensure global consistency; the data stream authentication protection module is used for generating an authentication token for the control instruction and implementing secondary authentication to defend against replay attacks; and the compliance privacy design module is used for embedding compliance requirements into the development flow, automatically identifying risks and driving policy generation.
- 2. The data encryption-based software development environment security protection system of claim 1, wherein the data monitoring module comprises a behavior acquisition sub-module, an asset sensing sub-module and a context modeling sub-module; the behavior acquisition sub-module is connected with the asset sensing sub-module, the asset sensing sub-module is connected with the context modeling sub-module, and the context modeling sub-module is connected with the strategy center module; the behavior acquisition sub-module is used for acquiring operation and log data of the development environment; the asset sensing sub-module is used for automatically discovering and marking sensitive assets in the code; and the context modeling sub-module is used for constructing a security context and attaching it to the monitoring data for reporting.
- 3. The data encryption-based software development environment security protection system of claim 2, wherein the policy execution module comprises an access control sub-module, an operation interception sub-module and a policy cache synchronization sub-module; the access control sub-module is connected with the operation interception sub-module; the access control sub-module is used for making dynamic permission decisions based on the security context; the operation interception sub-module is used for blocking illegal operations and raising alarms in real time according to the control instruction; and the policy cache synchronization sub-module is used for caching policies locally and providing degradation support to ensure policy consistency.
- 4. The data encryption-based software development environment security protection system of claim 3, wherein the strategy center module comprises a dynamic risk analysis sub-module, an intelligent strategy arrangement sub-module and an instruction signature issuing sub-module; the dynamic risk analysis sub-module is connected with the data monitoring module and the intelligent strategy arrangement sub-module; the dynamic risk analysis sub-module is used for identifying specific security risk scenarios; the intelligent strategy arrangement sub-module is used for mapping risks into a sequence of treatment actions and generating a policy identifier; and the instruction signature issuing sub-module is used for digitally signing the control instruction to ensure its integrity and non-repudiation.
- 5. The data encryption-based software development environment security protection system of claim 4, wherein the security channel scheduling module comprises a key scheduling sub-module, an adaptive secure routing sub-module and a channel audit sub-module; the key scheduling sub-module is connected with the strategy center module and the encryption and decryption engine module, the adaptive secure routing sub-module is connected with the strategy center module, and the channel audit sub-module is connected with the adaptive secure routing sub-module; the key scheduling sub-module is used for scheduling and managing encryption keys on demand; the adaptive secure routing sub-module is used for dynamically planning the transmission path of sensitive data; and the channel audit sub-module is used for establishing an audit log and forming a data flow evidence chain.
- 6. The data encryption-based software development environment security protection system of claim 5, wherein the encryption and decryption engine module comprises a multi-algorithm engine sub-module, a secure key injection sub-module and a trusted execution environment sub-module; the multi-algorithm engine sub-module is connected with the secure key injection sub-module; the multi-algorithm engine sub-module is used for supporting multiple encryption algorithms and executing them automatically according to instructions; the secure key injection sub-module is used for securely receiving, storing and resetting key material; and the trusted execution environment sub-module provides a hardware-isolated execution environment for operations at a high security level.
- 7. The data encryption-based software development environment security protection system of claim 5, wherein the adaptive secure routing sub-module comprises a path decision unit and a tunnel management unit; the path decision unit is connected with the tunnel management unit; the path decision unit is used for calculating an optimal secure path for each sensitive data transmission request and sending the path information to the tunnel management unit; and the tunnel management unit is used for dynamically establishing and maintaining an end-to-end encrypted tunnel according to the decision received from the path decision unit.
- 8. The data encryption-based software development environment security protection system of claim 6, wherein the trusted execution environment sub-module comprises a remote attestation unit and a sealed storage unit; the remote attestation unit is connected with the sealed storage unit; the remote attestation unit is used for proving the integrity and trustworthiness of the current execution environment to the strategy center module before an encryption or decryption operation is executed, and for generating an unlocking instruction after the attestation passes; and the sealed storage unit is used for storing, in encrypted form inside the trusted execution environment, the keys of the highest security level that are in use, and for granting key access only after receiving the unlocking instruction from the remote attestation unit.
- 9. The data encryption-based software development environment security protection system of claim 1, wherein the key strategy synchronization module is further connected with an internal key storage cluster; the internal key storage cluster adopts a high-availability architecture based on multi-copy synchronization and automatic failover, and is used for locally and durably storing the active keys synchronized from an external key management system and for providing a low-latency key service to the encryption and decryption engine module.
- 10. A software development environment safety protection method based on data encryption, which adopts the software development environment safety protection system based on data encryption as claimed in claim 1, characterized by comprising the following steps: the data monitoring module monitors the development environment over the full link in real time and reports the collected security events and asset state data to the strategy center module; meanwhile, the compliance privacy design module converts the embedded compliance requirements into policy rules and inputs them into the strategy center module; the strategy center module analyzes the data and evaluates the risk to generate an encrypted control instruction; to defend against replay attacks, the data stream authentication protection module generates an authentication token for the control instruction, and the key strategy synchronization module ensures that the keys and strategies required to execute the instruction are globally consistent across the system; the control instruction is then issued; the policy execution module receives the instruction and executes access control and interception in the environment; the security channel scheduling module receives the instruction, plans a secure path for the sensitive data, schedules encryption resources and ensures transmission auditability; the sensitive data to be transmitted is sent to the encryption and decryption engine module, which executes the encryption and decryption operations after verifying the instruction and the token; the transmission auditability ensured by the security channel scheduling module forms a security closed loop, and the compliance privacy design module continuously scans and converts strategies to drive the strategy center module to make a new round of decisions, so that the system realizes dynamic and endogenous security protection.
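Claims 1, 4 and 10 have the control instruction signed, an authentication token attached to it against replay, and the encryption and decryption engine module verify both before acting. The sketch below is an added illustration, not taken from the patent, which does not specify how the token is built: the HMAC-SHA256 tag over a shared key (standing in for the digital signature), the random nonce, the 30-second freshness window and all function and field names are assumptions.

```python
import hashlib
import hmac
import json
import os
import time

TOKEN_TTL = 30  # seconds a token stays valid (assumed value)

def _mac(key, nonce, issued, instruction):
    # Canonical JSON so issuer and verifier authenticate identical bytes.
    body = json.dumps(instruction, sort_keys=True, separators=(",", ":"))
    msg = f"{nonce}|{issued}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_token(key, instruction, now=None):
    """Issuer side: bind a fresh nonce and issue time to one instruction."""
    nonce = os.urandom(16).hex()
    issued = int(time.time() if now is None else now)
    return {"nonce": nonce, "issued": issued,
            "mac": _mac(key, nonce, issued, instruction)}

class EngineVerifier:
    """Engine side: check instruction and token before any crypto operation."""
    def __init__(self, key):
        self._key = key
        self._seen = {}  # nonce -> last second at which its token is still fresh

    def check(self, instruction, token, now=None):
        now = int(time.time() if now is None else now)
        # Forget nonces whose tokens can no longer pass the freshness check.
        self._seen = {n: exp for n, exp in self._seen.items() if exp >= now}
        try:
            nonce, issued, mac = str(token["nonce"]), int(token["issued"]), str(token["mac"])
        except (KeyError, TypeError, ValueError):
            return "reject: malformed"
        expected = _mac(self._key, nonce, issued, instruction)
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return "reject: bad mac"   # instruction or token was altered
        if not 0 <= now - issued <= TOKEN_TTL:
            return "reject: stale"     # outside the freshness window
        if nonce in self._seen:
            return "reject: replay"    # same token presented a second time
        self._seen[nonce] = issued + TOKEN_TTL
        return "accept"

# Constructed sample instruction; the field names are hypothetical.
SAMPLE = {"action": "encrypt", "asset": "repo/config.yaml", "policy_id": "P-001"}
```

The nonce cache only has to remember a token for as long as the freshness check would still accept it, which keeps the replay state bounded.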
Description
Software development environment safety protection method and system based on data encryption
Technical Field
The invention relates to the technical field of development environment protection, and in particular to a software development environment safety protection method and system based on data encryption.
Background
In the field of software development, digital assets such as core source code, algorithm models and configuration keys are valuable intellectual property and business secrets of an enterprise. To prevent these assets from leaking during development, collaboration, build and deployment, traditional security practice relies mainly on protection systems based on data encryption. Such a system generally introduces encryption into the development flow as a static, isolated tool: statically encrypting the code repository at the storage stage, enabling an SSL/TLS channel at the network transmission stage, or encrypting configuration files at the deployment stage. These measures amount to applying a basic protective coating to a data container.
Traditional encryption measures are independent of the development toolchain and are an after-the-fact, 'bolted-on' static strategy. They cannot sense the dynamic context of the development environment, which leaves the security policy seriously disconnected from actual development activity and data flows, much like a coating that lacks an effective bonding layer with its substrate. When faced with complex scenarios such as insider privilege overreach, supply chain attacks or compliance audits, static protection is easily bypassed or rendered ineffective, and a real 'immunity' capability cannot be formed.
Disclosure of Invention
The invention aims to provide a software development environment safety protection method and system based on data encryption which, through the cooperative linkage of its modules, can construct an adaptive, endogenous, closed-loop active immune system and convert traditional passive, static data encryption into an active, dynamic, full-link data security base that is deeply integrated with the software development flow.
To achieve the above purpose, the invention provides a software development environment safety protection system based on data encryption, which comprises a data monitoring module, a policy execution module, a strategy center module, a security channel scheduling module, an encryption and decryption engine module, a key strategy synchronization module, a data stream authentication protection module and a compliance privacy design module. The data monitoring module, the key strategy synchronization module and the compliance privacy design module are all connected with the strategy center module; the strategy center module is connected with the policy execution module; the security channel scheduling module is connected with the strategy center module; the encryption and decryption engine module is connected with the security channel scheduling module; the data stream authentication protection module is connected with both the strategy center module and the encryption and decryption engine module; the key strategy synchronization module is connected with the security channel scheduling module; and the compliance privacy design module is connected with the data monitoring module.
The data monitoring module is used for full-link real-time monitoring of operation behaviors, data flows and asset states in the software development environment; the policy execution module is used for executing, in the development environment, the access control and operation interception policies issued by the strategy center module; the strategy center module is used for analyzing the monitoring data, evaluating risk, and generating and issuing an encrypted control instruction; the security channel scheduling module is used for planning a secure transmission path for sensitive data, scheduling encryption resources and guaranteeing transmission auditability; the encryption and decryption engine module is used for executing encryption and decryption operations on the sensitive data; the key strategy synchronization module adopts a high-availability architecture and is used for synchronizing keys and strategies to ensure global consistency; the data stream authentication protection module is used for generating an authentication token for the control instruction and implementing secondary authentication to defend against replay attacks; The compliance pr