Section 1
Security Requirements & Threat Modeling
Build security in from the design phase
- Define security requirements alongside functional requirements
- Conduct threat modeling for new features (STRIDE, PASTA)
- Identify sensitive data flows and protection requirements
- Document attack surfaces and trust boundaries
- Review architectural decisions for security implications
- Create security user stories and acceptance criteria
- Establish security gates for each development phase
Section 2
Static Application Security Testing (SAST)
Find vulnerabilities in source code before deployment
- Integrate SAST tools in IDE for real-time feedback
- Run SAST scans on every pull request in CI/CD
- Configure custom rules for organization-specific patterns
- Prioritize findings by severity and exploitability
- Track remediation SLAs (Critical: 24h, High: 7d)
- Use incremental scanning for faster feedback loops
- Tune rules to reduce false positives over time
Section 3
Software Composition Analysis (SCA)
Manage open source risks and vulnerabilities
- Generate SBOM for all applications and dependencies
- Scan dependencies for known CVEs continuously
- Block critical vulnerabilities from reaching production
- Monitor for newly disclosed vulnerabilities (zero-day)
- Enforce license compliance policies (GPL, AGPL)
- Track transitive dependencies and their risks
- Automate dependency updates with security patches
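The SBOM-driven steps in this section (generate an SBOM, match it against a vulnerability feed, block critical findings, and keep track of transitive dependencies) come together in the following added example. It is not code from the original checklist or from any SCA product: the SBOM is a constructed, minimal CycloneDX-style document for a hypothetical "web-app", the vulnerability feed is constructed with placeholder identifiers (VULN-EXAMPLE-000x, not real CVEs), and the half-open affected range `[introduced, fixed)` is an assumption about the feed format.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for a hypothetical application.
# Real SBOMs carry purls, hashes and licences; only what the matcher needs is kept here.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "web-app", "version": "1.0.0", "bom-ref": "app"}},
    "components": [
        {"name": "http-client", "version": "2.1.0", "bom-ref": "http-client@2.1.0"},
        {"name": "json-parser", "version": "1.3.5", "bom-ref": "json-parser@1.3.5"},
        {"name": "compression-lib", "version": "0.9.1", "bom-ref": "compression-lib@0.9.1"},
    ],
    # The dependency graph is what lets us explain *why* a transitive package is present.
    "dependencies": [
        {"ref": "app", "dependsOn": ["http-client@2.1.0", "json-parser@1.3.5"]},
        {"ref": "http-client@2.1.0", "dependsOn": ["compression-lib@0.9.1"]},
        {"ref": "json-parser@1.3.5", "dependsOn": []},
        {"ref": "compression-lib@0.9.1", "dependsOn": []},
    ],
})

# Constructed vulnerability feed with placeholder identifiers (not real CVEs).
VULN_FEED = [
    {"id": "VULN-EXAMPLE-0001", "package": "compression-lib", "severity": "critical",
     "introduced": "0.5.0", "fixed": "1.0.0"},
    {"id": "VULN-EXAMPLE-0002", "package": "json-parser", "severity": "medium",
     "introduced": "1.0.0", "fixed": "1.3.5"},   # fixed == installed, so NOT affected
    {"id": "VULN-EXAMPLE-0003", "package": "json-parser", "severity": "high",
     "introduced": "1.2.0", "fixed": "1.4.0"},
]


def parse_version(v):
    """Dotted numeric versions only; real tooling needs full semver/PEP 440 handling."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    # Half-open range [introduced, fixed): the "fixed" release itself is clean.
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def dependency_paths(sbom):
    """Map each bom-ref to the chain of component names from the root down to it (BFS)."""
    root = sbom["metadata"]["component"]
    names = {root["bom-ref"]: root["name"]}
    names.update({c["bom-ref"]: c["name"] for c in sbom["components"]})
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {root["bom-ref"]: [root["name"]]}
    queue = [root["bom-ref"]]
    while queue:
        ref = queue.pop(0)
        for child in edges.get(ref, []):
            if child not in paths:           # first (shortest) path wins
                paths[child] = paths[ref] + [names[child]]
                queue.append(child)
    return paths


def evaluate_sbom(sbom_json, feed, block_on=("critical",)):
    """Return (findings, blocked). blocked=True means the release gate should fail."""
    sbom = json.loads(sbom_json)
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom["components"]:
        for vuln in feed:
            if vuln["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
                path = paths.get(comp["bom-ref"], [comp["name"]])
                findings.append({
                    "id": vuln["id"],
                    "severity": vuln["severity"],
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "path": path,
                    "transitive": len(path) > 2,   # root -> direct dep is length 2
                })
    blocked = any(f["severity"] in block_on for f in findings)
    return findings, blocked


if __name__ == "__main__":
    findings, blocked = evaluate_sbom(SBOM_JSON, VULN_FEED)
    for f in findings:
        print(f'{f["severity"]:8} {f["id"]}  {f["component"]}  via {" -> ".join(f["path"])}')
    print("release blocked" if blocked else "release allowed")
```

Run it and the critical finding in `compression-lib` is reported with its full path (`web-app -> http-client -> compression-lib`), which is the information a developer needs to decide whether to bump `http-client` or pin the transitive package; the medium finding is correctly excluded because the installed version is the fixed one. Re-running the same matcher against a refreshed feed on a schedule is what "scan continuously" means in practice.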
Section 4
Secrets & Sensitive Data Detection
Prevent credential leaks in code and configs
- Scan commits for secrets before push (pre-commit hooks)
- Block PRs containing hardcoded credentials
- Scan entire repository history for leaked secrets
- Integrate with secret managers for secure storage
- Rotate exposed secrets immediately upon detection
- Monitor public repositories for leaked credentials
- Implement entropy-based detection for unknown patterns
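The pre-commit scan and the entropy-based detection listed above are shown together in this added example (not code from the original checklist or from any secret-scanning product). It combines a small set of known-format patterns with a Shannon-entropy pass over long tokens, so that credentials with no recognisable prefix are still caught. The patterns, the 4.0 bits-per-character threshold and the sample diff are all constructed for this example; the key-looking strings in the sample are made up and the scanner prints only a redacted preview, never the token itself.

```python
import math
import re
import sys
from collections import Counter

# Known-format detectors: a small, constructed set for this example. Real scanners
# ship hundreds of these; organisation-specific ones are added the same way.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword = "value": the value is captured in group 1
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Candidate tokens for the entropy pass: long runs of base64/hex/identifier characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
# Bits per character. Assumed value for this sample; tune it per repository, because
# long snake_case identifiers sit around 3.5 and random keys around 5.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(token: str) -> str:
    """Show enough to locate the finding without echoing the possible secret."""
    return f"{token[:4]}...({len(token)} chars)"


def scan_text(text: str):
    """Return findings as dicts with line number, detector kind and a redacted preview."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()   # tokens already reported on this line (avoid double counting)
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                seen.add(token)
                findings.append({"line": line_no, "kind": kind, "preview": redact(token)})
        for token in TOKEN_RE.findall(line):
            if token in seen:
                continue
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                seen.add(token)
                findings.append({"line": line_no, "kind": "high_entropy", "preview": redact(token)})
    return findings


# Constructed sample of staged content: one clean line, one long but low-entropy
# identifier, one known-prefix key, one keyword assignment, one unlabelled random token.
SAMPLE_DIFF = """\
DB_HOST = "db.internal.example"
handler = user_profile_settings_controller
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE00000TEST"
api_token = "q7Hn2vZ9kLp4Xw8sT1bR6yUe3MfJ0aGd5cNi"
cache_seed = 'N3xV8kQ2pLw7Zr1HyB5tC9mA4sG6jD0fE'
"""

if __name__ == "__main__":
    # As a pre-commit hook: pass the path of the staged diff; a non-zero exit blocks the commit.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DIFF
    results = scan_text(text)
    for f in results:
        print(f'line {f["line"]}: {f["kind"]} {f["preview"]}')
    sys.exit(1 if results else 0)
```

Three of the five sample lines are flagged: the known prefix, the keyword assignment, and the `cache_seed` value that no pattern knows about but whose entropy is well above the threshold. The long `user_profile_settings_controller` identifier passes because repeated letters keep its entropy low, which is exactly the false positive the threshold exists to avoid; the threshold and the keyword list are the knobs you tune as the "reduce false positives over time" item in the SAST section suggests.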
Section 5
Dynamic Application Security Testing (DAST)
Test running applications for vulnerabilities
- Run DAST scans against staging/QA environments
- Test authentication and session management
- Scan for OWASP Top 10 vulnerabilities
- Include API security testing (REST, GraphQL)
- Implement authenticated scanning for full coverage
- Schedule regular full scans for comprehensive testing
- Integrate results with developer ticketing systems
Section 6
CI/CD Pipeline Security
Secure your build and deployment pipeline
- Implement security quality gates at each stage
- Sign and verify all artifacts and container images
- Use least-privilege access for CI/CD service accounts
- Audit and rotate CI/CD secrets regularly
- Enable branch protection and require security reviews
- Implement infrastructure as code scanning
- Monitor pipeline for unauthorized changes
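The "security quality gates at each stage" item above and the remediation SLAs from the SAST section (Critical: 24h, High: 7d, with findings prioritised by severity and exploitability) only mean something once a pipeline step can fail a build on them. The following added example is such a gate; it is not code from the original checklist or from any CI product. The findings, their ids, timestamps and the `exploit_available` flag are constructed; the 0.75 warning fraction and the rule that severities without an SLA are tracked but never block are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Remediation SLAs taken from the checklist. Severities with no entry are reported as
# "untracked" and never fail the gate; extend this table to change the policy.
REMEDIATION_SLA = {"critical": timedelta(hours=24), "high": timedelta(days=7)}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed findings in the shape a scanner integration might emit (hypothetical ids).
FINDINGS = [
    {"id": "F-1", "severity": "critical", "first_seen": "2024-03-09T06:00:00+00:00", "exploit_available": False},
    {"id": "F-2", "severity": "high",     "first_seen": "2024-03-07T12:00:00+00:00", "exploit_available": False},
    {"id": "F-3", "severity": "high",     "first_seen": "2024-03-01T12:00:00+00:00", "exploit_available": True},
    {"id": "F-4", "severity": "high",     "first_seen": "2024-03-04T12:00:00+00:00", "exploit_available": False},
    {"id": "F-5", "severity": "medium",   "first_seen": "2024-01-01T00:00:00+00:00", "exploit_available": False},
    {"id": "F-6", "severity": "critical", "first_seen": "2024-03-09T18:00:00+00:00", "exploit_available": False},
    {"id": "F-7", "severity": "high",     "first_seen": "2024-02-28T00:00:00+00:00", "exploit_available": False},
]
# Fixed "now" so the example is reproducible; a real gate uses the pipeline's clock.
NOW = datetime.fromisoformat("2024-03-10T12:00:00+00:00")


def priority_key(f):
    """Severity first, then findings with a known exploit, then the oldest finding."""
    return (
        SEVERITY_RANK.get(f["severity"], 99),
        not f.get("exploit_available", False),
        f["first_seen"],
    )


def evaluate_gate(findings, now, warn_fraction=0.75):
    """Classify findings against their SLA and return a verdict for the pipeline stage.

    overdue   : past the SLA, the gate fails
    due_soon  : past warn_fraction of the SLA, reported so teams can act before it fails
    untracked : no SLA defined for that severity
    """
    overdue, due_soon, untracked = [], [], []
    for f in findings:
        sla = REMEDIATION_SLA.get(f["severity"])
        if sla is None:
            untracked.append(f)
            continue
        elapsed = now - datetime.fromisoformat(f["first_seen"])
        if elapsed >= sla:
            overdue.append(f)
        elif elapsed >= sla * warn_fraction:
            due_soon.append(f)
    return {
        "pass": not overdue,
        "overdue": sorted(overdue, key=priority_key),
        "due_soon": sorted(due_soon, key=priority_key),
        "untracked": untracked,
    }


if __name__ == "__main__":
    verdict = evaluate_gate(FINDINGS, NOW)
    for bucket in ("overdue", "due_soon", "untracked"):
        for f in verdict[bucket]:
            age_h = (NOW - datetime.fromisoformat(f["first_seen"])).total_seconds() / 3600
            print(f'{bucket:9} {f["id"]} {f["severity"]:8} age={age_h:.0f}h exploit={f["exploit_available"]}')
    print("GATE PASS" if verdict["pass"] else "GATE FAIL")
    raise SystemExit(0 if verdict["pass"] else 1)
```

With the sample data the gate fails: F-1 (a critical finding 30 hours old) and the two high findings older than seven days are overdue, and F-3 is listed ahead of the older F-7 because a known exploit outranks age within the same severity. F-6 and F-4 are inside their SLA but past 75% of it, so they surface as warnings on this run rather than as a surprise failure on the next one. The same function can run at each stage with a different `block_on`-style policy if earlier stages should only warn.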