# Security

Comprehensive security practices - threat modeling, secure coding, and vulnerability management

Security is not an afterthought—it must be integrated throughout the software development lifecycle. For regulated software, security is both a quality imperative and a compliance requirement.

## Security in the Development Lifecycle
| Phase | Security Activities | Key Outputs |
|---|---|---|
| Design | Threat modeling, security requirements | Threat model, security controls |
| Development | Secure coding practices, code review | Secure code, review evidence |
| Build | SAST, dependency scanning | Vulnerability reports |
| Test | DAST, penetration testing | Security test results |
| Deploy | Configuration hardening, secrets management | Secure infrastructure |
| Monitor | Runtime protection, incident response | Security alerts, audit logs |
## Core Security Principles

### Defense in Depth

Apply multiple layers of security controls:

### Principle of Least Privilege

Grant minimum permissions necessary:
| Context | Implementation |
|---|---|
| User Access | Role-based access control (RBAC) |
| Service Accounts | Scoped permissions per service |
| API Keys | Limited scope, short-lived tokens |
| Database | Restricted table/column access |
| Infrastructure | Minimal IAM policies |
### Secure by Default
- Deny access unless explicitly permitted
- Encrypt data at rest and in transit
- Enable security features by default
- Require explicit opt-out for security controls
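The two principles above, least privilege and secure by default, come together in an authorization check that denies unless a permission is explicitly granted and that issues scoped, short-lived tokens. The following is an added example written for this page, not code from the original; the role names, permission strings and token fields are constructed for illustration.

```python
"""Deny-by-default RBAC check with scoped, short-lived API tokens.

Added illustration (not code from the original page). Role names,
permissions and token fields are constructed for the example.
"""
from dataclasses import dataclass
import time

# Explicit allow-list per role; anything not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer": {"records:read"},
    "clinician": {"records:read", "records:write"},
    "auditor": {"records:read", "audit:read"},
}


@dataclass(frozen=True)
class Token:
    subject: str
    role: str
    scopes: frozenset      # subset of the role's permissions this token may use
    expires_at: float      # unix timestamp


def issue_token(subject, role, scopes, ttl_seconds=900, now=None):
    """Issue a short-lived token whose scopes are clipped to the role's permissions."""
    now = time.time() if now is None else now
    allowed = ROLE_PERMISSIONS.get(role, set())
    # Requested scopes outside the role are dropped, never granted.
    granted = frozenset(s for s in scopes if s in allowed)
    return Token(subject, role, granted, now + ttl_seconds)


def is_authorized(token, permission, now=None):
    """Return True only when every condition is explicitly satisfied."""
    now = time.time() if now is None else now
    if now >= token.expires_at:
        return False                      # expired tokens never pass
    if token.role not in ROLE_PERMISSIONS:
        return False                      # unknown role: deny
    if permission not in ROLE_PERMISSIONS[token.role]:
        return False                      # role lacks the permission
    return permission in token.scopes     # token must also carry the scope


if __name__ == "__main__":
    t = issue_token("svc-report", "auditor", {"audit:read", "records:write"}, now=1_000)
    print(is_authorized(t, "audit:read", now=1_100))      # True
    print(is_authorized(t, "records:write", now=1_100))   # False: not in the auditor role
    print(is_authorized(t, "audit:read", now=2_000))      # False: token expired
```

Every branch that is not an explicit match returns `False`, so a new permission or role added later is denied until someone deliberately lists it.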
## Security Considerations

### Infrastructure Security
Denial of Service (DoS/DDoS) Mitigation:
- Rate limiting at API gateway
- CDN with DDoS protection
- Auto-scaling to absorb traffic spikes
- Geographic restrictions where appropriate
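Rate limiting at the gateway is usually a token bucket per client: a burst is absorbed up to the bucket's capacity, after which requests are refused until tokens refill. The following is an added example written for this page (not code from the original); the capacities, refill rate and request pattern are constructed.

```python
"""Per-client token-bucket rate limiter of the kind an API gateway applies.

Added example, not from the original page; bucket sizes and the sample
request pattern are constructed.
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, capacity, refill_per_second):
        self.capacity = capacity
        self.refill = refill_per_second
        self.tokens = float(capacity)
        self.updated = None

    def allow(self, now):
        """Consume one token if available; refill in proportion to elapsed time."""
        if self.updated is not None:
            elapsed = max(0.0, now - self.updated)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key (an API key or source IP, for instance)."""
    def __init__(self, capacity=10, refill_per_second=2.0):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_second))

    def check(self, client, now):
        return self.buckets[client].allow(now)


def simulate(limiter, requests):
    """requests: iterable of (timestamp, client); returns (allowed, rejected) counts."""
    allowed = rejected = 0
    for ts, client in requests:
        if limiter.check(client, ts):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


if __name__ == "__main__":
    # Constructed traffic: client "a" fires 30 requests at once, then 8 more three
    # seconds later; client "b" sends one request per second for five seconds.
    traffic = [(0.0, "a")] * 30 + [(3.0, "a")] * 8 + [(float(i), "b") for i in range(5)]
    print(simulate(RateLimiter(capacity=10, refill_per_second=2.0), traffic))  # (21, 22)
```

Client "b" is never affected by "a"'s burst because buckets are keyed per client, which is the property that makes the limiter useful against a single abusive source rather than against all users at once.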
Security Information and Event Management (SIEM):
- Integration of multiple data streams
- Threat analysis based on analytic rules
- Correlation of security events
- Automated alerting and response
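A SIEM correlation rule merges events from several sources by time and raises an alert when a pattern spans them. Below is an added example written for this page, not the original's code: it merges two constructed JSON-lines streams (an authentication service and a VPN gateway) and alerts when a run of failed logins from one address is followed by a success, enriching the alert with whether that address also opened a VPN tunnel.

```python
"""Correlating events from two log streams into an alert, SIEM-style.

Added example, not from the original page. The log format and all sample
lines are constructed; the addresses are documentation ranges.
"""
import json
from collections import defaultdict, deque

# Constructed sample streams as JSON lines; "ts" is unix seconds.
AUTH_STREAM = [
    '{"ts": 100, "src": "auth", "event": "login_failed", "ip": "203.0.113.7", "user": "alice"}',
    '{"ts": 101, "src": "auth", "event": "login_failed", "ip": "203.0.113.7", "user": "alice"}',
    '{"ts": 102, "src": "auth", "event": "login_failed", "ip": "203.0.113.7", "user": "alice"}',
    '{"ts": 103, "src": "auth", "event": "login_failed", "ip": "203.0.113.7", "user": "alice"}',
    '{"ts": 104, "src": "auth", "event": "login_failed", "ip": "203.0.113.7", "user": "alice"}',
    '{"ts": 110, "src": "auth", "event": "login_ok", "ip": "203.0.113.7", "user": "alice"}',
    '{"ts": 500, "src": "auth", "event": "login_failed", "ip": "198.51.100.2", "user": "bob"}',
    '{"ts": 900, "src": "auth", "event": "login_ok", "ip": "198.51.100.2", "user": "bob"}',
]
VPN_STREAM = [
    '{"ts": 105, "src": "vpn", "event": "tunnel_up", "ip": "203.0.113.7", "user": "alice"}',
]


class CorrelationRule:
    """Alert when >= threshold failures from one IP precede a success within `window` seconds."""
    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def feed(self, ev):
        ip, ts = ev["ip"], ev["ts"]
        recent = self.failures[ip]
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if ev["event"] == "login_failed":
            recent.append(ts)
            return None
        if ev["event"] == "login_ok" and len(recent) >= self.threshold:
            count = len(recent)
            recent.clear()
            return {"rule": "bruteforce_then_success", "ip": ip,
                    "user": ev["user"], "failures": count, "ts": ts}
        return None


def correlate(streams, rule):
    """Merge streams by timestamp, run the rule over auth events, enrich from VPN events."""
    events = sorted((json.loads(line) for s in streams for line in s), key=lambda e: e["ts"])
    vpn_seen = set()
    alerts = []
    for ev in events:
        if ev["src"] == "vpn" and ev["event"] == "tunnel_up":
            vpn_seen.add(ev["ip"])           # second data stream feeds enrichment
            continue
        alert = rule.feed(ev)
        if alert:
            alert["vpn_seen"] = ev["ip"] in vpn_seen
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate([AUTH_STREAM, VPN_STREAM], CorrelationRule(threshold=5, window=60)):
        print(a)
```

The rule fires once for 203.0.113.7 (five failures, then success inside the window, with a VPN tunnel seen from the same address) and not for 198.51.100.2, whose single failure is below the threshold. Tuning `threshold` and `window` is what the "analytic rules" in the list above amount to in practice.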
Intrusion Prevention Systems (IPS):
- Network-based sensors
- Host-based intrusion detection
- Behavioral analysis
- Automated blocking of malicious activity
Network Forensics:
- Full packet capture capabilities
- Root cause analysis tools
- Incident reconstruction
- Evidence preservation for compliance
Anti-Malware Protection:
- Endpoint protection on all systems
- Zero-day threat detection
- Malware signature identification
- Automated quarantine and removal
## SecDevOps Integration

Security must be integrated into DevOps practices:

### Security Team Approaches
| Practice | Description |
|---|---|
| Continuous Research | Dedicate time weekly to investigate emerging threats |
| Re-teaming | Embed security members in development teams |
| Detection Focus | Prioritize attack detection over pure prevention |
| Automation | Apply tools like Puppet/Chef to security configurations |
| Base Image Control | Own and secure the base images used across environments |
| Policy as Code | Codify security policy for automated enforcement |
| Feedback Loop | Include security in every CI/CD change review |
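"Policy as Code" means the decision about which scanner findings may block a change is itself versioned and executed by the pipeline rather than made ad hoc. The following added example, written for this page and not taken from the original or any scanner project, is a gate a security-scan stage could run: it reads findings in a constructed, tool-neutral JSON shape, blocks at a configured severity, and honours time-boxed, documented risk acceptances. The finding identifiers are placeholders.

```python
"""A policy-as-code gate for scanner findings, runnable as a CI step.

Added example, not from the page. The findings format is a constructed,
tool-neutral shape (one object per finding with "id", "severity", "package");
a real pipeline would map each scanner's own JSON into it first.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed policy: the severity that blocks, plus time-boxed risk acceptances.
POLICY = {
    "fail_at": "high",
    "exceptions": {
        "FINDING-EXAMPLE-1": {"expires": "2099-01-01",
                              "reason": "no upstream fix yet; mitigated at the gateway"},
    },
}

# Constructed sample findings in the shape this gate expects.
SAMPLE = json.dumps([
    {"id": "FINDING-EXAMPLE-1", "severity": "critical", "package": "libexample"},
    {"id": "FINDING-EXAMPLE-2", "severity": "high", "package": "widget-parser"},
    {"id": "FINDING-EXAMPLE-3", "severity": "low", "package": "colors"},
])


def load_findings(text):
    return json.loads(text)


def evaluate(findings, policy, today=None):
    """Return (passed, blocking): findings at or above fail_at with no unexpired exception."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[policy["fail_at"]]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"].lower(), 0) < threshold:
            continue
        exc = policy["exceptions"].get(f["id"])
        if exc and date.fromisoformat(exc["expires"]) >= today:
            continue                         # accepted risk, still inside its expiry date
        blocking.append(f)
    return len(blocking) == 0, blocking


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    passed, blocking = evaluate(load_findings(text), POLICY)
    for f in blocking:
        print(f"BLOCK {f['severity'].upper():<8} {f['id']} ({f['package']})")
    print("gate: PASS" if passed else "gate: FAIL")
    return 0 if passed else 1               # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because exceptions expire, an accepted risk resurfaces automatically instead of being forgotten, which is the kind of evidence an audit expects for a managed exception.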
### Security in CI/CD Pipeline
```yaml
# Example security-integrated pipeline (GitLab CI syntax)
stages:
  - lint
  - security-scan
  - build
  - test
  - security-test
  - deploy

# Jobs that share a stage run in parallel, so each scanner gets its own job
# and a failure in one is reported independently of the others.
dependency-audit:
  stage: security-scan
  script:
    - npm audit --audit-level=high

filesystem-scan:
  stage: security-scan
  script:
    - trivy fs --severity HIGH,CRITICAL .

static-analysis:
  stage: security-scan
  script:
    - semgrep --config auto .

# Dynamic tests run against the deployed test instance at $APP_URL
security-test:
  stage: security-test
  script:
    - zap-baseline.py -t $APP_URL
    - nuclei -u $APP_URL -severity critical,high
```

## Compliance Frameworks

### Security and Risk Assessments
For regulated systems, align with appropriate frameworks:
| Framework | Focus Area | Applicability |
|---|---|---|
| NIST Cybersecurity Framework | Comprehensive security | All industries |
| FedRAMP | Federal cloud security | Government contractors |
| HIPAA Security Rule | Healthcare data protection | Healthcare systems |
| PCI DSS | Payment card security | Payment processing |
| SOC 2 | Service organization controls | SaaS providers |
### NIST CSF Core Functions

## Security Testing Types
| Type | When | Tools | Purpose |
|---|---|---|---|
| SAST | Build time | Semgrep, SonarQube, CodeQL | Find code vulnerabilities |
| SCA | Build time | Snyk, Dependabot, npm audit | Find dependency vulnerabilities |
| DAST | Runtime | OWASP ZAP, Burp Suite | Find running app vulnerabilities |
| IAST | Runtime | Contrast, Hdiv | Instrumentation-based testing inside the running app |
| Penetration Testing | Pre-release | Manual + tools | Simulate real attacks |
| Fuzzing | Development | AFL, libFuzzer | Input edge case testing |
### Testing Frequency
| Test Type | Frequency | Trigger |
|---|---|---|
| SAST | Every commit | CI/CD pipeline |
| SCA | Every build | CI/CD pipeline |
| DAST | Weekly/Release | Scheduled + pre-deploy |
| Penetration Test | Quarterly/Annually | Major releases, audits |
## OWASP Top 10 Mitigations
| Vulnerability | Prevention |
|---|---|
| Injection | Parameterized queries, input validation |
| Broken Authentication | MFA, secure session management |
| Sensitive Data Exposure | Encryption, proper key management |
| XML External Entities | Disable XXE in parsers |
| Broken Access Control | RBAC, deny by default |
| Security Misconfiguration | Hardened defaults, automated config |
| Cross-Site Scripting (XSS) | Output encoding, CSP headers |
| Insecure Deserialization | Integrity checks, type constraints |
| Known Vulnerabilities | Dependency scanning, timely updates |
| Insufficient Logging | Comprehensive audit logging |
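The first and the XSS rows of the table above are the two mitigations most often got wrong in application code, so here they are side by side as an added example written for this page (not the original's code): a query that splices input into SQL next to its parameterized form, an output-encoding helper, and a restrictive CSP header. It uses an in-memory SQLite table with constructed rows; the unsafe function is present only to make the contrast visible.

```python
"""Two OWASP mitigations side by side: parameterized queries and output encoding.

Added example, not from the page. In-memory SQLite with constructed rows;
the vulnerable function is kept only to show the contrast.
"""
import html
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def find_user_unsafe(conn, name):
    # VULNERABLE: the value is spliced into the SQL text, so it can change the query's logic.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    # Parameterized: the driver passes the value separately; it can only ever be compared as data.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name):
    """Output-encode untrusted text before placing it in an HTML body."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# A restrictive default policy; relax per application, never globally.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    conn = setup_db()
    probe = "x' OR '1'='1"                   # constructed input that is not a real user name
    print(find_user_unsafe(conn, probe))     # both rows: the WHERE clause was rewritten
    print(find_user_safe(conn, probe))       # []: no user is literally named that
    print(render_greeting("<b>name</b>"))    # <p>Hello, &lt;b&gt;name&lt;/b&gt;</p>
```

Input validation (also listed in the table) is a useful second layer, but parameterization is what removes the vulnerability class; the same split applies to XSS, where encoding at output time is the control and the CSP header limits the impact if encoding is missed somewhere.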
## Security Roles
| Role | Responsibilities |
|---|---|
| Security Advisor | Architecture review, policy guidance, risk assessment |
| Security Tester | Penetration testing, vulnerability assessment |
| Information Assurance Analyst | Compliance verification, audit preparation |
| HIPAA Compliance Officer | PHI protection, HIPAA compliance oversight |
See Specialist Roles for detailed role descriptions.
## Best Practices

### Do
- Integrate security into every phase of development
- Automate security testing in CI/CD pipelines
- Conduct regular threat modeling sessions
- Keep dependencies updated and scanned
- Implement comprehensive logging and monitoring
- Train developers on secure coding practices
- Practice incident response regularly
### Don't
- Treat security as a final checkbox
- Store secrets in code or configuration files
- Ignore security findings until later
- Assume perimeter security is sufficient
- Log sensitive data (PII, credentials)
- Skip security reviews for "small" changes
- Rely solely on automated tools
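"Implement comprehensive logging" and "Don't log sensitive data" pull in opposite directions unless redaction is built into the audit path. The following is an added example written for this page, not the original's code: it builds an audit record that keeps who, what and outcome, masks fields whose names mark them as secrets or PII, and scrubs bearer tokens that appear inside free text. The field names treated as sensitive and the sample values are constructed.

```python
"""Audit logging that keeps the record but redacts secrets and PII.

Added example, not from the page. The sensitive field names, the token
pattern and the sample event are constructed for illustration.
"""
import json
import logging
import re

SENSITIVE_KEYS = {"password", "token", "authorization", "ssn", "api_key"}
# Constructed pattern for bearer tokens embedded in free text.
BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._\-]+")


def redact(value):
    """Recursively mask sensitive keys in dicts/lists and token-like substrings in strings."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return BEARER_RE.sub(r"\1[REDACTED]", value)
    return value


def audit_record(action, actor, outcome, **details):
    """Build the JSON line for the audit log; who/what/outcome stay, secrets do not."""
    event = redact({"action": action, "actor": actor, "outcome": outcome, **details})
    return json.dumps(event, sort_keys=True)


def make_audit_logger():
    logger = logging.getLogger("audit")
    logger.setLevel(logging.INFO)
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
        logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    log = make_audit_logger()
    # Constructed event: a login attempt where the request body was captured verbatim.
    line = audit_record("login", "alice", "success",
                        ip="203.0.113.7", password="hunter2",
                        note="header was: Authorization: Bearer abc.def-ghi")
    log.info(line)
```

Redacting by field name catches structured secrets; the regex catches the common case of a token pasted into a message. Neither replaces keeping secrets out of request logs in the first place, but together they make the audit log safe to retain for as long as the record-control requirements demand.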
## Related Resources
- Threat Modeling
- Secure Coding
- Vulnerability Scanning
- Secrets Management
- Observability
- Microsoft Playbook: Security
## Compliance
This section fulfills ISO 13485 requirements for planning of product realization (7.1), design inputs (7.3.3), design verification (7.3.6), improvement (8.5.1), and control of records (4.2.4), and ISO 27001 requirements for threat intelligence (A.5.7), vulnerability management (A.8.8), configuration management (A.8.9), network security (A.8.20), cryptography (A.8.24), and secure development lifecycle (A.8.25-29).