Secure software development practices are integrated and their security is evaluated
Vulnerabilities introduced during development cost far more to fix in production than they would have cost to prevent in code review. Integrating security into the development process, through code analysis, dependency scanning, and security testing in CI/CD, catches issues before they ship. Organizations that treat security as a deployment gate rather than a development practice accumulate technical security debt continuously.
Implementation steps
1. Establish secure coding standards and training for developers
   Define coding standards that address the OWASP Top 10 and any language-specific vulnerabilities relevant to your stack. Provide developers with security training focused on the vulnerability types most relevant to their work. Require new developers to complete secure coding training as part of onboarding.
   Tools: snyk-learn, sans, secure-code-warrior
2. Integrate security testing into CI/CD pipelines
   Add automated security checks to every pull request and build: static application security testing (SAST) to catch common code vulnerabilities, software composition analysis (SCA) to detect known-vulnerable dependencies, and secret scanning to prevent credentials from being committed. Configure pipelines to fail builds that introduce high or critical security findings.
   Tools: snyk, semgrep, sonarqube, gitleaks, trufflesecurity, github-advanced-security, dependabot
3. Conduct regular security testing of applications
   Beyond automated scanning, perform manual security testing of applications at least annually: a code review for security-sensitive components, dynamic application security testing (DAST) against running applications, and periodic penetration testing of the application attack surface. Track findings through to remediation.
   Tools: burpsuite, owasp-zap, nuclei
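One way to implement the build gate from step 2 ("fail builds that introduce high or critical findings"), as an added example that is not part of this page or of any tool listed here: a small Python CI step that reads a SARIF report from a SAST or secret scanner, rates each result by the `security-severity` score in its rule properties (GitHub code scanning's 0-10 scale and cut-offs), and blocks only findings whose fingerprint is not already in a baseline from the main branch, so pre-existing findings stay tracked rather than failing every pull request. The SARIF sample, rule ids, file paths, fingerprints and scores are constructed, and the `primaryLocationLineHash` fingerprint key is the one CodeQL emits; other scanners may use a different key.

```python
import json

# Constructed SARIF 2.1.0 report in the shape SAST tools such as CodeQL emit;
# the rule ids, paths, fingerprints and scores are made up for this example.
SAMPLE_SARIF = json.loads("""{
 "version": "2.1.0",
 "runs": [{"tool": {"driver": {"name": "example-sast", "rules": [
    {"id": "sqli-001", "properties": {"security-severity": "9.3"}},
    {"id": "xss-002",  "properties": {"security-severity": "7.5"}},
    {"id": "log-003",  "properties": {"security-severity": "4.0"}}]}},
  "results": [
    {"ruleId": "sqli-001", "partialFingerprints": {"primaryLocationLineHash": "aa11"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "xss-002", "partialFingerprints": {"primaryLocationLineHash": "bb22"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"}, "region": {"startLine": 7}}}]},
    {"ruleId": "log-003", "partialFingerprints": {"primaryLocationLineHash": "cc33"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/log.py"}, "region": {"startLine": 3}}}]}]}]}""")

# Fingerprints of findings already known on the main branch: those are tracked to
# remediation separately, and only findings a pull request introduces block it.
BASELINE = {"bb22"}

def rating(score):
    """Map a 0-10 security-severity score to GitHub code scanning's rating bands."""
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if score >= floor:
            return name
    return "low"

def blocking_findings(sarif, baseline=frozenset()):
    """Return new high/critical results as (rating, rule id, file, line) tuples."""
    out = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            props = rules.get(res.get("ruleId"), {}).get("properties", {})
            sev = rating(float(props.get("security-severity", 0)))
            fp = res.get("partialFingerprints", {}).get("primaryLocationLineHash")
            if sev in ("high", "critical") and fp not in baseline:
                phys = res["locations"][0]["physicalLocation"]
                out.append((sev, res["ruleId"], phys["artifactLocation"]["uri"],
                            phys["region"]["startLine"]))
    return out

def gate(sarif, baseline=frozenset()):
    """Print blocking findings and return the exit code for the CI step (1 = fail)."""
    findings = blocking_findings(sarif, baseline)
    for sev, rule, uri, line in findings:
        print(f"{sev.upper()}: {rule} at {uri}:{line}")
    return 1 if findings else 0
```

In a pipeline, run it after the scanner step with `sys.exit(gate(json.load(open("results.sarif")), baseline))`, loading the baseline fingerprints from the last scan of the main branch; on the sample above only the new critical finding blocks, the baselined high one and the medium one do not.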
Evidence required
Secure SDLC policy or secure coding standard
A documented standard for secure development practices, including required security checks in the development process.
- Secure coding guidelines document covering the OWASP Top 10
- Engineering handbook section defining security requirements for code changes
- SDLC policy document with security review gates
Security tooling integrated in CI/CD
Evidence of automated security testing tools running in the development pipeline.
- CI pipeline configuration showing SAST and SCA steps
- Snyk or equivalent scan results from recent builds
- GitHub Advanced Security or similar tool enabled and configured for the repository
Related controls
- The hardware and firmware of platforms are managed (Platform Security)
- The software of platforms is managed, including operating systems and applications (Platform Security)
- Data are destroyed according to policy when platforms or storage media are decommissioned (Platform Security)
- Log records are generated and made available for continuous monitoring (Platform Security)