Section 09

Secure SDLC Integration

Integrating security into the Software Development Lifecycle (SDLC) ensures that security is considered at every phase—from requirements to retirement.

SDLC Security Activities

Requirements
  • Define security requirements (confidentiality, integrity, availability)
  • Identify compliance requirements (GDPR, HIPAA, PCI)
  • Create abuse cases alongside use cases
  • Data classification for all data types

Design

  • Threat modeling (STRIDE, PASTA)
  • Security architecture review
  • Attack surface analysis
  • Select secure design patterns
  • Define security controls

Development

  • Follow secure coding guidelines
  • Use security linters and IDE plugins
  • SAST in CI/CD pipeline
  • Peer code review for security
  • Secrets management (not in code)

Testing

  • DAST and IAST scans
  • Security unit tests
  • Penetration testing
  • Fuzz testing
  • Dependency vulnerability scanning

Deployment

  • Infrastructure as Code security scanning
  • Container image scanning
  • Configuration hardening verification
  • Security sign-off gate

Operations

  • Security monitoring and alerting
  • Incident response procedures
  • Vulnerability management
  • Patch management
  • Bug bounty program

Security Gates

Security gates are checkpoints where security criteria must be met before proceeding.

Pre-Commit Gate

  • Secret scanning (prevent credential commits)
  • Linting for security anti-patterns
  • Pre-commit hooks

Build Gate

  • SAST scan pass/fail
  • Dependency vulnerability check
  • License compliance

Deploy Gate

  • DAST scan results
  • Container scan pass
  • IaC policy compliance

Release Gate

  • Penetration test sign-off
  • Compliance verification
  • Risk acceptance for exceptions

Practical: GitHub Actions Security Pipeline

.github/workflows/security.yml
name: Security Pipeline
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write

jobs:
  secrets-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for git-based scanning
      # Pin third-party actions to a release tag or commit SHA rather than a moving branch
      - uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified

  sast:
    name: Static Analysis
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/owasp-top-ten
            p/cwe-top-25
            p/security-audit
          generateSarif: "1"  # writes semgrep.sarif for the upload step below
      - name: Upload SARIF
        if: always()  # upload findings even when Semgrep exits non-zero
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif

  dependency-check:
    name: Dependency Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

  container-scan:
    name: Container Security
    runs-on: ubuntu-latest
    needs: [sast]
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t app:test .
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:test
          severity: CRITICAL,HIGH
          exit-code: 1  # Fail on critical/high

  iac-scan:
    name: IaC Security
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: terraform/
          soft_fail: false
          framework: terraform
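The Build Gate's "SAST scan pass/fail" and the Release Gate's "risk acceptance for exceptions" can be enforced in one step of a pipeline like the one above. As an added example that is not part of the course's own workflow: a small Python gate evaluator that reads Semgrep's SARIF output, blocks on findings at or above a severity threshold, and honours time-boxed risk acceptances; the SARIF document, rule ids, paths and the exception register are constructed sample values.

```python
# Added example (not the course's own code): SAST build-gate evaluator over SARIF,
# honouring time-boxed risk acceptances. All data below is constructed.
import json
from datetime import date
# Constructed SARIF 2.1.0 fragment in the shape Semgrep's --sarif output uses.
SAMPLE_SARIF = json.dumps({"runs": [{"results": [
    {"ruleId": "python.lang.security.audit.eval-detected", "level": "error",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"}}}]},
    {"ruleId": "python.flask.security.xss.audit", "level": "warning",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/templates.py"}}}]},
    {"ruleId": "python.lang.security.insecure-hash", "level": "note",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/legacy.py"}}}]},
]}]})

# Constructed risk-acceptance register (the Release Gate's "risk acceptance for
# exceptions"), time-boxed so an accepted finding cannot silently live forever.
SAMPLE_EXCEPTIONS = [
    {"rule": "python.lang.security.audit.eval-detected", "path": "app/views.py",
     "expires": "2099-01-01", "ticket": "SEC-PLACEHOLDER"},
]
LEVEL_RANK = {"note": 1, "warning": 2, "error": 3}  # SARIF result levels

def load_findings(sarif_text):
    """Flatten SARIF runs/results into (rule, path, level) tuples."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = r.get("locations", [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            out.append((r.get("ruleId", "<no-rule>"), path, r.get("level", "warning")))
    return out

def is_accepted(finding, exceptions, today):
    """An exception applies only to the exact rule+path and only until it expires."""
    rule, path, _ = finding
    return any(e["rule"] == rule and e["path"] == path
               and date.fromisoformat(e["expires"]) >= today for e in exceptions)

def evaluate_gate(sarif_text, exceptions, threshold="warning", today=None):
    """Return (passed, blocking): findings at/above threshold with no valid acceptance."""
    today = date.fromisoformat(today) if today else date.today()
    blocking = [f for f in load_findings(sarif_text)
                if LEVEL_RANK.get(f[2], 2) >= LEVEL_RANK[threshold]
                and not is_accepted(f, exceptions, today)]
    return (not blocking), blocking

if __name__ == "__main__":
    ok, blocking = evaluate_gate(SAMPLE_SARIF, SAMPLE_EXCEPTIONS)
    print("\n".join(f"BLOCK {lvl}: {rule} at {path}" for rule, path, lvl in blocking))
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```

In the workflow it would run as a step after Semgrep against the real semgrep.sarif, with the script's exit status failing the job.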

Practical: Pre-Commit Hooks

.pre-commit-config.yaml
repos:
  # Secret detection — catch before they enter git
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

  # TruffleHog for verified secrets and high-entropy strings. The hook runs the
  # locally installed trufflehog binary against the repository itself, so no
  # extra command-line arguments are needed here.
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.63.0
    hooks:
      - id: trufflehog

  # Python security linting (Bandit); the [toml] extra is required to read
  # configuration from pyproject.toml
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.6
    hooks:
      - id: bandit
        args: ['-c', 'pyproject.toml']
        additional_dependencies: ['bandit[toml]']

  # Terraform security
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.83.6
    hooks:
      - id: terraform_tfsec

  # Dockerfile linting
  - repo: https://github.com/hadolint/hadolint
    rev: v2.12.0
    hooks:
      - id: hadolint

SDLC Maturity Models

OWASP SAMM 2.0

Open framework. 5 business functions, 15 practices, 3 maturity levels each.

  • Governance: Strategy, Policy, Education
  • Design: Threat Assessment, Security Requirements, Architecture
  • Implementation: Secure Build, Secure Deploy, Defect Management
  • Verification: Architecture Assessment, Requirements Testing, Security Testing
  • Operations: Incident Management, Environment Management, Operational Management

BSIMM (Building Security In)

Data-driven model measuring what organizations actually do (not aspirational).

  • Based on observations from 100+ organizations
  • 4 domains, 12 practices, 122 activities
  • Useful for benchmarking against industry peers
  • Annual report with trend data
  • SAMM = prescriptive, BSIMM = descriptive

DevSecOps Toolchain

Phase      | Tools                                | What They Catch
-----------|--------------------------------------|-------------------------------------------
Pre-Commit | detect-secrets, TruffleHog, GitLeaks | Hardcoded secrets, API keys
SAST       | Semgrep, SonarQube, CodeQL           | Code-level vulnerabilities, injection, XSS
SCA        | Snyk, Dependabot, Renovate           | Vulnerable dependencies, license issues
Container  | Trivy, Grype, Snyk Container         | Image CVEs, misconfig, malware
IaC        | Checkov, tfsec, KICS                 | Cloud misconfigurations, policy violations
DAST       | OWASP ZAP, Nuclei, Burp CI           | Runtime vulns, OWASP Top 10 in running app

Security Champions Program

Scale Security

Security teams can't review every line of code. Security champions in each development team multiply your security capacity.

Champion Responsibilities

  • First point of contact for security questions
  • Participate in threat modeling sessions
  • Review code changes for security issues
  • Triage security scanner findings
  • Evangelize security best practices

Champion Training

  • OWASP Top 10 deep dive
  • Threat modeling certification
  • Secure code review techniques
  • Security tool training
  • Regular security updates and CTFs

Metrics & KPIs

Process Metrics

  • % of projects with threat models
  • Security training completion rate
  • Time from vulnerability to patch
  • Security gate pass rate

Outcome Metrics

  • Vulnerabilities found in production
  • Critical/High findings per release
  • Mean time to remediate (MTTR)
  • Security incidents per quarter

Framework Alignment

NIST CSF 2.0: PR.IP (Information Protection), ID.RA (Risk Assessment)
ISO 27002:2022: A.8.25 (Secure Development Lifecycle), A.8.28 (Secure Coding), A.8.29 (Security Testing)
OWASP SAMM 2.0: Entire framework maps to SDLC security activities
CIS Controls v8.1: 16 (Application Software Security), 7 (Continuous Vulnerability Management)