Implementing a security program is critical to ensuring good coding practices. Many of the threats such a program must address map directly onto the OWASP Top 10 Web Application Security Risks.
At a minimum, a security program should include:
- Software Composition Analysis (SCA): security vulnerabilities and licence compliance of third-party dependencies
- Static Application Security Testing (SAST): code scanning
- Dynamic Application Security Testing (DAST)
- Penetration testing (pentest)
- Security Log Management (SLM)
- Cyber Threat Intelligence (CTI)
- Secrets detection
- Container scanning
- Security Operations
- Infrastructure as Code (IaC) scanning
- Security Self-Assessment (SSA) or security posture review
- Data Protection Agreements and arrangements; these should be covered by an ISAE 3000 assurance report on GDPR controls
- Bug bounty program
- Responsible Disclosure (RD)
Tools that cover several of these areas:
- Snyk (https://snyk.io/)
- Aikido (https://www.aikido.dev/)
- Polaris
- SonarQube (https://www.sonarsource.com/products/sonarqube/)
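The items above that can run inside the build pipeline (SCA, SAST, secrets detection, container scanning, IaC scanning) are only effective when they gate merges. The following GitHub Actions workflow is an added example, not taken from the original page or from any of the vendors listed above. It uses two of the tools named here (Snyk for SCA, SonarQube for SAST) plus gitleaks and Trivy as assumed open-source choices for secrets and container/IaC scanning. The action names and version tags, the secret names, the image name `myapp`, the severity thresholds and the Node project type are all assumptions; verify each action and pin it to a commit SHA before relying on it, since a mutable `@master` reference is itself a supply-chain risk.

```yaml
# Added example: CI security gates for the pipeline-scannable controls above.
# Assumptions: action names/tags must be verified and pinned to commit SHAs;
# SNYK_TOKEN, SONAR_TOKEN and SONAR_HOST_URL are repository secrets;
# the image name "myapp" and the Node project type are hypothetical.
name: security-gates

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  secrets-detection:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # scan full history, not just HEAD
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GITLEAKS_LICENSE is additionally required for organisation-owned repos

  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: snyk/actions/node@master   # assumption: Node project; other language variants exist
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high   # job fails on high/critical findings

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # SonarQube needs history for new-code analysis
      - uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

  container-and-iac:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Container scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: myapp:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true      # do not block on vulns with no available fix
          exit-code: '1'            # non-zero exit fails the job
      - name: IaC scan (Dockerfile, Terraform, Kubernetes manifests)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          severity: CRITICAL,HIGH
          exit-code: '1'
```

Two caveats a practitioner will hit: the SonarQube scan step uploads results but does not by itself fail the build, so pair it with the quality-gate action (`sonarsource/sonarqube-quality-gate-action`) if the quality gate is meant to block merges; and DAST and penetration testing need a deployed target, so they run out of band against a staging environment rather than in this pull-request workflow.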