# Secure Development

## Security in SDLC Phases
| Phase | Security Measure | Description |
|---|---|---|
| Design | Threat modeling | Identification of attack vectors before implementation |
| Implementation | Secure coding guidelines | OWASP Top 10, input validation, parameterized queries |
| Code review | Four-eyes principle | Security-relevant changes require peer review |
| Test | Automated security tests | SAST, dependency scan in CI/CD |
| Deployment | Hardening | Least privilege, secure configuration, secrets management |
| Operations | Monitoring + patching | Log analysis, vulnerability scanning, patch management |
## CI/CD Security Pipeline
Every commit passes through the following automated checks:
| Step | Tool Category | Blocks on Failure |
|---|---|---|
| Markdown lint / Code lint | markdownlint, ESLint | Yes |
| Build | Framework-specific | Yes |
| Dependency audit | npm audit, Trivy | On high/critical |
| SAST (if applicable) | Code analysis | On critical |
## Dependency Management
| Measure | Description |
|---|---|
| Lockfile | All dependencies are versioned and locked (package-lock.json) |
| Automated updates | Dependabot checks weekly for new versions |
| Audit | npm audit in CI pipeline, blocks on high/critical |
| Review | New dependencies require justification and review |
| Minimization | As few dependencies as possible, preferring actively maintained ones |
## Secrets Management
| Requirement | Implementation |
|---|---|
| No secrets in code | Pre-commit hook checks for patterns (API keys, passwords) |
| Environment variables | Secrets via environment variables, not in files |
| CI/CD secrets | Via GitHub Actions Secrets, not in the repository |
| Rotation | Regular rotation of API keys and service accounts |
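One way to implement the "no secrets in code" pre-commit check from the table above, as an added example that is not the project's own hook: it parses the staged unified diff and rejects the commit when an added line matches a credential pattern, so secrets already removed or only present in history do not trip it. The patterns, file names and the embedded sample diff are constructed for illustration.

```python
"""Pre-commit hook (illustrative, not the page's own tooling): reject commits that add secret-like lines."""
import re, subprocess, sys

# Constructed patterns for illustration; extend with the project's own providers.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|password|secret|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

# Constructed staged diff for the self-check (AKIAIOSFODNN7EXAMPLE is AWS's documented sample key).
SAMPLE_DIFF = """\
--- a/config.js
+++ b/config.js
@@ -10,0 +11,2 @@
+const apiKey = "sk_live_0123456789abcdef";
+const region = "eu-central-1";
--- a/README.md
+++ b/README.md
@@ -3,0 +4 @@
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""

def scan_diff(diff_text):
    """Return (path, new_line_no, pattern_name) for each added ('+') line that matches.
    Removed lines are ignored, so deleting a secret is allowed while adding one is not."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):  # new-file header, e.g. '+++ b/config.js'
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):  # hunk header carries the new-file start line
            m = HUNK_HEADER.match(line)
            line_no = int(m.group(1)) if m else 0
        elif line.startswith("+"):  # added line: scan it, then advance
            findings += [(path, line_no, n) for n, p in SECRET_PATTERNS.items() if p.search(line[1:])]
            line_no += 1
        elif line.startswith(" "):  # unchanged context line also advances the counter
            line_no += 1
    return findings

def staged_diff():
    """Diff of the index against HEAD, i.e. exactly what 'git commit' would record."""
    return subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":  # install as .git/hooks/pre-commit; non-zero exit aborts the commit
    hits = scan_diff(staged_diff())
    sys.stderr.writelines(f"{p}:{n}: possible {name}\n" for p, n, name in hits)
    sys.exit(1 if hits else 0)
```

Running `scan_diff(SAMPLE_DIFF)` reports the hard-coded API key in config.js line 11 and the AWS key in README.md line 4, while the harmless `region` line passes.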
## CRA Synergy
The product-related secure development pipeline (SBOM generation, Cosign signing, multi-engine vulnerability scanning) is documented in the CRA Compliance Documentation. NIS2 secure development standards complement CRA requirements by covering infrastructure and operational codebases.