Embed security in planning: abuse cases, risk, user stories
STRIDE, attack trees, risk-based backlogs, security requirements.
SAST, SCA, secret scanning, secure code review
OWASP Top 10, commit signing, branch protections, pre-commit hooks.
CI hardening, supply chain, IaC scanning, least-privilege runners
SBOM, provenance (SLSA), policy-as-code, drift detection.
DAST, API testing, fuzzing, test environment parity
AuthN/Z tests, rate limiting, negative testing, chaos testing.
Container scanning, policies, admission control, secrets injection
Image signing, SBOM attestations, runtime profiles, eBPF.
Observability, runtime protection, incident readiness, SLIs/SLOs
SIEM/SOAR, alert tuning, runbooks, post-incident reviews.