Security Best Practices | DevSecOps for Dev Teams
Integrate security into your SDLC with SAST, DAST, and secrets management. GitScrum tracks vulnerability remediation and security review workflows.
9 min read
Security isn't a feature you add at the end; it's a mindset that permeates every stage of development. GitScrum helps teams track security tasks, manage vulnerability remediation, and ensure security reviews happen before code reaches production. The key is making security part of the definition of done, not a separate audit that happens after launch.
Security Integration Points
| Phase | Security Activity | Automation |
|---|---|---|
| Design | Threat modeling | Partial |
| Code | Secure coding, review | Manual |
| Build | SAST, dependency scan | Full |
| Test | DAST, penetration testing | Partial |
| Deploy | Config validation | Full |
| Runtime | Monitoring, WAF | Full |
Secure Development Lifecycle
SECURITY IN SDLC
PHASE 1: DESIGN
Threat Modeling:
├── Identify assets (data, functions)
├── Identify threats (STRIDE: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege)
├── Identify mitigations
└── Document security requirements

Security Requirements:
├── Authentication needs
├── Authorization model
├── Data protection requirements
└── Compliance requirements

Architecture Review:
├── Security architecture patterns
├── Trust boundaries
└── Defense in depth
PHASE 2: DEVELOPMENT
Secure Coding:
├── Follow secure coding guidelines
├── Input validation
├── Output encoding
├── Parameterized queries
└── Proper error handling

Code Review:
├── Security-focused review checklist
├── Authentication/authorization checks
├── Data handling review
└── No hardcoded secrets

IDE Security Plugins:
└── Real-time security feedback
PHASE 3: TESTING
Automated Testing:
├── SAST (Static Analysis)
├── DAST (Dynamic Analysis)
├── Dependency scanning
└── Container scanning

Manual Testing:
├── Penetration testing
├── Security review
└── Abuse case testing

Security Test Cases:
├── Authentication bypass attempts
├── Authorization boundary tests
├── Input validation testing
└── Session management testing
Common Vulnerabilities
OWASP TOP 10 PREVENTION
INJECTION:
Risk: SQL, NoSQL, OS command, LDAP injection

Prevention:
├── Use parameterized queries (prepared statements)
├── Use ORM frameworks (their raw-query and string-built filter APIs can still inject)
├── Validate and sanitize input (allowlist where possible)
└── Escape special characters only as a last resort, with the encoder for the target interpreter

✗ Bad:
query = "SELECT * FROM users WHERE id=" + id

✓ Good:
query = "SELECT * FROM users WHERE id = ?"
stmt.setInt(1, id)
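The Bad/Good pair above, run end to end. This is an added example and not code from the GitScrum page: it uses Python's standard `sqlite3` module against a constructed in-memory table, and the names `make_db`, `lookup_user_unsafe`, `lookup_user_safe` and `injection_demo` are this example's own. The attacker input `2 OR 1=1` changes the query's structure in the concatenated version and is just an unmatched value in the parameterized one.

```python
"""Added example (not from the GitScrum page): string-built vs parameterized
SQL in sqlite3. The table contents and attacker payload are constructed."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """The page's 'Bad' pattern: the value is spliced into the SQL text, so
    anything the caller sends becomes part of the statement's grammar."""
    query = "SELECT id, name, role FROM users WHERE id=" + user_id
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, user_id) -> List[Tuple]:
    """The page's 'Good' pattern: the value is bound as a parameter; the
    database receives the statement and the data separately, so the data
    can never alter the WHERE clause."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def injection_demo() -> dict:
    """Run both lookups with a constructed attacker payload. The intended
    id is 2; the trailing 'OR 1=1' is the injected tail."""
    conn = make_db()
    payload = "2 OR 1=1"
    return {
        "unsafe": lookup_user_unsafe(conn, payload),  # returns every row
        "safe": lookup_user_safe(conn, payload),      # no row has that id
    }
```

The parameterized query still does no input validation; in a real endpoint the id would also be checked to be an integer before the lookup, which turns the payload into a clean 400 rather than an empty result.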
BROKEN AUTHENTICATION:
Risk: Session hijacking, credential stuffing, session fixation

Prevention:
├── Multi-factor authentication
├── Strong password policies (length over complexity; check against breached-password lists)
├── Throttle failed attempts (rate limiting, progressive delays); an unconditional lockout can itself be used to lock legitimate users out
├── Secure session management (server-side invalidation on logout, idle and absolute timeouts)
├── Rotate session IDs after login (defeats session fixation)
└── Set the Secure, HttpOnly and SameSite attributes on session cookies
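Session ID rotation and the cookie attributes listed above, as an added example that is not code from the GitScrum page. The `SessionStore`, `build_session_cookie` and `fixation_scenario` names are this example's own; the walk-through plants a session ID before login, the way a fixation attack would, and shows that the planted ID is dead once the user authenticates.

```python
"""Added example (not from the GitScrum page): a session store that issues a
fresh ID at login and invalidates server-side on logout, plus the cookie
attributes the page recommends. All names are this example's own."""
import secrets
import time
from typing import Optional


class SessionStore:
    """In-memory session table: sid -> {"user": ..., "last_seen": ...}."""

    def __init__(self, idle_timeout: float = 900.0):
        self._sessions: dict = {}
        self.idle_timeout = idle_timeout

    def new_anonymous(self) -> str:
        """Pre-login session. 32 bytes from the OS CSPRNG; IDs must never be
        derived from time, usernames or a counter."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def login(self, sid: str, user: str, password_ok: bool) -> Optional[str]:
        """On successful authentication drop the old ID and issue a new one.
        An attacker who planted `sid` in the victim's browser is left with
        an ID that no longer exists on the server."""
        if not password_ok or sid not in self._sessions:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": time.time()}
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve a session; expire it after idle_timeout seconds of silence."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if time.time() - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = time.time()
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Logout invalidates server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def build_session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access),
    SameSite=Lax (not sent on cross-site POSTs)."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_scenario() -> dict:
    """Constructed walk-through of a fixation attempt against the store."""
    store = SessionStore()
    planted = store.new_anonymous()  # attacker learns or plants this ID
    fresh = store.login(planted, "alice", password_ok=True)
    return {
        "ids_differ": planted != fresh,
        "planted_id_still_valid": store.user_for(planted) is not None,
        "victim_logged_in": store.user_for(fresh) == "alice",
    }
```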
SENSITIVE DATA EXPOSURE:
Risk: Data breach, PII exposure

Prevention:
├── Encrypt data at rest and in transit
├── Use TLS 1.2 or later (prefer 1.3) for all connections; disable legacy protocol versions and cipher suites
├── Hash passwords with a slow, salted algorithm (argon2id, scrypt or bcrypt), never a plain SHA-256 or MD5
├── Minimize data collection
├── Mask sensitive data in logs
└── Secure key management (KMS/HSM, keys stored separately from the data they protect)
CROSS-SITE SCRIPTING (XSS):
Risk: Session theft, defacement, malware

Prevention:
├── Encode output for the context it lands in (HTML body, attribute, JavaScript, URL)
├── Use Content Security Policy (CSP)
├── Validate and sanitize input
├── Use modern frameworks (auto-escaping) and never mark untrusted data as safe
└── HttpOnly cookies for sessions (limits what a successful XSS can steal)

✗ Bad:
<div>{{ user.name }}</div>            (engine with auto-escaping off, e.g. a plain Jinja2 Environment)
<div>{{ user.name | safe }}</div>     (auto-escaping explicitly bypassed)

✓ Good:
<div>{{ user.name | escape }}</div>   (or enable auto-escaping globally and keep it on)
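Context-aware output encoding, as an added example that is not code from the GitScrum page. The `render_*` helpers and the `PAYLOAD` are this example's own; the encoding itself comes from Python's standard `html`, `json` and `urllib.parse` modules. It goes slightly beyond the HTML-body case in the box: the same value needs a different encoder inside an attribute, inside a `<script>` literal and inside a URL.

```python
"""Added example (not from the GitScrum page): output encoding chosen by
destination context. Helpers and the attacker payload are constructed."""
import html
import json
import urllib.parse

# Constructed attacker-controlled display name.
PAYLOAD = '<img src=x onerror="alert(1)">'


def render_unsafe(name: str) -> str:
    """The page's 'Bad' pattern: raw interpolation, the markup survives."""
    return f"<div>{name}</div>"


def render_html_body(name: str) -> str:
    """HTML element content: entity-encode & < > " ' (html.escape quotes by default)."""
    return f"<div>{html.escape(name)}</div>"


def render_html_attribute(name: str) -> str:
    """Quoted attribute value: same entity encoding, and the attribute must be quoted,
    otherwise a space in the value starts a new attribute."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def render_script_literal(name: str) -> str:
    """Inline <script> context: JSON-encode the string, then encode < and > so the
    literal can never contain '</script>' and terminate the element early."""
    literal = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var userName = {literal};</script>"


def render_url_parameter(name: str) -> str:
    """URL query context: percent-encode everything outside the unreserved set."""
    encoded = urllib.parse.quote(name, safe="")
    return f'<a href="/profile?name={encoded}">profile</a>'


def markup_survives(rendered: str, tag: str = "<img") -> bool:
    """Does the attacker's tag appear verbatim in the rendered output?"""
    return tag in rendered
```

Note that the HTML-body encoder is not enough for the script context: `&lt;` inside a JavaScript string is just text, while a literal `</script>` there ends the script block regardless of quoting.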
BROKEN ACCESS CONTROL:
Risk: Unauthorized access to data/functions

Prevention:
├── Deny by default
├── Implement access control centrally
├── Enforce ownership checks
├── Disable directory listing
├── Log access control failures
└── Rate limit API access

✓ Always verify:
Can THIS user access THIS resource?
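One way to implement the box above as a single central check, as an added example that is not code from the GitScrum page. `User`, `Document`, `POLICY`, `authorize` and `get_document` are this example's own names. Every (resource type, action) pair that is not in the policy table is denied, ownership is checked for the object actually requested (not just the caller's role), and every denial is logged.

```python
"""Added example (not from the GitScrum page): deny-by-default, centrally
defined authorization with an ownership rule. All names are constructed."""
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("authz")


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int


def is_owner(user: User, doc: Document) -> bool:
    """Ownership rule: horizontal access (bob reading alice's doc) fails here."""
    return doc.owner_id == user.id


def is_admin(user: User, doc: Document) -> bool:
    """Role rule: vertical access (a plain user deleting) fails here."""
    return "admin" in user.roles


# Central policy: (resource type, action) -> rules, any one of which grants.
# Anything not listed is denied, so a new action is closed until added here.
POLICY: Dict[Tuple[str, str], Tuple[Callable[[User, object], bool], ...]] = {
    ("document", "read"): (is_owner, is_admin),
    ("document", "update"): (is_owner,),
    ("document", "delete"): (is_admin,),
}

denials: List[Tuple[int, str, str, int]] = []  # stands in for a security log/metric


def authorize(user: User, action: str, resource) -> bool:
    """Can THIS user perform THIS action on THIS resource?"""
    resource_type = type(resource).__name__.lower()
    rules = POLICY.get((resource_type, action), ())
    allowed = any(rule(user, resource) for rule in rules)
    if not allowed:
        denials.append((user.id, action, resource_type, resource.id))
        log.warning("authz deny user=%s action=%s %s=%s",
                    user.id, action, resource_type, resource.id)
    return allowed


def get_document(user: User, doc: Document) -> Document:
    """Endpoint shape: the check runs before any data is returned."""
    if not authorize(user, "read", doc):
        raise PermissionError("forbidden")
    return doc
```

In a web framework the same `authorize` call sits in a decorator or middleware so that no endpoint can forget it; the table, not the handlers, is what a reviewer reads to answer "who can do what".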
Security in CI/CD
CI/CD SECURITY PIPELINE
PIPELINE STAGES:
Stage 1: Pre-Commit
├── Secrets scanning (git-secrets, trufflehog)
├── Linting for security patterns
└── Local SAST quick scan

Stage 2: Build
├── SAST (full scan)
├── Dependency vulnerability scan
├── License compliance check
└── Container image scan

Stage 3: Test
├── Security unit tests
├── DAST scan (against test env)
└── API security testing

Stage 4: Deploy
├── Infrastructure as Code scanning
├── Configuration validation
└── Secret rotation verification

Stage 5: Runtime
├── WAF/security monitoring
├── Anomaly detection
└── Security logging and alerting
QUALITY GATES:
Block deployment if:
├── Critical vulnerabilities found
├── High severity issues not acknowledged
├── Secrets detected in code
├── Dependency with critical CVE
└── Compliance check fails

Warn but allow if:
├── Medium vulnerabilities found
├── Outdated dependencies
└── Minor compliance deviations
Secrets Management
SECRETS HANDLING
SECRETS TO PROTECT:
├── API keys and tokens
├── Database credentials
├── Encryption keys
├── Service account credentials
├── TLS private keys (the certificates themselves are public)
└── Third-party integration secrets
NEVER DO:
✗ Hardcode secrets in source code
✗ Commit secrets to version control
✗ Store secrets in environment files in repo
✗ Log secrets in application logs
✗ Share secrets via email or chat
✗ Use same secrets across environments
SECRETS MANAGEMENT APPROACH:
Storage:
├── Use a secrets manager (Vault, AWS Secrets Manager)
├── Environment variables (injected at deploy, never baked into images)
└── Never in code or config files

Access:
├── Principle of least privilege
├── Audit access to secrets
└── Rotate secrets regularly

Rotation:
├── Automated rotation where possible
├── Rotation schedule documented
└── Procedure for emergency rotation
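The pre-commit secrets scan from the CI/CD pipeline stage and the "never commit secrets" rules above, as an added example that is not code from the GitScrum page, nor from git-secrets or trufflehog (which do this properly and should be used in practice). `RULES`, `scan_diff`, `shannon_entropy` and `SAMPLE_DIFF` are this example's own; the diff is constructed, and the AWS key in it is Amazon's documented example value, not a live credential. Only added lines are inspected, so removing a secret never trips the scan.

```python
"""Added example (not from the GitScrum page): a toy pre-commit scanner
over the added lines of a diff. Constructed rules and sample diff."""
import math
import re
from collections import Counter
from typing import List, Tuple

RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # a credential-smelling name assigned a quoted literal of 6+ characters
    "generic_assignment": re.compile(
        r"""(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[=:]\s*["']([^"']{6,})["']"""
    ),
}
QUOTED_LITERAL = re.compile(r"""["']([^"'\s]{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits/char: 32 random base62 chars ~5.0, prose/hostnames ~3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str) -> List[Tuple[int, str]]:
    """Return (diff line number, rule name) for each added line that looks like a secret."""
    findings = []
    for lineno, raw in enumerate(diff_text.splitlines(), start=1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # only what is about to be committed matters
        line = raw[1:]
        matched = [name for name, rx in RULES.items() if rx.search(line)]
        if not matched:  # fall back to entropy for unlabelled random-looking literals
            for m in QUOTED_LITERAL.finditer(line):
                if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                    matched.append("high_entropy_string")
                    break
        findings.extend((lineno, name) for name in matched)
    return findings


# Constructed diff: one clean env lookup, one removed line, one low-entropy
# hostname list, and five things that must never be committed.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+DATABASE_URL = os.environ["DATABASE_URL"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "hunter2"
-old_password = "changeme"
+ALLOWED_HOSTS = "example.com,www.example.com"
+SECRET_KEY = "p7Xq9vL2mZ8kR4tW1yB6nC3dF5gH0jK"
+cache_key = "q8Zr2VmN0yT5bJkL9wXc3PdH7sFgA1eU"
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule in scan_diff(SAMPLE_DIFF):
        print(f"line {lineno}: {rule}")
```

The entropy fallback is what catches a random token assigned to an innocent-looking name (`cache_key`), and the threshold is what keeps `ALLOWED_HOSTS` out of the findings; tuning that threshold, and maintaining an allowlist for documented placeholder values, is most of the operational work with real scanners too.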
Security Code Review
SECURITY REVIEW CHECKLIST
AUTHENTICATION:
☐ Strong password requirements enforced
☐ Account lockout after failed attempts
☐ Session management secure
☐ Logout invalidates session
☐ Password reset flow secure
☐ MFA implemented where appropriate
AUTHORIZATION:
☐ Access control on every endpoint
☐ Ownership verified for resources
☐ Role-based access properly implemented
☐ No horizontal privilege escalation
☐ No vertical privilege escalation
☐ Default deny policy
DATA HANDLING:
☐ Input validated and sanitized
☐ Output encoded appropriately
☐ Sensitive data encrypted
☐ PII handled according to policy
☐ No sensitive data in logs
☐ Secure data transmission
ERROR HANDLING:
☐ Generic error messages to users
☐ Detailed errors only in logs
☐ No stack traces exposed
☐ Errors don't reveal system info
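The four error-handling checks above in one request wrapper, as an added example that is not code from the GitScrum page. `handle_request`, `leaky_handle_request` and `failing_handler` are this example's own names; the failing handler is constructed so that its exception message carries exactly the kind of internal detail (host, port, account) that must stay in the log.

```python
"""Added example (not from the GitScrum page): log the full exception
server-side under a correlation id, return only a generic body to the
caller. All names are constructed."""
import logging
import traceback
import uuid
from typing import Callable, Tuple

log = logging.getLogger("app")


def handle_request(handler: Callable[[], dict]) -> Tuple[int, dict]:
    """Run a handler. On any failure the detailed record (type, message,
    stack trace) goes to the log, the user gets a generic message plus an
    id that support can search the log for."""
    try:
        return 200, handler()
    except Exception as exc:
        correlation_id = uuid.uuid4().hex
        log.error(
            "request failed id=%s type=%s detail=%s\n%s",
            correlation_id, type(exc).__name__, exc, traceback.format_exc(),
        )
        return 500, {"error": "An internal error occurred.", "id": correlation_id}


def leaky_handle_request(handler: Callable[[], dict]) -> Tuple[int, dict]:
    """The anti-pattern: the exception text reaches the user, revealing
    hostnames, ports and account names to whoever triggered the error."""
    try:
        return 200, handler()
    except Exception as exc:
        return 500, {"error": f"{type(exc).__name__}: {exc}"}


def failing_handler() -> dict:
    """Constructed failure whose message contains internal topology."""
    raise ConnectionError("connect to db01.internal:5432 as app_user failed")
```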
Incident Response
SECURITY INCIDENT PROCESS
SEVERITY LEVELS:
Critical: Active breach, data exfiltration
Response: Immediate, all hands

High: Vulnerability being exploited
Response: Within hours

Medium: Significant vulnerability found
Response: Within days

Low: Minor security issue
Response: Within sprint
INCIDENT RESPONSE STEPS:
1. Identify and Confirm
├── Validate the incident is real
├── Assess severity
└── Notify security team

2. Contain
├── Isolate affected systems
├── Revoke compromised credentials
└── Block attack vectors

3. Eradicate
├── Remove malicious code/access
├── Patch vulnerabilities
└── Reset credentials

4. Recover
├── Restore from clean backups
├── Verify system integrity
└── Resume normal operations

5. Learn
├── Post-incident review
├── Document lessons learned
└── Implement preventive measures
Best Practices
Anti-Patterns
✗ Security as afterthought or final gate
✗ Hardcoded credentials in source code
✗ No automated security scanning
✗ Ignoring dependency vulnerabilities
✗ No security training for developers
✗ Generic error handling exposing internals