Avoiding vulnerabilities by hand doesn't scale. Mature teams build security into the development cycle: threat-model new features, scan code and dependencies in CI, store secrets in dedicated systems, rotate keys, audit access, and take compliance seriously. The goal isn't perfection; it's making the safe path the default and surfacing the unsafe one before it ships.
Most security bugs are introduced at design, not at coding. A 30–60 minute conversation early in a feature catches whole classes of bugs that no scanner will find — missing authorization, exposed APIs, data flows that shouldn't exist, secrets in URLs.
Walk the design and ask: where can each of these go wrong?
A 1-page threat-model template attached to feature design docs is more useful than a 30-page formal model nobody reads. Ask: trust boundaries, sensitive data, auth checks, third-party calls, attack surface added. Capture mitigations as backlog items.
Static analysis (SAST) scans source code for common vulnerability patterns — SQLi, command injection, hardcoded secrets, deserialization issues, dangerous APIs. Tools: Semgrep, SonarQube, CodeQL (free for open source via GitHub), Snyk Code, Checkmarx, Veracode.
Run on every PR. Fail the build on critical findings. Tune rules to your stack to keep the false-positive rate low — noisy SAST gets ignored.
Software composition analysis (SCA) scans dependencies for known CVEs. Tools: Dependabot, Snyk, Trivy, OWASP Dependency-Check, Mend, Sonatype Nexus IQ. The same tooling generates SBOMs (CycloneDX, SPDX) for every release.
Auto-PR for safe minor/patch upgrades; alert (but don't auto-merge) major versions.
Scan commits for accidentally checked-in API keys, tokens, private keys. git-secrets, trufflehog, gitleaks, GitHub's native push protection. Run pre-commit and in CI; if a secret slips through, rotate immediately — git history is forever.
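A minimal version of what gitleaks and trufflehog do, as an added example that is not part of the page or of either tool: fixed-format patterns for credentials whose shape is public (AWS access key IDs, GitHub tokens, PEM private key headers) plus a Shannon-entropy filter on values assigned to secret-looking variable names. The staged diff, the placeholder list and the entropy threshold are constructed for the example; the `AKIA...` value is the example key from AWS's own documentation, not a live credential.

```python
"""Secret scanner in the style of gitleaks/trufflehog (added example, not a page tool).

Two strategies: fixed-format patterns for credentials whose shape is public
(AWS access key IDs, GitHub tokens, PEM private keys) and an entropy check on
values assigned to secret-looking variable names. Run it on staged text from a
pre-commit hook or on the diff of each PR in CI.
"""
import math
import re
from dataclasses import dataclass

# Credential formats with a fixed, publicly documented structure.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Catch-all: NAME=value where the name looks secret-ish; filtered by entropy below.
    "generic_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"
    ),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64-ish strings score ~4.5-5.5
PLACEHOLDER_MARKERS = ("example", "placeholder", "changeme", "xxxx", "dummy")


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    redacted: str  # never echo the full candidate into CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                candidate = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_assignment":
                    # Placeholders and low-entropy words are the main false positives.
                    if any(mark in candidate.lower() for mark in PLACEHOLDER_MARKERS):
                        continue
                    if shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                        continue
                findings.append(Finding(rule, line_no, redact(candidate)))
    return findings


# Constructed staged diff. The AKIA... value is the example key from AWS's own
# documentation, not a live credential.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+DB_PASSWORD=changeme-placeholder
+API_TOKEN=q7Fz9pLm2Xa8Rt4vKb1YwN6eJs3Hc0Dg
+# rotating tokens is documented in the runbook
"""


def main(text: str = SAMPLE_DIFF) -> int:
    """Exit-code style result: 1 blocks the commit/build, 0 lets it through."""
    findings = scan_text(text)
    for f in findings:
        print(f"{f.rule} at line {f.line_no}: {f.redacted}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The placeholder allowlist is what keeps `.env.example` files from tripping the generic rule, and redaction matters because CI logs are often readable more widely than the repository. Rotate anything the scanner reports rather than just amending the commit; the value is already in history.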
Catch misconfig before it deploys. Checkov, tfsec, Terrascan, KICS for Terraform / CloudFormation / Kubernetes manifests. Policy-as-code (OPA / Rego, Sentinel) for "no public buckets, no 0.0.0.0/0, no * IAM."
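The three policies quoted above, written as plain Python checks over a plan instead of Rego; this is an added example, not code from Checkov, OPA or any other tool named here. The input shape mirrors the `type` / `name` / `values` entries of `terraform show -json` output, and the plan fragment is constructed for the example.

```python
"""Policy-as-code checks over a Terraform plan (added example, not a page tool).

The input shape mirrors the `resources` entries of `terraform show -json`
output (type, name, values); the three rules are the ones the section names:
no public buckets, no 0.0.0.0/0 ingress, no wildcard IAM grants.
"""
import json

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """Terraform emits single values and lists interchangeably; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_public_bucket(res):
    if res["type"] != "aws_s3_bucket":
        return []
    acl = res["values"].get("acl")
    if acl in PUBLIC_ACLS:
        return [f"{res['type']}.{res['name']}: public ACL '{acl}'"]
    return []


def check_open_ingress(res):
    if res["type"] != "aws_security_group":
        return []
    violations = []
    for rule in _as_list(res["values"].get("ingress")):
        cidrs = _as_list(rule.get("cidr_blocks")) + _as_list(rule.get("ipv6_cidr_blocks"))
        if ANYWHERE & set(cidrs):
            violations.append(
                f"{res['type']}.{res['name']}: ingress "
                f"{rule.get('from_port')}-{rule.get('to_port')} open to the world"
            )
    return violations


def check_wildcard_iam(res):
    if res["type"] not in ("aws_iam_policy", "aws_iam_role_policy"):
        return []
    doc = res["values"].get("policy", {})
    if isinstance(doc, str):  # policy documents are usually JSON-encoded strings
        doc = json.loads(doc)
    violations = []
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _as_list(st.get("Action")) or "*" in _as_list(st.get("Resource")):
            violations.append(f"{res['type']}.{res['name']}: Allow with wildcard Action/Resource")
    return violations


CHECKS = (check_public_bucket, check_open_ingress, check_wildcard_iam)


def evaluate(resources):
    """Return every violation; an empty list means the plan passes policy."""
    return [v for res in resources for check in CHECKS for v in check(res)]


# Constructed plan fragment: two buckets, one security group, one IAM policy.
SAMPLE_RESOURCES = [
    {"type": "aws_s3_bucket", "name": "assets", "values": {"acl": "public-read"}},
    {"type": "aws_s3_bucket", "name": "backups", "values": {"acl": "private"}},
    {"type": "aws_security_group", "name": "bastion", "values": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
    ]}},
    {"type": "aws_iam_policy", "name": "ci_deploy", "values": {"policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    })}},
]

if __name__ == "__main__":
    for violation in evaluate(SAMPLE_RESOURCES):
        print("DENY", violation)
```

Each check is a pure function from one resource to a list of violations, which is the same shape a Rego `deny` rule has and makes unit-testing a policy trivial. Gate the pipeline on a non-empty result from `evaluate` at plan time, before anything is applied.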
Container image scanning (Trivy, Grype, Snyk Container, Anchore) checks your image layers for vulnerable OS packages and language libraries. Block deploy on critical CVEs. Use minimal base images (distroless, alpine) to shrink the surface.
Dynamic analysis (DAST) runs against the deployed app, sending probing requests like an attacker would. OWASP ZAP, Burp Suite Pro, Nuclei. Catches runtime issues SAST can't — auth misconfig, server headers, leaked debug routes. Run against staging on a schedule or as part of PR previews.
Keep secrets in a dedicated manager: AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault, Doppler, Infisical, 1Password Connect. Apps fetch at runtime via workload identity (IRSA, Workload Identity Federation, mTLS), never via long-lived static credentials.
.env Files Committed to Git
Even .env.example with placeholder values has a way of becoming a real .env with real values that someone forgot to rotate. Push protection in GitHub blocks the most common mistakes; secret scanning in CI catches the rest.
Time-based rotation (90 days for high-value, 6–12 months for lower) plus event-driven rotation: every employee offboarding, every suspected leak, every dependency compromise. Automated rotation (Secrets Manager has it for RDS, IAM keys, etc.) is the only kind that actually happens.
Per-tenant or per-record envelope keys backed by a KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault, HashiCorp Vault Transit). The KMS key never leaves the HSM; data keys are short-lived. Crypto-shredding (delete the key) becomes a real GDPR right-to-erasure tool.
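The key hierarchy described above, as an added example rather than any KMS vendor's code: `FakeKms` is an in-memory stand-in for KMS / Cloud KMS / Vault Transit in which the tenant master key is created, used and deleted but never handed out, callers receive only a fresh data key plus its wrapped form, and deleting the master key makes every record under it unreadable. Because the example has to run on the standard library alone, the AEAD is an HMAC-SHA256 keystream with encrypt-then-MAC; in production the data key would drive AES-GCM and the wrap/unwrap calls would be the KMS API. Key IDs and the record are constructed.

```python
"""Envelope encryption with crypto-shredding (added example, not a page tool).

FakeKms stands in for AWS KMS / Cloud KMS / Vault Transit: the tenant master
key never leaves it, callers only get a fresh data key plus its wrapped form.
The AEAD here is an HMAC-SHA256 stream cipher with encrypt-then-MAC, chosen so
the example runs on the standard library alone; in production the data key
would drive AES-GCM (e.g. via the `cryptography` package) and the wrap/unwrap
calls would be the KMS API.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, both derived from `key`.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def aead_seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """In-memory stand-in for a KMS: master keys are created, used and deleted here only."""

    def __init__(self):
        self._master_keys = {}

    def create_key(self, key_id: str) -> str:
        self._master_keys[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """Return (plaintext DEK, DEK wrapped under the master key), like KMS GenerateDataKey."""
        dek = os.urandom(32)
        return dek, aead_seal(self._master_keys[key_id], dek, aad=key_id.encode())

    def decrypt_data_key(self, key_id: str, wrapped: bytes) -> bytes:
        if key_id not in self._master_keys:
            raise KeyError(f"master key {key_id} was deleted; data keys under it are unrecoverable")
        return aead_open(self._master_keys[key_id], wrapped, aad=key_id.encode())

    def schedule_key_deletion(self, key_id: str) -> None:
        """Crypto-shredding: once the master key is gone, every record under it is garbage."""
        del self._master_keys[key_id]


def encrypt_record(kms: FakeKms, tenant_key_id: str, plaintext: bytes) -> dict:
    dek, wrapped_dek = kms.generate_data_key(tenant_key_id)
    blob = aead_seal(dek, plaintext)
    del dek  # drop the plaintext DEK as soon as it is used (Python cannot zero memory)
    return {"key_id": tenant_key_id, "wrapped_dek": wrapped_dek, "blob": blob}


def decrypt_record(kms: FakeKms, record: dict) -> bytes:
    dek = kms.decrypt_data_key(record["key_id"], record["wrapped_dek"])
    return aead_open(dek, record["blob"])


def shredding_demo() -> bool:
    """Round-trip a record, shred the tenant key, confirm the record is now unreadable."""
    kms = FakeKms()
    kms.create_key("tenant-42")
    record = encrypt_record(kms, "tenant-42", b"erase me on request")
    if decrypt_record(kms, record) != b"erase me on request":
        return False
    kms.schedule_key_deletion("tenant-42")
    try:
        decrypt_record(kms, record)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    print("crypto-shredding works:", shredding_demo())
```

The point to notice is that the stored record carries the wrapped data key next to the ciphertext, so the database holds everything needed to decrypt except the one thing only the KMS has. That is what makes erasure a single key-deletion call rather than a hunt through backups.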
Log every authentication, authorization decision, admin action, and data export — with user, resource, and reason. Store in append-only storage (S3 with object lock, dedicated SIEM). Alert on anomalies — sudden surge of 403s, login from a new country, mass exports, role changes.
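The four alert conditions listed above, run over constructed JSON-lines audit events; an added example, not the page's or any SIEM's code. Events carry the fields the section asks for (user, action, resource, outcome, country), the per-user country baseline and the burst thresholds are assumptions for the example, and the timestamps are fabricated.

```python
"""Anomaly rules over an audit log (added example, not a page tool).

Input is constructed JSON-lines audit events with the fields the section asks
for (who, what, which resource, outcome, where from). The four rules are the
section's own alert list: a burst of authorization denials, a login from a
country not seen before for that user, mass exports, and any role change.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DENY_BURST = (5, timedelta(minutes=5))    # 5 denials within 5 minutes
EXPORT_BURST = (3, timedelta(minutes=10))  # 3 exports within 10 minutes


def parse_events(lines):
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def has_burst(timestamps, count, window) -> bool:
    """True if any `count` consecutive timestamps fall inside `window` (sliding window)."""
    ts = sorted(timestamps)
    for i in range(len(ts) - count + 1):
        if ts[i + count - 1] - ts[i] <= window:
            return True
    return False


def detect(events, known_countries):
    """Return a set of (rule, user) alerts. known_countries is the per-user baseline."""
    alerts = set()
    denies, exports = defaultdict(list), defaultdict(list)
    for ev in events:
        user = ev["user"]
        if ev["action"] == "authz" and ev["outcome"] == "deny":
            denies[user].append(ev["ts"])
        elif ev["action"] == "export" and ev["outcome"] == "success":
            exports[user].append(ev["ts"])
        elif ev["action"] == "login" and ev["outcome"] == "success":
            if ev["country"] not in known_countries.get(user, set()):
                alerts.add(("login_new_country", user))
        elif ev["action"] == "role.change":
            alerts.add(("role_change", user))  # always worth a human look
    for user, ts in denies.items():
        if has_burst(ts, *DENY_BURST):
            alerts.add(("authz_deny_burst", user))
    for user, ts in exports.items():
        if has_burst(ts, *EXPORT_BURST):
            alerts.add(("mass_export", user))
    return alerts


def _ev(ts, user, action, resource, outcome, country):
    return json.dumps({"ts": ts, "user": user, "action": action, "resource": resource,
                       "outcome": outcome, "country": country, "reason": "constructed"})


# Constructed log: alice hammers /admin, bob logs in from a new country,
# carol bulk-exports, dave changes a role, erin behaves normally.
SAMPLE_LOG = [_ev(f"2026-03-01T09:00:{s:02d}Z", "alice", "authz", "/admin", "deny", "US")
              for s in (0, 10, 20, 30, 40, 50)] + [
    _ev("2026-03-01T09:05:00Z", "bob", "login", "-", "success", "BR"),
    _ev("2026-03-01T09:10:00Z", "carol", "export", "report-1", "success", "US"),
    _ev("2026-03-01T09:12:00Z", "carol", "export", "report-2", "success", "US"),
    _ev("2026-03-01T09:14:00Z", "carol", "export", "report-3", "success", "US"),
    _ev("2026-03-01T09:20:00Z", "dave", "role.change", "user:erin->admin", "success", "US"),
    _ev("2026-03-01T09:30:00Z", "erin", "login", "-", "success", "US"),
    _ev("2026-03-01T09:31:00Z", "erin", "authz", "/reports", "deny", "US"),
]
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}, "dave": {"US"}, "erin": {"US"}}


def run(lines=SAMPLE_LOG, baseline=BASELINE):
    return detect(parse_events(lines), baseline)


if __name__ == "__main__":
    for rule, user in sorted(run()):
        print(f"ALERT {rule}: {user}")
```

The burst rules need a sliding window rather than a per-hour count, otherwise a spike that straddles a bucket boundary is missed. The country baseline should come from the same append-only store the log lives in, so an attacker who can write to the app cannot quietly extend it.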
Define an SLA: critical CVEs patched within 24h, high within a week, medium within a month. Automate where you can — auto-merge minor/patch dependency updates, auto-rebuild base images on upstream changes.
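The two automatable decisions from this section and the dependency-update rule earlier on the page ("auto-PR for safe minor/patch upgrades; alert on major versions"), as an added example that is not Dependabot's or any scanner's code: a semver classifier that decides whether a bump may be auto-merged, and an SLA check that flags findings past their deadline using the 24h / 1 week / 1 month windows above. Version strings, finding IDs and timestamps are constructed placeholders.

```python
"""Dependency-update and patch-SLA policy (added example, not a page tool).

Two decisions the section automates: which dependency bumps a bot may merge
on its own (patch/minor) versus only raise for review (major), and which
open findings have blown their remediation SLA (critical 24h, high 7 days,
medium 30 days). Version strings and findings below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?")
SLA = {"critical": timedelta(hours=24), "high": timedelta(days=7), "medium": timedelta(days=30)}


def parse_semver(version: str):
    """(major, minor, patch, prerelease-or-None); raises ValueError on junk."""
    m = SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def classify_upgrade(current: str, candidate: str) -> str:
    """'major', 'minor', 'patch', or 'none' when candidate is not newer."""
    cur, new = parse_semver(current)[:3], parse_semver(candidate)[:3]
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def update_action(current: str, candidate: str) -> str:
    """auto-merge safe bumps, alert on majors, never auto-merge pre-releases."""
    kind = classify_upgrade(current, candidate)
    if kind == "none":
        return "ignore"
    if kind == "major" or parse_semver(candidate)[3] is not None:
        return "alert"
    return "auto-merge"


def due_date(severity: str, first_seen: datetime):
    """Deadline under the SLA table, or None for severities the SLA does not cover."""
    window = SLA.get(severity.lower())
    return first_seen + window if window else None


def overdue(findings, now: datetime) -> list:
    """IDs of findings past their deadline, sorted so CI output is stable."""
    late = []
    for f in findings:
        deadline = due_date(f["severity"], f["first_seen"])
        if deadline is not None and now > deadline:
            late.append(f["id"])
    return sorted(late)


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed scanner output; IDs are placeholders, not real advisories.
NOW = _utc("2026-03-10T00:00:00")
SAMPLE_FINDINGS = [
    {"id": "finding-1", "package": "libfoo", "severity": "critical", "first_seen": _utc("2026-03-08T12:00:00")},
    {"id": "finding-2", "package": "libbar", "severity": "high", "first_seen": _utc("2026-03-05T00:00:00")},
    {"id": "finding-3", "package": "libbaz", "severity": "medium", "first_seen": _utc("2026-01-20T00:00:00")},
    {"id": "finding-4", "package": "libqux", "severity": "low", "first_seen": _utc("2025-06-01T00:00:00")},
]

if __name__ == "__main__":
    for cur, new in (("1.4.2", "1.4.3"), ("1.4.2", "1.5.0"), ("1.4.2", "2.0.0"), ("1.4.2", "1.5.0-rc1")):
        print(f"{cur} -> {new}: {update_action(cur, new)}")
    print("overdue:", overdue(SAMPLE_FINDINGS, NOW))
```

Run `overdue` as a scheduled CI job that fails when the list is non-empty; an SLA that nothing enforces is a wish, not a policy. Pre-releases are routed to "alert" even when they are minor bumps, since semver gives no compatibility promise for them.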
A written runbook for "we found a bug; we found a leaked credential; we got a vulnerability report." Quarterly tabletop exercises. The first time you respond to a real incident shouldn't be your first time discussing it.
A security.txt file at /.well-known/security.txt, an email like security@yourcompany, an SLA for responding. Researchers will find issues; make it easy to report responsibly. Bug bounties (HackerOne, Bugcrowd, Intigriti) scale that further.
Annual external pen test for high-value systems and before major launches. Useful for finding deeper issues a scanner can't. Don't confuse it with continuous security; it's a snapshot, not a posture.
| Regime | Scope | You'll Need It If… |
|---|---|---|
| GDPR | Personal data of EU residents | You have any EU users (so: probably). |
| CCPA / CPRA | Personal data of California residents | You operate at any scale in the US. |
| HIPAA | US health data (PHI) | You handle medical records, claims, or telehealth. |
| PCI-DSS | Card payment data | You touch credit cards. Most teams use Stripe to stay out of scope. |
| SOC 2 | SaaS security/availability/etc. controls | Enterprise customers ask for it before they sign. |
| ISO 27001 | Info-security management system | International enterprise customers ask for it. |
| NIST 800-53 / FedRAMP | US federal systems | You sell to US government. |
| EU AI Act, DORA, NIS2 | AI risk; financial digital operational resilience; critical infrastructure | Increasingly applies as platforms grow in 2026. |
Compliance isn't security, but it forces you to write down what you do and prove you do it consistently. A team that takes SOC 2 seriously usually has better-than-average security posture as a side effect.