Know your architecture

• [ ] Produce and maintain a diagram of all components and interactions among them, including the protocols that communications travel over.

Threat modeling

• [ ] Produce and maintain a threat model for your application: identify vulnerabilities and attack paths (ref the architecture diagram) and then implement effective security controls.

Dependency tracking

• [ ] Enumerate and track (ideally automated within the repo) all third party libraries and code, including their licences and owners. Get involved in the maintenance of open source code if possible.

Champion security

• [ ] Engage subject matter experts within the company to pull security in, rather than keeping as an external function that does enforcement. Find developers interested in being security champions.

Use the pipeline

• [ ] Introduce security checks as early in the development process as possible, meeting developers where they work. Manage releases through automated verification as code is merged.

The platform does it

• [ ] Companies that employ a platform strategy can achieve high value density by “writing once” (common elements and security controls in the platform) and “running everywhere” (benefit the portfolio that leverages the platform).