AppSec across the SDLC

Secure design and code in the SDLC

Secure design, code, and integration before and during development — complements manual pentest.


Threat Modeling

Identify threats and controls before building or deploying the surface.

  • STRIDE / PASTA
  • Attack surface
  • Existing controls

Workshop + prioritized deliverable

runbook · threat-modeling

fortress@engagement:~$ stride_workshop --scope checkout_flow
threats_identified: 14 · controls_mapped: 9
deliverable: prioritized_threat_backlog.md
next: design review on HIGH items

Illustrative sequence under agreed scope

Coverage
Critical flows, assets, trust boundaries, and design assumptions agreed with product and engineering.
Typical deliverables
Prioritized threat map, control gaps, and actionable recommendations for the backlog.
Assumptions / modality
Facilitated sessions on diagrams or existing documentation; no invasive testing.

Secure design review

Validate architecture and design decisions before committing to implementation.

  • Architecture
  • Authentication
  • Data segregation

Review on design artifacts

runbook · secure-design-review

fortress@engagement:~$ design_review --artifacts adr,diagrams
findings: 6 · severity HIGH: 2
report: design_gaps_with_remediation
no invasive testing in this phase

Illustrative sequence under agreed scope

Coverage
Diagrams, ADRs, data models, and identity flows within agreed scope.
Typical deliverables
Design findings report with severity, impact, and remediation guidance.
Assumptions / modality
Static review; can complement a follow-on pentest.

Code review

Manual code analysis on critical paths: auth, authorization, and sensitive logic.

  • Auth / authz
  • Injection
  • Secrets
  • Business logic

Scoped repos + critical paths

runbook · code-review

fortress@engagement:~$ codereview --paths auth/,payments/
issues: 11 · secrets_leak: 0 · authz_gap: 2
findings linked to commit refs
read-only repo access

Illustrative sequence under agreed scope

Coverage
Agreed repositories and modules; focus on high-risk paths and exposed surfaces.
Typical deliverables
Findings with file/line references, reproduction steps where applicable, and concrete recommendations.
Assumptions / modality
Read-only repo access; no deployment or active testing unless explicitly agreed.

IaC & pipeline review

Harden infrastructure-as-code and the CI/CD chain before deployment.

  • Terraform / K8s
  • CI secrets
  • Pipeline permissions

Terraform, K8s, CI/CD pipelines

runbook · iac-pipelines-review

fortress@engagement:~$ iac_audit --terraform modules/network
misconfigs: 8 · public_exposure: 1
quick_wins: 3 (pipeline secrets rotation)
artifact review only

Illustrative sequence under agreed scope

Coverage
IaC templates, manifests, CI/CD workflows, and deployment policies in scope.
Typical deliverables
Prioritized misconfigurations, supply-chain risks, and quick wins.
Assumptions / modality
Artifact review; no production changes.
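As an added example, not one of the fortress runbook tools shown above, here is a policy-as-code check of the kind a reviewer hands back as a quick win: it walks the JSON that `terraform show -json` emits for a plan and flags the two classes the card names, public exposure (a security group ingress rule open to the whole internet on a sensitive port) and misconfiguration (an S3 public-access block with a protection switched off). The plan embedded below is constructed; the resource types and field names are AWS provider attributes, while the sensitive-port list, severities, and gate policy are assumptions.

```python
"""Policy check over a Terraform plan (added example, not a fortress tool).

Real usage: `terraform plan -out=tfplan && terraform show -json tfplan > plan.json`,
then call check_plan() on the file contents. The plan below is a constructed sample.
"""
import json
from ipaddress import ip_network

# Assumption: ports that must never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 5432, 3306, 6379, 27017}

# Constructed sample in the shape of `terraform show -json` output, trimmed to
# the fields the checks read (planned_values.root_module.resources[].values).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "values": {"name": "db", "ingress": [
             {"from_port": 5432, "to_port": 5432, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"name": "web", "ingress": [
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"address": "aws_s3_bucket_public_access_block.logs",
         "type": "aws_s3_bucket_public_access_block",
         "values": {"bucket": "logs", "block_public_acls": False,
                    "block_public_policy": True, "ignore_public_acls": False,
                    "restrict_public_buckets": True}},
    ]}},
})


def _iter_resources(module):
    """Yield resources from a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def _world_reachable(rule):
    """True if any IPv4 or IPv6 CIDR on the rule is the whole address space."""
    cidrs = list(rule.get("cidr_blocks") or []) + list(rule.get("ipv6_cidr_blocks") or [])
    return any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def _exposed_ports(rule):
    """Sensitive ports covered by an ingress rule; protocol -1 means all ports."""
    if rule.get("protocol") in ("-1", "all"):
        return set(SENSITIVE_PORTS)
    lo, hi = int(rule.get("from_port") or 0), int(rule.get("to_port") or 0)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def check_plan(plan_json):
    """Return findings as dicts (address, severity, kind, detail); empty means clean."""
    plan = json.loads(plan_json)
    findings = []
    for res in _iter_resources(plan.get("planned_values", {}).get("root_module", {})):
        values = res.get("values") or {}
        if res["type"] == "aws_security_group":
            for rule in values.get("ingress") or []:
                ports = _exposed_ports(rule)
                if ports and _world_reachable(rule):
                    findings.append({"address": res["address"], "severity": "HIGH",
                                     "kind": "public_exposure",
                                     "detail": f"ports {sorted(ports)} open to the internet"})
        elif res["type"] == "aws_s3_bucket_public_access_block":
            off = [k for k in ("block_public_acls", "block_public_policy",
                               "ignore_public_acls", "restrict_public_buckets")
                   if not values.get(k)]
            if off:
                findings.append({"address": res["address"], "severity": "MEDIUM",
                                 "kind": "misconfig",
                                 "detail": f"public access protections disabled: {off}"})
    return findings


def gate(findings, fail_on=("HIGH",)):
    """CI gate: True if the plan may proceed to apply under the severity policy."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    found = check_plan(SAMPLE_PLAN)
    for f in found:
        print(f"{f['severity']:<6} {f['kind']:<16} {f['address']}: {f['detail']}")
    raise SystemExit(0 if gate(found) else 1)
```

Run in the pipeline step between `plan` and `apply`; a non-zero exit blocks the apply. Port 443 open to the world on the web group is deliberately not flagged, since a policy that fires on expected exposure is the noise that gets such checks disabled.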

SAST, DAST, SCA

Tool selection, tuning, and triage of automated scanners with manual judgment.

  • False positives
  • Threshold policies
  • CI integration

Tuning + findings triage

runbook · sast-dast-sca

fortress@engagement:~$ tool_tune --sast ruleset=custom_v1
noise_ratio: 0.41 → 0.12 after triage
baseline: triage_playbook attached
complements manual pentest

Illustrative sequence under agreed scope

Coverage
Agreed stack, existing pipelines, and candidate or deployed tools.
Typical deliverables
Tooling recommendation, tuned rules, triage baseline, and operating playbook.
Assumptions / modality
Does not replace manual pentest; reduces noise and speeds early detection.

DevSecOps gap assessment

Maturity diagnosis: processes, tooling, and ownership between development and security.

  • SDLC maturity
  • Ownership
  • Metrics

Assessment + roadmap

runbook · devsecops-gap

fortress@engagement:~$ maturity_scan --sdlc all_phases
gaps: 9 · quick_wins_30d: 4
roadmap: prioritized_by_impact
workshop + stakeholder interviews

Illustrative sequence under agreed scope

Coverage
Current design, build, deploy, and response practices; interviews with key stakeholders.
Typical deliverables
Gap matrix, impact/effort-prioritized roadmap, quick wins in 30–90 days.
Assumptions / modality
Workshops + document review; no invasive access.

Looking for manual pentest on apps, APIs, or mobile? View AppSec pentest