Secure SDLC – Security Development Lifecycle
Code Ninety integrates security into every phase of the software development lifecycle, from requirements gathering to production deployment and monitoring. Our Secure SDLC framework combines threat modeling, secure coding practices, automated security testing (SAST, DAST), manual penetration testing, and continuous vulnerability management. This defense-in-depth approach ensures applications are secure by design rather than relying on post-development security patches. Our security practices align with OWASP Top 10, SANS Top 25, PCI-DSS, HIPAA, and ISO 27001 standards, enabling clients to meet regulatory compliance requirements. This page details our security practices across SDLC phases, security testing tools, vulnerability remediation processes, and security metrics tracking.
Security Requirements & Threat Modeling
Security requirements are defined during project initiation based on data sensitivity, regulatory requirements, and the threat landscape. Requirements include authentication mechanisms (OAuth, SAML, MFA), authorization models (RBAC, ABAC), data encryption (at rest, in transit), audit logging, and compliance controls (PCI-DSS, HIPAA, GDPR). Security requirements are documented in user stories with acceptance criteria and prioritized in the product backlog.
Threat modeling is conducted during architecture design using the STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Architecture diagrams identify trust boundaries, data flows, and attack surfaces. Threats are analyzed for likelihood and impact, and mitigations are designed: input validation, parameterized queries, rate limiting, encryption, and secure session management. Threat models are reviewed quarterly and updated whenever the architecture changes.
Secure Coding Practices
Code Ninety enforces secure coding standards based on OWASP Secure Coding Practices and language-specific security guidelines. Key practices include: input validation and sanitization (whitelist validation, length limits, type checking), parameterized SQL queries (no string concatenation), output encoding (preventing XSS), secure authentication (bcrypt password hashing, secure session tokens), authorization checks (verify permissions before operations), and error handling (no sensitive data in error messages).
Secure coding checklists are integrated into the code review process. Reviewers verify that SQL queries are parameterized, user inputs are validated, authentication/authorization checks are present, sensitive data is encrypted, and security headers are configured (CSP, HSTS, X-Frame-Options). Security-focused code review training is provided to all engineers, covering common vulnerabilities and secure coding patterns.
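The checklist items above, as an added Python example (not Code Ninety's code): an allow-list username validator, a string-concatenated query beside its parameterized form, output encoding with html.escape, salted password hashing (hashlib.scrypt is used here as an offline stand-in for the bcrypt named above), a permission check ahead of a destructive operation, and a helper that reports which of the listed security headers a response lacks. The in-memory users table, the sample inputs and all function names are constructed for the example.

```python
"""Added example (not Code Ninety's code): secure-coding patterns from the
checklist above, using only the Python standard library.  hashlib.scrypt stands
in for bcrypt so the example runs offline; the users table is constructed."""
import hashlib
import hmac
import html
import os
import re
import sqlite3

# Allow-list validation: a fixed character set and a length limit (3-32 chars).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    # Type check first, then the allow-list pattern; reject everything else.
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def make_db():
    # Constructed in-memory table used by the queries below.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # Before: string concatenation lets the input alter the SQL grammar.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # After: a bound parameter is always treated as data, never as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_greeting(name):
    # Output encoding: user data is escaped at the point it enters HTML.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt=None):
    # Per-user random salt plus a memory-hard KDF; the stored value is salt || digest.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def delete_user(conn, actor_role, target_id):
    # Authorization check before the operation, not after.
    if actor_role != "admin":
        raise PermissionError("admin role required")
    return conn.execute("DELETE FROM users WHERE id = ?", (target_id,)).rowcount


REQUIRED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}


def missing_security_headers(response_headers):
    # Code-review helper: which of the required headers does a response lack?
    present = {k.lower() for k in response_headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("concatenated:", find_user_vulnerable(db, probe))   # both rows returned
    print("parameterized:", find_user_safe(db, probe))        # []
    print(render_greeting("<b>bob</b>"))
    print(missing_security_headers({"Content-Type": "text/html"}))
```

Running the module shows the concatenated query returning every row for a single quoted input while the parameterized query returns nothing, which is the behaviour a reviewer is checking for when the checklist says "SQL queries are parameterized".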
Static Application Security Testing (SAST)
SAST tools analyze source code for security vulnerabilities without executing the application. Code Ninety uses SonarQube for comprehensive SAST covering SQL injection, XSS, insecure deserialization, hardcoded credentials, weak cryptography, and path traversal. SAST scans execute in the CI/CD pipeline on every commit, providing immediate feedback to developers.
SAST quality gates block pull request merges when critical vulnerabilities are detected. Developers receive detailed reports with vulnerability descriptions, affected code lines, and remediation guidance. False positives are marked as "won't fix" with justification. SAST metrics are tracked: vulnerability count by severity, mean time to remediation, and false positive rate. SonarQube rules are customized based on project security requirements and technology stack.
Dynamic Application Security Testing (DAST)
DAST tools test running applications for vulnerabilities by simulating attacks. Code Ninety uses OWASP ZAP for automated DAST scanning of staging environments. DAST identifies runtime vulnerabilities: authentication bypass, authorization flaws, session management issues, insecure configurations, and missing security headers. DAST scans execute weekly in staging and before major releases.
DAST scans are configured with authenticated sessions to test protected endpoints. Scan results are triaged by the security team: critical vulnerabilities are escalated immediately, high/medium vulnerabilities are prioritized in the current sprint, and low vulnerabilities are backlogged. DAST findings are tracked in Jira with severity, affected endpoints, reproduction steps, and remediation recommendations. Remediation is verified through re-scanning before production deployment.
Dependency Scanning & Software Composition Analysis
Third-party dependencies are scanned for known vulnerabilities using Snyk and Dependabot. Dependency scans identify vulnerable library versions, license compliance issues, and outdated packages. Scans execute daily with automated pull requests for security updates. Critical vulnerabilities trigger immediate alerts requiring emergency patches.
The dependency update policy prioritizes security patches over feature updates. Security updates are applied within SLAs: critical vulnerabilities within 24 hours, high within 7 days, medium within 30 days. Dependency updates are tested in the CI/CD pipeline before merge to ensure compatibility. A Software Bill of Materials (SBOM) is maintained documenting all dependencies and versions for compliance and incident response.
Penetration Testing
Manual penetration testing is conducted by external security firms annually for production systems and before major releases. Penetration tests simulate real-world attacks covering OWASP Top 10 vulnerabilities, business logic flaws, and infrastructure security. Testing scope includes web applications, APIs, mobile apps, and cloud infrastructure.
Penetration test reports document findings with severity ratings, exploitation steps, business impact, and remediation recommendations. Critical and high findings are remediated immediately with emergency patches. Medium findings are addressed in current sprint. Low findings are backlogged. Remediation is verified through re-testing before final sign-off. Penetration test results are shared with clients under NDA demonstrating security posture.
Security in CI/CD Pipeline
Security checks are integrated into the CI/CD pipeline as automated quality gates. Pipeline stages include: (1) SAST scan with SonarQube, (2) Dependency scan with Snyk, (3) Container image scan with Trivy, (4) Infrastructure-as-code scan with Checkov, (5) Secrets detection with GitGuardian. Failed security checks block deployments and trigger notifications.
Container images are scanned for OS vulnerabilities, misconfigurations, and embedded secrets before being pushed to the registry. Infrastructure-as-code (Terraform, CloudFormation) is scanned for security misconfigurations: open security groups, unencrypted storage, public S3 buckets. Secrets (API keys, passwords) are detected in code commits and blocked from entering the repository. Security pipeline metrics track scan duration, vulnerability detection rate, and false positive rate.
Vulnerability Management
Vulnerabilities from all sources (SAST, DAST, dependency scans, penetration tests) are centralized in a vulnerability management platform. Vulnerabilities are classified by severity (Critical, High, Medium, Low) using CVSS scoring. Remediation SLAs are enforced: Critical within 24 hours, High within 7 days, Medium within 30 days, Low within 90 days.
Vulnerability remediation workflow: (1) Triage and severity assignment, (2) Create Jira ticket with reproduction steps, (3) Assign to development team, (4) Implement fix and test, (5) Deploy to production, (6) Verify fix through re-scanning, (7) Close ticket. Vulnerability metrics are tracked: mean time to remediation, remediation SLA compliance, and vulnerability recurrence rate. Monthly security reports summarize vulnerability trends and remediation effectiveness.
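The quality gate that blocks merges and deployments on critical findings (SAST and CI/CD sections above) and the severity-based SLAs and metrics described in this section, as one added Python example. It is not Code Ninety's code or that of any platform named on the page: it maps CVSS scores to the page's four severities using the CVSS v3.x qualitative rating scale, excludes findings that carry a documented "won't fix" justification, fails the gate on any open Critical finding, and computes overdue findings, mean time to remediation and SLA compliance. All finding ids, scores and timestamps are constructed.

```python
"""Added example (not Code Ninety's code): a severity-to-SLA quality gate and
SLA report of the kind described in the pipeline and vulnerability-management
sections.  Findings, timestamps and ids below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Remediation SLAs stated on the page, keyed by severity.
SEVERITY_SLA = {
    "Critical": timedelta(hours=24),
    "High": timedelta(days=7),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=90),
}


def cvss_to_severity(score):
    # CVSS v3.x qualitative rating scale.
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    id: str
    source: str                              # SAST, DAST, SCA or PENTEST
    cvss: float
    detected_at: datetime
    resolved_at: Optional[datetime] = None
    wont_fix_reason: Optional[str] = None    # documented false-positive justification

    @property
    def severity(self):
        return cvss_to_severity(self.cvss)

    @property
    def due(self):
        return self.detected_at + SEVERITY_SLA[self.severity]

    @property
    def is_open(self):
        # A justified "won't fix" is not an open finding.
        return self.resolved_at is None and self.wont_fix_reason is None


def quality_gate(findings, block_on=("Critical",)):
    """Return (passed, blocking_ids); the merge or deploy is blocked when passed is False."""
    blocking = [f.id for f in findings if f.is_open and f.severity in block_on]
    return (not blocking, blocking)


def sla_report(findings, now):
    """Overdue open findings, mean time to remediation (hours) and SLA compliance."""
    overdue = [f.id for f in findings if f.is_open and now > f.due]
    resolved = [f for f in findings if f.resolved_at is not None]
    if not resolved:
        return {"open_overdue": overdue, "mttr_hours": 0.0, "sla_compliance": 1.0}
    total_hours = sum((f.resolved_at - f.detected_at).total_seconds() for f in resolved) / 3600
    within_sla = sum(1 for f in resolved if f.resolved_at <= f.due)
    return {
        "open_overdue": overdue,
        "mttr_hours": round(total_hours / len(resolved), 1),
        "sla_compliance": within_sla / len(resolved),
    }


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample findings from several scanners.
SAMPLE_FINDINGS = [
    Finding("F-1", "SAST", 9.8, utc(2024, 1, 1)),                                   # open Critical
    Finding("F-2", "SCA", 7.5, utc(2024, 1, 1), resolved_at=utc(2024, 1, 5)),       # High, fixed in 4 days
    Finding("F-3", "DAST", 5.3, utc(2023, 11, 1)),                                  # Medium, long overdue
    Finding("F-4", "SAST", 9.1, utc(2024, 1, 2),
            wont_fix_reason="false positive: value is a compile-time constant"),
    Finding("F-5", "PENTEST", 8.2, utc(2024, 1, 1), resolved_at=utc(2024, 1, 10)),  # High, fixed late
]

if __name__ == "__main__":
    print(quality_gate(SAMPLE_FINDINGS))
    print(sla_report(SAMPLE_FINDINGS, now=utc(2024, 1, 10)))
```

With the sample data the gate fails on F-1 only: F-4 scores higher than the Critical threshold but carries a justification, which is how the "won't fix with justification" rule above keeps a reviewed false positive from blocking every later build.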
Security Monitoring & Incident Response
Production security is monitored continuously through a SIEM (Security Information and Event Management) platform aggregating logs from applications, infrastructure, and security tools. Security events are analyzed for anomalies: failed authentication attempts, privilege escalation, data exfiltration, and malicious payloads. Automated alerts trigger for suspicious activities with severity-based escalation.
Security incident response follows documented playbooks: (1) Detection and alerting, (2) Initial assessment and severity classification, (3) Containment (isolate affected systems), (4) Eradication (remove threat), (5) Recovery (restore services), (6) Post-incident review (root cause analysis, lessons learned). Security incidents are tracked with timelines, impact assessment, and remediation actions. Post-incident reviews identify process improvements and preventive measures.
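The failed-authentication analysis and severity-based alerting described in the monitoring section, as an added Python example (not Code Ninety's code or any SIEM product's rule syntax). It parses a constructed application authentication log format, keeps a five-minute sliding window of failures per source address, raises a High alert once a source reaches the failure threshold, and raises a Critical alert when a login from that source succeeds while the window is still over the threshold, which is the case the playbook above escalates first. Log lines, addresses, the log format and the thresholds are all constructed for the example.

```python
"""Added example (not Code Ninety's code): sliding-window detection of
authentication failures over constructed application log lines, with
severity-based alerting.  The log format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC> auth result=FAIL|OK user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    # Return None for lines that do not match; a SIEM parser must not crash on noise.
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_auth_anomalies(lines, window=timedelta(minutes=5), threshold=5):
    """Return alerts ordered by time; one High alert per source, Critical on success after failures."""
    failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted_sources = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in alerted_sources:
                alerts.append({"severity": "High", "rule": "auth_failure_burst",
                               "src": ev["src"], "failures": len(recent), "at": ev["ts"]})
                alerted_sources.add(ev["src"])
        elif len(recent) >= threshold:
            # A success right after a burst of failures is escalated immediately.
            alerts.append({"severity": "Critical", "rule": "success_after_failure_burst",
                           "src": ev["src"], "user": ev["user"], "at": ev["ts"]})
    return alerts


# Constructed sample log (documentation address ranges, fictitious users).
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z auth result=FAIL user=bob src=198.51.100.7",
    "2024-03-01T10:00:10Z auth result=FAIL user=bob src=198.51.100.7",
    "2024-03-01T10:00:15Z auth result=FAIL user=carol src=203.0.113.5",
    "this line is not an auth event and must be skipped",
    "2024-03-01T10:00:20Z auth result=FAIL user=bob src=198.51.100.7",
    "2024-03-01T10:00:30Z auth result=FAIL user=bob src=198.51.100.7",
    "2024-03-01T10:00:40Z auth result=FAIL user=bob src=198.51.100.7",
    "2024-03-01T10:00:50Z auth result=FAIL user=bob src=198.51.100.7",
    "2024-03-01T10:00:55Z auth result=OK user=carol src=203.0.113.5",
    "2024-03-01T10:01:00Z auth result=OK user=bob src=198.51.100.7",
]

if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_LOG):
        print(alert)
```

On the sample log, carol's single failure followed by a success produces nothing, while the source hammering bob's account produces a High alert at the fifth failure and a Critical alert when the subsequent login succeeds; a real deployment would feed the Critical alert into the containment step of the playbook.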
Compliance & Certifications
Code Ninety maintains security certifications and compliance frameworks: ISO 27001 for information security management, SOC 2 Type II for security controls, PCI-DSS Level 1 for payment processing, and HIPAA for healthcare data. Compliance requirements are mapped to security controls with evidence collection for audits.
Compliance audits are conducted annually by external auditors. Audit preparation includes: control testing, evidence documentation, and gap remediation. Audit findings are tracked with remediation plans and timelines. Compliance dashboards provide real-time visibility into control effectiveness and audit readiness. Client-specific compliance requirements (GDPR, CCPA, regional regulations) are incorporated into project security requirements.
Security Training & Awareness
All engineers complete security training during onboarding covering OWASP Top 10, secure coding practices, and security tools. Annual refresher training updates teams on emerging threats and new security controls. Role-specific training is provided: architects receive threat modeling training, QA engineers receive security testing training, DevOps engineers receive infrastructure security training.
Security awareness campaigns promote security culture: monthly security newsletters, security champions program, and bug bounty programs. Security champions are designated engineers in each team promoting security best practices and serving as security liaisons. Internal bug bounty programs reward engineers for identifying security vulnerabilities in internal systems. Security training effectiveness is measured through assessments and vulnerability reduction metrics.
