Jacco Meijer | Oct 18, 2025

Security controls for software development

Exploring how security controls protect and improve every stage of the DevSecOps workflow.


The foundation for this post is in the post below.

Software development security (Jacco Meijer, Oct 17, 2025)
About the Software Development Lifecycle (SDLC) and how this relates to security controls and assessing software risks

DevSecOps

In strong contrast to Waterfall, DevSecOps is a modern approach that integrates security throughout the entire SDLC.

Outlining security controls for software development by following the DevSecOps approach works well because security is integrated into every step of DevSecOps.

Figure 1. The DevSecOps approach with security integrated in every step

Figure 1 shows how the steps relate. Each step is outlined below, together with the relevant security controls, the scrum roles and scrum events involved, and the controls that could be added to automated CI/CD pipelines.

Controls from compliance standards like ISO 27002 are not included here, but with the help of AI a simple basic set can be generated. To make the list more actionable, AI can also be used to generate tool recommendations.

🔧 1 - Plan

Product Owner

  • Assign a security champion
  • Drive proper Solution Design and Architecture (SDA)
  • Facilitate risk assessments
  • Classify data according to sensitivity
  • Oversee privacy impact assessments
  • Map security governance policies (NIST, ISO, OWASP)

Scrum planning activities

  • Threat modeling on evolving requirements
  • Add security requirements to user stories
  • Evaluate compliance and legal requirements
  • Plan rollback and deployment strategies early
  • Include security-specific acceptance criteria in stories

Scrum refinement activities

  • Perform or update STRIDE models
  • Review new threat surfaces from backlog changes

🔧 2 - Code

Product Owner

  • Enforce secure coding standards
  • Provide regular security training and awareness sessions
  • Enforce secure repository policies

Dev team

  • Perform security focused peer code reviews
  • Prevent hardcoded credentials and secrets
  • Validate third party code components

Automated by CI/CD

  • Run Static Application Security Testing (SAST)
  • Use commit hooks for linting, tests and signing

🔧 3 - Build

Product Owner

  • Enforce build integrity policy
  • Support a bug bounty program
  • Support Coordinated Vulnerability Disclosure (CVD)

Automated by CI/CD

  • Scan dependencies for vulnerabilities
  • Scan for hardcoded secrets
  • Automate dependency updates
  • Apply policy-as-code gates
  • Integrate continuous penetration test pipelines
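The hardcoded-secret controls listed under Code (peer review, commit hooks) and Build (CI scanning) above, as an added example that is not part of the original post: a commit hook / CI gate that flags known credential formats and high-entropy values assigned to secret-looking variables, while letting templated references such as ${VAR} and placeholder words through. The patterns, entropy threshold and sample lines are constructed for illustration, not a production rule set.

```python
import math
import re
from collections import Counter

# Credential formats the hook looks for (illustrative subset, not an exhaustive rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed tuning value


def shannon_entropy(value: str) -> float:
    """Bits per character; random keys score high, words like 'changeme' score low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_lines(lines) -> list:
    """Return (line_no, rule, match) for each probable hardcoded secret."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "secret_assignment":
                value = m.group(2)
                # Templated references ("${VAR}") and low-entropy words are not secrets.
                if "${" in value or shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
            findings.append((no, rule, m.group(0)))
    return findings


def commit_allowed(lines) -> bool:
    """Hook decision: any finding blocks the commit (or fails the CI job)."""
    return not scan_lines(lines)


# Constructed sample of staged lines; the AKIA value is the AWS documentation example key.
SAMPLE = [
    'DB_PASSWORD = "${DB_PASSWORD}"',
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',
    'password = "changeme"',
    'api_key = "sk_live_9f8A2kLq7ZxP3vM1nR6tB0y"',
    'token: "${VAULT_TOKEN}"',
    '-----BEGIN RSA PRIVATE KEY-----',
]
```

Run over the sample, lines 2, 4 and 6 are reported and the commit is blocked; the templated values and the low-entropy placeholder on line 3 are ignored.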

🔧 4 - Test

Product Owner

  • Schedule manual penetration tests every N major releases
  • Ensure that exploratory security testing is conducted

Automated by CI/CD

  • Run DAST, IAST and API security testing
  • Chaos security tests
  • Regression and fuzz testing
  • Compliance and privacy policy validation

⚙️ 5 - Release

Product Owner

  • Ensure implementation of secrets lifecycle management
  • Ensure validation of rollback strategy
  • Ensure that release approvals are audited

Scrum review activities

  • Conduct security review and risk sign-off
  • Document and communicate security decisions

Automated by CI/CD

  • Generate release notes with security info (CVE, CWE, OWASP Top 10)
  • Ensure artifact signing and tamper checks
  • Apply version tagging policies
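The artifact signing and tamper check listed above, as an added example that is not part of the original post. It records a SHA-256 digest per build artifact in a release manifest and authenticates the manifest with an HMAC under a key held by the release pipeline; a real pipeline would use a keypair-based signature (for example Sigstore or GPG) so that verifiers need no shared secret, but the integrity check at deploy time is the same. The file names, version string and key are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    # read_bytes() is fine for small artifacts; stream large ones in chunks.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so signer and verifier authenticate exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifact_dir: Path, version: str, key: bytes) -> dict:
    """Hash every artifact, then authenticate the manifest with an HMAC tag."""
    files = {p.name: sha256_file(p) for p in sorted(artifact_dir.iterdir()) if p.is_file()}
    body = {"version": version, "files": files}
    return {**body, "tag": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, artifact_dir: Path, key: bytes) -> list:
    """Return a list of problems; an empty list means the release is intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        problems.append("manifest tag mismatch (manifest edited or wrong key)")
    for name, digest in manifest["files"].items():
        path = artifact_dir / name
        if not path.is_file():
            problems.append(f"missing artifact: {name}")
        elif sha256_file(path) != digest:
            problems.append(f"modified artifact: {name}")
    return problems


def demo() -> tuple:
    """Constructed run: sign a release, verify it, swap an artifact, edit the manifest."""
    key = b"placeholder-release-key-held-by-the-pipeline"  # assumption, never a real key
    with tempfile.TemporaryDirectory() as d:
        art = Path(d)
        (art / "app.tar.gz").write_bytes(b"constructed build output")
        (art / "app.sbom.json").write_bytes(b'{"components": []}')
        manifest = build_manifest(art, "1.4.2", key)
        clean = verify_manifest(manifest, art, key)
        (art / "app.tar.gz").write_bytes(b"constructed build output, swapped")
        tampered = verify_manifest(manifest, art, key)
        manifest["version"] = "1.4.3"
        edited = verify_manifest(manifest, art, key)
    return clean, tampered, edited
```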

⚙️ 6 - Deploy

Product Owner

  • Ensure that pre-deployment image scanning is performed

Automated by CI/CD

  • Analyze IaC for misconfigurations
  • Inject secrets securely at runtime
  • Apply zero trust security deployment practices

⚙️ 7 - Operate

Product Owner

  • Ensure that incident response outcomes and monitoring results are fed back into the backlog
  • Enforce hardened runtime environments
  • Ensure that containers and host operating systems are hardened
  • Ensure that environment and network segmentation is maintained

Scrum retrospective activities

  • Reflect on operational concerns and incidents

Automated by CI/CD

  • Ensure least privilege IAM
  • Enable Runtime Application Self Protection (RASP)
  • Patch known vulnerabilities automatically
  • Secure audit logging

⚙️ 8 - Monitor

Product Owner

  • Ensure integration of SIEM/SOAR and audit log monitoring
  • Ensure anomaly detection and threat intelligence
  • Use ML/behavioral analytics

Scrum retrospective activities

  • Track and discuss vulnerability resolution metrics
  • Review incident handling effectiveness

Automated by CI/CD

  • Automate incident response with playbooks and ticketing
  • Detect and alert on IDS/IPS events
  • Run continuous monitoring pipelines

Detect versus Protect

The number of cybersecurity tools and acronyms continues to grow steadily. For SDLC controls it is important to understand the distinction between:

  • detect: identifying and alerting on threats and suspicious activities, and
  • protect: actively safeguarding systems and data by preventing and blocking threats.

The table below explains the roles and capabilities of IDS/IPS and SIEM/SOAR controls:

Control | Role                                                              | Detect | Protect
IDS     | Monitor network or system traffic to detect suspicious activities | yes    | no
IPS     | Detect and actively block threats                                 | yes    | yes
SIEM    | Collect, analyze and correlate security events                    | yes    | no
SOAR    | Automate and orchestrate response actions                         | no     | yes

Risk analysis

This post outlines many security controls whose full implementation is only justified in very high risk or mission critical software projects.

In practice, selecting which controls to implement is guided by a cost benefit analysis: the security improvement each control offers to the SDLC is weighed against the resources required to implement it.

These benefits are best understood through thorough risk analysis. This helps identify which threats are most relevant and which controls provide the greatest value in mitigating them.

More on risk analysis is in the post below.

Risk analysis for software development (Jacco Meijer, Oct 19, 2025)
By systematically identifying and assessing potential risks, teams can reduce uncertainty and prevent costly issues.

Conclusion

By embedding security into every phase of the Software Development Lifecycle (SDLC), the DevSecOps approach ensures that security is no longer an afterthought, but a continuous and integrated discipline. From planning and coding to deployment and monitoring, each step introduces targeted controls that reduce risk and increase resilience.

Rather than applying a one-size-fits-all checklist, these controls should be tailored through risk analysis and cost benefit evaluations, ensuring that resources are focused where they matter most. Automation, tool integration and security-aware roles within agile teams make it possible to maintain both speed and security.

In an environment where threats evolve rapidly, DevSecOps provides a structured yet flexible foundation for building secure software by design, by default and by deployment.

