People | Local Reqs | Source Code | Integration | Deployment | Runtime | Hardware | DNS | Services | Cloud |
---|---|---|---|---|---|---|---|---|---|
Developers | IDE | Languages | SCM providers | Build solutions | Servers | Embedded PC | URL | SaaS solutions | CDN |
QA team | SCV | Frameworks | Pull requests | Deployment platforms | Operating systems | PCB | hostname | Third party APIs | Cloud services |
DevOps team | Local tests | Libraries | Secrets mgmt | Releases | Webservers | USB dongle | | Payment gateways | Proxies |
Package Maintainers | Git repos | Package Managers | Git repos | Functional tests | Application servers | GPU/CPU | | Identity Providers | |
 | Page Builders | Packages | | Security tests | Web engines | | | Analytics | |
 | | Open source | | API test frameworks | Databases | | | | |
 | | Proprietary Code | | Unit tests | | | | | |
Local requirements (the Local Reqs column) include any local applications, configurations, or other dependencies that the people building software need in order to do their job successfully.
- IDE
- Source code versioning tools
- Local tests
- Local git repositories
- Page builders
Linting, static analysis, software composition analysis
Source code stored on developers' laptops, private packages, install scripts, deployment scripts
- Individual engineers
- Choice of tools has different security outcomes
- Git has several local security features which are typically not used
- If an IDE is used, what extensions or plugins are enhancing security?
- How do you encourage automated security tests in local environments?
- The development environment should be secured
- What challenges does BYOD bring with it?
- Use of git or other version control systems
- .gitignore files
- Endpoint detection and response (EDR)
- Linting
- Local secret scans
- Local SCA scans
- Pre-commit git hooks
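A concrete form of the last two controls, a local secret scan wired into a pre-commit git hook, added here as an example rather than taken from the page or from any project it describes. The detection patterns, the `pragma: allowlist secret` opt-out marker and the install location are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse a commit when staged content matches a secret pattern.

Install by copying to .git/hooks/pre-commit and making it executable (assumed
setup). The patterns below are illustrative starting points, not an exhaustive
secret catalogue.
"""
import re
import subprocess
import sys

# Pattern names and regexes are this example's own choices.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"),
}
ALLOW_MARKER = "pragma: allowlist secret"  # inline opt-out for reviewed false positives

def scan_text(path, text):
    """Return (path, line_no, pattern_name) for every line that matches a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, line_no, name))
    return findings

def staged_files():
    """List staged paths (added/copied/modified); NUL separation survives odd file names."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
                         check=True, capture_output=True).stdout
    return [p.decode() for p in out.split(b"\0") if p]

def staged_content(path):
    """Read the index version of the file, so what is scanned is exactly what would commit."""
    blob = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
    return blob.decode("utf-8", errors="replace")

def main():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_content(path)))
    for path, line_no, name in findings:
        print(f"{path}:{line_no}: possible {name}", file=sys.stderr)
    if findings:
        print(f"commit blocked: remove the secret or mark a reviewed false positive with "
              f"'{ALLOW_MARKER}'", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Because the hook reads the index rather than the working tree, a secret that was staged and then deleted from the file on disk is still caught; a developer can bypass it with `git commit --no-verify`, so a matching scan in the Integration stage remains necessary.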