Security practices (blueprint)

Purpose: Deep, project-agnostic guides for core security practices. Each practice describes its principles, methodology, tooling, and integration with the development lifecycle.

Audience: Teams adopting Security / Cybersecurity practices; project-specific security configuration and findings stay in docs/security/.


Why these practices matter

Security practices are proactive defense: they turn “hope we are safe” into repeatable activities that catch design flaws early, validate implementations continuously, and ensure the organization can respond and learn when something goes wrong. Together they connect architecture, delivery, and operations so security is owned by the whole team, not isolated in a late gate.

Linear flow diagram template (diagram not reproduced in this text version)

The loop closes when incidents and test findings feed updated threat assumptions, requirements, and detection — documented at the project level in docs/security/, docs/security/threat-models/, and docs/adr/ as appropriate.


Practice guides

Practice              | Guide                                          | Focus
----------------------|------------------------------------------------|------
Threat modeling       | Threat modeling — methodologies and practice   | STRIDE, PASTA, LINDDUN, attack trees, DFDs, risk rating, tools, SDLC integration
Secure code review    | SECURITY.md §7                                 | Review checklists by language/framework, common vulnerability patterns, reviewer training
Security testing      | Security testing — strategy and implementation | SAST, SCA, DAST, IAST, CI/CD, container/IaC scanning, vulnerability lifecycle, metrics
Penetration testing   | Security testing — strategy and implementation | Scope, rules of engagement, PTES / OWASP Testing Guide, reporting, remediation tracking
Incident response     | Security incident response                     | IR plan, NIST lifecycle, roles, containment, comms, tabletops, metrics
Supply chain security | SECURITY.md §9                                 | SBOM generation, dependency management, artifact signing, SLSA framework adoption
Secrets management    | SECURITY.md §5                                 | Vault patterns, cloud-native secret stores, rotation policies, secret injection, audit

Core knowledge: Security body of knowledge — principles, OWASP, authentication, cryptography, S-SDLC.

Bridge: Security ↔ SDLC ↔ PDLC bridge — how Security maps to delivery and product lifecycles.


Keep project-specific security documentation in docs/security/, threat models in docs/security/threat-models/, and security decisions in docs/adr/, not in this file.