Developer fundamentals

Secure SDLC, governed pipelines, dependable runtimes

Use these fundamentals to run a defensible software lifecycle: secure coding guardrails, CI/CD governance, dependency risk controls, and runtime lifecycle practices mapped to SSDF, SLSA, and customer evidence needs.

  • Updated 15 March 2026
  • Audience Platform, security, enablement leaders
  • Focus Secure SDLC · CI/CD governance · Dependency risk · Runtime lifecycle

Secure SDLC aligned to NIST SSDF and SLSA

Embed security and integrity controls at every SDLC phase so reviewers, customers, and auditors see continuous enforcement instead of point-in-time reviews.

Design and coding hygiene

  • Require threat models and security design reviews for new services, capturing decisions and mitigations against SSDF PO.2 and RV.1 expectations.
  • Enforce signed commits and verified identities on protected branches; require reviewers with code owner context for auth, crypto, and data-handling changes.
  • Run SAST, secrets scanning, IaC checks, and dependency scanning on every pull request with policy-as-code gates that block high-risk findings.

Build integrity and release readiness

  • Publish reproducible, versioned base images for CI runners and developer containers; validate them against CIS hardening profiles before promotion.
  • Emit SLSA-compliant provenance for every build (builder identity, source revision, dependency digests) and store attestations alongside SBOMs.
  • Stage releases through signed artefacts, environment-specific allowlists, and dual control for production promotions to satisfy SSDF RV.3 and SLSA Level 3.
Secure SDLC flow showing backlog intake, threat modelling, build and review, testing with provenance, release verification, and operational learning linked by evidence.
Secure SDLC guardrails flow from backlog intake through release and operations. Each phase records evidence—design decisions, signed commits, SBOMs, SLSA provenance, and runtime integrity results—so SSDF and SLSA controls are auditable without slowing delivery.

CI/CD governance and pipeline accountability

Treat pipelines like production systems: auditable, identity-aware, and hardened against tampering or unauthorized release activity.

Pipeline policy and controls

  • Harden runners with ephemeral instances, least-privilege IAM roles, and OIDC-issued tokens instead of long-lived secrets.
  • Codify approvals and segregation of duties for prod deploys; require two maintainers for infrastructure changes and emergency break-glass logging.
  • Standardize DAST, performance, and accessibility checks in the pipeline so non-functional controls are enforced before release windows.

Observability and evidence

  • Record pipeline events (approvals, promotions, attestations) to an immutable log with retention aligned to SOC 2 and customer requirements.
  • Expose DORA metrics alongside control health (scan pass rates, rollback frequency, attestation coverage) to show governance without slowing delivery.
  • Continuously validate infrastructure baselines with drift detection, policy-as-code, and automated rollback of non-compliant changes.

Dependency risk management and supplier discipline

Keep third-party code observable, licensed appropriately, and ready for rapid patching so supplier changes never surprise operations or auditors.

Intake, licensing, and monitoring

  • Gate new dependencies through a request workflow that records license type, maintenance signals, and threat model outcomes per repository.
  • Mirror critical registries (npm, PyPI, Maven, NuGet) and enforce checksum validation to reduce supply chain tampering risk.
  • Continuously score dependencies for CVEs, exploit availability, maintainer activity, and license obligations; route high-risk packages to patch or replace within defined SLAs.

Lifecycle planning and exceptions

  • Attach lifecycle dates (LTS windows, EOL, extended support) to every SBOM entry and pre-schedule modernization waves before vendor support ends.
  • Record exceptions with business owners, compensating controls (sandboxing, WAF rules, network segmentation), and explicit removal timelines.
  • Rehearse dependency swaps and framework upgrades in staging with performance baselines and regression tests to avoid customer-facing surprises.

Runtime lifecycle operations and service currency

Keep deployed services current and observable so reliability, security, and compliance evidence stay aligned through the full runtime lifecycle.

  • Run recurring inventory of runtimes, frameworks, and managed services; surface anything within 12 months of EOL to product owners with remediation paths.
  • Instrument runtime currency dashboards that pair vulnerability status with availability, latency, and error-budget burn to prioritize upgrades without sacrificing reliability.
  • Automate retirement playbooks: traffic cutover plans, data migration checkpoints, rollback criteria, and customer communications with dates tied to vendor milestones.

Control checklist for delivery teams

Confirm each delivery train meets security and reliability guardrails without slowing flow.

Build and release

  • Attested builds. Reproducible builds with provenance attestations (SLSA level targets), signed artifacts, and SBOMs stored with each release.
  • Policy-as-code. Static, SAST/DAST, license, and secrets checks enforced in CI with break-glass procedures logged and time bound.
  • Environment parity. Staging mirrors production for critical dependencies; feature flags and canary rollouts documented with rollback playbooks.

Operations and governance

  • DORA metrics with evidence. Lead time, deployment frequency, MTTR, and change fail rate paired with control health (scan pass rates, attestations, policy exceptions).
  • Access and secrets hygiene. Short-lived tokens for CI/CD and cloud roles; quarterly access reviews with orphaned credentials auto-revoked.
  • Runbook validation. On-call playbooks tested quarterly; game days cover pipeline outages, failed deployments, and dependency emergencies.

Align with the Developer enablement guide, ISO/IEC 27001 transition guide, and testing modernisation briefs to keep standards and playbooks current.

KPI and KRI scorecard

Balance speed with safety using paired indicators that engineering and risk leaders can review together.

Focus area KPIs KRIs Evidence sources
Delivery performance Lead time, deployment frequency, change fail rate, MTTR by service. Emergency change ratio; rollback frequency; error budget burn over target. Deployment logs; incident reports; enablement guide.
Supply chain health % builds with signed provenance; SBOM coverage; mean time to patch critical CVEs in dependencies. Unsigned artifacts; unpatched KEV packages; expired certificates or secrets. Build attestations; dependency scanner exports; PAM rollout guide.
Compliance readiness Policy-as-code pass rate; segregation-of-duties exceptions closed within SLA; audit trail completeness for releases. Unreviewed exceptions; missing approvals on prod deploys; absent runbook evidence. CI/CD audit logs; access reviews; identity risk briefings.

Implementation pitfalls to avoid

  • Unsigned pipelines. Allowing unsigned artifacts or missing SBOMs erodes provenance and slows incident response; enforce signature verification before promotion.
  • Drift from policy-as-code. Running scanners ad hoc instead of gating merges leads to audit gaps; treat policy checks as blocking tests with owner acknowledgements for overrides.
  • Unowned dependencies. Libraries without owners or lifecycle plans cause surprise outages; assign owners and pre-plan replacements before EOL dates.
  • Runbook rot. Outdated on-call runbooks extend MTTR; include runbook updates in post-incident action items and game day outcomes.

Reference the Enablement guide and developer tooling briefs when prioritising fixes.