Embed Security as a Core Engineering Principle

This standard mandates the integration of security practices into every stage of the development lifecycle, ensuring security is built-in, not added as an afterthought.

1. Embed Security as a Core Engineering Principle:

Security must be part of engineering, not an afterthought. This approach ensures that systems are secure by design.

• 1.1 Secure Coding Practices:
  • 1.1.1 Security Reviews:
    • Follow secure coding practices and conduct regular security reviews.
    • Implement secure coding guidelines and checklists.
  • 1.1.2 Security Training:
    • Provide regular security training to developers and engineers.
    • Automate security awareness training.
• 1.2 Automated Security and Compliance:
  • 1.2.1 Security Scanning Automation:
    • Automate security scanning and compliance enforcement in CI/CD.
    • Integrate SAST, DAST, and dependency scanning tools.
  • 1.2.2 Compliance as Code:
    • Implement compliance as code to automate compliance checks.
    • Utilise policy-as-code tools like OPA.
• 1.3 Secure Access and Authentication:
  • 1.3.1 Least Privilege Access:
    • Implement least privilege access to protect sensitive resources.
    • Automate the management of access controls.
  • 1.3.2 Encryption and Authentication:
    • Implement encryption and secure authentication practices.
    • Automate key management and certificate rotation.

By embedding security as a core engineering principle, organisations can ensure secure systems by design.

---