microsoft / code-with-engineering-playbook

This is the playbook for "code-with" customer or partner engagements
https://microsoft.github.io/code-with-engineering-playbook/
Creative Commons Attribution 4.0 International

Gaps in security mindset #978

Open shiranr opened 11 months ago

shiranr commented 11 months ago

Automated Testing
- Fault Injection Testing: Mentions fuzzing etc., but this could be expanded to include why this is important in terms of testing for vulnerability, but more likely this belongs under CI.
- Lacks testing on secrets leaking to logs etc.

Code reviews
- Mentions automated whenever possible, which ties well into CI, but does not mention security specifically. IMO automated test, static code analysis should do most of the heavy lifting here.

- Layout issue: move pull request to templates to match other parts of the docs, or move it up one layer and just call it pull request template without the extra layer.

Continuous Delivery
- Contains a bit on secret management.
- Lacks points about secure deployments and what the best practices are in terms of deploying securely to different types of targets and environments, e.g. sign artifact and verify binary via hash on deployment.
- CI/CD could be merged into one section as there is already quite a bit of overlap between them.
- Octopus Deploy could be added to low code solution tooling?

Continuous integration
Contains sections:

- Credential Scanning: pre-commit hooks seem a bit hidden away in a recipe?
- Secrets Rotation
- Penetration testing
- Static Code Analysis: Only a little information on static code analysis, lacks information on how you can use it for PRs and what aspects. Could be expanded a bit and reorg the CI section to be more coherent and with more of a red thread, e.g. keep tooling specific information under a tool page.
- Dependency and Container Scanning: Tools lack GitHub Actions, Bitbucket pipelines, GitLab pipelines,

- Lacks information about fuzzing tools and how they are used.

- Layout issue: Move the Azure DevOps service connection page under the tooling page.

- Layout issue: Dependency scanning page could be moved 1 level up.

- Layout issue: Pen-testing page could be moved 1 level up.

- Layout issue: Static code analysis page could be moved 1 level up.

Design
- Layout issue: Move diagram type subpages one level up so the empty dropdown is gone, to improve the navigation on the page.

Developer experience
- Could use a section drawing links with Continuous integration on how to use static code analysis and other CI tools while developing to catch issues earlier. There are a few mentions of some tooling already, but it feels more like CI tooling scattered around instead of integrating them into the natural workflow.

Machine learning
- Contains a section on Responsible AI in ISE, but lacks best practices on how to handle, store and work with PII and sensitive data. There is something under Privacy, but I feel like design references for working with data in a secure manner would be nice to have.

Observability
- Doesn't really contain anything about security specifically:
  - Logs for early detection of attacks.
  - Preventing tampering of logs.
  - System logs related to logins and what users are doing on servers, failed login attempts etc. are listed as something that should be logged under best practices.

Privacy
- Contains sections on generating anonymized data, but I feel it's a bit hidden.

Security
- Mentions of the OWASP Top 10
- Recommended Tools
- Vulnerability Scanning
- Runtime Security
- Binary Authorization
- K8s Security
- I feel like the tooling belongs under Continuous integration, with mentions in Developer experience on how to integrate them into your IDE/Editor.

Source control
- Has a section on Working with Secrets in Source Control, but lacks mention of pre-commit hooks.
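One way to close the "testing on secrets leaking to logs" gap raised above, as an added example that is not from the playbook or from the issue author: a redacting log filter plus the check a CI job would run over captured log output. The secret patterns, the logger name and the sample token are constructed assumptions, not values from the playbook.

```python
import io
import logging
import re

# Constructed patterns for common credential shapes (assumption: a real project
# would maintain its own list, e.g. the one its credential-scanning tool uses).
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                          # AWS access key id shape
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                       # GitHub PAT shape
    re.compile(r"(?i)(password|secret|token)\s*[=:]\s*\S+"),  # key=value style
]

class RedactingFilter(logging.Filter):
    """Masks credential-looking values before a record reaches any handler."""
    def filter(self, record):
        msg = record.getMessage()          # render "%s" args first, then scrub
        for pat in SECRET_PATTERNS:
            msg = pat.sub("[REDACTED]", msg)
        record.msg, record.args = msg, ()  # handlers now see only the scrubbed text
        return True

def capture_logs(fn, *, redact):
    """Runs fn(logger) with a logger writing to memory; returns the captured text."""
    buf = io.StringIO()
    logger = logging.getLogger("leak-check")  # hypothetical logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactingFilter())
    fn(logger)
    handler.flush()
    return buf.getvalue()

def find_leaks(log_text, known_secrets):
    """The CI assertion: every known secret value that appears verbatim in the logs."""
    return [s for s in known_secrets if s in log_text]

# Constructed sample secret: GitHub-token shape, but the value is made up.
FAKE_TOKEN = "ghp_" + "A" * 36

def app_code(logger):
    # Typical mistake: logging a request header or config object with the credential in it.
    logger.info("calling API with token=%s", FAKE_TOKEN)

if __name__ == "__main__":
    print(find_leaks(capture_logs(app_code, redact=False), [FAKE_TOKEN]))  # token leaks
    print(find_leaks(capture_logs(app_code, redact=True), [FAKE_TOKEN]))   # []
```

In a pipeline the same `find_leaks` check runs over the job's real log output with the secrets the job was given, so a leak fails the build before the logs are shipped anywhere.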