Some (relatively) easy wins not mentioned?

[noncombatant]

Some or much of this can go under 2.5 Security libraries.

• "Simply do not" rely heavily on C and C++. There's no reason a new product trying to meet security requirements would use them.
• We can say a bit more about template languages, such as what specifically we're trying to avoid: eval-type bugs (XSS, SQL injection, shell injection, et c.). For example, Go's html/template is good, Trusted Types is good; while some other web frameworks treat DOM-XSS as the fundamental feature. Basically, we need to explain Why.
• Similarly, while SQL ORMs can be good (or bad), parameterized queries are free and worth a mention.
• I don't see any mention of fuzzing.

[ChrisJohnRiley]

Hi Chris,

Sorry for the late reply. Would love to chat about your comments here and see how we can support coverage where possible.

If your down for a quick alignment, feel free to grab a US friendly time slot here I'll bring some snacks from the MK.