GRC engineering prompt library

Secure development lifecycle prompts

What you'll achieve

Generate secure development lifecycle (SDLC) controls, procedures, and technical implementations that satisfy ISO 27001 Annex A.8 and A.14, SOC 2 CC8.1, and NIST SP 800-218 requirements. These prompts help you build security into every phase of software development.

Code review and security testing

Secure code review process

Design a secure code review process for a [language/framework] application using [Git/GitLab/GitHub/Bitbucket]. Include:
- Pre-commit hooks for secret detection and linting
- Mandatory peer review requirements with security checklist
- Automated SAST tool integration ([tool name] or recommend)
- Security-focused review criteria for common vulnerabilities (OWASP Top 10)
- Escalation process for critical findings
- Evidence collection for compliance audits (ISO 27001 A.14.2, SOC 2 CC8.1)

Output as a Markdown procedure document and tool configuration files.

Security testing pipeline

Create a comprehensive security testing strategy for [application type] in [development environment]. Include:
- SAST tools and configuration for [language]
- DAST tools for runtime testing
- SCA (Software Composition Analysis) for dependency vulnerabilities
- Container image scanning (if applicable)
- Integration points in CI/CD pipeline
- Severity thresholds and build failure criteria
- Remediation SLAs by severity level
- Reporting for security and compliance teams

Map each control to ISO 27001 Annex A.8.8, A.14.2 and SOC 2 CC8.1.

Penetration testing requirements

Generate penetration testing requirements and scope documentation for [application/system] that meets [ISO 27001/SOC 2/PCI DSS] standards. Include:
- Testing scope (APIs, web app, mobile, infrastructure)
- Exclusions and safe harbor conditions
- Required credentials and access levels
- Testing methodology (OWASP, PTES, custom)
- Reporting format and timeline
- Remediation verification process
- Annual testing schedule
- Third-party tester qualification criteria

Align with ISO 27001 A.14.2.8 and SOC 2 CC7.1 requirements.

Dependency and supply chain security

Dependency management policy

Create a dependency management and software supply chain security policy for [tech stack]. Address:
- Approved package repositories and registries
- Dependency version pinning vs. range strategies
- Automated vulnerability scanning ([Snyk/Dependabot/other])
- Update cadence for different severity levels
- Process for evaluating new dependencies
- License compliance checks
- SBOM (Software Bill of Materials) generation
- Third-party component risk assessment

Map to ISO 27001 A.8.30, SOC 2 CC8.1, and NIST SSDF practices.

Open source security evaluation

Design an open source component evaluation checklist for [organization type]. Include criteria for:
- Security track record and CVE history
- Maintenance activity and community health
- License compatibility
- Code quality and security practices
- Alternative options assessment
- Ongoing monitoring requirements
- Documentation of approval decision
- Deprecated package sunset process

Output as a form template and approval workflow.

Secrets and credential management

Secrets management implementation

Design a secrets management architecture for [application environment] using [HashiCorp Vault/AWS Secrets Manager/Azure Key Vault/GCP Secret Manager]. Include:
- Secret storage and rotation strategy
- Access control policies (RBAC)
- Integration with application code ([language/framework])
- Environment-specific secret handling (dev/staging/prod)
- Audit logging configuration
- Emergency access procedures
- Migration plan from hardcoded secrets
- Developer onboarding guide

Align with ISO 27001 A.8.24, A.9.4.3, SOC 2 CC6.7, and NIST SP 800-57.

Secret detection and remediation

Create a secret detection and remediation procedure for [version control system]. Include:
- Pre-commit hooks using [tool name or recommend]
- Repository scanning for historical leaks
- Automated alerting on secret detection
- Immediate response steps (rotation, revocation)
- Root cause analysis template
- Developer training requirements
- Metrics for tracking incidents
- Integration with incident management

Map to ISO 27001 A.17.1, SOC 2 CC7.4.

Secure coding standards

Secure coding guidelines

Generate secure coding guidelines for [language/framework] development that address:
- Input validation and sanitization
- Output encoding for XSS prevention
- SQL injection prevention
- Authentication and session management
- Cryptographic operations and key handling
- Error handling and logging (avoid sensitive data exposure)
- File upload security
- API security (rate limiting, authentication)
- Security headers configuration
- OWASP Top 10 mitigations specific to [framework]

Include code examples for each guideline. Map to ISO 27001 A.14.2 and SOC 2 CC8.1.

API security standards

Design API security standards for [REST/GraphQL/gRPC] APIs in [language/framework]. Cover:
- Authentication mechanisms (OAuth 2.0, JWT, API keys)
- Authorization and scope management
- Rate limiting and throttling
- Input validation and schema enforcement
- Output filtering (prevent data over-exposure)
- CORS and content security policies
- Versioning strategy with security implications
- Logging and monitoring requirements
- Security testing approach (fuzzing, auth bypass tests)

Align with ISO 27001 A.14.1, OWASP API Security Top 10, and SOC 2 CC6.1-CC6.2.

Development environment security

Secure development environment setup

Create a secure development environment configuration guide for [team size] developers working on [application type]. Include:
- Workstation hardening requirements (OS, disk encryption, firewall)
- Required security tools (antivirus, EDR, VPN)
- Access controls for development resources
- Separation of environments (local, dev, staging, prod)
- Data handling for production data in non-prod environments
- VPN/network access requirements
- Software installation and update policies
- Incident reporting procedures

Map to ISO 27001 A.6.2.2, A.8.9, SOC 2 CC6.4.

Production data anonymization

Design a production data anonymization process for [data type] used in [development/testing] environments. Include:
- Data classification and sensitivity assessment
- Anonymization techniques (masking, tokenization, synthetic data)
- Tool recommendations for [database type]
- Automated pipeline for data refresh
- Validation that anonymization is irreversible
- Access controls for anonymized datasets
- Documentation for audit evidence
- GDPR Article 25 and ISO 27001 A.8.11 compliance mapping

Release and deployment security

Secure deployment pipeline

Design a secure deployment pipeline for [application] to [cloud platform/on-premises]. Include:
- Code signing and artifact verification
- Automated security checks before deployment
- Approval gates and RBAC for production deployments
- Rollback procedures and version control
- Configuration management and drift detection
- Secrets injection (no hardcoded credentials)
- Post-deployment validation tests
- Audit logging of all deployments
- Change management integration

Align with ISO 27001 A.12.1.2, A.14.2.9, SOC 2 CC8.1.

Change management for security updates

Create an emergency change procedure for critical security patches in [environment]. Address:
- Severity assessment and escalation criteria
- Expedited approval process
- Testing requirements (minimum viable vs. full regression)
- Communication plan (stakeholders, users, auditors)
- Deployment window and rollback plan
- Post-deployment monitoring
- Documentation requirements for compliance
- Lessons learned and process improvement

Map to ISO 27001 A.12.1.2, SOC 2 CC8.1, and incident management requirements.

Compliance documentation

SDLC security evidence package

Generate an SDLC security evidence collection guide for [ISO 27001/SOC 2/both] audits. Include:
- Code review records and approval trails
- SAST/DAST/SCA scan reports with remediation tracking
- Penetration test reports and remediation evidence
- Security training completion records for developers
- Change management logs for security-relevant changes
- Incident postmortems related to vulnerabilities
- Dependency update logs and vulnerability assessments
- Policy acknowledgment records

Create a spreadsheet template mapping each evidence type to specific controls.

Generated code and configurations must be tested in non-production environments and validated against your specific threat model before deployment.
