Secure Development Lifecycle Prompts
What you will achieve
Generate controls, procedures and technical implementations for the secure development lifecycle (SDLC) that meet the requirements of ISO 27001 Annex A.8 and A.14, SOC 2 CC8.1 and NIST SP 800-218. These prompts help you integrate security into every phase of software development.
Code review and security testing
Secure code review process
Design a secure code review process for a [language/framework] application using [Git/GitLab/GitHub/Bitbucket]. Include:
- Pre-commit hooks for secret detection and linting
- Mandatory peer review requirements with security checklist
- Automated SAST tool integration ([tool name] or recommend)
- Security-focused review criteria for common vulnerabilities (OWASP Top 10)
- Escalation process for critical findings
- Evidence collection for compliance audits (ISO 27001 A.14.2, SOC 2 CC8.1)
Output as a Markdown procedure document and tool configuration files.
Security testing pipeline
Create a comprehensive security testing strategy for [application type] in [development environment]. Include:
- SAST tools and configuration for [language]
- DAST tools for runtime testing
- SCA (Software Composition Analysis) for dependency vulnerabilities
- Container image scanning (if applicable)
- Integration points in CI/CD pipeline
- Severity thresholds and build failure criteria
- Remediation SLAs by severity level
- Reporting for security and compliance teams
Map each control to ISO 27001 Annex A.8.8, A.14.2 and SOC 2 CC8.1.
Penetration testing requirements
Generate penetration testing requirements and scope documentation for [application/system] that meets [ISO 27001/SOC 2/PCI DSS] standards. Include:
- Testing scope (APIs, web app, mobile, infrastructure)
- Exclusions and safe harbor conditions
- Required credentials and access levels
- Testing methodology (OWASP, PTES, custom)
- Reporting format and timeline
- Remediation verification process
- Annual testing schedule
- Third-party tester qualification criteria
Align with ISO 27001 A.14.2.8 and SOC 2 CC7.1 requirements.
Dependency and supply chain security
Dependency management policy
Create a dependency management and software supply chain security policy for [tech stack]. Address:
- Approved package repositories and registries
- Dependency version pinning vs. range strategies
- Automated vulnerability scanning ([Snyk/Dependabot/other])
- Update cadence for different severity levels
- Process for evaluating new dependencies
- License compliance checks
- SBOM (Software Bill of Materials) generation
- Third-party component risk assessment
Map to ISO 27001 A.8.30, SOC 2 CC8.1, and NIST SSDF practices.
Open source security evaluation
Design an open source component evaluation checklist for [organization type]. Include criteria for:
- Security track record and CVE history
- Maintenance activity and community health
- License compatibility
- Code quality and security practices
- Alternative options assessment
- Ongoing monitoring requirements
- Documentation of approval decision
- Deprecated package sunset process
Output as a form template and approval workflow.
Secrets and credential management
Secrets management implementation
Design a secrets management architecture for [application environment] using [HashiCorp Vault/AWS Secrets Manager/Azure Key Vault/GCP Secret Manager]. Include:
- Secret storage and rotation strategy
- Access control policies (RBAC)
- Integration with application code ([language/framework])
- Environment-specific secret handling (dev/staging/prod)
- Audit logging configuration
- Emergency access procedures
- Migration plan from hardcoded secrets
- Developer onboarding guide
Align with ISO 27001 A.8.24, A.9.4.3, SOC 2 CC6.7, and NIST SP 800-57.
Secret detection and remediation
Create a secret detection and remediation procedure for [version control system]. Include:
- Pre-commit hooks using [tool name or recommend]
- Repository scanning for historical leaks
- Automated alerting on secret detection
- Immediate response steps (rotation, revocation)
- Root cause analysis template
- Developer training requirements
- Metrics for tracking incidents
- Integration with incident management
Map to ISO 27001 A.17.1, SOC 2 CC7.4.
Secure coding standards
Secure coding guidelines
Generate secure coding guidelines for [language/framework] development that address:
- Input validation and sanitization
- Output encoding for XSS prevention
- SQL injection prevention
- Authentication and session management
- Cryptographic operations and key handling
- Error handling and logging (avoid sensitive data exposure)
- File upload security
- API security (rate limiting, authentication)
- Security headers configuration
- OWASP Top 10 mitigations specific to [framework]
Include code examples for each guideline. Map to ISO 27001 A.14.2 and SOC 2 CC8.1.
API security standards
Design API security standards for [REST/GraphQL/gRPC] APIs in [language/framework]. Cover:
- Authentication mechanisms (OAuth 2.0, JWT, API keys)
- Authorization and scope management
- Rate limiting and throttling
- Input validation and schema enforcement
- Output filtering (prevent data over-exposure)
- CORS and content security policies
- Versioning strategy with security implications
- Logging and monitoring requirements
- Security testing approach (fuzzing, auth bypass tests)
Align with ISO 27001 A.14.1, OWASP API Security Top 10, and SOC 2 CC6.1-CC6.2.
Development environment security
Secure development environment configuration
Create a secure development environment configuration guide for [team size] developers working on [application type]. Include:
- Workstation hardening requirements (OS, disk encryption, firewall)
- Required security tools (antivirus, EDR, VPN)
- Access controls for development resources
- Separation of environments (local, dev, staging, prod)
- Data handling for production data in non-prod environments
- VPN/network access requirements
- Software installation and update policies
- Incident reporting procedures
Map to ISO 27001 A.6.2.2, A.8.9, SOC 2 CC6.4.
Production data anonymization
Design a production data anonymization process for [data type] used in [development/testing] environments. Include:
- Data classification and sensitivity assessment
- Anonymization techniques (masking, tokenization, synthetic data)
- Tool recommendations for [database type]
- Automated pipeline for data refresh
- Validation that anonymization is irreversible
- Access controls for anonymized datasets
- Documentation for audit evidence
- GDPR Article 25 and ISO 27001 A.8.11 compliance mapping
Release and deployment security
Secure deployment pipeline
Design a secure deployment pipeline for [application] to [cloud platform/on-premises]. Include:
- Code signing and artifact verification
- Automated security checks before deployment
- Approval gates and RBAC for production deployments
- Rollback procedures and version control
- Configuration management and drift detection
- Secrets injection (no hardcoded credentials)
- Post-deployment validation tests
- Audit logging of all deployments
- Change management integration
Align with ISO 27001 A.12.1.2, A.14.2.9, SOC 2 CC8.1.
Change management for security updates
Create an emergency change procedure for critical security patches in [environment]. Address:
- Severity assessment and escalation criteria
- Expedited approval process
- Testing requirements (minimum viable vs. full regression)
- Communication plan (stakeholders, users, auditors)
- Deployment window and rollback plan
- Post-deployment monitoring
- Documentation requirements for compliance
- Lessons learned and process improvement
Map to ISO 27001 A.12.1.2, SOC 2 CC8.1, and incident management requirements.
Upload your current development standards or architecture documents to get more tailored prompts that align with your existing practices.
Compliance documentation
SDLC security evidence package
Generate an SDLC security evidence collection guide for [ISO 27001/SOC 2/both] audits. Include:
- Code review records and approval trails
- SAST/DAST/SCA scan reports with remediation tracking
- Penetration test reports and remediation evidence
- Security training completion records for developers
- Change management logs for security-relevant changes
- Incident postmortems related to vulnerabilities
- Dependency update logs and vulnerability assessments
- Policy acknowledgment records
Create a spreadsheet template mapping each evidence type to specific controls.
Generated code and configurations must be tested in pre-production environments and validated against your specific threat model before deployment.
Related prompts
See Infrastructure and cloud security prompts for CI/CD infrastructure hardening
See DevSecOps and automation prompts for automated security testing workflows
See Access control and identity management prompts for developer access controls