Prompts for the Secure Development Lifecycle
What you will accomplish
Generate controls, procedures and technical implementations for the secure development lifecycle (SDLC) that comply with ISO 27001 Annex A.8 and A.14, SOC 2 CC8.1 and NIST SP 800-218. These prompts help you integrate security into every phase of software development.
Code review and security testing
Secure code review process
Design a secure code review process for a [language/framework] application using [Git/GitLab/GitHub/Bitbucket]. Include:
- Pre-commit hooks for secret detection and linting
- Mandatory peer review requirements with security checklist
- Automated SAST tool integration ([tool name] or recommend)
- Security-focused review criteria for common vulnerabilities (OWASP Top 10)
- Escalation process for critical findings
- Evidence collection for compliance audits (ISO 27001 A.14.2, SOC 2 CC8.1)
Output as a Markdown procedure document and tool configuration files.
Security testing pipeline
Create a comprehensive security testing strategy for [application type] in [development environment]. Include:
- SAST tools and configuration for [language]
- DAST tools for runtime testing
- SCA (Software Composition Analysis) for dependency vulnerabilities
- Container image scanning (if applicable)
- Integration points in CI/CD pipeline
- Severity thresholds and build failure criteria
- Remediation SLAs by severity level
- Reporting for security and compliance teams
Map each control to ISO 27001 Annex A.8.8, A.14.2 and SOC 2 CC8.1.
Penetration testing requirements
Generate penetration testing requirements and scope documentation for [application/system] that meets [ISO 27001/SOC 2/PCI DSS] standards. Include:
- Testing scope (APIs, web app, mobile, infrastructure)
- Exclusions and safe harbor conditions
- Required credentials and access levels
- Testing methodology (OWASP, PTES, custom)
- Reporting format and timeline
- Remediation verification process
- Annual testing schedule
- Third-party tester qualification criteria
Align with ISO 27001 A.14.2.8 and SOC 2 CC7.1 requirements.
Dependency and supply chain security
Dependency management policy
Create a dependency management and software supply chain security policy for [tech stack]. Address:
- Approved package repositories and registries
- Dependency version pinning vs. range strategies
- Automated vulnerability scanning ([Snyk/Dependabot/other])
- Update cadence for different severity levels
- Process for evaluating new dependencies
- License compliance checks
- SBOM (Software Bill of Materials) generation
- Third-party component risk assessment
Map to ISO 27001 A.8.30, SOC 2 CC8.1, and NIST SSDF practices.
Open source security evaluation
Design an open source component evaluation checklist for [organization type]. Include criteria for:
- Security track record and CVE history
- Maintenance activity and community health
- License compatibility
- Code quality and security practices
- Alternative options assessment
- Ongoing monitoring requirements
- Documentation of approval decision
- Deprecated package sunset process
Output as a form template and approval workflow.
Secrets and credentials management
Secrets management implementation
Design a secrets management architecture for [application environment] using [HashiCorp Vault/AWS Secrets Manager/Azure Key Vault/GCP Secret Manager]. Include:
- Secret storage and rotation strategy
- Access control policies (RBAC)
- Integration with application code ([language/framework])
- Environment-specific secret handling (dev/staging/prod)
- Audit logging configuration
- Emergency access procedures
- Migration plan from hardcoded secrets
- Developer onboarding guide
Align with ISO 27001 A.8.24, A.9.4.3, SOC 2 CC6.7, and NIST SP 800-57.
Secret detection and remediation
Create a secret detection and remediation procedure for [version control system]. Include:
- Pre-commit hooks using [tool name or recommend]
- Repository scanning for historical leaks
- Automated alerting on secret detection
- Immediate response steps (rotation, revocation)
- Root cause analysis template
- Developer training requirements
- Metrics for tracking incidents
- Integration with incident management
Map to ISO 27001 A.17.1, SOC 2 CC7.4.
Secure coding standards
Secure coding guidelines
Generate secure coding guidelines for [language/framework] development that address:
- Input validation and sanitization
- Output encoding for XSS prevention
- SQL injection prevention
- Authentication and session management
- Cryptographic operations and key handling
- Error handling and logging (avoid sensitive data exposure)
- File upload security
- API security (rate limiting, authentication)
- Security headers configuration
- OWASP Top 10 mitigations specific to [framework]
Include code examples for each guideline. Map to ISO 27001 A.14.2 and SOC 2 CC8.1.
API security standards
Design API security standards for [REST/GraphQL/gRPC] APIs in [language/framework]. Cover:
- Authentication mechanisms (OAuth 2.0, JWT, API keys)
- Authorization and scope management
- Rate limiting and throttling
- Input validation and schema enforcement
- Output filtering (prevent data over-exposure)
- CORS and content security policies
- Versioning strategy with security implications
- Logging and monitoring requirements
- Security testing approach (fuzzing, auth bypass tests)
Align with ISO 27001 A.14.1, OWASP API Security Top 10, and SOC 2 CC6.1-CC6.2.
Development environment security
Secure development environment configuration
Create a secure development environment configuration guide for [team size] developers working on [application type]. Include:
- Workstation hardening requirements (OS, disk encryption, firewall)
- Required security tools (antivirus, EDR, VPN)
- Access controls for development resources
- Separation of environments (local, dev, staging, prod)
- Data handling for production data in non-prod environments
- VPN/network access requirements
- Software installation and update policies
- Incident reporting procedures
Map to ISO 27001 A.6.2.2, A.8.9, SOC 2 CC6.4.
Production data anonymization
Design a production data anonymization process for [data type] used in [development/testing] environments. Include:
- Data classification and sensitivity assessment
- Anonymization techniques (masking, tokenization, synthetic data)
- Tool recommendations for [database type]
- Automated pipeline for data refresh
- Validation that anonymization is irreversible
- Access controls for anonymized datasets
- Documentation for audit evidence
- GDPR Article 25 and ISO 27001 A.8.11 compliance mapping
Release and deployment security
Secure deployment pipeline
Design a secure deployment pipeline for [application] to [cloud platform/on-premises]. Include:
- Code signing and artifact verification
- Automated security checks before deployment
- Approval gates and RBAC for production deployments
- Rollback procedures and version control
- Configuration management and drift detection
- Secrets injection (no hardcoded credentials)
- Post-deployment validation tests
- Audit logging of all deployments
- Change management integration
Align with ISO 27001 A.12.1.2, A.14.2.9, SOC 2 CC8.1.
Change management for security updates
Create an emergency change procedure for critical security patches in [environment]. Address:
- Severity assessment and escalation criteria
- Expedited approval process
- Testing requirements (minimum viable vs. full regression)
- Communication plan (stakeholders, users, auditors)
- Deployment window and rollback plan
- Post-deployment monitoring
- Documentation requirements for compliance
- Lessons learned and process improvement
Map to ISO 27001 A.12.1.2, SOC 2 CC8.1, and incident management requirements.
Upload your current development standards or architecture documents to get more tailored prompts aligned with your existing practices.
Compliance documentation
SDLC security evidence pack
Generate an SDLC security evidence collection guide for [ISO 27001/SOC 2/both] audits. Include:
- Code review records and approval trails
- SAST/DAST/SCA scan reports with remediation tracking
- Penetration test reports and remediation evidence
- Security training completion records for developers
- Change management logs for security-relevant changes
- Incident postmortems related to vulnerabilities
- Dependency update logs and vulnerability assessments
- Policy acknowledgment records
Create a spreadsheet template mapping each evidence type to specific controls.
Generated code and configurations must be tested in non-production environments and validated against your specific threat model before any deployment.
Related prompts
See the Infrastructure and Cloud Security Prompts for hardening CI/CD infrastructure
See the DevSecOps and Automation Prompts for automated security testing workflows
See the Access Control and Identity Management Prompts for developer access controls