Information security in engineering
Overview
Information security in software teams embeds secure design, implementation, and operations into the SDLC: threat modeling at design time, dependency hygiene and secrets management during implementation, and incident readiness in operations. Security is a shared responsibility among developers, platform, and governance teams, not an audit checkbox applied at release time.
Key concepts
- STRIDE / threat modeling — Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege.
- Least privilege — IAM roles, service accounts, and database users scoped to the minimum permissions the workload actually needs; wildcard actions or resources in a policy are a review finding, not a convenience.
- Secrets — Never commit tokens or keys; inject them at runtime from a vault or managed secret store. A secret that has reached a commit, a log, or a ticket is treated as leaked and rotated.
- Supply chain — Lockfiles, provenance, and vulnerability scanning (SCA).
- Shift left — Catch issues in PRs and design reviews, not only in prod.
Secure SDLC touchpoints
Sample: PR security checklist
- Authorization enforced on every new endpoint (role and tenant checks), not only authentication.
- User input validated on entry and output encoded for the context where it is rendered.
- No new secrets in the repo; any secret that reached a commit or a log is rotated, not merely deleted.
- Vulnerable dependencies upgraded, or the risk accepted in a tracked ticket with an owner and a review date.
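As an added example for the "no new secrets in the repo" item (not code from the original page), the following Python scanner walks a unified diff and checks only the added lines for well-known credential formats and hard-coded credential assignments. The diff is a constructed sample: the file name `config.py` is an assumption, the AWS access key ID is the placeholder AWS uses in its own documentation, and the GitHub token is a made-up string of the right shape.

```python
"""Scan added lines of a unified diff for secrets (added example).

Only '+' lines are inspected, so a secret being removed is not re-reported.
Patterns are ordered from most specific to most generic; the first match
per line wins. The diff below is a constructed sample.
"""
import re

# Constructed sample PR diff: a developer replaces env lookups with literals.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-prod"
+GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
 DB_USER = os.environ.get("DB_USER")
 print(AWS_KEY)
"""

SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Generic: password/secret/token/api_key assigned a quoted literal of 8+ chars.
    ("hardcoded_credential",
     re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return (path, new_line_number, pattern_name) for each added line that matches."""
    findings = []
    path = None
    new_lineno = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        m = HUNK_RE.match(line)
        if m:
            new_lineno = int(m.group(1))  # first line number on the new side
            continue
        if line.startswith("-"):
            continue  # removed lines (and '--- a/...' headers) are not new content
        if line.startswith("+"):
            content = line[1:]
            for name, pattern in SECRET_PATTERNS:
                if pattern.search(content):
                    findings.append((path, new_lineno, name))
                    break
            new_lineno += 1
        elif line.startswith(" ") or line == "":
            new_lineno += 1  # unchanged context line still advances the new side
        # 'diff --git' and 'index' lines carry no line content and are ignored
    return findings


if __name__ == "__main__":
    for path, lineno, name in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: {name}")
```

Running it reports the three added lines in `config.py` (lines 2, 3 and 4) and nothing for the removed `os.environ` line or the unchanged context. Treat any hit as already leaked: the fix in the PR is to remove the literal and rotate the credential, because the value lives on in git history and in CI logs. Pattern matching of this kind catches known token formats; dedicated scanners such as gitleaks cover far more formats and add entropy checks, but the gate should still run on every PR rather than only on a periodic audit.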