Secure Pipelines

NIST 800-53 specifies aspects of the development process. Sensitive development artifacts such as Infrastructure-as-Code, scripts and other pipeline inputs must receive scrutiny comparable to that applied to application code. Security testing must be integrated into the deployment pipeline, and developers must demonstrate that they have explicitly addressed security requirements and performed processes such as threat modelling and deriving quality metrics.

Development Practices

There are five common design practices for security that apply both to application design and to the deployment pipeline. Security depends on a good design and good coding practices. Published lists of secure coding practices exist and are used by static analysis tools (e.g. SonarQube). One security gate in the deployment pipeline tests adherence to coding practices; another tests resistance to runtime attack methods such as cross-site scripting:

  1. Provide clients with the least privilege necessary to complete their task. Temporary access should be rescinded right after use.
  2. Mechanisms should be as small and simple as possible. A small module with a narrow interface is faster to test: there is less code to exercise and fewer interface parameters to cover.
  3. Every access to every object must be checked, during initialization, usage, shutdown and restart alike.
  4. Minimize the number of mechanisms common to more than one user and depended on by all users. Every shared mechanism is a potential information path.
  5. Utilize fail-safe defaults. Argue why a particular process or client needs to have access, not why that process or client should not have access.
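The following is an added example, not code from the original page: a small default-deny access checker for a hypothetical pipeline artifact store that exercises principles 1, 2, 3 and 5 above. A deploy job receives a time-bound, write-only grant on a single artifact (least privilege; temporary access expires and is rescinded), every store operation passes through one `authorize()` choke point (complete mediation), the store exposes only two narrow operations (economy of mechanism), and a missing rule means deny (fail-safe default). All names (`Policy`, `ArtifactStore`, `deploy-job`, `app.tar`) and the scenario are constructed for illustration.

```python
# Added example (not from the page): a default-deny access checker for a
# deployment pipeline's artifact store. Names and scenario are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    actions: FrozenSet[str]       # allowed actions, e.g. {"write"}
    expires_at: Optional[float]   # None = standing grant, else deadline in seconds


@dataclass
class Policy:
    # (principal, resource) -> Grant; a missing entry means deny (fail-safe default)
    grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    # every decision is recorded: (principal, resource, action, allowed)
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def grant(self, principal: str, resource: str, actions, now: float,
              ttl: Optional[float] = None) -> None:
        """Least privilege: only the named actions on one resource, optionally
        time-bound so temporary access expires by itself."""
        expires = None if ttl is None else now + ttl
        self.grants[(principal, resource)] = Grant(frozenset(actions), expires)

    def revoke(self, principal: str, resource: str) -> None:
        self.grants.pop((principal, resource), None)

    def authorize(self, principal: str, resource: str, action: str, now: float) -> bool:
        """Complete mediation: the single choke point every access passes through."""
        g = self.grants.get((principal, resource))
        if g is None:
            allowed = False                      # no rule -> deny
        elif g.expires_at is not None and now >= g.expires_at:
            self.revoke(principal, resource)     # rescind expired temporary access
            allowed = False
        else:
            allowed = action in g.actions
        self.audit.append((principal, resource, action, allowed))
        return allowed


class ArtifactStore:
    """Narrow interface: two operations, each checked on every call."""

    def __init__(self, policy: Policy) -> None:
        self._policy = policy
        self._blobs: Dict[str, bytes] = {}

    def put(self, principal: str, name: str, data: bytes, now: float) -> None:
        if not self._policy.authorize(principal, name, "write", now):
            raise PermissionError(f"{principal} may not write {name}")
        self._blobs[name] = data

    def get(self, principal: str, name: str, now: float) -> bytes:
        if not self._policy.authorize(principal, name, "read", now):
            raise PermissionError(f"{principal} may not read {name}")
        return self._blobs[name]


def _attempt(fn, *args) -> bool:
    """Return True if the operation was allowed, False if it was denied."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: a deploy job gets a 60 s write-only grant on one artifact."""
    policy = Policy()
    store = ArtifactStore(policy)
    policy.grant("deploy-job", "app.tar", {"write"}, now=0.0, ttl=60.0)
    return {
        "write_in_window":    _attempt(store.put, "deploy-job", "app.tar", b"build", 10.0),
        "read_without_grant": _attempt(store.get, "deploy-job", "app.tar", 10.0),  # least privilege
        "other_principal":    _attempt(store.get, "intern", "app.tar", 10.0),      # no rule -> deny
        "write_after_expiry": _attempt(store.put, "deploy-job", "app.tar", b"x", 61.0),
        "grant_rescinded":    ("deploy-job", "app.tar") not in policy.grants,
    }


if __name__ == "__main__":
    for check, value in run_scenario().items():
        print(f"{check:20s} {value}")
```

The design point is that the caller never decides; `ArtifactStore` cannot reach its blobs without going through `Policy.authorize()`, and the audit list gives the pipeline a record to check that every access was in fact mediated. The `now` parameter is passed explicitly so the expiry behaviour is testable without a real clock.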