Day 3 Wrap-up — Secure Development Lifecycle
Day 3 Wrap-up — Secure Development Lifecycle
Today we answered a critical question:
How do we ensure that what reaches production is secure, tested, and traceable?What We Covered
Defense in Depth
Each layer adds an independent control. Removing one does not remove the others.
| Layer | Control | Protects Against |
|---|---|---|
| Identity (Day 1) | RBAC, managed identity | Unauthorized actions |
| Network (Day 2) | Access restrictions, private endpoints | Unauthorized reachability |
| Quality Gates (Day 3) | Type checks, automated tests | Broken deployments, untested code |
| Security Scanning (Day 3) | Semgrep, Trivy, Checkov | Code vulnerabilities, dependency CVEs, IaC misconfigurations |
| API Security (Day 3) | OWASP ZAP, Helmet headers | Runtime vulnerabilities, missing headers |
| Artifact Promotion (Day 3) | Build-once-promote-many | Inconsistent deployments, time drift |
| Monitoring (Day 4) | Log Analytics, alerts | Unnoticed incidents |
What We Built
Pipeline Stages

Traceability Chain
End-of-Day Checklist
[ ] Pipeline runs quality gates before building (typecheck, tests)
[ ] Semgrep scans code for security patterns (secrets, injection, validation)
[ ] Trivy scans dependencies for CVEs and embedded secrets
[ ] Checkov scans Terraform for Azure misconfigurations
[ ] Build stage publishes artifact with metadata (BUILD_COMMIT, BUILD_VERSION)
[ ] Deployment stages download artifact (no rebuilds)
[ ] OWASP ZAP scans deployed API for missing headers and TLS issues
[ ] Test environment requires manual approval before deployment
[ ] Artifact metadata enables tracing deployment back to source commitKey Principles We Applied
1. Shift-Left Security
Don't wait until production to find vulnerabilities — scan code, dependencies, and infrastructure before deployment.
| Traditional Approach | Shift-Left Approach |
|---|---|
| Deploy → Discover CVE in prod → Scramble to patch | Scan during build → Fix before deployment → Deploy secure artifact |
| Manual security review before release | Automated scans in every pipeline run |
| Security team reviews code after development | Developers see findings immediately in PR |
2. Build-Once-Promote-Many
Never rebuild for production — compile/package once, scan once, promote the same artifact through all environments.
Why this matters: Rebuilding for prod means:
- Different dependencies (time drift)
- Untested code (prod artifact never validated in dev/test)
- Zero traceability (can't prove prod matches scanned code)
3. Quality Before Security
Run fast checks first:
- Type checking (3 seconds)
- Unit tests (5 seconds)
- Integration tests (20 seconds)
- Security scans (60-90 seconds)
If TypeScript doesn't compile, don't waste time scanning dependencies.
4. Traceability and Immutability
Every deployed artifact must answer:
- Which commit produced this?
- Which build created it?
- Which tests passed?
- Which scans cleared it?
Artifact metadata (BUILD_COMMIT, BUILD_VERSION, BUILD_NUMBER) enables full audit trail from code to production.
Security Scanning Summary
| Tool | Scans | Example Finding | When It Runs |
|---|---|---|---|
| Semgrep | Code patterns | Hardcoded API key, SQL injection risk, missing validation | Validate stage (SAST) |
| Trivy | Dependencies, secrets, config | express CVE-2022-24999, AWS key in .env | Validate stage (dependency scan) |
| Checkov | Terraform (IaC) | Storage account public access enabled, missing encryption | Validate stage (IaC scan) |
| OWASP ZAP | Running API (DAST) | Missing X-Frame-Options, weak TLS config | Post-deployment (dev environment) |
Complementary approaches: SAST finds issues in code, DAST finds issues in runtime behavior. Use both.
What Changed From Day 2
| Component | Day 2 | Day 3 |
|---|---|---|
| Backend deployment | Manual or ad-hoc | Automated pipeline with quality/security gates |
| Code quality | Manual review | Automated type checking + tests |
| Dependency vulnerabilities | Unknown | Scanned by Trivy in every build |
| Infrastructure misconfigurations | Deployed then discovered | Caught by Checkov before provisioning |
| API security | Assumed secure | Validated by OWASP ZAP after deployment |
| Deployment consistency | Rebuild per environment (risk of drift) | Build once, promote immutable artifact |
| Traceability | Unknown which code is deployed | Full audit trail (commit SHA → build ID → artifact) |
Bridge to Day 4
Today we controlled what enters the environment through code, infrastructure, dependencies, APIs, and pipelines.
Tomorrow we assume something still goes wrong and ask:
Can we see it?
Can we detect it?
Can we respond to it?Day 4 focuses on monitoring, logging, and threat detection: using Log Analytics, Azure Monitor, and security alerts to observe system behavior and respond to incidents.
Today: Secure the pipeline and prevent vulnerabilities.
Tomorrow: Monitor the system and detect threats.Day 3 Challenge
If time allows, we have a challenge: Day 3 Challenge Exercises