🛡️ Security

🏛️ Context: Every enterprise should centralise identity in one IdP. Evaluate Okta/Entra ID for cloud-first; Keycloak for open-source self-hosted. Enforce MFA universally. Plan for identity federation with partners and acquisitions.

🏛️ Context: OIDC + OAuth 2.0 is the standard for modern applications. Use authorisation code flow with PKCE for web/mobile. Short-lived access tokens + refresh tokens. Never store sensitive data in JWTs (they're base64, not encrypted).

🏛️ Context: Enforce MFA universally — it blocks 99%+ of credential-based attacks. Push for phishing-resistant methods: hardware keys (YubiKey) for admins, passkeys for all users. SMS-based 2FA is the weakest option.

🏛️ Context: RBAC is sufficient for most applications. ABAC enables fine-grained, context-aware access. OPA/Cedar externalise policy from code — enables consistent enforcement across services and simplifies auditing. Design for least privilege.

🏛️ Context: Standing admin access is the #1 target for attackers. Implement JIT access for all production systems. Vault stores and rotates secrets (API keys, database credentials). Every privileged session should be logged and reviewable.

🏛️ Context: Enable encryption at rest for all storage by default — most cloud services support it natively. Use customer-managed keys (CMK) for sensitive workloads. Implement key rotation policies. Plan for crypto-agility (algorithm upgrades).

🏛️ Context: TLS 1.3 everywhere, no exceptions. mTLS for service-to-service communication (service mesh automates this). Automate certificate issuance and rotation with cert-manager and ACME (Let's Encrypt). Plan for short-lived certificates.

🏛️ Context: Vault is the gold standard for secrets management. Dynamic secrets (generated per session, auto-expire) eliminate the shared credential problem. Integrate with CI/CD — pipelines pull secrets at runtime, never store them.

🏛️ Context: Classification drives protection strategy: not all data needs the same controls. Automate PII detection in data pipelines. Implement dynamic data masking for non-production environments. DLP at email, endpoint, and cloud storage.

🏛️ Context: Zero trust is the target architecture — migrate incrementally. Start with identity (strong AuthN for all users), then microsegmentation, then device trust. Google's BeyondCorp is the reference implementation. VPN is not zero trust.

🏛️ Context: WAF is table stakes for public-facing applications. Use managed rulesets as baseline and add custom rules for application-specific patterns. Combine with rate limiting and bot management. Log all blocked requests for analysis.

🏛️ Context: L3/L4 DDoS protection is built into most cloud providers at no extra cost (AWS Shield Standard). L7 (application-layer) DDoS is harder — requires WAF, rate limiting, and CDN. Design for graceful degradation under attack.

🏛️ Context: Design network architecture around trust boundaries, not convenience. Public → DMZ → Application → Data tiers. Default-deny between segments. In Kubernetes, use NetworkPolicies to enforce pod-to-pod restrictions.

🏛️ Context: SAST in CI is a baseline requirement. Semgrep offers fast, customisable rule writing. CodeQL (GitHub) provides deep semantic analysis. Tune rules to reduce false positives — noisy tools get ignored.

🏛️ Context: SCA is essential — dependency vulnerabilities (Log4Shell, etc.) are the most exploited attack vector. Automate with Dependabot/Renovate for update PRs. Pin dependency versions. Use private registries to control what enters your codebase.

🏛️ Context: Run DAST against staging environments in CI/CD. OWASP ZAP is the open-source standard. For API security, combine DAST with API-specific tools. Annual penetration testing supplements automated DAST.

🏛️ Context: Scan on build AND continuously (new CVEs against existing images). Generate SBOMs for every image (SPDX or CycloneDX format). Enforce image signing in Kubernetes admission policies. Use minimal base images.

🏛️ Context: SBOMs are increasingly mandated by regulation (US Executive Order 14028, EU CRA). SLSA Level 2+ ensures builds are reproducible and tamper-evident. Integrate SBOM generation into CI/CD as a standard artifact alongside the image.

🏛️ Context: Map compliance requirements to architecture early — they're constraints, not afterthoughts. Automate evidence collection for audits. Continuous compliance (Vanta, Drata) replaces annual audit scrambles. Understand which frameworks apply to which systems.

🏛️ Context: SIEM is essential at enterprise scale. Cloud-native (Sentinel, Chronicle) reduces operational burden. Focus on detection rules that matter — too many alerts cause fatigue. Integrate with SOAR for automated incident response.

🏛️ Context: Threat modelling during architecture review is far cheaper than fixing vulnerabilities post-deployment. Make it a standard phase in design. STRIDE for application threats; MITRE ATT&CK for infrastructure threats. Document and revisit as the system evolves.

🏛️ Context: Log everything meaningful, retain based on compliance requirements (7 years for some financial regulations). Ensure logs are tamper-evident (write-once storage). Centralise audit logs separately from application logs for integrity.