Security should not be an afterthought but continuously be part of all the phases of the Software Development Lifecycle (SDLC).
Security practices, e.g., Threat modelling, Secure design, Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software composition analysis (SCA), and scanning for hard coded secrets in code, should be performed continuously. All findings should be evaluated, and action should be taken accordingly to service specific risk appetite.
Cloud resources must be protected and audited for security issues. Cloud security posture management (CSPM) and container security scanners must be in place.
