Security Standard
v1.0 — 2026-06-06 — baseline: OWASP Top 10:2025 (supersedes 2021; full list in the appendix below).
Secrets
- No secrets in code, in committed config files, or in pipeline YAML. Secrets live in Azure Key Vault and reach pipelines through Key Vault-linked variable groups or the AzureKeyVault task over a service connection; the service connection itself authenticates with Managed Identity or Workload Identity Federation, not with a PAT or a service-principal client secret (nothing to rotate, nothing to leak).
- GitHub Advanced Security for Azure DevOps (GHAzDO) is the org standard: secret scanning with push protection, plus dependency scanning and code scanning. Enable it on every active repo, new ones included; a repo it is not enabled on gets no push protection.
- Leaked secret: treat it as compromised. Rotate or revoke it first, then purge it from history. Rewriting history does not un-leak anything already cloned, forked or captured in build logs, so rotation is the control and the history cleanup is hygiene.
Supply chain (A03:2025)
- Lock files committed (`packages.lock.json`, `package-lock.json`) and restores run in locked mode, so a stale or missing lock file fails the build instead of being silently regenerated.
- Renovate runs as an Azure DevOps pipeline for automated dependency updates; `dotnet list package --vulnerable` / `npm audit` run in CI and fail the build on findings at or above the agreed severity.
- NuGet package source mapping restricts which feed each package may be resolved from (blocks dependency confusion); pin pipeline task versions.
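The two sections above as one Azure Pipelines definition, added here as an illustration rather than the org's actual pipeline. Assumed names: a service connection `sc-prod-wif` backed by Workload Identity Federation, a Key Vault `kv-app-prod`, a Key Vault-linked variable group `kv-app-prod-secrets`, a secret `Db-ConnectionString`, and a repo containing both a .NET solution and an npm package.

```yaml
# Added example, not the org's real pipeline. Assumed: service connection "sc-prod-wif" (WIF),
# Key Vault "kv-app-prod", Key Vault-linked variable group "kv-app-prod-secrets",
# secret "Db-ConnectionString", ubuntu agents (script steps run under bash).
trigger: [main]

pool:
  vmImage: ubuntu-latest

variables:
  # Secrets are pulled from Key Vault when the job starts via the linked variable group.
  # They are masked in logs and never appear in this YAML or in git.
  - group: kv-app-prod-secrets

steps:
  # Task versions pinned to a major (task@N); never rely on a floating "latest".
  - task: UseDotNet@2
    inputs:
      version: 8.x

  - task: NodeTool@0
    inputs:
      versionSpec: 20.x

  # Alternative to the variable group: fetch named secrets with the task. The service
  # connection authenticates with WIF, so no client secret or PAT exists to leak.
  - task: AzureKeyVault@2
    inputs:
      azureSubscription: sc-prod-wif
      KeyVaultName: kv-app-prod
      SecretsFilter: 'Db-ConnectionString'
      RunAsPreJob: false

  # Lock files are the source of truth: both restores fail if a lock file is missing or stale.
  # --ignore-scripts keeps npm lifecycle scripts from running on the build agent.
  - script: |
      set -euo pipefail
      dotnet restore --locked-mode
      npm ci --ignore-scripts
    displayName: Restore (locked mode)

  # A03: fail the build on known-vulnerable dependencies. The .NET output is grepped because
  # the command's exit code is not a reliable signal across SDK versions; Critical/High is
  # the threshold chosen here to match npm's --audit-level=high.
  - script: |
      set -euo pipefail
      dotnet list package --vulnerable --include-transitive | tee vuln.txt
      if grep -Eq '\b(Critical|High)\b' vuln.txt; then
        echo "##vso[task.logissue type=error]Vulnerable packages found (see vuln.txt)"
        exit 1
      fi
      npm audit --audit-level=high
    displayName: Dependency vulnerability check

  - script: dotnet build --no-restore -c Release
    displayName: Build
    env:
      # The secret reaches the process only as an env var for this step; never echo it.
      DB_CONNECTION_STRING: $(Db-ConnectionString)
```

Locked-mode restore needs `RestorePackagesWithLockFile` enabled in the .NET projects so that `packages.lock.json` exists to lock against; `npm ci` already refuses to run when `package-lock.json` disagrees with `package.json`. NuGet package source mapping is configured separately in `nuget.config` and is not shown here.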
Application security
- AuthZ enforced server-side on every resolver/endpoint (`IActorIdentityGuard` pattern). The actor's identity and roles come from the server-validated token or session, never from client-supplied fields or from claims the server has not verified.
- Validate all input (Zod on frontends, model validation/guards on APIs); the frontend check is UX, the API check is the control. Parameterized queries only (EF Core/LINQ); no SQL string concatenation, and that includes string-interpolated raw SQL.
- Error handling (A10:2025): fail closed (an exception inside an auth or validation check denies, never grants); no stack traces or internals in API responses (a generic problem response with a correlation id is enough); structured logging that carries no secrets or PII.
- HTTPS everywhere with HSTS; TLS 1.2 minimum, 1.3 preferred; security headers on web apps (Content-Security-Policy, X-Content-Type-Options: nosniff, frame-ancestors or X-Frame-Options, Referrer-Policy).
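The four rules above in one ASP.NET Core minimal-API endpoint, added here as an example; it is not the project's own code, and `IActorIdentityGuard` below is a sketch of the pattern, not the real interface. Assumed: .NET 8, the packages Microsoft.EntityFrameworkCore.Sqlite and Microsoft.AspNetCore.Authentication.JwtBearer, a tenant-id claim named `tid`, and JWT authority/audience configured under `Authentication:Schemes:Bearer` in appsettings (the parameterless `AddJwtBearer()` binds from there).

```csharp
// Added example, not the project's code. Assumed: .NET 8, EF Core Sqlite provider,
// JwtBearer package, tenant claim "tid", JWT settings under Authentication:Schemes:Bearer.
using System.Security.Claims;
using Microsoft.AspNetCore.Http.HttpResults;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<OrdersDb>(o => o.UseSqlite("Data Source=orders.db"));
builder.Services.AddScoped<IActorIdentityGuard, ClaimsActorGuard>();
builder.Services.AddAuthentication().AddJwtBearer(); // identity comes from a validated token, never from the body
builder.Services.AddAuthorization();
builder.Services.AddProblemDetails();

var app = builder.Build();

// A10: fail closed. Any unhandled exception (including one thrown inside the guard) becomes a
// generic RFC 7807 500 with no stack trace; the exception is logged server-side only.
app.UseExceptionHandler();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/orders/{id:int}",
    async Task<Results<Ok<OrderDto>, NotFound, ForbidHttpResult, BadRequest<string>>> (
        int id, ClaimsPrincipal user, IActorIdentityGuard guard, OrdersDb db, ILogger<Program> log) =>
{
    if (id <= 0) return TypedResults.BadRequest("id must be positive"); // server-side input validation

    // Identity and tenant are resolved from the authenticated principal; the client cannot supply them.
    var actor = guard.Resolve(user);
    if (actor is null) return TypedResults.Forbid(); // missing/unverifiable claims => deny

    // Parameterized by construction: LINQ compiles to SQL with bound parameters.
    // Forbidden form, for contrast: db.Orders.FromSqlRaw("SELECT * FROM Orders WHERE Id = " + id)
    var order = await db.Orders
        .Where(o => o.Id == id && o.TenantId == actor.TenantId) // tenant filter = AuthZ in the query
        .Select(o => new OrderDto(o.Id, o.Total))
        .SingleOrDefaultAsync();

    if (order is null)
    {
        // Structured log with opaque ids only; same 404 whether the order is missing or cross-tenant,
        // so the response is not an existence oracle.
        log.LogInformation("Order {OrderId} not visible to actor {ActorId}", id, actor.Id);
        return TypedResults.NotFound();
    }
    return TypedResults.Ok(order);
}).RequireAuthorization();

app.Run();

// --- illustrative types (hypothetical, not the project's) ---------------------------------
public record Actor(string Id, string TenantId);
public record OrderDto(int Id, decimal Total);

public interface IActorIdentityGuard
{
    // Returns null when the principal lacks the server-verified claims the app requires.
    Actor? Resolve(ClaimsPrincipal principal);
}

public sealed class ClaimsActorGuard : IActorIdentityGuard
{
    public Actor? Resolve(ClaimsPrincipal principal)
    {
        if (principal.Identity?.IsAuthenticated != true) return null;
        var sub = principal.FindFirstValue(ClaimTypes.NameIdentifier);
        var tenant = principal.FindFirstValue("tid"); // trusted only because JwtBearer validated the token
        return string.IsNullOrEmpty(sub) || string.IsNullOrEmpty(tenant) ? null : new Actor(sub, tenant);
    }
}

public class Order
{
    public int Id { get; set; }
    public string TenantId { get; set; } = "";
    public decimal Total { get; set; }
}

public class OrdersDb(DbContextOptions<OrdersDb> options) : DbContext(options)
{
    public DbSet<Order> Orders => Set<Order>();
}
```

The tenant filter sits inside the query rather than being checked after the fetch, so an endpoint that forgets the post-fetch check still cannot return another tenant's row. `RequireAuthorization()` turns an unauthenticated call into a 401 before the handler runs, and the guard turns an authenticated-but-incomplete token into a 403 rather than a guess.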
Process
- Security review required for: auth changes, new external integrations, file upload, payment/PII handling.
- Reference docs for depth: OWASP ASVS 5.0, OWASP Cheat Sheet Series.
Appendix — OWASP Top 10:2025 (the baseline, enumerated)
| # | Category | Note vs 2021 |
|---|---|---|
| A01 | Broken Access Control | Still #1; SSRF folded in |
| A02 | Security Misconfiguration | Up from #5 |
| A03 | Software Supply Chain Failures | NEW — broadens "Vulnerable and Outdated Components" to dependencies, build systems, distribution |
| A04 | Cryptographic Failures | Down from #2 |
| A05 | Injection | Down from #3 |
| A06 | Insecure Design | Down from #4 |
| A07 | Authentication Failures | Renamed (was "Identification and Authentication Failures") |
| A08 | Software or Data Integrity Failures | Unchanged position; minor rename (was "Software and Data Integrity Failures") |
| A09 | Security Logging & Alerting Failures | Renamed — emphasis on alerting, not just logging |
| A10 | Mishandling of Exceptional Conditions | NEW — error handling, failing open, logical errors under abnormal conditions |
Sources: OWASP Top 10:2025 · Pipeline secrets · GHAzDO · Renovate on Azure · ASVS