Track M: Security Operations

Priority: MEDIUM-HIGH — Security posture for regulated customers
Agent: incident-response-specialist, security-automation-specialist
Sprint Range: S6-S9
Reference: docs/operations/64-security-architecture.md (STRIDE model, 24 vectors, 7 gaps)


Status Summary

Progress: 0% (0/18 tasks)

Section | Title | Status | Tasks
M.1 | Application Security Pipeline | Pending | 0/4
M.2 | Vulnerability Management | Pending | 0/4
M.3 | Security Incident Response | Pending | 0/4
M.4 | Secrets & Key Management | Pending | 0/3
M.5 | Security Monitoring & Detection | Pending | 0/3

M.1: Application Security Pipeline

Sprint: S6 | Priority: P1 | Depends On: E.1
Goal: SAST, DAST, and SCA integrated into CI with finding management

  • M.1.1: Integrate SAST (Static Analysis) into CI
    • Tool: Semgrep or CodeQL
    • Rules: OWASP Top 10, CWE-25, QMS-specific (e.g., audit trail bypass)
    • Gate: block merge on critical/high findings
  • M.1.2: Integrate DAST (Dynamic Analysis)
    • Tool: OWASP ZAP or Burp Suite
    • Target: scan staging environment after each deployment
    • Scope: authentication-aware scanning (test all roles)
  • M.1.3: Implement SCA (Software Composition Analysis)
    • Tool: Snyk or GitHub Advanced Security
    • License: compliance checking (no AGPL in dependencies)
    • Gate: known vulnerability blocking in CI
  • M.1.4: Build security finding management
    • Tracker: centralized finding tracker (deduplicated across SAST/DAST/SCA)
    • SLA: Critical 24hr, High 7 days, Medium 30 days, Low 90 days
    • Exceptions: accepted risk process

M.2: Vulnerability Management

Sprint: S9 | Priority: P1 | Depends On: M.1
Goal: Scanning cadence, prioritization, patch SLA tracking, and pentest program

  • M.2.1: Establish vulnerability scanning cadence
    • Infrastructure: weekly (Nessus or Qualys)
    • Container images: every build (Trivy)
    • Cloud config: daily (Cloud Security Command Center)
  • M.2.2: Build vulnerability prioritization system
    • Scoring: CVSS score + exploitability + business impact = priority
    • Weighting: asset criticality (audit trail > marketing page)
    • Escalation: auto-escalation for actively exploited CVEs
  • M.2.3: Implement patch SLA tracking
    • Dashboard: open vulnerabilities by severity and age
    • Compliance: SLA compliance reporting
    • Trending: vulnerability introduction rate vs. remediation rate
  • M.2.4: Conduct penetration testing program
    • External: annual third-party pentest (OWASP methodology)
    • Internal: quarterly red team exercises
    • Bug bounty: consideration for Phase 5

M.3: Security Incident Response

Sprint: S7-S8 | Priority: P1 | Depends On: M.1, E.3
Goal: Incident response plan, SIEM integration, forensics, and breach notification

  • M.3.1: Build security incident response plan
    • Classification: confidentiality, integrity, availability, compliance
    • Team: Security Lead + Engineering + Legal + Compliance
    • Templates: communication per severity and audience
  • M.3.2: Implement SIEM integration
    • Aggregation: Cloud Security Command Center or Splunk
    • Rules: brute force, privilege escalation, data exfiltration
    • Taxonomy: 10 security event types per doc 64
  • M.3.3: Create forensic investigation toolkit
    • Preservation: log preservation procedures (immutable snapshots)
    • Chain of custody: evidence handling
    • Reconstruction: timeline reconstruction tools
  • M.3.4: Build breach notification workflow
    • HIPAA: 60-day notification requirement
    • GDPR: 72-hour notification requirement
    • State laws: varying requirements (California, New York, etc.)
    • Tracking: automated timeline with deadline alerting

M.4: Secrets & Key Management

Sprint: S6 | Priority: P0 | Depends On: D.1, E.2
Goal: Centralized secrets management with rotation and audit trails

  • M.4.1: Implement centralized secrets management
    • Tool: GCP Secret Manager or HashiCorp Vault
    • Rotation: DB creds 90d, AI keys 90d, JWT annually (per doc 64)
    • References: vault:// URI replacing env vars (Gap G01)
  • M.4.2: Build key lifecycle management
    • E-signature keys: Cloud KMS/HSM, versioned, never rotated
    • TLS certificates: automated renewal (Let's Encrypt or managed certs)
    • Agent tokens: ephemeral, WO-scoped, in-memory only
  • M.4.3: Create secrets audit trail
    • Logging: who accessed what secret, when
    • Compliance: rotation compliance reporting
    • Cleanup: orphaned secret detection

M.5: Security Monitoring & Detection

Sprint: S10 | Priority: P1 | Depends On: M.2, M.3
Goal: Threat detection rules, automated response playbooks, and security metrics

  • M.5.1: Build threat detection rules
    • Login anomalies: geo-impossible travel, new device
    • Cross-tenant: access attempts
    • SOD violations: Separation of Duties breach attempts
    • Integrity: hash chain integrity failures
  • M.5.2: Implement automated response playbooks
    • Brute force: account lockout
    • Compromise: auto-revoke on credential compromise indicator
    • Security events: P0/P1 → auto-generate incident WO (per doc 64)
  • M.5.3: Create security metrics dashboard
    • MTTD/MTTR: for security incidents
    • False positive rate: for detection rules
    • Posture score: security posture trending

Updated: 2026-02-14 | Compliance: CODITECT Track Nomenclature Standard (ADR-054)