The Security Posture Assessment.
Audit yourself before your buyer does: forty-eight verifiable checks across six domains, each mapped to a standard an enterprise reviewer will recognize.
Enterprise buyers now audit their vendors as hard as their own code, and the data explains why: third-party involvement in breaches doubled in a single year in the Verizon 2025 Data Breach Investigations Report, and the average US data breach reached an all-time high of $10.22M in 2025.
This is the 48-point methodology BearPlex uses to get engineering teams ready for that scrutiny: six domains, every check verifiable, every check mapped to a recognized standard. It assumes white-box access to code, configs, and logs, because that is what credible verification requires.
Every check is verifiable with white-box access. If you cannot produce the artefact, score it as a no.
Application security against the OWASP Top 10:2025.
The OWASP Top 10:2025, unveiled in November 2025 and finalized in January 2026, reordered the field: broken access control held the top spot, security misconfiguration jumped to second, and software supply chain failures debuted at third (OWASP, https://owasp.org/Top10/2025/). OWASP positions the list as an awareness document and points to ASVS 5.0 for actual verification, so this pillar tests against both. An assessment still organized around the 2021 list is a full cycle out of date.
- 01
Test every endpoint for horizontal and vertical access control bypass, including object IDs, API parameters, and JWT claims. Broken access control is A01 in the OWASP Top 10:2025 with 40 mapped CWEs, and one missed check can expose every record in the table.
- 02
Verify SSRF defenses inside the access control review, with outbound request allowlists and blocked cloud metadata endpoints. OWASP folded SSRF into A01 in 2025, and an app that can be steered into metadata endpoints hands attackers your cloud credentials.
- 03
Verify authentication flows against ASVS 5.0: session lifetime, MFA enforcement, credential storage, and account recovery paths. ASVS is the verification standard OWASP itself points to; the Top 10 alone is an awareness document, not a test plan.
- 04
Audit cryptography choices: TLS configuration, encryption at rest, key management, and no homegrown algorithms. Cryptographic failures hold A04 in the 2025 list, and weak crypto turns any other compromise into a data exposure event.
- 05
Test exception and error paths for fail-open behavior, including degraded dependencies and timeout handling. Mishandling of exceptional conditions is a new category at A10:2025, and a handler that fails open turns an outage into an authorization bypass.
- 06
Test injection across every interpreter the application touches: SQL, NoSQL, OS commands, and template engines. Injection still holds A05 in 2025, and it remains the shortest route from user input to full database disclosure.
- 07
Map every finding to both an OWASP Top 10 category and a specific CWE. The 2025 list maps 248 CWEs across ten categories, and CWE-level findings are what separate a real assessment from a commodity scan.
- 08
Run the application review white-box, with code, configs, and architecture documents in scope. ASVS guidance is blunt that testing without access to documentation and source is not effective assurance, and scan-only audits quietly skip the categories that are not testable.
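The SSRF check in item 02 is the one most often "verified" by reading a config and never exercised. The guard below is an added example (not BearPlex code and not from any project the page names) of what a passing control looks like: it resolves the destination host, unwraps IPv4-mapped IPv6, and denies anything that is not globally routable, which covers loopback, RFC 1918, and the 169.254.169.254 instance metadata address. The hostnames, the `FAKE_DNS` table, and the `check_outbound_url`, `is_public_address`, and `fake_resolver` names are all constructed for the demonstration; `system_resolver` is what production would pass in.

```python
"""Outbound-request guard for SSRF defense.

Added example for check 02; not BearPlex code. Refuses any destination
that is not a globally routable address, so loopback, RFC 1918, link-local
(including the 169.254.169.254 instance metadata service) and IPv4-mapped
IPv6 forms of those are all blocked. The resolver is injectable so the
check can run offline against the constructed FAKE_DNS table below.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table (hypothetical hostnames) for the offline demonstration.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
    "v6-metadata.example": ["::ffff:169.254.169.254"],
    "dual.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def system_resolver(host: str) -> list[str]:
    """Production resolver: every A and AAAA record, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges are judged.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def check_outbound_url(
    url: str,
    allowed_hosts: Optional[Iterable[str]] = None,
    resolver: Callable[[str], list[str]] = system_resolver,
) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default on anything unexpected."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if allowed_hosts is not None and host not in set(allowed_hosts):
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"{host!r} did not resolve"
    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked:
        return False, f"{host!r} resolves to non-public address(es) {blocked}"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    urls = [
        "https://api.partner.example/v1/hook",
        "http://169.254.169.254/latest/meta-data/",
        "https://metadata.internal.example/",
        "https://v6-metadata.example/",
        "https://dual.example/",
        "http://[::1]/admin",
        "file:///etc/passwd",
        "https://user:pw@api.partner.example/",
    ]
    return {u: check_outbound_url(u, resolver=fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {url}  ({reason})")
```

Two caveats a reviewer will probe. First, connect to the address you vetted rather than letting the HTTP client resolve the name a second time, or a short-TTL record can pass the check and rebind to 169.254.169.254 before the connection opens. Second, disable automatic redirects and re-run the check on every hop, since an allowlisted partner that 302s to the metadata address defeats a one-shot check. On the cloud side, requiring IMDSv2 with a hop limit of 1 means even a missed SSRF cannot fetch role credentials.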
Infrastructure and cloud hardening.
Security misconfiguration climbed from fifth to second in the OWASP Top 10:2025 because modern risk increasingly lives in configuration, not hand-written code (OWASP, https://owasp.org/Top10/2025/0x00_2025-Introduction/). CIS Controls v8.1 and the per-technology CIS Benchmarks supply the objective layer: machine-checkable settings that produce a score instead of an opinion (CIS, https://www.cisecurity.org/controls/v8). The uncomfortable addendum from breach data is that security appliances themselves are now prime attack surface.
- 09
Score every production OS image, cloud account, and Kubernetes cluster against the matching CIS Benchmark. Benchmark compliance is machine-checkable and produces a percentage, which is the difference between evidence and assertion in a vendor review.
- 10
Close all 56 IG1 safeguards from CIS Controls v8.1 before debating advanced tooling. CIS defines IG1 as essential cyber hygiene for every organization, so an IG1 gap undercuts every other security claim you make.
- 11
Patch edge devices and VPNs on an exploit-aware SLA measured in days, not monthly cycles. Verizon's 2025 DBIR found edge devices and VPNs grew from 3 percent to 22 percent of vulnerability-exploitation breaches in one year, and for critical edge flaws the median time from disclosure to mass exploitation was zero days.
- 12
Hunt for the toxic trilogy: any workload that is publicly exposed, critically vulnerable, and highly privileged at once. Tenable found 29 percent of organizations run at least one such workload, and it is the shortest path from the internet to crown jewels.
- 13
Enforce least-privilege cloud IAM with no standing wildcard admin for humans or workloads. Over-privileged identities are what convert a single compromised box into a full account takeover.
- 14
Monitor configuration drift continuously instead of rescanning at audit time. A benchmark scan is a point-in-time snapshot, and configurations decay quietly between annual audits.
- 15
Inventory public exposure: every bucket, endpoint, and service reachable from the internet, each with a named owner. Tenable found sensitive data in 9 percent of publicly accessible cloud storage, and unowned exposure is the kind nobody patches.
- 16
Write identity verification procedures for help desk password and MFA resets, and test them with social engineering drills. A ten-minute vishing call to the help desk gave attackers administrator access to MGM's Okta, past every technical control.
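Item 13 says "no standing wildcard admin"; the linter below is an added example (not BearPlex code, not an AWS tool) of how to turn that into a machine check over AWS-style identity policy documents. It flags the four patterns a reviewer looks for first: `Action: "*"`, a `service:*` action on `Resource: "*"`, `NotAction` in an Allow statement, and `iam:PassRole` on any role. Both sample policies, the account ID, and the `lint_policy` and `lint_policy_json` names are constructed for the demonstration.

```python
"""IAM policy linter for standing wildcard privilege.

Added example for check 13; not BearPlex code and not an AWS tool. Reads an
AWS-style identity policy and flags statements that grant account-wide
admin, service-wide admin on every resource, NotAction allow-lists, or
iam:PassRole on any role (a common privilege-escalation path). Both
sample policies are constructed; 123456789012 is a placeholder account.
"""
import json
from typing import Any


def _as_list(value: Any) -> list:
    """IAM allows a string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _finding(sid: str, severity: str, message: str, conditioned: bool) -> dict:
    return {"sid": sid, "severity": severity, "message": message,
            "conditioned": conditioned}


def lint_policy(policy: dict) -> list[dict]:
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", f"Statement[{idx}]")
        actions = [a.lower() for a in _as_list(st.get("Action"))]  # IAM actions are case-insensitive
        not_actions = _as_list(st.get("NotAction"))
        resources = _as_list(st.get("Resource"))
        all_resources = "*" in resources
        conditioned = "Condition" in st  # a Condition may narrow the grant; review it, do not auto-pass it

        if not_actions:
            findings.append(_finding(sid, "HIGH",
                f"NotAction allows every action except {not_actions}; use explicit Action lists",
                conditioned))
        if any(a in ("*", "*:*") for a in actions):
            scope = "on every resource" if all_resources else "on the listed resources"
            findings.append(_finding(sid, "CRITICAL",
                f"Action '*' grants full administrative access {scope}", conditioned))
        elif all_resources:
            for a in actions:
                if a.endswith(":*"):
                    findings.append(_finding(sid, "HIGH",
                        f"{a} on Resource '*' is service-wide admin", conditioned))
            if "iam:passrole" in actions:
                findings.append(_finding(sid, "HIGH",
                    "iam:PassRole on Resource '*' lets the principal hand any role to a service",
                    conditioned))
    return findings


def lint_policy_json(text: str) -> list[dict]:
    return lint_policy(json.loads(text))


# Constructed: what a standing-admin workload policy tends to look like.
STANDING_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3All", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "Pass", "Effect": "Allow",
         "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"},
        {"Sid": "Neg", "Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
    ],
}

# Constructed: the same needs, scoped to named resources and conditioned.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-assets",
                      "arn:aws:s3:::example-app-assets/*"]},
        {"Sid": "PassAppRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-task",
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("STANDING_ADMIN", STANDING_ADMIN), ("LEAST_PRIVILEGE", LEAST_PRIVILEGE)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Run it over every customer-managed policy and every inline role policy in the account, not just the ones attached to humans; the workload roles are where the `s3:*` on `Resource: "*"` grants accumulate. A `Condition` on a flagged statement is reported, not excused, because conditions such as `aws:SourceIp` narrow the grant far less than they appear to.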
Secret management.
GitGuardian counted 28.65 million new hardcoded secrets pushed to public GitHub in 2025, a 34 percent jump year over year (GitGuardian, https://blog.gitguardian.com/the-state-of-secrets-sprawl-2026/). The deeper finding is that detection is not the failure mode, revocation is: nearly 70 percent of credentials confirmed valid in 2022 were still valid in early 2025, and a January 2026 retest still found over 64 percent alive. Sprawl persists even in organizations with dedicated secrets managers (GitGuardian 2025, https://blog.gitguardian.com/the-state-of-secrets-sprawl-2025/), so this pillar grades workflow, not tooling.
- 17
Centralize secrets in a purpose-built store and authenticate to it with machine identities, not a bootstrap static credential. The OWASP Secrets Management Cheat Sheet treats vault plus machine identity as the baseline, and a static bootstrap key just relocates the problem.
- 18
Scan full git history on every repository, not just the current commit. Deleted commits, forks, and caches keep a leaked key alive, which is how credentials from years ago still open production doors.
- 19
Extend secret scanning to Slack, Jira, wikis, and ticketing systems. GitGuardian found roughly 28 percent of secret incidents now originate entirely outside repositories, in collaboration tools.
- 20
Measure median time from leak detection to revocation, and assign an owner to that number. GitGuardian found about 70 percent of secrets leaked in 2022 were still valid two years later, because teams treat a deleted commit as remediation.
- 21
Replace long-lived CI credentials with OIDC-issued short-lived tokens. The CircleCI breach forced every customer to rotate everything they had ever stored in the platform, and short-lived tokens shrink that blast radius to minutes.
- 22
Rotate machine credentials automatically, and rotate human passwords on evidence of compromise rather than a calendar. Automated rotation is what makes revocation cheap, and NIST-aligned password policy stops rotation theater from masquerading as control.
- 23
Keep a tested rotate-everything runbook with a known time to completion. When a vendor holding your secrets is breached, you inherit their incident on their timeline, and an untested runbook is a guess.
- 24
Treat privileged-user endpoints, including home machines that can reach crown-jewel systems, as part of the secret perimeter. LastPass was unraveled through a DevOps engineer's home media server while every vault-side control worked as designed.
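Items 18 and 19 ask for scanning across git history and collaboration tools; the scanner below is an added example (not BearPlex code and not GitGuardian's engine) of the two detection techniques those checks rest on: fixed-format credential patterns, and an entropy gate on generic `key = value` assignments that drops placeholders like `xxxxxxxx`. It deliberately scans removed `-` lines in a `git log -p` style diff, since the commit that deleted a key proves the key was once in history. Both sample inputs are constructed; the AWS values are Amazon's published example credentials, and the GitHub and Slack tokens are made-up strings in the right shape.

```python
"""Secret scanner over git history and collaboration-tool text.

Added example for checks 18 and 19; not BearPlex code and not GitGuardian's
engine. Combines fixed-format credential patterns with a Shannon-entropy
gate on generic key=value assignments, and scans removed ('-') diff lines
too, because a secret deleted in a later commit is still in history. Both
sample inputs are constructed; the AWS values are Amazon's documented
example credentials and the other tokens are made up.
"""
import math
import re
from collections import Counter

# (name, pattern, capture group holding the candidate value, minimum entropy in bits/char)
PATTERNS = [
    ("aws_access_key_id", re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"), 0, 0.0),
    ("github_pat", re.compile(r"ghp_[A-Za-z0-9]{36}"), 0, 0.0),
    ("slack_token", re.compile(r"xox[baprs]-[A-Za-z0-9-]{10,}"), 0, 0.0),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), 0, 0.0),
    ("generic_assignment",
     re.compile(r"(?i)(secret|token|passw(?:or)?d|api[_-]?key)\w*\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})"),
     2, 3.5),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0 for a repeated character, log2(len) when all distinct."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str) -> list[dict]:
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern, group, min_entropy in PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(group)
                # Entropy gate drops placeholders; dedupe so a token caught by a
                # specific pattern is not reported again by the generic one.
                if shannon_entropy(value) < min_entropy or (lineno, value) in seen:
                    continue
                seen.add((lineno, value))
                findings.append({"source": source, "line": lineno, "type": name,
                                 "preview": f"{value[:4]}... ({len(value)} chars)"})
    return findings


# Constructed `git log -p` output: the secrets were removed in this commit,
# which is exactly why current-tree scanning misses them.
SAMPLE_DIFF = """\
commit 3f2a9c1 (constructed)
Author: dev <dev@example.com>

diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,6 +1,6 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 DB_PASSWORD = "kX9vQ2mZp7Lw4RtB8nYc"
 PLACEHOLDER_PASSWORD = "xxxxxxxxxxxxxxxxxxxx"
 API_KEY = "${API_KEY}"
"""

# Constructed chat export: the "outside the repo" case from check 19.
SAMPLE_SLACK = """\
[#deploys] alice 09:14  can someone re-run the pipeline? my token is ghp_aBcD1234eFgH5678iJkL9012mNoP3456qRsT
[#deploys] bob 09:16  the bot posts with xoxb-000000000000-000000000000-EXAMPLEexampleEXAMPLE if that helps
"""


def scan_all() -> list[dict]:
    return scan_text(SAMPLE_DIFF, "git-history") + scan_text(SAMPLE_SLACK, "slack")


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']:12} line {f['line']:>3}  {f['type']:20} {f['preview']}")
```

Against the diff this reports the access key ID on line 9, the secret access key on line 10 and the database password on line 13, and stays silent on the `xxxx` placeholder and the `${API_KEY}` template; against the chat export it reports the GitHub token and the Slack bot token. In production you feed it `git log -p --all` (forks and reflogs included) and the exports of every collaboration tool, and every hit goes to the revocation queue that item 20 measures, not to a commit that deletes the line.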
Dependency and supply chain security.
Software supply chain failures debuted at number three in the OWASP Top 10:2025, and Sonatype identified 454,600 new malicious open source packages in 2025 alone, over 99 percent of them on npm (Sonatype, https://www.sonatype.com/state-of-the-software-supply-chain/2026/open-source-malware). The Shai-Hulud npm worm and the xz backdoor proved that CVE scanning is not coverage: one spread through stolen publish tokens and install scripts, the other through three years of patient social engineering. This pillar grades provenance, repo hygiene, and triage discipline together.
- 25
Generate an SBOM in CI for every release, in CycloneDX or SPDX, and match it against vulnerability feeds continuously. An SBOM produced by hand or never consumed is shelfware, and enterprise questionnaires now ask for both the artifact and the process behind it.
- 26
Rank vulnerabilities with CISA KEV and EPSS layered on CVSS, never CVSS alone. VulnCheck found 28.96 percent of known exploited vulnerabilities in 2025 were attacked on or before CVE publication day, so raw CVSS triage is a 2018-era audit.
- 27
Apply reachability analysis before assigning remediation work. Endor Labs reports reachability analysis cuts alert noise by up to 95 percent compared with SCA tools that flag every CVE, and teams drowning in noise eventually ignore the tool entirely.
- 28
Disable or restrict package lifecycle scripts in CI and cut outbound network access from build systems. The Shai-Hulud worm spread through npm install scripts and stolen tokens, and version pinning alone would not have stopped it.
- 29
Treat registry publish tokens and CI credentials as production secrets protected by phishing-resistant MFA. Shai-Hulud authenticated as each compromised maintainer and republished malicious versions of that maintainer's own packages, no exploit required.
- 30
Score critical dependencies with OpenSSF Scorecard and review maintainer health, not just CVE counts. The xz backdoor was invisible to every scanner and was caught only by accident, because upstream social risk never appears in vulnerability feeds.
- 31
Reach SLSA Build L2 with signed provenance from a hosted build platform, and write down the path to L3. SLSA levels give an auditor a defensible answer to where you stand and what comes next, instead of a shrug.
- 32
Pin dependencies with lockfiles and verify integrity hashes in CI. Unpinned dependencies mean every build silently trusts whatever the registry serves that day.
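Items 26 and 27 describe a triage order (KEV, then EPSS, then reachability, with CVSS last) without showing what it does to a backlog. The ranker below is an added example (not BearPlex code and not any vendor's scoring) of that order applied to a constructed set of findings, next to the CVSS-only sort it replaces. The identifiers are placeholders rather than real CVEs, and the 10 percent EPSS threshold is an assumption to tune against your own history.

```python
"""Exploit-aware vulnerability triage.

Added example for checks 26 and 27; not BearPlex code. Ranks findings by
CISA KEV membership, EPSS probability and reachability before CVSS, and
shows how the resulting order differs from a CVSS-only sort. All findings
below are constructed, with placeholder identifiers rather than real CVEs.
"""
from dataclasses import dataclass
from typing import Optional

EPSS_ACT_NOW = 0.10  # assumed threshold: >= 10% predicted 30-day exploitation probability


@dataclass
class Finding:
    vuln_id: str
    component: str
    cvss: float
    epss: float
    in_kev: bool
    reachable: Optional[bool]  # None means reachability analysis was unavailable


def tier(f: Finding) -> int:
    """1 = fix now, 2 = this sprint, 3 = scheduled, 4 = track only."""
    if f.in_kev and f.reachable is not False:
        return 1  # known exploited and the vulnerable code is (or may be) reachable
    if f.in_kev:
        return 2  # known exploited; do not trust 'unreachable' enough to ignore it
    if f.reachable is False:
        return 4  # vulnerable function never called; revisit if EPSS or KEV changes
    if f.epss >= EPSS_ACT_NOW:
        return 2
    if f.cvss >= 9.0:
        return 3
    return 4


def prioritize(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


def cvss_only(findings: list[Finding]) -> list[Finding]:
    """The 2018-era ordering the page warns against, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


def explain(f: Finding) -> str:
    reach = {True: "reachable", False: "unreachable", None: "reachability unknown"}[f.reachable]
    return (f"T{tier(f)} {f.vuln_id:7} {f.component:14} CVSS {f.cvss:>4}  "
            f"EPSS {f.epss:.3f}  {'KEV' if f.in_kev else '   '}  {reach}")


# Constructed backlog: the CVSS 9.8 item is dead code, the CVSS 7.5 item is
# in KEV and reachable.
SAMPLE = [
    Finding("EX-A", "xml-parser", 9.8, 0.002, False, False),
    Finding("EX-B", "http-client", 7.5, 0.910, True, True),
    Finding("EX-C", "template-lib", 6.5, 0.350, False, True),
    Finding("EX-D", "image-codec", 9.1, 0.010, False, True),
    Finding("EX-E", "auth-middleware", 8.8, 0.600, True, False),
    Finding("EX-F", "logging-lib", 5.3, 0.001, False, None),
]

if __name__ == "__main__":
    print("exploit-aware order:")
    for f in prioritize(SAMPLE):
        print("  " + explain(f))
    print("cvss-only order:", [f.vuln_id for f in cvss_only(SAMPLE)])
```

The CVSS-only sort puts the 9.8 in unreachable parser code at the top of the queue; the exploit-aware sort sends the KEV-listed 7.5 to the front and parks the 9.8 in the track-only tier with a re-check trigger. Wire the KEV feed and the daily EPSS scores in from their published sources and re-run on every SBOM build so the tiers move when the threat data does.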
Incident response readiness.
NIST retired the classic four-phase incident response lifecycle in April 2025; SP 800-61r3 remaps response onto the six CSF 2.0 functions, putting governance and preparation inside the same model as detection and response (NIST, https://csrc.nist.gov/pubs/sp/800/61/r3/final). The gap to close is paper versus practice: 99 percent of organizations have an IR plan, yet 73 percent of security leaders say they would not be adequately prepared for a real incident (Sygnia CISO survey via Cybersecurity Dive, https://www.cybersecuritydive.com/news/cisos--gaps-incident-response-playbooks/817323/).
- 33
Align the IR plan to NIST SP 800-61r3 and the CSF 2.0 functions, not the withdrawn four-phase lifecycle. NIST retired the old lifecycle in April 2025, and a plan citing a withdrawn standard is itself a findable gap in any serious review.
- 34
Run tabletop exercises at least twice a year, log the gaps, and verify they close. An organization that cannot say when the last tabletop ran, who attended, and which gaps closed has a paper plan, not a capability.
- 35
Verify log retention covers identity provider, CI/CD, and cloud audit logs, and that they are queryable under pressure. Mandiant could not determine the initial infection vector in 34 percent of 2024 intrusions, a gap that points to logging and detection deficiencies, not attacker brilliance.
- 36
Measure alert-to-action time for high-severity detections, not alert coverage. Target's FireEye tooling flagged the 2013 breach twice and nobody acted, which is what an unmeasured alert pipeline does at scale.
- 37
Define severity tiers, named roles, and communication paths including legal and executive escalation. Sygnia's CISO survey found stakeholder coordination, limited executive involvement, and legal delays were the biggest readiness gaps even where plans existed.
- 38
Automate first-line containment for high-confidence detections. Mandiant's M-Trends 2026 puts the median time from initial compromise to hand-off to follow-on attackers at 22 seconds, which no human ticket queue can match.
- 39
Isolate and test recovery infrastructure: offline backups, separated credential vaults, and restricted hypervisor access. M-Trends 2026 documents attackers compromising backup management servers, draining credential vaults, and wiping millions of backup objects, so untested recovery is a ransom negotiation strategy.
- 40
Track mean time to detect and contain against the published 241-day global benchmark, and engineer for internal detection. IBM found internally detected breaches cost about 900,000 dollars less than attacker-disclosed ones, so detection speed is a line item.
Compliance and enterprise sales readiness.
SOC 2 audits the company, not the product, and a clean report says almost nothing about whether the software is secure (fly.io, https://fly.io/blog/soc2-the-screenshots-will-continue-until-security-improves/). Enterprise security reviews increasingly speak SSDF, SAMM, and CAIQ, so this pillar makes your evidence legible in the buyer's vocabulary. The standing test for every control: does it change an outcome, or does it generate screenshots.
- 41
Score the security program against OWASP SAMM and turn the result into a dated improvement roadmap. SAMM is prescriptive and open, and its output is a maturity roadmap, which reads far stronger in diligence than a pass-fail badge.
- 42
Express your SDLC controls in the vocabulary of NIST SP 800-218 (SSDF). SSDF is the language of enterprise and federal vendor risk reviews, and mapping to it once saves every future questionnaire.
- 43
Maintain a pre-filled CSA CAIQ answer library and keep it current. The CAIQ's 261 questions are what procurement actually sends, and slow answers stall deals more often than bad ones.
- 44
Scope SOC 2 deliberately and pursue it when customers demand it, knowing it audits the company rather than the product. As fly.io's Thomas Ptacek put it, SOC 2 is about the security of the company, not the company's products, so product security needs separate evidence.
- 45
Require a named methodology, defined scope, and tester qualifications in every penetration test report. Enterprise reviewers read the methodology section before a single finding, and an unnamed methodology reads as an unqualified test.
- 46
Separate awareness-level risk categories from verifiable controls in audit reports, and state which standard each check maps to. Commodity audits titled OWASP Top 10 assessments quietly skip the categories OWASP itself says are not testable.
- 47
Inventory AI usage and put access controls on models, agents, and the data they touch. IBM found 97 percent of organizations with AI-related breaches lacked AI access controls, and shadow AI added 670,000 dollars to average breach cost.
- 48
Retire controls that produce evidence of activity but no measurable security outcome. Kelly Shortridge calls this security obstructionism, and screenshot-generating controls push engineers into the workarounds that cause real incidents.
Every statistic in this assessment was re-verified against its primary source in June 2026. The receipts ship with the page.
- OWASP Top 10:2025
- OWASP Top 10:2025 Introduction
- OWASP Top 10:2025, A01 Broken Access Control
- OWASP, How to use the OWASP Top 10 as a standard
- OWASP Application Security Verification Standard (ASVS 5.0)
- OWASP SAMM, About the model
- CIS Critical Security Controls, Implementation Group 1
- Center for Internet Security, CIS Controls v8
- OWASP Cheat Sheet Series, Secrets Management
- NIST SP 800-61 Rev. 3
- NIST SP 800-218, Secure Software Development Framework
- SLSA v1.1 security levels
- OpenSSF Scorecard
- IBM Cost of a Data Breach Report 2025
- Verizon 2025 Data Breach Investigations Report
- GitGuardian State of Secrets Sprawl 2026
- GitGuardian State of Secrets Sprawl 2025
- Tenable Cloud Security Risk Report 2025
- Sonatype 2026 State of the Software Supply Chain
- Sonatype, Choosing the right SBOM standard: SPDX vs CycloneDX
- VulnCheck State of Exploitation 2026
- Intruder, EPSS vs CVSS
- Mandiant M-Trends 2025 (Google Cloud)
- Mandiant M-Trends 2026, via Help Net Security
- Sygnia CISO survey, via Cybersecurity Dive
- Cisco Cybersecurity Readiness Index 2025
- CircleCI incident report, January 4, 2023
- ReversingLabs, LastPass breach lessons for DevSecOps teams
- Palo Alto Networks Unit 42, npm supply chain attack (Shai-Hulud)
- CISA, Lessons from XZ Utils
- Endor Labs, SCA reachability research
- fly.io, SOC2: The Screenshots Will Continue Until Security Improves
- Kelly Shortridge, The Security Obstructionism (SecObs) Market
- CS Hub, A full timeline of the MGM Resorts cyber attack
- Breachsense, Target data breach case study
- Strobes, Penetration testing standards: PTES, OSSTMM, NIST, OWASP
- Vanta, What is CAIQ?
Use it. Then bring us the bill.
If the assessment shows red flags you cannot close in a quarter, that is the conversation we are built for. Application security is one of our ten worlds, and findings you cannot close internally are exactly the work our security pod exists for.
Talk to engineering. Bring the problem. We bring the discipline.
Tell us which world your problem lives in, or let the diagnostic find out. The first conversation is with an engineer, not an account manager.
ISO 27001 certified · NDA-first process · SOC 2 Type II in progress