Defend before attackers find the gaps - OWASP, STRIDE, and Microsoft SFI
Defend before attackers find the gaps.
Security practices evolve with new threats, vulnerabilities, and industry standards.
Refresh triggers:
Last validated: February 2026
Check current state: Microsoft SFI, OWASP, CVE Database
Security is not a feature—it's a property. Review code with adversarial thinking.
Microsoft's approach to security-first development:
| Principle | Focus |
|---|---|
| Secure by Design | Security comes first when designing any product or service |
| Secure by Default | Protections enabled/enforced by default, require no extra effort, not optional |
| Secure Operations | Security controls and monitoring continuously improved for current/future threats |
Satya's Mandate (May 2024): "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security."
Four foundations that underpin successful security operations:
| Foundation | Description |
|---|---|
| Security-first Culture | Daily behaviors reinforced through regular meetings between engineering and SFI leaders |
| Security Governance | Framework led by CISO, partnering with engineering teams to oversee SFI and manage risks |
| Continuous Improvement | Growth mindset integrating feedback and learnings from incidents into standards |
| Paved Paths & Standards | Best practices that optimize productivity, compliance, and security at scale |
| Pillar | Focus |
|---|---|
| Protect Identities & Secrets | Best-in-class standards for identity/secrets infrastructure, phishing-resistant MFA |
| Protect Tenants & Isolate Systems | Tenant isolation and production system protection |
| Protect Networks | Network security and segmentation |
| Protect Engineering Systems | Secure development infrastructure and CI/CD |
| Monitor & Detect Cyberthreats | Continuous threat monitoring and detection |
| Accelerate Response & Remediation | Fast incident response and recovery |
Before coding:
// Bad: Optional security
createServer({ https: false, cors: '*' });
// Good: Secure by default
createServer({
https: true,
cors: ['https://trusted.com'],
helmet: true
});
Principle of Least Privilege:
// Bad: Admin access by default
const user = { role: 'admin', permissions: ['*'] };
// Good: Minimum permissions
const user = { role: 'viewer', permissions: ['read:own'] };
Input Validation:
// Validate and sanitize ALL input
function processInput(input: unknown) {
const validated = schema.parse(input); // Zod, Joi, etc.
const sanitized = sanitize(validated);
return sanitized;
}
| # | Vulnerability | What to Check | Prevention |
|---|---|---|---|
| 1 | Broken Access Control | Check permissions on every request | Authorization on all routes |
| 2 | Cryptographic Failures | Use strong, modern crypto | TLS 1.2+, proper key management |
| 3 | Injection | SQL, NoSQL, LDAP, OS commands | Parameterized queries, no string concat |
| 4 | Insecure Design | Threat modeling, secure patterns | STRIDE analysis pre-implementation |
| 5 | Security Misconfiguration | Secure defaults, remove unused features | Hardened configs, no default passwords |
| 6 | Vulnerable Components | Dependency scanning, updates | npm audit, regular updates |
| 7 | Auth Failures | MFA, secure session management | Strong passwords, session timeout |
| 8 | Data Integrity | Signatures, checksums | Tamper detection |
| 9 | Logging Failures | Comprehensive audit logging | Monitor security events |
| 10 | SSRF | Allowlist URLs, validate requests | Input validation, URL allowlisting |
| Threat | Question | Mitigation |
|---|---|---|
| Spoofing | Can attacker impersonate? | Strong authentication, phishing-resistant MFA |
| Tampering | Can data be modified? | Integrity checks, signatures, checksums |
| Repudiation | Can actions be denied? | Audit logging, non-repudiation mechanisms |
| Information Disclosure | Can secrets leak? | Encryption at rest/transit, access control |
| Denial of Service | Can system be overwhelmed? | Rate limiting, quotas, redundancy |
| Elevation of Privilege | Can attacker gain access? | Least privilege, authorization checks |
□ Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
□ No hardcoded credentials
□ Session tokens are random, rotated, and expire
□ Failed login attempts are rate-limited
□ MFA supported where appropriate
□ Every endpoint has explicit access control
□ No security through obscurity (hidden URLs)
□ Resource ownership verified before access
□ Admin functions require elevated auth
□ Deny by default, allow explicitly
□ All input validated on server (not just client)
□ Allowlist validation preferred over blocklist
□ File uploads restricted by type and size
□ URL redirects validated against allowlist
□ JSON/XML parsing has size limits
□ Sensitive data encrypted at rest
□ TLS 1.2+ for data in transit
□ API keys/secrets in env vars, not code
□ PII minimized and retention limited
□ Logs don't contain passwords/tokens/PII
□ npm audit / pip audit / cargo audit clean
□ No deprecated or unmaintained packages
□ Dependabot or Renovate enabled
□ Lock files committed
□ Known CVE check before release
// NEVER
const apiKey = 'sk-1234567890abcdef';
// ALWAYS
const apiKey = process.env.API_KEY;
// Or: Azure Key Vault, AWS Secrets Manager, etc.
| Credential Type | Rotation Period |
|---|---|
| API Keys | 90 days |
| Service Passwords | 90 days |
| Certificates | 1 year |
| User Passwords | User discretion + breach response |
If secrets accidentally committed:
git filter-branch or BFG# npm
npm audit
npm audit fix
# Check for outdated
npm outdated
| Severity | Response Time |
|---|---|
| Critical | 24-48 hours |
| High | 1 week |
| Medium | 2 weeks |
| Low | Next release |
🚩 eval(), exec(), dangerouslySetInnerHTML
🚩 String concatenation in queries
🚩 Disabled security features
🚩 Overly permissive CORS
🚩 Secrets in code or config files
🚩 Missing rate limiting
🚩 Verbose error messages
| Language | Watch For |
|---|---|
| JavaScript | Prototype pollution, eval(), innerHTML |
| TypeScript | Type assertions bypassing validation |
| Python | pickle deserialization, format strings |
| SQL | String concatenation in queries |
| Shell | Command injection, unquoted variables |
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 0 (deprecated, use CSP)
Before shipping, ask:
When vulnerability found:
See incident-response for full IR workflow.
See synapses.json for connections.
Consolidated: 2026-02-19 Sources: security-review (2026-02-01) + microsoft-sfi