Security woven into the SDLC: threat model at design time, secure coding guidelines, SAST/DAST in CI, and a security review checklist before release.
Activities
- Threat modeling on new features
- Security user stories ("as attacker, I cannot…")
- Code review security checklist
- Staging pen test before major launches
Shift left
Fixing a bug in production costs 10–100× as much as fixing it at design time, so catch issues early.
Important interview questions and answers
- Q: SAST?
  A: Static analysis of source code without running the application.
- Q: DAST?
  A: Dynamic testing against the running application (ZAP, Burp).
Self-check
- What is threat modeling?
- Shift left meaning?
Tip: a 30-minute threat model during sprint planning saves weekend incidents.
Interview prep
- Q: Shift left?
  A: Find security issues earlier in the SDLC.