Chapter Twelve · Closing the Doors the Code Left Open

Securing the Build

The intruder got in through Sam's code and the pipeline that shipped it. This chapter closes those doors — secure coding, the dependencies Meridian pulls in, secrets in the CI/CD system, and the tooling that catches flaws before release. It stays at the "shift security left" level and hands the full pipeline depth to a future DevSecOps course.

5 topics

The cheapest vulnerability to fix is the one that never ships. This chapter moves security earlier — into the code Sam writes, the dependencies Meridian pulls in, the secrets the pipeline holds, and the automated checks that run before release — so the flaws the intruder exploited in Chapter 6 are caught at build time instead of in production. It is the same cost curve from Chapter 1, applied to security: a flaw caught in code costs a fraction of the same flaw caught in a breach.

Five topics: secure coding principles, dependency and supply-chain risk, secrets in code and CI/CD, the SAST/DAST/SCA tooling map, and shifting left. This chapter deliberately stops at the AppSec foundation and hands the full pipeline, infrastructure-as-code, and supply-chain depth to a dedicated DevSecOps course, keeping the scopes distinct.

Security moved left — caught at build, not in the breach
1
Write it safe
secure coding
2
Manage inputs
dependencies · secrets
3
Check it
SAST · DAST · SCA
4
Shift left
→ DevSecOps

Topics in This Chapter