Chapter Twelve · Closing the Doors the Code Left Open
Securing the Build
The intruder got in through Sam's code and the pipeline that shipped it. This chapter closes those doors — secure coding, the dependencies Meridian pulls in, secrets in the CI/CD system, and the tooling that catches flaws before release. It stays at the "shift security left" level and hands the full pipeline depth to a future DevSecOps course.
5 topics
The cheapest vulnerability to fix is the one that never ships. This chapter moves security earlier — into the code Sam writes, the dependencies Meridian pulls in, the secrets the pipeline holds, and the automated checks that run before release — so the flaws the intruder exploited in Chapter 6 are caught at build time instead of in production. It is the same cost curve from Chapter 1, applied to security: a flaw caught in code costs a fraction of the same flaw caught in a breach.
Five topics: secure coding principles, dependency and supply-chain risk, secrets in code and CI/CD, the SAST/DAST/SCA tooling map, and shifting left. This chapter deliberately stops at the AppSec foundation and hands the full pipeline, infrastructure-as-code, and supply-chain depth to a dedicated DevSecOps course, keeping the scopes distinct.
Security moved left — caught at build, not in the breach