Security at the small-to-mid scale rarely fails because someone skipped the big things. It fails because someone skipped a small thing in a hurry. The following habits are cheap and catch a surprising number of issues.
In the editor
- Validate every input at the trust boundary, with a schema, in one place.
- Treat any string built from user input as untrusted when it crosses another boundary (HTML, SQL, shell, email headers).
- Never write a secret to a log. Redact at the logger layer so future code cannot regress.
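As an added example (not code from the original post), here is a Python logging filter that implements the "redact at the logger layer" habit: it scrubs the fully formatted message, so a call site that later logs a password or bearer token is caught without that code being touched. The secret patterns, the key list and the helper names are assumptions made for this illustration.

```python
import io
import logging
import re

# Patterns whose trailing value must never reach a log line. Constructed for
# this example; a real deployment extends the key list to its own secrets.
SECRET_PATTERNS = [
    # key=value / key: value forms such as password=hunter2 or api_key: abc
    re.compile(r"(?i)\b((?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*)[^\s&,;']+"),
    # credentials in Authorization headers, e.g. "Bearer eyJ..." or "Basic dXNl..."
    re.compile(r"(?i)\b((?:Bearer|Basic)\s+)[A-Za-z0-9._~+/=-]+"),
]

def redact(text: str) -> str:
    """Keep the key name (so the line stays useful) and replace only the value."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(r"\1[REDACTED]", text)
    return text

class RedactingFilter(logging.Filter):
    """Scrubs the *formatted* message. Formatting first avoids breaking the
    record's %-arguments, and a new call site cannot bypass the filter."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already merged into msg above
        return True

def install_redaction(handler: logging.Handler) -> None:
    # Attach to the handler, not the logger: logger-level filters only see
    # records created by that logger, handler-level filters see everything
    # that propagates to the handler.
    handler.addFilter(RedactingFilter())

def log_through_redactor(message: str, *args) -> str:
    """Demonstration helper: emit one record through a redacting handler and
    return exactly the text the handler wrote."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    install_redaction(handler)
    logger = logging.getLogger("example.redaction")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [handler]
    logger.info(message, *args)
    handler.flush()
    return buf.getvalue().rstrip("\n")
```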
In the pipeline
- Run a dependency advisory scan on every merge request, not weekly.
- Block on findings above your tolerance threshold, with a documented waiver mechanism for exceptions.
- Generate a software bill of materials at build time and attach it to every release.
In production
- Rotate credentials on a calendar, not on a breach.
- Patch base images on a calendar, not when a CVE makes the news.
- Practice a real recovery drill at least once a quarter, with the runbook you actually intend to use.
