Hook
The best time to fix a vuln is before it ships.
Problem
Security reviews often happen late, when fixes are expensive and timelines are tight. This creates risky tradeoffs and rushed decisions.
Why it matters
Early security checks catch issues when they are cheaper to fix and easier to understand. Security becomes a shared responsibility instead of a gate.
Signals you are here
- Security review is a last-minute step
- Critical findings show up after release freeze
- Teams treat security as a separate function
- Security defects repeat across teams
Anti-patterns
- Security as a final approval gate
- No security testing in CI
- Threat modeling only after incidents
- Relying on manual review for every change
Try this
- Run SAST and dependency scans in CI
- Add secret scanning in pre-commit hooks
- Use secure defaults in templates
- Include threat modeling in planning
- Make security findings visible and actionable
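As an added example of the "secret scanning in pre-commit hooks" item (this script is not part of the original card and is not any particular tool's code), here is a minimal POSIX sh pre-commit hook that scans the staged content of each changed file for a few credential shapes and blocks the commit on a hit. The pattern list, the allowlist marker and the function names are assumptions of this example; a real rollout would use a maintained scanner with a far larger ruleset, but the shape of the check is the same.

```shell
#!/bin/sh
# Added example (not from the original card): a minimal pre-commit secret scanner.
# Install: copy to .git/hooks/pre-commit and make it executable.
# The patterns below are a small, illustrative set (an assumption of this example).

# Credential shapes: an AWS-style access key id, a PEM private key header, and
# "name = value" assignments whose name looks like a secret and whose value is
# at least 8 token characters long.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?key|API[_-]?KEY|secret|SECRET|password|PASSWORD|token|TOKEN)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{8,}"

# Lines carrying this marker are treated as reviewed false positives
# (marker text is this example's own convention).
ALLOW_MARKER='# allowlist-secret'

# find_secrets: read text on stdin, print "lineno:content" for each suspicious
# line that does not carry the allowlist marker.
# Exit status follows grep: 0 = at least one hit, 1 = clean.
find_secrets() {
  grep -nE "$SECRET_PATTERNS" | grep -vF "$ALLOW_MARKER"
}

# staged_has_secrets: run find_secrets over the staged (index) version of every
# added/copied/modified file, prefixing hits with the file name.
# Exit status: 0 = hits found (block the commit), 1 = clean.
# Assumes file names contain no newlines or '|' characters.
staged_has_secrets() {
  hits=$(git diff --cached --name-only --diff-filter=ACM | while IFS= read -r f; do
           git show ":$f" </dev/null | find_secrets | sed "s|^|$f:|"
         done)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 0
  fi
  return 1
}

# Only run the hook logic when git invokes this file as the pre-commit hook,
# so the functions above can also be sourced or tested on their own.
case "${0##*/}" in
  pre-commit)
    if staged_has_secrets; then
      echo "pre-commit: possible secret in staged changes; commit blocked." >&2
      echo "If this is a false positive, append '$ALLOW_MARKER' to that line." >&2
      exit 1
    fi
    ;;
esac
```

Scanning the index (git show ":file") rather than the working tree means the check sees exactly what would be committed, including partially staged hunks. Because a hook can be skipped with --no-verify, treat it as the fast, local layer and keep the same scan running in CI as the layer that cannot be bypassed.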
Example
A team added dependency scanning to CI and caught a critical vulnerability before release, avoiding a rushed patch later.
Reflection prompt
Which security check is missing from your CI pipeline? Add the simplest one first.