12 — Security Roadmap

Deliverable: security roadmap. A phased maturity model mapped to the evolution roadmap, plus the ongoing security program (not just features). Each phase lists the controls and the threats they close.


1. Maturity phases

flowchart LR
    classDef f fill:#bbf7d0,stroke:#15803d,color:#111827;
    classDef h fill:#fde68a,stroke:#b45309,color:#111827;
    classDef a fill:#fed7aa,stroke:#c2410c,color:#111827;
    P1["① Foundation (P0–P2)<br/>non-negotiables"]:::f --> P2["② Hardening (P3–P4)"]:::h --> P3["③ Assurance (P5+)"]:::a

① Foundation (P0–P2) — non-negotiable, ship with the core

② Hardening (P3–P4) — earn enterprise trust

③ Assurance (P5+) — regulated/enterprise grade


2. The security program (controls aren’t enough)

Practice: What
Secure SDLC: threat model per new trust boundary; security review gate on PRs; dependency management (Renovate + scanning)
Vulnerability management: scan gates (trivy/grype); SLA by severity; base-image auto-bumps (platform/01)
Pen testing: annual + per major feature; remediate and retest
Bug bounty: public program once hardened
Incident response: runbooks, on-call, breach-notification process (GDPR 72h), tabletop exercises
Security training: secure coding, phishing simulations
Vendor/sub-processor review: cloud/KMS/IdP due diligence; documented sub-processors
Continuous verification: the cross-tenant test, the RLS-policy-coverage check and BOLA fuzzing run in CI (01 §8)
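The RLS-policy-coverage check from the Continuous verification row, as an added CI-gate example (not the project's own code): it assumes Postgres, a `tenant_id` column marking tenant-scoped tables, and the `public` schema; the constructed rows stand in for the catalog query's result.

```python
from dataclasses import dataclass, field

# Catalog query a CI job runs against Postgres (assumed; tenant_id and the public
# schema are this example's assumptions): one row per tenant-scoped table with its
# RLS flags and attached policy names.
COVERAGE_QUERY = """
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity,
       COALESCE(array_agg(p.polname) FILTER (WHERE p.polname IS NOT NULL), '{}') AS policies
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid AND a.attname = 'tenant_id' AND NOT a.attisdropped
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE n.nspname = 'public' AND c.relkind = 'r'
GROUP BY c.relname, c.relrowsecurity, c.relforcerowsecurity;
"""

@dataclass
class TableRls:
    name: str
    rls_enabled: bool  # pg_class.relrowsecurity
    rls_forced: bool   # pg_class.relforcerowsecurity
    policies: list = field(default_factory=list)

def rls_gaps(rows):
    """Map each under-covered tenant-scoped table to its failure reasons. Coverage =
    RLS enabled + FORCE ROW LEVEL SECURITY (owner not exempt) + >=1 policy; enabled
    with no policy denies everything rather than leaking but still fails the gate."""
    gaps = {}
    for t in rows:
        reasons = []
        if not t.rls_enabled:
            reasons.append("RLS not enabled")
        if not t.rls_forced:
            reasons.append("FORCE ROW LEVEL SECURITY not set")
        if not t.policies:
            reasons.append("no policy attached")
        if reasons:
            gaps[t.name] = reasons
    return gaps

# Constructed rows standing in for the query result; two are deliberately under-covered.
SAMPLE = [
    TableRls("documents", True, True, ["documents_tenant_isolation"]),
    TableRls("comments", True, False, ["comments_tenant_isolation"]),
    TableRls("audit_events", False, False),
]

if __name__ == "__main__":
    for table, reasons in rls_gaps(SAMPLE).items():
        print(f"FAIL {table}: {'; '.join(reasons)}")
    raise SystemExit(1 if rls_gaps(SAMPLE) else 0)  # non-zero exit fails the CI job
```

In a real pipeline the rows come from executing `COVERAGE_QUERY` against a migrated test database, so a new tenant-scoped table without its policy fails the build rather than reaching production.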

3. Metrics (is security actually working?)


4. Responsible disclosure

A published SECURITY.md and a monitored security contact; a safe-harbor policy; triage SLAs; coordinated disclosure; a hall of fame that grows into the bug bounty as the program matures (doc 10, docs structure, places this at docs/security/disclosure.md).


5. The one-paragraph summary

Ship the Foundation controls with the core product — they are not optional and not deferrable (especially RLS tenant isolation, MFA, deny-by-default authz, encryption at rest, and the cross-tenant test). Earn enterprise trust in Hardening (tamper-evident audit, Cedar/ReBAC, public-sharing hardening, supply chain, SIEM). Reach regulated-grade in Assurance (BYOK/E2E, SOC 2 Type II, bug bounty). At every step, the continuous controls (audit, GitOps history, automated security tests) are what make the security provable, not just present.
