12 — Security Roadmap
Deliverable: security roadmap. A phased maturity model mapped to the evolution roadmap, plus the ongoing security program (not just features). Each phase lists the controls and the threats they close.
1. Maturity phases
```mermaid
flowchart LR
    classDef f fill:#bbf7d0,stroke:#15803d,color:#111827;
    classDef h fill:#fde68a,stroke:#b45309,color:#111827;
    classDef a fill:#fed7aa,stroke:#c2410c,color:#111827;
    P1["① Foundation (P0–P2)<br/>non-negotiables"]:::f --> P2["② Hardening (P3–P4)"]:::h --> P3["③ Assurance (P5+)"]:::a
```
① Foundation (P0–P2) — non-negotiable, ship with the core
- TLS 1.3 + mTLS, hardened images/PodSecurity (platform/).
- AuthN: OIDC + password (argon2id) + MFA; OAuth 2.1 token model (03).
- Tenant isolation: RLS + request-scoped context + tenant-prefixed cache/storage, and the cross-tenant CI test (05) — the #1 control.
- AuthZ: deny-by-default RBAC, object-level checks (BOLA) (04).
- Secrets via ESO/KMS; API keys hashed (08).
- Encryption at rest (envelope, per-tenant) (10).
- Rate limiting + quotas; basic audit log (07, 09).
- Closes: cross-tenant leak, BOLA, broken authN, resource exhaustion, plaintext secrets.
② Hardening (P3–P4) — earn enterprise trust
- Cedar + ReBAC authz + policy simulation (04, product/07).
- Tamper-evident audit log + SIEM + anomaly alerting (07).
- Public-sharing hardening (sandboxed serving, SSRF egress controls, abuse scanning) (06).
- WAF/DDoS, DPoP sender-constrained tokens, passkeys (03).
- Supply-chain (signing/SBOM/SLSA/admission verify) (ADR-0032).
- SCIM deprovisioning, break-glass procedures, pen test #1.
- Closes: repudiation, public-sharing abuse, SSRF, token theft, supply-chain, orphaned access.
③ Assurance (P5+) — regulated/enterprise grade
- BYOK/HYOK (product/02 E1), E2E Private Vaults (product/01 §4).
- SOC 2 Type II audit; HIPAA/ISO 27001 as customers require (11).
- Bug bounty, continuous pen testing, threat detection/UEBA, DLP (product/02 E3).
- Closes: insider/operator trust, advanced exfiltration, regulatory gaps.
2. The security program (controls aren’t enough)
| Practice | What |
|---|---|
| Secure SDLC | threat model per new trust boundary; security review gate on PRs; dependency mgmt (Renovate + scanning) |
| Vulnerability mgmt | scan gates (trivy/grype), SLA by severity, base-image auto-bumps (platform/01) |
| Pen testing | annual + per-major-feature; remediate-and-retest |
| Bug bounty | public program once hardened |
| Incident response | runbooks, on-call, breach-notification process (GDPR 72h), tabletop exercises |
| Security training | secure-coding, phishing simulations |
| Vendor/sub-processor review | cloud/KMS/IdP due diligence; documented sub-processors |
| Continuous verification | the cross-tenant test, RLS-policy-coverage check, BOLA fuzzing run in CI (01 §8) |
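
One way to implement the RLS-policy-coverage check named in the table above, as an added example (not this project's own code). It assumes PostgreSQL and that tenant-owned tables are identified by a `tenant_id` column; treating a table without FORCE ROW LEVEL SECURITY as a gap is also an assumption, chosen because the table owner otherwise bypasses policies.

```sql
-- RLS-policy-coverage check (added example; PostgreSQL is an assumed engine).
-- Assumption: every tenant-owned table carries a tenant_id column (hypothetical name).
-- Returns one row per gap, so an empty result means full coverage.
WITH tenant_tables AS (
    SELECT c.oid,
           n.nspname AS schema_name,
           c.relname AS table_name,
           c.relrowsecurity,
           c.relforcerowsecurity
    FROM pg_class c
    JOIN pg_namespace n ON n.oid = c.relnamespace
    JOIN pg_attribute a ON a.attrelid = c.oid
    WHERE c.relkind IN ('r', 'p')        -- ordinary and partitioned tables
      AND a.attname = 'tenant_id'
      AND a.attnum > 0                   -- skip system columns
      AND NOT a.attisdropped
      AND n.nspname NOT IN ('pg_catalog', 'information_schema')
),
policy_counts AS (
    SELECT polrelid, count(*) AS policies
    FROM pg_policy
    GROUP BY polrelid
)
SELECT t.schema_name,
       t.table_name,
       CASE
           WHEN NOT t.relrowsecurity
               THEN 'RLS not enabled'
           WHEN NOT t.relforcerowsecurity
               THEN 'RLS not forced (table owner bypasses policies)'
           ELSE 'RLS enabled but no policy defined (default deny, likely misconfigured)'
       END AS gap
FROM tenant_tables t
LEFT JOIN policy_counts p ON p.polrelid = t.oid
WHERE NOT t.relrowsecurity
   OR NOT t.relforcerowsecurity
   OR COALESCE(p.policies, 0) = 0
ORDER BY t.schema_name, t.table_name;
```

Run it in CI against a freshly migrated database and fail the build when it returns any row. It does not cover superusers or roles with BYPASSRLS, which skip policies regardless of these flags.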
3. Metrics (is security actually working?)
- Cross-tenant test: must pass every build (binary gate).
- MFA adoption %, passkey adoption %.
- Mean access-token TTL, refresh-reuse-detection events.
- Audit coverage (% of sensitive actions logged), alert MTTR.
- Vuln remediation SLA adherence; secrets-scanning catch rate.
- Pen-test findings trend (count/severity over time).
4. Responsible disclosure
A published SECURITY.md + a monitored security contact; a safe-harbor policy; triage SLAs; coordinated disclosure; a hall of fame → bug bounty as the program matures (10 docs structure places this at docs/security/disclosure.md).
5. The one-paragraph summary
Ship the Foundation controls with the core product — they are not optional and not deferrable (especially RLS tenant isolation, MFA, deny-by-default authz, encryption at rest, and the cross-tenant test). Earn enterprise trust in Hardening (tamper-evident audit, Cedar/ReBAC, public-sharing hardening, supply chain, SIEM). Reach regulated-grade in Assurance (BYOK/E2E, SOC 2 Type II, bug bounty). At every step, the continuous controls (audit, GitOps history, automated security tests) are what make the security provable, not just present.