SDLC Control Drafter (ISO 27001 A.8.28)
Overview
Draft and maintain ISO 27001-aligned Secure Development Lifecycle (SDLC) policy: Security by Design, Security by Default, and security gates (SAST/DAST, peer review, threat modeling). Includes OWASP Top 10 alignment check for web and API risks.
Example Conversation
You: We need an SDLC policy for our engineering team aligned to ISO 27001 Control 8.28. We want Security by Design, security gates (SAST, DAST, peer review, threat modeling), and evidence we can show auditors.
Agent: I’ll structure the policy around the Annex A SDLC cluster (A.8.25–A.8.29): secure development life cycle, application security requirements, secure architecture, secure coding, and security testing. I’ll add sections for Security by Design (threat modeling, design review) and Security by Default (secure defaults, dependency management), then define the gates with pass/fail and evidence (scan reports, review records). I’ll add evidence placeholders so it reads as a living document.
You: First draft looks good. Run the OWASP check on it to see if we’re covering modern web and API risks.
Agent: Running owasp_alignment_check on the SDLC policy…
Agent: OWASP Top 10 Alignment Report — Addressed: 14, Partial: 4, Missing: 2. Missing: API4 Unrestricted Resource Consumption, API9 Improper Inventory Management. I’ll add a short subsection on API rate limiting and quotas for API4, and a requirement for API inventory and deprecation for API9. Re-run the check after the edit?
You: Yes. Then we’re done.
Agent: Re-ran owasp_alignment_check. RESULT: All OWASP Top 10 categories addressed. The policy is ready for review.
What the Tools Validate
The skill includes one extension tool:
owasp_alignment_check cross-references an SDLC or application security policy against the OWASP Top 10 to confirm that the policy addresses modern web and API vulnerabilities:
- Scope: OWASP Top 10:2021 (web applications) and OWASP API Security Top 10:2023 — 20 categories in total
- Logic: Scans the policy text for keyword patterns that indicate each risk category is addressed (e.g. “threat model”, “injection”, “rate limit”, “API inventory”). Each category is reported as addressed (strong keyword match), partial (weak match), or missing
- Output: A summary (addressed / partial / missing counts), a per-category list with ✓ / ~ / ✗, and a “Missing” and “Partial” section so you can add or strengthen policy language
- When to run: After drafting or after material changes to the policy; re-run after edits until missing categories are covered
Run it on the policy document path (e.g. sdlc-policy.md) so certification and internal auditors see alignment with current OWASP guidance.
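The keyword-based classification described under "Logic" above, as an added illustration in Python; this is not the skill's own implementation. The category subset, the strong/weak keyword patterns and the sample policy fragment are all constructed here (the real tool covers 20 categories and its keyword mapping is not published on this page).

```python
import re

# Constructed subset of the 20 OWASP categories. Each entry holds
# (strong patterns, weak patterns); the real tool's mapping is an assumption here.
CATEGORIES = {
    "A01 Broken Access Control": ([r"access control", r"authoriz"], [r"permission"]),
    "A03 Injection": ([r"injection"], [r"parameteriz", r"input validation"]),
    "A04 Insecure Design": ([r"threat model"], [r"secure design", r"abuse case"]),
    "A10 SSRF": ([r"\bssrf\b", r"server.side request forgery"], [r"egress"]),
    "API4 Unrestricted Resource Consumption": ([r"rate limit"], [r"quota", r"throttl"]),
    "API9 Improper Inventory Management": ([r"api inventory"], [r"deprecat"]),
}

def classify(policy_text, categories=CATEGORIES):
    """Map each category to 'addressed' (strong match), 'partial' (weak match) or 'missing'."""
    text = policy_text.lower()
    result = {}
    for name, (strong, weak) in categories.items():
        if any(re.search(p, text) for p in strong):
            result[name] = "addressed"
        elif any(re.search(p, text) for p in weak):
            result[name] = "partial"
        else:
            result[name] = "missing"
    return result

def summarize(status):
    """Count categories per state, matching the report's summary line."""
    counts = {"addressed": 0, "partial": 0, "missing": 0}
    for state in status.values():
        counts[state] += 1
    return counts

def report(policy_text, categories=CATEGORIES):
    """Render the summary, the per-category ✓ / ~ / ✗ list and the Missing section."""
    status = classify(policy_text, categories)
    counts = summarize(status)
    marks = {"addressed": "✓", "partial": "~", "missing": "✗"}
    lines = [f"Addressed: {counts['addressed']}, Partial: {counts['partial']}, Missing: {counts['missing']}"]
    lines += [f"{marks[state]} {name}" for name, state in status.items()]
    gaps = [name for name, state in status.items() if state == "missing"]
    if gaps:
        lines.append("Missing: " + ", ".join(gaps))
    return "\n".join(lines)

# Constructed policy fragment modelled on section 6 of the excerpt below.
SAMPLE_POLICY = (
    "Security requirements shall address access control and authorization, injection "
    "prevention, secure design and threat modeling, and SSRF prevention. "
    "Deprecated API versions must be retired within one release."
)
```

A strong keyword match only shows that the policy contains the language; the gate evidence in the policy (scan reports, review records) is what shows engineering actually implements it.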
Output Excerpt
A condensed excerpt from a generated SDLC policy (security gates and OWASP-related requirements):
## 4. Security gates
| Gate | When | Pass/fail criteria | Evidence |
|-------------------|-------------------|---------------------------------------|----------|
| Threat modeling | Before design freeze | Threat model doc; high risks mitigated | Design repo / wiki |
| Peer review | Before merge | At least one approver; security checklist completed | MR/PR + checklist |
| SAST | CI pipeline | No Critical/High unresolved | Scan report in CI |
| DAST / security test | Pre-release | Critical/High remediated or accepted | Test report + risk acceptance |
## 5. Security by Design and by Default
- **Security by Design**: Security requirements and abuse cases in design; secure architecture and design review (A.8.27). Threat modeling for new features or major changes.
- **Security by Default**: Secure defaults (least privilege, safe config); dependency and component management (SBOM, vulnerability scanning); no default credentials in code or config.
## 6. Application security and OWASP alignment
Security requirements and testing shall address OWASP Top 10 (web and API) as applicable: access control and authorization (incl. object-level for APIs), authentication and session handling, injection prevention, secure design and threat modeling, misconfiguration and hardening, vulnerable components and supply chain, data integrity and logging, SSRF prevention, API rate limiting and inventory.
After editing, run owasp_alignment_check on the policy to confirm all OWASP categories are addressed before submission.
Getting Started
Add your source materials (e.g. existing security or development docs) to the project workspace, then activate the SDLC Control Drafter (ISO 27001 A.8.28) skill. The agent will guide you through scoping Annex A controls, structuring the policy around Security by Design, Security by Default, and security gates, and validating OWASP alignment.