# SDLC Control Drafter (ISO 27001 A.8.28)

> Draft and maintain ISO 27001-aligned Secure Development Lifecycle (SDLC) policy: Security by Design, Security by Default, and security gates (SAST/DAST, peer review, threat modeling). Includes OWASP Top 10 alignment check for web and API risks.



Tags: ISO 27001, ISMS, SDLC, Secure development, OWASP, Security by Design, Compliance


## Example Prompts

- Draft an SDLC policy for our product engineering team aligned to ISO 27001 Control 8.28
- Add security gates (SAST, DAST, peer review, threat modeling) to our secure development policy
- Run an OWASP alignment check on our SDLC policy to find gaps
- Update our SDLC policy to address OWASP API Security Top 10 2023

URL: https://rakenne.app/skills/sdlc-control-drafter/index.md

Try this skill: https://rakenne.app/a/?skill=sdlc-control-drafter




## Example Conversation

> **You:** We need an SDLC policy for our engineering team aligned to ISO 27001 Control 8.28. We want Security by Design, security gates (SAST, DAST, peer review, threat modeling), and evidence we can show auditors.

> **Agent:** I'll structure the policy around the Annex A SDLC cluster (A.8.25–A.8.29): secure development life cycle, application security requirements, secure architecture, secure coding, and security testing. I'll add sections for Security by Design (threat modeling, design review) and Security by Default (secure defaults, dependency management), then define the gates with pass/fail and evidence (scan reports, review records). I'll add evidence placeholders so it reads as a living document.

> **You:** First draft looks good. Run the OWASP check on it to see if we're covering modern web and API risks.

> **Agent:** Running `owasp_alignment_check` on the SDLC policy...

> **Agent:** OWASP Top 10 Alignment Report — Addressed: 14, Partial: 4, Missing: 2. Missing: API4 Unrestricted Resource Consumption, API9 Improper Inventory Management. I'll add a short subsection on API rate limiting and quotas for API4, and a requirement for API inventory and deprecation for API9. Re-run the check after the edit?

> **You:** Yes. Then we're done.

> **Agent:** Re-ran `owasp_alignment_check`. RESULT: All OWASP Top 10 categories addressed. The policy is ready for review.

## What the Tools Validate

The skill includes one extension tool:

**`owasp_alignment_check`** cross-references an SDLC or application security policy against the OWASP Top 10 to confirm that the policy addresses modern web and API vulnerabilities:

- **Scope**: OWASP Top 10:2021 (web applications) and OWASP API Security Top 10:2023 — 20 categories in total
- **Logic**: Scans the policy text for keyword patterns that indicate each risk category is addressed (e.g. "threat model", "injection", "rate limit", "API inventory"). Each category is reported as **addressed** (strong keyword match), **partial** (weak match), or **missing**
- **Output**: A summary (addressed / partial / missing counts), a per-category list with ✓ / ~ / ✗, and a "Missing" and "Partial" section so you can add or strengthen policy language
- **When to run**: After drafting or after material changes to the policy; re-run after edits until missing categories are covered

Run it on the policy document path (e.g. `sdlc-policy.md`) so certification and internal auditors see alignment with current OWASP guidance.

## Output Excerpt

A condensed excerpt from a generated SDLC policy (security gates and OWASP-related requirements):

```markdown
## 4. Security gates

| Gate                 | When                 | Pass/fail criteria                                  | Evidence                      |
|----------------------|----------------------|-----------------------------------------------------|-------------------------------|
| Threat modeling      | Before design freeze | Threat model doc; high risks mitigated              | Design repo / wiki            |
| Peer review          | Before merge         | At least one approver; security checklist completed | MR/PR + checklist             |
| SAST                 | CI pipeline          | No Critical/High unresolved                         | Scan report in CI             |
| DAST / security test | Pre-release          | Critical/High remediated or accepted                | Test report + risk acceptance |

## 5. Security by Design and by Default

- **Security by Design**: Security requirements and abuse cases in design; secure architecture and design review (A.8.27). Threat modeling for new features or major changes.
- **Security by Default**: Secure defaults (least privilege, safe config); dependency and component management (SBOM, vulnerability scanning); no default credentials in code or config.

## 6. Application security and OWASP alignment

Security requirements and testing shall address OWASP Top 10 (web and API) as applicable: access control and authorization (incl. object-level for APIs), authentication and session handling, injection prevention, secure design and threat modeling, misconfiguration and hardening, vulnerable components and supply chain, data integrity and logging, SSRF prevention, API rate limiting and inventory.
```

After editing, run `owasp_alignment_check` on the policy to confirm all OWASP categories are addressed before submission.
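The SAST and DAST rows of the gate table can be evaluated mechanically against a scan export, which is what produces the "scan report" and "risk acceptance" evidence an auditor asks for. The following is an added Python example and is not part of the generated policy or the skill. The `Finding` shape, the assumption that the SAST gate counts only fixed findings as resolved while the DAST gate also accepts a finding with a recorded risk acceptance, and the sample findings are all constructed for illustration.

```python
"""Illustrative security-gate evaluator for the SAST/DAST policy rows (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str                # hypothetical: "sast" or "dast"
    rule_id: str
    severity: str            # "Critical", "High", "Medium" or "Low"
    status: str              # "open", "fixed" or "accepted"
    acceptance_ref: str = "" # risk-acceptance record id; required for "accepted"


BLOCKING = {"Critical", "High"}

# Assumed gate rules read from the policy table: SAST requires Critical/High to be
# fixed; DAST allows "remediated or accepted", where accepted needs a record id.
GATES = {
    "SAST": {"tool": "sast", "accept_risk": False},
    "DAST / security test": {"tool": "dast", "accept_risk": True},
}


def is_resolved(finding: Finding, accept_risk: bool) -> bool:
    if finding.status == "fixed":
        return True
    # An acceptance with no record behind it is not evidence; treat it as unresolved.
    return accept_risk and finding.status == "accepted" and bool(finding.acceptance_ref)


def evaluate_gate(gate: str, findings: list[Finding]) -> dict:
    rule = GATES[gate]
    in_scope = [f for f in findings if f.tool == rule["tool"] and f.severity in BLOCKING]
    blockers = [f for f in in_scope if not is_resolved(f, rule["accept_risk"])]
    return {
        "gate": gate,
        "passed": not blockers,
        "evaluated": len(in_scope),
        "blockers": [f"{f.rule_id} ({f.severity}, {f.status})" for f in blockers],
    }


def run_all(findings: list[Finding]) -> dict[str, dict]:
    """Evaluate every gate; the returned dict is the evidence record to attach to the release."""
    return {name: evaluate_gate(name, findings) for name in GATES}


# Constructed sample findings covering the edge cases the policy wording implies.
SAMPLE_FINDINGS = [
    Finding("sast", "SQLI-001", "Critical", "fixed"),
    Finding("sast", "XSS-014", "High", "accepted", "RA-2024-07"),  # SAST gate: acceptance not allowed
    Finding("sast", "LOG-003", "Medium", "open"),                  # below blocking threshold
    Finding("dast", "SSRF-002", "High", "accepted", "RA-2024-09"), # DAST gate: accepted with record
    Finding("dast", "AUTH-005", "Critical", "accepted"),           # accepted without record -> blocker
    Finding("dast", "HDR-020", "Low", "open"),
]

if __name__ == "__main__":
    for name, result in run_all(SAMPLE_FINDINGS).items():
        state = "PASS" if result["passed"] else "FAIL"
        print(f"{name}: {state} ({result['evaluated']} Critical/High findings evaluated)")
        for blocker in result["blockers"]:
            print(f"  blocker: {blocker}")
```

On the sample data both gates fail: the SAST gate because a High finding was risk-accepted where the policy only allows a fix, and the DAST gate because an acceptance has no record id. Keeping the evidence dictionary, rather than only the pass/fail bit, is what lets the release record show which finding was accepted under which risk-acceptance reference.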

## Getting Started

Add your source materials (e.g. existing security or development docs) to the project workspace, then activate the *SDLC Control Drafter (ISO 27001 A.8.28)* skill. The agent will guide you through scoping Annex A controls, structuring the policy around Security by Design, Security by Default, and security gates, and validating OWASP alignment.


