Mature Product Security Workflows, Stage Gates, and Operating Loops
Why this page exists: many teams collect controls but do not show how the work is supposed to flow when the company becomes more mature. This page provides the target-state workflow pictures and the short commentary needed to make them teachable.
1) Mature secure SDLC workflow
What good looks like: intake decides the depth of security work; design review captures ownership; build and verify produce usable evidence; release sign-off is explicit; and runtime lessons feed back into the next planning cycle.
2) Threat modeling workflow in a mature company
What good looks like: threat modeling is triggered by material change, prepared with real architecture input, run with the right owners in the room, and converted into tracked decisions instead of static diagrams that no one follows.
3) Commit-to-production CI/CD security workflow
What good looks like: repository trust, build isolation, artifact signing/provenance, and promotion controls all produce a release record that can be defended in audit or post-incident review.
4) Kubernetes runtime and cloud operations workflow
What good looks like: baseline controls are present before the incident, runtime visibility exists before the breach, and containment paths are tested before anyone needs them under pressure.
Commentary by stage
| Workflow | Most common anti-pattern | What mature teams do instead |
|---|---|---|
| Secure SDLC | Security review starts only near release. | Classify changes early and pull security work left based on change risk. |
| Threat modeling | Session produces notes but no accountable actions. | Convert outputs into backlog items, approvals, and re-review triggers. |
| CI/CD | Pipeline โgreenโ is treated as equivalent to secure release readiness. | Treat pipelines as one evidence source inside a larger release-decision framework. |
| K8s runtime / cloud ops | Teams buy tooling but do not define containment ownership. | Predefine who can isolate traffic, revoke access, freeze rollout, and approve recovery. |
Suggested operating artefacts
- release decision record;
- threat-model decision log;
- platform baseline and exception register;
- runtime investigation worksheet;
- quarterly metrics pack linked to these workflows.
Team planning workbook
For a companion staffing / ownership workbook, see:
- Product Security Team Staffing, Capacity, and RASI Workbook
- Excel asset: product-security-team-staffing-and-rasi-v6.4.xlsx
External references
- NIST SSDF: https://csrc.nist.gov/pubs/sp/800/218/final
- OWASP SAMM: https://owasp.org/www-project-samm/
- OWASP Threat Modeling Process: https://owasp.org/www-community/Threat_Modeling_Process
- SLSA: https://slsa.dev/