Security-First Development
Binding Methodology
Security-first is not optional. Every project, every feature, every line of code passes through security consideration before it ships. Victoria blocks dev start until a threat model exists. No exceptions.
Philosophy
Security is not a phase in the development lifecycle. It is a property of every line of code, every architecture decision, every deployment configuration, every operational procedure.
The security-first methodology inverts the traditional approach. Traditional: build it, then secure it. GE: secure the design, then build from that secure foundation.
This is not about adding locks to doors after the house is built. It is about building a house where the walls themselves are the locks.
Core Tenets
1. Threat Model Before Design
No architecture diagram is drawn before attack vectors are mapped. No API is designed before trust boundaries are defined. No data store is provisioned before classification is complete.
Victoria produces the threat model. Development waits for it. This is the single most important gate in the GE pipeline.
2. OWASP by Default
The OWASP Top 10:2025 is not a checklist to review before release. It is a set of constraints that shape every implementation decision from the first line of code.
The 2025 edition reflects a shift from symptoms to root causes:
| # | Risk | GE Mitigation |
|---|---|---|
| A01 | Broken Access Control | RBAC enforced at middleware layer, tested by Pol |
| A02 | Security Misconfiguration | Infrastructure as Code, immutable containers |
| A03 | Software Supply Chain Failures | Dependency scanning, lockfile integrity, SBOM |
| A04 | Cryptographic Failures | TLS 1.3 minimum, AES-256-GCM at rest, no custom crypto |
| A05 | Injection | Parameterized queries only, no string concatenation |
| A06 | Insecure Design | Victoria threat model gate |
| A07 | Authentication Failures | WebAuthn preferred, MFA enforced, bcrypt/argon2 |
| A08 | Software/Data Integrity Failures | Signed artifacts, verified deployments |
| A09 | Logging & Alerting Failures | Structured traces at every boundary crossing |
| A10 | Mishandling of Exceptional Conditions | Fail-closed, no data leakage in errors |
3. Defense in Depth
No single control is trusted to prevent a breach. Every layer assumes every other layer has already been compromised.
Internet → WAF → Load Balancer → Network Policy → Service Mesh
→ Application Middleware → Business Logic → Data Layer → Encryption at Rest
Each boundary enforces its own authentication, authorization, and validation. If an attacker bypasses the WAF, the application layer still blocks them. If the application layer is compromised, the data layer still encrypts.
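The sketch below is an added example, not GE's own code. It shows two of the boundaries above (application middleware and data layer), each authorizing independently and failing closed. The role map, permission names and the `handle_request` / `read_invoice` functions are hypothetical.

```python
# Added example: two boundaries that each authorize on their own and fail closed.
import logging
import uuid

log = logging.getLogger("boundary")

# Constructed role-to-permission map (hypothetical names).
ROLE_PERMS = {"admin": {"invoice:read", "invoice:write"}, "viewer": {"invoice:read"}}

class Denied(Exception):
    """Carries only a correlation id; details go to the log, not the client."""
    def __init__(self, ref):
        super().__init__("access denied")
        self.ref = ref

def authorize(principal, permission, layer):
    """Allow only on a positive match; any lookup error is treated as a deny."""
    ref = uuid.uuid4().hex[:8]
    try:
        granted = permission in ROLE_PERMS[principal["role"]]
    except Exception as exc:  # no principal, unknown role, malformed input
        log.warning("layer=%s ref=%s lookup_error=%r", layer, ref, exc)
        granted = False
    if not granted:
        log.warning("layer=%s ref=%s deny perm=%s", layer, ref, permission)
        raise Denied(ref)

def read_invoice(principal, invoice_id, store):
    # Data layer: re-checks instead of assuming the middleware already ran.
    authorize(principal, "invoice:read", "data")
    return store[invoice_id]

def handle_request(principal, invoice_id, store):
    """Middleware boundary: authorize, call down, map failures to safe errors."""
    try:
        authorize(principal, "invoice:read", "middleware")
        return 200, read_invoice(principal, invoice_id, store)
    except Denied as d:
        return 403, {"error": "access denied", "ref": d.ref}
    except Exception as exc:  # unexpected condition: log detail, return none
        ref = uuid.uuid4().hex[:8]
        log.error("layer=middleware ref=%s unhandled=%r", ref, exc)
        return 500, {"error": "internal error", "ref": ref}

# Constructed sample data.
STORE = {"inv-1": {"total": 120}}
```

Calling `read_invoice` directly with an unauthorized principal still raises `Denied`, which is the point of the second check: a bypassed middleware does not open the data layer.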
4. Principle of Least Privilege
Every agent, every service, every user gets the minimum permissions required to perform their function. Nothing more.
- Agents cannot access other agents' workspaces
- Database connections use role-specific credentials
- Kubernetes pods run as non-root with read-only filesystems
- API tokens are scoped to specific operations
- Secrets are injected at runtime, never stored in code
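As an added example (not part of GE's tooling), the check below audits a Kubernetes pod spec for three of the rules in this list: non-root, read-only root filesystem, and secrets referenced instead of written as literals. The manifests are constructed samples given as Python dicts, and the secret-name heuristic in `SECRET_HINTS` is an assumption.

```python
# Added example: audit a parsed pod spec against the least-privilege rules above.
# Fail-closed: a setting that is absent counts as a violation.

# Heuristic (assumption): env var names containing these look like secrets.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")

def audit_pod(pod):
    """Return a list of findings; an empty list means the pod passes."""
    findings = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Container-level values override pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True or uid == 0:
            findings.append(f"{name}: may run as root")
        # readOnlyRootFilesystem exists only at container level.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        for env in c.get("env") or []:
            var = env.get("name", "")
            if "value" in env and any(h in var.upper() for h in SECRET_HINTS):
                findings.append(f"{name}: {var} is a literal value, use secretKeyRef")
    return findings

# Constructed sample manifests (as dicts, so no YAML parser is needed).
GOOD_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{
        "name": "api",
        "securityContext": {"readOnlyRootFilesystem": True},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "db-credentials", "key": "password"}}}],
    }]}}

BAD_POD = {"spec": {"containers": [{
    "name": "worker",
    "env": [{"name": "API_TOKEN", "value": "constructed-placeholder"}],
}]}}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, audit_pod(pod) or "OK")
```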
5. Security as Culture
Every GE agent is trained to think about security implications. Not just Victoria. Not just Pol. All 60 agents.
When a developer agent writes a function that accepts user input, the agent validates and sanitizes that input — not because Victoria told them to, but because the security-first methodology is part of their operational identity.
Victoria's Role: Security Gatekeeper
Victoria is the security architect and gatekeeper. Her authority in the security domain is absolute.
Victoria blocks development start when:
- No threat model exists for the project or feature
- Architecture changes introduce new trust boundaries
- External integrations add new attack surface
- Data classification has not been completed
- Compliance requirements have not been mapped
Victoria approves development start when:
- Threat model is complete and reviewed
- Security requirements are traceable to threats
- Mitigation strategies are defined for all high-risk threats
- Residual risk is documented and accepted by a human (Dirk-Jan)
No agent overrides Victoria on security matters. Disagreements go to human escalation, not majority vote.
Security Pipeline Agents
| Agent | Role | When |
|---|---|---|
| Victoria | Threat modeling, security architecture, security review | Before dev start, at architecture changes |
| Pol | Penetration testing, vulnerability assessment | After implementation, before deployment |
| Ashley | Chaos engineering, resilience testing | In staging, before production |
| Hugo | Infrastructure security, network policies | At infrastructure changes |
| Piotr | Backend security patterns, secure coding review | During implementation |
Compliance Alignment
GE's security-first methodology maps to:
- ISO 27001:2022 — Information Security Management System
- SOC 2 Type II — Trust Services Criteria
- OWASP ASVS — Application Security Verification Standard
- NIST CSF — Cybersecurity Framework
The methodology is not built to pass audits. It is built to be secure. Passing audits is a side effect.
Further Reading
- Security in the SDLC — How security maps to every development stage
- Threat Modeling — STRIDE methodology, templates, and process
- Security Pitfalls — Common mistakes and how GE prevents them
- GE Constitution — Principle 3: Enterprise-Grade From Day One