Tools to Get Started

Each of the four principles we discussed today has two widely adopted and tested tools that speed up the secure path by automating guardrails, removing human error, and integrating cleanly into modern CI/CD workflows.

1. Threat modeling:

• GitHub Secret Scanning: Automatically detects committed API keys, tokens, and credentials in code and CI before they leak.

• AWS Secrets Manager: Centralized, encrypted store for API keys, DB passwords, and tokens; integrates with IAM and KMS.

2. AuthN, AuthZ, and least privilege:

• Auth0: Full-featured identity provider supporting OAuth2/OIDC, SSO, MFA, and role-based access.

• Open Policy Agent (OPA): Policy-as-code engine (Rego language) for centralized access control decisions across microservices.

3. Secure code and supply chain:

• Semgrep: Lightweight static analysis that scans source code for CI security issues (e.g., injections, unsafe patterns).

• Dependabot: Automatically scans dependencies for known CVEs and raises update PRs.

4. Privacy and PII:

• Google Tink: Open-source encryption library with safe, opinionated APIs for encrypting data at rest and in transit.

• OpenTelemetry: Unified framework for traces, logs, and metrics; includes trace_id correlation across services.