As I've mentioned here in the past, we started working on a product in 2018 and we are getting really close to launching it more openly where people other than our initial (friendly) alpha customers can use it. The reaction has been awesome and we're encouraged.
As I looked at our project, I realized we needed to step back and really confirm we had our basics covered. Now mind you, we're all security oriented developers so I'm not saying these things weren't done by our team—but I will say that even I, as a leader and someone who gets on a soapbox a lot about pushing left, had not explicitly emphasized or required these things as first class features yet.
So I thought I'd share a bit of detail about our thinking here. We basically wanted to take the simplest possible approach to something that would work. So I brainstormed a bit on some general items we always care about and added GitHub issues for them.
Note that this is not an exhaustive list. We have more detailed requirements about authorization, for example, in each story. We also have items to check for things like SQL and code injection. But I wanted to start simple for this discussion.
Anyway, if you're working on any kind of web application, most of these apply in one shape or form. Reach out to me if you have questions. Happy building!!!