ID: D202606181032
Tags:
2026-06-18
- Criterion 1: Security Audit
- Analysis grounded in sources / norm text
- Post-implementation re-evaluation of gaps
- Criterion 2: Secure Pipelines
- Environments separated (OTAP: development, test, acceptance, production)
- Configuration and secrets kept separate (secrets never stored in config files or the repository)
- Documentation justifies security choices
- Data not traceable to individuals in each non-production environment (for the Goed grade)
- Criterion 3: Advice Updates
- Concrete implementation recommendations (for the Goed grade)
- Criterion 4: Security Code Review & Vulnerabilities
- Risks of leaving findings unresolved, described with reference to valid sources
- NEN-7510 control references in SAST doc
- Sprint 1 Deliverables
- GitHub Environments (test + production)
- Developer onboarding README.md
- Sprint 2 Deliverables
- CI/CD risk evaluation
- Penetration test plan (and hopefully an execution, if we can actually use the app)
- Vulnerability mitigations linked to NEN-7510 controls
- Risk Assessment Report (formal standalone doc)
- Cost estimation for mitigations
- Sprint 3 Deliverables
- Attack Surface Mapping
- Updated threat model (post-ASM)
- Code coverage configured
- Code coverage report as CI artefact
- Coverage target % justified in writing
- Sprint 4 Deliverables
- Traceability Matrix (≥3 NEN controls)
- Appendix: Traceability Matrix
- Appendix: CRA (Cyber Resilience Act) mapping
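A starting point for the Sprint 1 GitHub Environments and the Sprint 3 coverage-artefact deliverables, as an added example (not the project's own workflow): one workflow that runs the tests with a coverage gate, uploads the report as a CI artefact, and deploys first to a `test` environment and then to `production`, pulling the same-named secret from each environment's own scope. It assumes a Python app under `app/` with `requirements.txt` and a `deploy.sh` script; those names, the 80 % threshold, and the use of pytest-cov are assumptions for illustration.

```yaml
# .github/workflows/ci.yml  (example, not the project's own file)
name: ci
on:
  push:
    branches: [main]
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Assumed project layout: requirements.txt at the root, code under app/
      - run: pip install -r requirements.txt pytest pytest-cov
      # --cov-fail-under makes the coverage target an enforced gate, not just a number in a report;
      # the threshold itself (80 here, assumed) is what the "justified in writing" deliverable documents
      - run: pytest --cov=app --cov-report=xml --cov-report=term --cov-fail-under=80
      # Publish the report as a downloadable CI artefact so reviewers can inspect it per run
      - uses: actions/upload-artifact@v4
        with:
          name: coverage-report
          path: coverage.xml

  deploy-test:
    needs: test
    runs-on: ubuntu-latest
    environment: test          # secrets below resolve from the "test" environment scope
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh       # assumed deploy script; reads APP_ENV and DATABASE_URL
        env:
          APP_ENV: test
          DATABASE_URL: ${{ secrets.DATABASE_URL }}

  deploy-production:
    needs: deploy-test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production    # same secret name, different value: production scope only
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          APP_ENV: production
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
```

The separation lives in the environment scoping, not in the YAML: `secrets.DATABASE_URL` in `deploy-test` can only ever be the value stored on the `test` environment, and a job without `environment: production` cannot read the production value at all. Required reviewers and branch restrictions for `production` are configured on the environment in the repository settings, so the approval gate is enforced even if someone edits the workflow file; that configuration is where the "documentation justifies security choices" item should point.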