aisecurity.llc
Secure SDLC
How security is integrated into our consulting delivery lifecycle and buyer-ready service delivery
aisecurity.llc applies security throughout the consulting delivery lifecycle — not just as a final gate before release. This page describes the controls and practices we apply when building and operating our services, client deliverables, and assessment workflows. Our SDLC is aligned to OWASP ASVS and NIST SSDF principles, and it is designed to make our engagements easier to review by procurement, security, and compliance teams.
Design & Architecture
- Threat modeling for new features and significant changes — we identify what could go wrong before writing code
- Security requirements documented alongside functional requirements
- Architecture review for components handling sensitive data or authentication
- AI-specific threat modeling for any features that use LLM APIs (prompt injection, data exfiltration paths, adversarial input handling)
Development
- Secure coding practices followed by all contributors
- Secrets are stored in environment variables or secrets managers — never in code or version control
- Input validation at system boundaries (API endpoints, form submissions, file uploads)
- Parameterized queries to prevent SQL injection
- Output encoding to prevent XSS in rendered content
- Dependencies pinned and reviewed before adoption
Code Review
- All production code changes require peer review before merge
- Reviewers check for: authentication/authorization issues, injection risks, logic flaws, sensitive data exposure
- Security-focused review for changes to authentication, authorization, data handling, and AI integration code
- Automated secrets scanning runs on all pull requests
CI/CD Pipeline
- Automated dependency vulnerability scanning (Dependabot) on every commit
- Static analysis (SAST) integrated into build pipeline
- Secrets scanning prevents credential commits from merging
- Build artifacts are signed and integrity-verified before deployment
- Deployment to production requires additional authorization beyond standard CI
Deployment & Operations
- Deployment follows least-privilege access — CI/CD systems have minimal required permissions
- Production configuration (secrets, environment variables) managed separately from code
- Infrastructure changes are reviewed and applied through controlled processes
- Database migrations are reviewed for data integrity and rollback viability before deployment
Vulnerability Management
- Critical and high severity dependency vulnerabilities addressed within 7 days of disclosure
- Medium severity vulnerabilities assessed and remediated within 30 days
- Responsible disclosure policy allows external researchers to report issues (security@aisecurity.llc)
- Post-incident reviews following security events to identify and implement improvements
AI-Specific Development Controls
Features that integrate AI model APIs receive additional security review covering:
- Prompt injection risk assessment for LLM-integrated features
- Data minimization review before content is submitted to AI APIs
- Output validation — AI responses are treated as untrusted input and sanitized before rendering
- Rate limiting and abuse monitoring on AI-assisted endpoints
- Logging of AI API calls for security audit and incident investigation
- Human review gates on AI outputs used in security-relevant decisions
Tools We Use
- GitHub / GitHub Actions: source control, CI/CD pipeline
- Dependabot: automated dependency vulnerability scanning
- ESLint / TypeScript: static analysis and type safety
- Vercel: secure deployment and edge security
- Cloudflare: WAF, DDoS protection, CDN
- Supabase RLS: row-level security for data access control
Secure SDLC · aisecurity.llc · Last updated May 19, 2026