Development security process: opportunities for improvement

[smlx]

Hey I just wanted to start a discussion to brainstorm ways to improve the security process in Lagoon development. This is a little vague, but the idea is to consider if there are "DevSecOps" or other development practices that we can incorporate into the Lagoon project.

Some random links I just googled up for further reading:

• https://www.devsecops.org/
• https://www.redhat.com/en/topics/devops/what-is-devsecops

Please throw any ideas into the thread here :)

[smlx]

One idea I came up with is to maybe we should update the PR template to add a note or checkbox to remind Developers and Reviewers to consider the security aspects of code changes?

[AlannaBurke]

Could we come up with a checklist of common/likely issues for each service? For example, if you're working with X part of Lagoon, take a look at this checklist and see if any of your code interacts with or changes these things, and consider any security implications.