A secure SDLC for a US local government’s in-house dev team
We reviewed a US local government’s in-house development practices and helped them stand up a secure software development lifecycle, so the team writing their public-facing applications builds security in from the first requirement rather than bolting it on later.
A US local government runs an in-house development team that builds the applications its residents actually touch, the public-facing services where a security slip is not a private embarrassment but a public one. The team was capable, but there was no formal software development lifecycle holding the work together, and security tended to be considered late, if at all. For code that sits in front of the public and handles residents’ information, that is a real exposure: vulnerabilities slipping into production, inconsistent practice between developers, and no repeatable way to catch problems before release. They wanted to put a proper, secure SDLC in place and lift the whole team’s secure-coding practice.
02
The approach
We came in on the strategy and process side rather than to write their code for them. We started by reviewing how the team actually worked, from how requirements were captured through to how code was built, tested and released, and measured that against recognised secure-development and secure-coding best practice. From there we designed a software development lifecycle that fit their team and their stack, with security built into each stage rather than tacked on at the end: threat-aware requirements and design, secure-coding standards for their day-to-day work in .NET, React and Xamarin, security checks and dependency scanning wired into their DevOps build pipelines, and test and review gates that have to pass before anything ships. We set it up to run inside the tools they already used, including Jira for tracking the work, so the new process felt like a sharpening of how they worked rather than a foreign imposition.
03
The outcome
The team came away with a defined, repeatable secure SDLC and a clearly raised baseline for how secure their code has to be before it reaches the public. Security is now considered from the first requirement instead of discovered after release, the practice is consistent across developers rather than down to individual habit, and the build pipeline catches a class of problems automatically that used to slip through. For a public-facing government team, that means less risk sitting in production and a process they can keep applying to every new piece of work.
Summary & benefits
A defined, repeatable secure software development lifecycle for an in-house government dev team.
Secure-development and secure-coding best practice embedded across requirements, design, code, build, test and release.
Security checks and dependency scanning wired into the team’s DevOps pipelines.
A consistently higher security baseline for public-facing code, built in from the first requirement.
Similar work in Public Sector & Society
More customer stories like this one.
A long-horizon digital transformation strategy for Transnet
First Digital took Transnet from an honest read of its digital maturity to an executive-aligned transformation roadmap, then helped embed it with targeted skills and change programmes.
Our First Campus Zero to AI Copilot Hero programme, run with Microsoft, took public sector teams from AI fundamentals to confidently using Copilot Chat, Microsoft 365 Copilot and their own agents, with a managed-service follow-up so the adoption stuck.