SAIL

Security

Compliance is engineering.

Posture: Zero trust · Least privilege · Encrypted by default

Compliance lives in the architecture, from the first line of code. Zero-trust by default. Encrypted in flight and at rest. Supply chain receipts that hold up under scrutiny.

Principles

Zero trust isn't a slogan.
It's the build order.

I.

Identity at every boundary.

Every service, every request, every operator action carries a verifiable identity. Default deny. Nothing trusts location alone.

II.

Least privilege, always.

Permissions scope to the smallest set that lets the work happen. Standing access becomes time-bound elevation. Service accounts get exactly one job.

III.

Encrypted by default.

AES-256 at rest. TLS 1.3 in flight. Customer-managed keys when the threat model demands it. Encryption is a defaulted choice, not a checkbox at the end.

IV.

Audit everything. Retain nothing extra.

Every privileged action lands in an append-only log. Logs are signed, immutable for the retention window, then purged on schedule. The audit trail outlasts the engineer who wrote the change.

V.

Secrets live in vaults.

Vaulted, scoped, and rotated. Rotation is automated where the secret allows it. Compromise triggers rotation in minutes. Secrets never live in env files, code, chat, or screenshots.

Compliance posture by domain

Built for the stacks
where compliance starts.

The lab works in regulated environments. Compliance shapes the architecture before the first line of code, not after the first external audit.

Healthcare

HIPAA-aligned engineering

PHI handled with BAA-aware infrastructure choices. Access scoped by role. Audit trails for every PHI read and write. Encryption defaults that survive a forensic review. Patterns built to pass the Security Rule on the merits.

HIPAA · HITECH · BAA-aware

Finance

SOX, GLBA, PCI patterns

Separation of duties at the code level. Immutable audit logs for material transactions. Tokenization and encryption for cardholder data. Patterns that hold up under external audit because they were built that way from the first commit.

SOX · GLBA · PCI-DSS

Defense / Gov

FedRAMP-aligned posture

FIPS 140-3 validated cryptography. STIG-hardened baselines. Continuous monitoring patterns aligned with FedRAMP Moderate and High. Authority to operate is an engineering outcome earned through the build.

FedRAMP · FISMA · FIPS 140-3

Across domains

Horizontal trust frameworks.

SOC 2 Type II · ISO 27001 · ISO 27017 · ISO 27018 · NIST CSF · GDPR

Access controls, change management, incident response, vendor risk. Mapped to the controls auditors actually test, regardless of which framework the engagement is built against.

Supply chain integrity

The package is
the perimeter.

The agency loop now writes code that pulls dependencies. Every coding agent shares roughly the same training cache: the same popular packages, the same install bases, the same blast radius. A single compromised module becomes a coordinated launching pad. The lab treats supply chain as a first-class engineering surface.

Posture entry · dependency LAB · LEDGER
Dependency: express@4.21.2
Posture: vetted-frozen
Rationale: All signals clean. Long-tenured maintainership. Build provenance verified end to end. Pinned at 4.21.2 in the lockfile.
Signals:
  • maintainer tenure: 11 yrs
  • commit signing: enabled
  • publication binding: trusted
  • CVE status: clean
Reviewed: 2026-04-22 · @lab-eng

Explicit posture per dependency.

Every package that enters a client codebase carries a recorded posture: vetted-frozen, trusted-for-now, or rejected. Decisions live alongside their rationale in version control, not in someone's head.

Signals over CVE lists.

Harder-to-forge evidence comes first: maintainer tenure, organizational affiliation, commit signing, publication metadata, install-base context. CVE lookups are the floor of the analysis, never the ceiling.

SBOM as a deliverable.

Every engagement ships with a software bill of materials. CycloneDX format. Versioned with the release. Signed. Delivered alongside the build, not assembled after a question lands.

Signed artifacts.

Commits, releases, container images. cosign or sigstore on the way out. The signature travels with the artifact and is part of the deliverable. Verification is a one-line operation downstream.

Burn ledger.

When a package or maintainer identity is compromised, we burn it. The decision is recorded in the lab's ledger, the lockfile is patched, and every downstream engagement picks up the same posture without anyone asking twice.
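
A recorded posture and a burn ledger only bind a build if something checks the lockfile against them. The sketch below is an added example, not the lab's own tooling: the ledger's JSON shape, its field names, the treatment of trusted-for-now as a warning, and every package other than express are assumptions constructed for illustration.

```javascript
// Added example: gate a package-lock.json against a per-dependency posture ledger.
// Ledger shape and field names are assumptions; the page shows only a rendered entry.
const POSTURES = new Set(["vetted-frozen", "trusted-for-now", "rejected"]);

// Constructed ledger. Only the express entry mirrors the page; the rest are made up.
const ledger = {
  express: { posture: "vetted-frozen", pinned: "4.21.2", reviewed: "2026-04-22" },
  "example-logger": { posture: "trusted-for-now", reviewed: "2026-04-22" },
  "example-burned-pkg": { posture: "rejected", rationale: "maintainer identity compromised" },
};

// Constructed lockfile fragment (lockfileVersion 3 layout, keyed by install path).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "client-app", version: "1.0.0" },
    "node_modules/express": { version: "4.99.0-constructed" }, // drift from the 4.21.2 pin
    "node_modules/example-logger": { version: "1.0.0" },
    "node_modules/express/node_modules/example-burned-pkg": { version: "0.0.1" },
    "node_modules/@example/unreviewed": { version: "2.0.0" },
  },
};

// The package name follows the last "node_modules/" (covers nested and scoped installs).
function packageName(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? null : lockPath.slice(i + "node_modules/".length);
}

function auditLockfile(lock, entries) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageName(path);
    if (name === null) continue; // root project entry, not a dependency
    // Own-property lookup so a package named "constructor" cannot match Object.prototype.
    const entry = Object.prototype.hasOwnProperty.call(entries, name) ? entries[name] : null;
    const id = `${name}@${meta.version}`;
    if (!entry || !POSTURES.has(entry.posture)) {
      findings.push({ id, level: "fail", reason: "no recorded posture" });
    } else if (entry.posture === "rejected") {
      findings.push({ id, level: "fail", reason: `burned: ${entry.rationale}` });
    } else if (entry.posture === "vetted-frozen" && entry.pinned !== meta.version) {
      findings.push({ id, level: "fail", reason: `frozen at ${entry.pinned}` });
    } else if (entry.posture === "trusted-for-now") {
      findings.push({ id, level: "warn", reason: "re-review due" });
    }
  }
  return findings;
}

const findings = auditLockfile(lockfile, ledger);
console.log(findings);
```

Because the walk covers every install path, a burned package pulled in transitively under another dependency's `node_modules` fails the gate the same way a direct dependency does.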

Engineering practices

How the lab works,
day to day.

01

Isolated coding agents.

AI coding agents run inside Podman rootless containers within Incus boundaries. No agent has direct access to the host, the host's secrets, or anything outside the engagement workspace.

02

Pre-merge review by humans.

Every change is reviewed by a human engineer before it lands on main. Branch protection enforced. CI signs the artifact; the developer's laptop does not.

03

Spec-driven development.

Non-trivial changes start with a versioned spec in git. The spec is the source of truth. The implementation is the proof. Both are reviewable, both are auditable.

04

Credentials revoked at handoff.

Production credentials, API keys, and service tokens issued for an engagement are revoked the day the engagement ends. The lab keeps nothing past the handoff.

What the lab won't touch

Integrity is stating
the limits.

The lab keeps a deliberate set of exclusions. They are easier to state than they are to hold to. We hold to them.

  • Client data on lab infrastructure past handoff.
  • Production credentials sitting in lab repos, chat history, or local notebooks.
  • Telemetry that ships client data to a third party we don't control.
  • Dependencies without verifiable provenance or a credible maintainer surface.
  • Engagements where the security posture is treated as something to figure out later.

Disclosure

Found something?
Tell us directly.

Security disclosures land with the engineers, not a ticketing queue. Send the report to the address below and we'll take it from there.

security@standardapplied.com

  • Acknowledge: Within 24 hours
  • Triage: Five business days
  • Credit: In the changelog, on request