Product Security Scorecards: Coupling Security Issues with Preventative Controls to Drive Security Maturity

Postman's application security team leveraged embedded security engineers to create a custom product security scorecard that teams and management can use to quickly surface security issues and their fixes across projects. The scorecards pair detected security issues with preventive controls, such as repo scanning, and can also incorporate more free-form “security asks” from Jira tickets. The security scorecard allowed teams to roll PR blocking out to their repos and use commit pre-checks to block noncompliant commits.