Last week I was in a session about "Security during the build", where the presenter talked about enforcing checks for security issues during the build phase (preferably in a nightly CI run).

One of the interesting tools is https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, which is a web client that can run attacks against web applications to try things like

* SQL injection
* cross-site forgery
* just parameter fuzzing

and much more.

While this is a bit hard to set up with pure REST APIs (if they don't follow HATEOAS), it seems worth doing anyway to make sure that the obvious things don't hit.

And before someone mentions that this does not apply to us because we use Cassandra and not a SQL data store: it is possible to generate profiles and e.g. switch off the SQL injection attack vector.
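As an added illustration of the two points above (a scan gating the nightly build, and a per-project profile that switches individual attack vectors off), here is a small CI gate that reads a scanner report and decides whether the build fails. This is example code written for this thread, not part of ZAP or of this project. It assumes a ZAP-style JSON alert report (sites, each with an alert list carrying `pluginid`, `name`, `riskcode` and `instances`); the report embedded below is constructed, and the plugin ids in it are assumed to match ZAP's rule numbering.

```python
"""CI gate over a DAST report with a per-project rule profile.

Example code for this thread, not ZAP's own tooling. The report layout
(site -> alerts -> pluginid/name/riskcode/instances) is an assumption
modelled on ZAP's JSON report, and SAMPLE_REPORT is constructed.
"""
import json

# Constructed sample report. riskcode: 0=Informational, 1=Low, 2=Medium, 3=High.
# Plugin ids are assumed to match ZAP's numbering (40018 = SQL Injection).
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://staging.example.invalid",
        "alerts": [
            {"pluginid": "40018", "name": "SQL Injection", "riskcode": "3",
             "instances": [{"uri": "https://staging.example.invalid/api/users?id=1"}]},
            {"pluginid": "10202", "name": "Absence of Anti-CSRF Tokens", "riskcode": "2",
             "instances": [{"uri": "https://staging.example.invalid/login"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1",
             "instances": [{"uri": "https://staging.example.invalid/"}]},
        ],
    }]
})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# The profile the mail suggests for a Cassandra-backed service: the SQL
# injection rule is switched off, everything else keeps the default handling.
CASSANDRA_PROFILE = {"40018": "IGNORE"}


def parse_alerts(report_text):
    """Flatten the per-site alert lists into plain dicts (one per rule)."""
    doc = json.loads(report_text)
    alerts = []
    for site in doc.get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "pluginid": str(alert["pluginid"]),
                "name": alert.get("name", "?"),
                "risk": int(alert.get("riskcode", 0)),
                "count": len(alert.get("instances", [])),
            })
    return alerts


def evaluate(report_text, profile, fail_at_risk=2):
    """Sort alerts into FAIL / WARN / IGNORE buckets.

    An explicit per-rule action in the profile wins; otherwise any alert at
    or above fail_at_risk (default: Medium) fails the build and the rest warn.
    """
    buckets = {"FAIL": [], "WARN": [], "IGNORE": []}
    for alert in parse_alerts(report_text):
        action = profile.get(alert["pluginid"])
        if action is None:
            action = "FAIL" if alert["risk"] >= fail_at_risk else "WARN"
        if action not in buckets:
            raise ValueError(f"bad action {action!r} for rule {alert['pluginid']}")
        buckets[action].append(alert)
    return buckets


def gate(report_text, profile, fail_at_risk=2):
    """Return the exit code a CI step would use: 0 = pass, 1 = fail."""
    buckets = evaluate(report_text, profile, fail_at_risk)
    for action in ("FAIL", "WARN", "IGNORE"):
        for alert in buckets[action]:
            print(f"{action:6} {RISK_NAMES[alert['risk']]:13} "
                  f"{alert['pluginid']} {alert['name']} ({alert['count']} hit(s))")
    return 1 if buckets["FAIL"] else 0


if __name__ == "__main__":
    import sys
    # With the SQLi rule ignored the CSRF finding (Medium) still fails the build.
    sys.exit(gate(SAMPLE_REPORT, CASSANDRA_PROFILE))
```

The profile only decides what the build does with a finding; the scanner still runs the rule. Pointing the gate at a real report means replacing `SAMPLE_REPORT` with the file the nightly job writes, and the threshold (`fail_at_risk`) is where a team decides whether Medium findings block merges or merely warn.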