Our great sponsors
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
My suggestion would be to follow the OWASP guides or present them to management since they are an industry standard. Furthermore in preparation for pentesting you can instruct your QAs to run through the ASVS controls and run OWASP ZAP to mitigate existing issues. Security and best-practice checks could also be enforced on pull request reviews (there's a ton of software like snyk or blackduck which can be automated per branch/pr etc)
I am on mobile, so I will probably not explain it well enough here. I highly recommend reading my writeup for a Web CTF challenge that I made earlier this year about XSLeaks and REST APIs.