Indie Dev Security Stack 2026: 5 Tools to Protect Your Product Without a Security Team

Stack Overview

DevSecOps died for you. The traditional approach — hiring a dedicated security engineer or security team — was the only way to cover OWASP Top 10 risks. That’s expensive and slow. This stack replaces the security engineer with automation: automated vulnerability scanning, code analysis, secret rotation, audit logging, and DDoS protection. Each tool handles one thing well, integrates natively with GitHub and AWS, and costs under $30/month per developer.

This stack handles dependency vulnerabilities, code-level flaws, credential exposure, infrastructure visibility, and basic DDoS protection — the five real threats that hit indie builders. It’s built for solo founders and small teams (2-5 people) who ship code but don’t have a dedicated security engineer.

Stack Components

• Dependabot — Automated dependency updates + vulnerability scanning
• GitHub Code Security — Static code analysis (SAST) to catch injection, broken access control before merge
• AWS Secrets Manager — Centralized secret storage instead of .env files or CI/CD variables
• AWS CloudTrail — Audit log for all AWS infrastructure changes
• Cloudflare Free Plan — DDoS protection + rate limiting for your public endpoints

The combination solves a problem individual tools don’t: you get a coherent response to the OWASP Top 10 (94% of apps have broken access control, injection flaws affect all of them) without hiring a security team or running compliance theater. Each tool is free or costs <$30/month per developer.

---

Components

Dependabot (GitHub Native)

Dependabot continuously monitors your package.json for known vulnerabilities and opens pull requests when updates are available or critical issues found. It’s free for public repos and included in GitHub Team+ plans.

Why in this stack:

• Catches 60-70% of supply chain attacks automatically
• Free for everyone if you use GitHub
• Opens PRs instead of just alerting — reduces friction to actually merging security updates

Tool	Difference	Switch if
npm audit	Local CLI only, high false-positive rate, doesn’t auto-update	You want local-first scanning with no GitHub dependency
Snyk	More precise vulnerability prioritization but costs $25/dev/month minimum	You manage >50 dependencies across many projects
Renovate	Open-source, more configurable than Dependabot, but self-hosted overhead	You need to control update grouping/scheduling in detail

GitHub Code Security ($30/committer/month)

Scans your code during CI/CD runs using CodeQL (GitHub’s SAST engine). Detects injection flaws, broken access control, cryptographic failures — the top 3 OWASP vulnerabilities. Free for public repos; costs per committer for private repos.

Why in this stack:

• Catches code-level flaws before merge, not after production incidents
• Integrates natively with GitHub (no extra CI/CD yaml)
• CodeQL is industry-standard, battle-tested

Tool	Difference	Switch if
Semgrep (free tier)	Free, customizable rules, but limited rulesets vs. CodeQL	You want zero licensing friction and don’t need enterprise rule coverage
GitLab SAST	Included in GitLab Premium ($99/month) but only if using GitLab	Your team is on GitLab instead of GitHub
OWASP Dependency-Check	Free, focuses on dependencies NOT code flaws, lightweight	You only care about vulnerable libraries, not code injection

AWS Secrets Manager ($0.40/secret/month + $0.05 per 10k API calls)

Centralized secret storage for API keys, database passwords, OAuth tokens. New AWS accounts created after July 15, 2025 get a 6-month free tier; older accounts pay from day one.

Why in this stack:

• Secrets in .env files and code repositories are how 94% of breaches start
• Secrets Manager auto-rotates credentials if you hook up Lambda (optional)
• Integrates with GitHub Actions, Terraform, Kubernetes — doesn’t require AWS-only architecture

Tool	Difference	Switch if
1Password Secrets Automation	$7.99/user/month, excellent UX, team-friendly audit logging	You have a team of 2+ and value the polish of 1Password
GitHub Actions Secrets	Free, GitHub-native, but no rotation/audit logging	You have <5 secrets and never rotate them (not recommended)
HashiCorp Vault (open-source)	Free self-hosted, powerful, but 2-4 week learning curve	You run your own infrastructure and have the time to self-host

AWS CloudTrail (Free baseline + $0.10/100k data events)

Logs every API call made to your AWS account (who accessed what, when, from where). Free tier gives you 90-day history in the AWS console. Enable for all production accounts.

Why in this stack:

• Detects unauthorized access attempts, deleted resources, permission changes
• Required for breach investigation — without logs, you have no evidence
• Minimal setup: enable in AWS Console, optional: export logs to S3 for long-term retention

Tool	Difference	Switch if
AWS Config	Compliance/drift detection, more expensive, overkill for solo dev initially	You manage >20 AWS resources and need continuous compliance monitoring
Wiz Cloud Security	Unified cloud risk platform but costs $5k-50k+/year	Your infrastructure is $100k+/month spend and requires advanced threat detection

Cloudflare Free Plan (Free)

DDoS protection + WAF + rate limiting for your domain. Free tier blocks attacks up to 300+ Gbps unmetered. Rate limiting is severely restricted on free plan but still prevents basic bot abuse.

Why in this stack:

• Only layer between your origin and the internet for most indie builders
• Free tier is genuinely useful — not a crippled demo
• Handles both volumetric (network-level) and application-level attacks

Tool	Difference	Switch if
AWS Shield Standard	Free but only basic DDoS, no WAF or rate limiting	You’re already heavily on AWS and Shield Advanced isn’t an option ($3000/month)
Cloudflare Pro ($20/month)	Better rate limiting rules, 5 security events history	You need advanced rules (e.g., block by IP range, challenge on suspicious patterns)
AWS WAF	$5/month per WAF + per-rule cost + per-request cost, steeper learning curve	Your application is heavy AWS (Lambda, CloudFront) and you need integrated security

---

Setup Walkthrough

Follow these steps in order. Each is a standalone operation — no dependencies between steps (except authentication to your AWS account and GitHub account, which are prerequisites).

Step 1: Enable Dependabot on Your Repository

Dependabot is enabled by default on all GitHub repositories. Verify it’s active and configure the update schedule.

# File: .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "03:00"
    open-pull-requests-limit: 5
    reviewers:
      - "your-github-username"

This config tells Dependabot to check npm dependencies weekly on Monday mornings and open up to 5 PRs per week. You’ll get a PR in your inbox; review and merge it like any other code change. No other action needed — Dependabot starts scanning immediately after commit.

Step 2: Create a GitHub Team Plan to Access Code Security

GitHub Code Security requires at least a Team plan ($4/month per user). If you’re still on a free personal account, upgrade to Team.

# No CLI command here — visit https://github.com/settings/billing/summary
# Click "Upgrade to Team" and select $4/month billing
# Takes 2 minutes, automatic renewal

After upgrade, Code Security is available in your private repos. For public repos, it’s free automatically.

Step 3: Enable GitHub Code Security in Your Repository Settings

Navigate to your repo Settings > Code Security & Analysis, then enable Code Scanning with CodeQL (GitHub’s default).

# CodeQL setup creates this workflow automatically:
# File: .github/workflows/codeql.yml
# (GitHub generates this for you, no manual editing needed)

# Verify it's enabled by checking GitHub repo:
# Settings > Code Security & Analysis > Code Scanning > Enable CodeQL

The first scan runs on your next commit. Results appear in the Security tab of your repo. No additional configuration required for the basic ruleset.

Step 4: Create an AWS Secrets Manager Secret for Your First Credential

Log in to AWS Console and create a secret for your most-used credential (e.g., Stripe API key, database password).

aws secretsmanager create-secret \
  --name stripe/api-key \
  --description "Stripe live mode API key" \
  --secret-string '{"api_key":"sk_live_YOUR_KEY_HERE"}'

Note the ARN returned (e.g., arn:aws:secretsmanager:us-east-1:123456789:secret:stripe/api-key). This is how you’ll reference it in code. Cost: $0.40/month for one secret.

Step 5: Create an IAM Role for Your Application to Access Secrets

Applications can’t authenticate to Secrets Manager as “root.” Create an IAM role with minimal permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-1:123456789:secret:stripe/api-key"
      ]
    }
  ]
}

Save this as an inline policy on the IAM role your Lambda/ECS task/EC2 instance assumes. You can now restrict which applications access which secrets — instead of giving all code access to all credentials.

Step 6: Fetch a Secret from Your Application Code

In your Node.js application, fetch secrets from Secrets Manager at runtime instead of reading .env.

const { SecretsManagerClient, GetSecretValueCommand } = require("@aws-sdk/client-secrets-manager");

const client = new SecretsManagerClient({ region: "us-east-1" });

async function getSecret(secretName) {
  try {
    const command = new GetSecretValueCommand({ SecretId: secretName });
    const data = await client.send(command);
    return JSON.parse(data.SecretString);
  } catch (error) {
    console.error("Failed to fetch secret:", error);
    throw error;
  }
}

const stripeConfig = await getSecret("stripe/api-key");
console.log("Stripe key loaded from Secrets Manager");

No secrets stored in code or environment variables. Each call to Secrets Manager is logged in CloudTrail.

Step 7: Enable CloudTrail for Your AWS Account

CloudTrail logs all API calls across your AWS account. Enable it for all regions and export logs to an S3 bucket.

aws cloudtrail create-trail \
  --name production-audit \
  --s3-bucket-name my-audit-logs \
  --is-multi-region-trail \
  --enable-log-file-validation

aws cloudtrail start-logging \
  --trail-name production-audit

First 90 days of logs are visible in the AWS Console for free. Logs older than 90 days are available in your S3 bucket (storage costs ~$0.03/GB/month). Enable on your production account immediately.

Step 8: Create an S3 Bucket Policy for CloudTrail Log Delivery

CloudTrail needs permission to write logs to your S3 bucket. Create a bucket policy that restricts access to CloudTrail only.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::my-audit-logs"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-audit-logs/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}

Attach this to your audit logs bucket. CloudTrail can now write new logs continuously without intervention.

Step 9: Point Your Domain to Cloudflare Nameservers

Cloudflare intercepts all traffic to your domain. Update your domain’s nameservers at your registrar to Cloudflare’s.

# Your registrar (GoDaddy, Namecheap, etc.) shows two Cloudflare nameservers
# Example:
# ns1.cloudflare.com
# ns2.cloudflare.com

# Update your domain registrar settings to use these nameservers
# Takes 5-15 minutes to propagate, check with:
dig example.com NS

After nameserver switch, all traffic flows through Cloudflare’s network. DDoS protection is automatic on the free plan.

Step 10: Create a Cloudflare Rate Limiting Rule

Add a basic rate limit rule to prevent brute-force login attempts or API abuse.

Cloudflare Dashboard > Security > Rate limiting > Create rule

Rule:
  Matching requests: Path contains /api/login
  Threshold: 5 requests per minute from a single IP
  Action: Challenge (CAPTCHA)

Also:
  Path contains /api/auth
  Threshold: 10 requests per hour from a single IP
  Action: Block for 1 hour

No code changes needed. Cloudflare applies this at the edge, before requests reach your origin. This prevents automated login attacks and API scraping.

---

Pricing

Component	License	Free Tier	Paid from	Note
Dependabot	GitHub Native	Yes (public repos)	Included in GitHub Team ($4/user/mo)	Free tier covers unlimited public repos, all private repos on Team+
GitHub Code Security	Proprietary	Yes (public repos)	$30/committer/month (private repos, included in Team plan)	Requires GitHub Team ($4/user/mo minimum)
AWS Secrets Manager	Proprietary	$200 credit x 6 months (new accounts only)	$0.40/secret/month + $0.05 per 10k API calls	Accounts created before July 15, 2025: no free tier
CloudTrail	AWS Native	Yes (90-day history, management events)	$0.10 per 100k data events (optional)	Free tier is enough for production; S3 storage for long-term retention is ~$0.03/GB/month
Cloudflare	Freemium	Yes (DDoS, basic rate limiting)	$20/month (Pro plan, better rate limiting)	Free tier is production-ready for 95% of indie projects

Total cost for a solo dev: $0-40/month (GitHub Team + CloudTrail + AWS Secrets Manager), $0 if using GitHub personal free account + Cloudflare free.

Total cost for a small team (3 people): ~$100-150/month (3x GitHub Team $4 + 3x Code Security $30 + Secrets Manager $5 + CloudTrail $5 + Cloudflare free).

---

When to Use This Stack

• Your API receives production traffic but has no dedicated security engineer. This stack catches the most common attack vectors (broken access control, SQL injection, credential theft) automatically.
• You ship code frequently (weekly deploys or more) and need confidence that vulnerabilities don’t sneak through. Dependabot + Code Security block 70-80% of supply chain + code flaws before merge.
• You’re handling user data (authentication, payments, PII) and need an audit trail if something goes wrong. CloudTrail + Secrets Manager ensure you have forensics and compliance evidence.
• You care about shipping, not compliance theater. This stack is about real threat reduction, not CYA documentation.
• You’re on a tight budget and AWS ecosystem. Total cost <$200/month even for a growing small team.

---

When This Stack Is NOT Enough

• You handle medical data (HIPAA), payment cards (PCI-DSS), or regulated financial data. This stack provides tooling, not compliance. You still need professional security audits, penetration testing, and incident response playbooks.
• Your infrastructure spans multiple cloud providers (AWS + GCP + Azure). CloudTrail only covers AWS. You’d need equivalent tools per cloud (Wiz, Lacework, etc.).
• You’re under active attack or suspect you’ve been breached. Incident response and forensics require SIEM, threat hunting, and security expertise this stack doesn’t provide.
• You have >50 engineers committing code. Per-committer billing ($30 x 50 = $1500/month) becomes expensive. Consider Snyk or GitLab at scale.
• You need advanced secrets (multi-cloud, dynamic credentials, short-lived tokens). HashiCorp Vault or managed options (HCP Vault Dedicated) are better for complex rotation.

---

Key Decisions Inside This Stack

GitHub vs. GitLab? This stack assumes GitHub because Dependabot and Code Security are GitHub-native and free/cheap. GitLab has native alternatives (SAST included in Premium) but you lose GitHub’s ecosystem (Actions, Copilot, etc.).

AWS Secrets Manager vs. 1Password? If you’re solo or AWS-based, Secrets Manager is cheapest. If you have a 2-3 person team and value UX/audit logging, 1Password Secrets Automation ($7.99/user/month) is easier and cheaper than the setup time for Secrets Manager.

Cloudflare free vs. paid? The free plan handles DDoS + basic rate limiting. Upgrade to Pro ($20/month) only if you need custom WAF rules (e.g., block by country, challenge on suspicious headers). Most indie projects stay on free forever.

When to add more tools? Add Snyk ($25/dev/month) when you’re managing >100 dependencies across 5+ projects. Add Incident.io ($19/user/month) when your team hits 3-4 people and incidents require coordination. Add Wiz when you have 50+ AWS resources and need automated compliance scanning.