Based on the 5y questionnaire:

• Define a threat model
• Security for users (as in who can modify data/read data)
• Make sure to inform that oom charts are to be deployed as part of that environment – policy docker/helm standalone are for tests and if used for production, manage the security at their own risk
• identify and document the process for upgrading security threats in code (VA issues or Sonar reports)