A method and system are described. The method includes determining, in a development phase of a software service, whether the software service complies with a first policy in response to a request. The method also monitors, in at least one of a testing phase or a production phase of the software service, whether operation of the software service complies with a second policy. Based on the determining and the monitoring, an indication of a service vulnerability is generated in response to the software service failing to comply with the first policy in the development phase or failing to comply with the second policy in the at least one of the testing phase or the production phase.