Developer Security — Study Guide

Review these materials before taking the exam. All links open in the Krumware Confluence IO space.

Key Concepts

No hardcoded secrets. Use secrets managers (Vault, KMS, GitHub Secrets, K8s Secrets). Add .env to .gitignore before first commit.
Committed secrets are compromised. Rotate immediately, update secrets management, revoke old key, report to IT.
Input validation: Server-side, at system boundaries, using framework-provided tools. Reject unexpected input.
Database: Use ORMs or parameterized queries. Never concatenate user input into SQL.
No custom crypto. Use established libraries (OpenSSL, NaCl, platform KMS).
Dependabot timelines: Critical = same day, High = 1 week, Medium = 30 days, Low = 90 days.
Containers: Non-root user, minimal base images, pinned versions (no :latest), build through CI/CD, scan before deploy.
Code review: Check for secrets, input validation, parameterized queries, no sensitive data in logs/errors, proper auth, license compatibility.

Document	Relevance
TRN-007 Developer Security Quick Reference	Full reference — secure coding checklists, Dependabot, secret scanning, container security, pre-deployment
POL-012 Secure Development Policy	Governing policy — secure coding, code review, dependency management, container security, CI/CD
POL-005 Vulnerability Management Policy	Vulnerability patching timelines, Dependabot response requirements
STD-002 Encryption Standard	Encryption requirements — TLS, AES-256, key management
POL-003 Secure Configuration & Change Management Policy	Change management, configuration baselines, deployment approvals

Document	Scenario
PLB-003 Credential Compromise Playbook	When a secret is committed to git or credentials are exposed
PLB-002 Data Breach Playbook	When a vulnerability leads to data exposure

Location	OK?
Kubernetes Secrets, Vault, Cloud KMS, GitHub Secrets, env vars (runtime)	Yes
Source code, config files, Dockerfiles, README, Slack, email, comments, .env in git	No