-
Notifications
You must be signed in to change notification settings - Fork 4
Security Guidelines
Security is a fundamental requirement in all projects within the AD Practicum.
This page outlines the core expectations for protecting source code, environment variables, API keys, and external dependencies.
Improper handling of secrets or outdated dependencies can lead to data exposure, broken builds, or compromised systems.
These standards exist to reduce vulnerability risk and teach industry-level security practices.
Use the pages below as reference for secure development.
API Keys & Secrets
Dependency Management
Online Security Best Practices
Overview
Secret data must never be hard-coded into a repository.
This includes:
- API tokens
- Firebase service keys
- OAuth credentials
- Access tokens
- Signing certificates
- Use environment variables, never commit keys
- Store
.envfiles privately and securely - Avoid sharing secrets in screenshots or Slack
- Rotate API keys when team access changes
- Use secret managers when available (GitHub, Firebase, AWS, etc.)
Full guide:
βΆ API Keys & Secrets
Overview
Dependencies must be updated and audited regularly.
Outdated packages are a common source of vulnerabilities.
- Run audits to detect vulnerabilities
- Patch or update flagged packages
- Track releases for major dependencies
- Avoid unmaintained or unknown libraries
- Understanding of vulnerability alerts
- Ability to evaluate severity vs urgency
- Knowing when to upgrade vs replace packages
Full guide:
βΆ Dependency Management
Security risks we prevent
- Credential leaks into public repos
- Unauthorized API usage or billing charges
- Malware through outdated dependencies
- Compromise of client production data
- Team liability during live deployment
Learning to secure software is not optional β it is a required engineering discipline and an expectation for all practicum teams.
Home β’ New Student Onboarding β’ Guides β’ Projects β’ Code of Conduct β’ FAQ
Last updated: 12/7/2025