Skip to content

Security Guidelines

Jesse edited this page Nov 29, 2025 · 5 revisions

Security is a fundamental requirement in all projects within the AD Practicum.
This page outlines the core expectations for protecting source code, environment variables, API keys, and external dependencies.

Improper handling of secrets or outdated dependencies can lead to data exposure, broken builds, or compromised systems.
These standards exist to reduce vulnerability risk and teach industry-level security practices.

Use the pages below as reference for secure development.


πŸ”Ή Subpages

API Keys & Secrets
Dependency Management


API Keys & Secrets

Overview

Secret data must never be hard-coded into a repository.

This includes:

  • API tokens
  • Firebase service keys
  • OAuth credentials
  • Access tokens
  • Signing certificates

Key Standards

  • Use environment variables, never commit keys
  • Store .env files privately and securely
  • Avoid sharing secrets in screenshots or Slack
  • Rotate API keys when team access changes
  • Use secret managers when available (GitHub, Firebase, AWS, etc.)

Full guide:
β–Ά https://github.com/SeattleColleges/SeattleColleges-AD-Practicum-Wiki/wiki/api-keys-and-secrets


Dependency Management

Overview

Dependencies must be updated and audited regularly.
Outdated packages are a common source of vulnerabilities.

Key Expectations

  • Run audits to detect vulnerabilities
  • Patch or update flagged packages
  • Track releases for major dependencies
  • Avoid unmaintained or unknown libraries

Required Skills

  • Understanding of vulnerability alerts
  • Ability to evaluate severity vs urgency
  • Knowing when to upgrade vs replace packages

Full guide:
β–Ά https://github.com/SeattleColleges/SeattleColleges-AD-Practicum-Wiki/wiki/dependency-management


Why This Matters

Security risks we prevent
  • Credential leaks into public repos
  • Unauthorized API usage or billing charges
  • Malware through outdated dependencies
  • Compromise of client production data
  • Team liability during live deployment

Learning to secure software is not optional β€” it is a required engineering discipline and an expectation for all practicum teams.


Clone this wiki locally