Developer pillar · Module 5 of 6

Secure coding

Security isn’t someone else’s job. Every line of code you write can introduce vulnerabilities—or prevent them. Here are the essentials.

Controls stack visual kit

Reusable icons and a telemetry-to-audit diagram aligned to our fundamentals and operational guides.

Governance evidence

Use for control statements that cite ISO/IEC 42001 clause 6.3 change management, EU AI Act Articles 62–75, and SOC 2 trust service criteria.

Secure supply chain

Pair with SBOM, provenance, and intake guidance that references SPDX or CycloneDX formats, SLSA Level 3 attestations, and NIST SSDF tasks PS.3/PO.4.

Telemetry & evaluations

Highlight logging of prompts, responses, refusal rates, and safety filters alongside adversarial evaluation suites from NIST AI RMF playbooks or UK AISI guidance.

Assurance & resilience

Use for incident response and assurance artefacts that must meet OMB M-24-10 24-hour notifications, CIRCIA’s 72-hour clocks, and serious-incident duties under the EU AI Act.

Telemetry-to-audit diagram stages: Signals, Controls, Evidence, Audit.
  • Signals: prompt traces, supplier advisories, and safety filter activations streamed into monitoring.
  • Controls: guardrails, change review, SBOM validation, and access enforcement tied to AI lifecycle gates.
  • Evidence: runbooks that capture artefacts for ISO/IEC 42001 management reviews and SOC 2 narratives.
  • Audit: regulator-facing packets that satisfy EU AI Act post-market monitoring, OMB M-24-10, and CIRCIA timelines.

The vulnerabilities to know

  • Injection attacks. SQL injection, command injection. Never trust user input. Use parameterised queries, validate and sanitise everything.
  • Cross-site scripting (XSS). Attackers inject scripts into web pages. Escape output, use Content Security Policy, don’t build HTML from strings.
  • Authentication failures. Weak passwords, credential stuffing, session hijacking. Use established auth libraries. Never roll your own crypto.
  • Insecure dependencies. Third-party libraries have vulnerabilities too. Keep dependencies updated. Use tools like Dependabot.
  • Secrets in code. Never commit API keys, passwords, or tokens to Git. Use environment variables or secret management tools.

Secure by default

  • Use HTTPS everywhere
  • Validate all input, server-side
  • Apply least privilege
  • Log security events
  • Keep dependencies updated
  • Use security linters
  • Review code for security
  • Learn from OWASP Top 10
