Developer Security Guides
Practical, step-by-step guides for engineering teams that want to ship more secure software without becoming security experts. Every guide ends with how Lumstep automates the hard part.
AI-Generated Code and the Security Review Gap
When a significant share of your codebase is written by a model, the human review that used to catch security issues as a by-product gets compressed. Here's what changes, and what doesn't.
The Anatomy of a Credential Leak: From Forgotten API Key to Breach
How a hardcoded API key goes from a rushed hotfix commit to an attacker's toolkit — and what the realistic timeline looks like between push and exploitation.
The Axios Supply Chain Attack: A Developer Debrief
On March 31, 2026, axios, npm's most-downloaded HTTP package, was backdoored for three hours. Here is how the attack worked and what defenders should have had in place.
Dependency Confusion: How Attackers Use Your Own Package Names Against You
Dependency confusion attacks turn your internal package names into an attack vector. Here is how the technique works, how it has evolved since Alex Birsan's 2021 research, and how to defend against it.
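The mechanism behind dependency confusion, as an added example for this index page (not code from the linked guide or from npm): a registry proxy that merges an upstream public registry picks the highest version satisfying the declared range, whichever side it came from, so a public package squatting a leaked internal name wins as soon as its version number is higher. The package names, registry snapshots, attacker-published versions and the `.npmrc` below are all constructed; `resolve` and `audit` are this example's own helpers, not npm APIs.

```python
"""Dependency-confusion resolver simulation for npm-style registries.

Added example for this index page, not code from the linked guide or from npm.
The package.json, the two registry snapshots and the .npmrc below are constructed;
the attacker-published versions are invented for the simulation.
"""
import re

# Constructed project manifest.
PACKAGE_JSON = {
    "dependencies": {
        "acme-internal-utils": "^1.4.0",  # internal but unscoped: the classic exposure
        "@acme/auth-client": "^2.0.0",    # internal and scoped
        "lodash": "^4.17.0",              # genuinely public
    }
}

# Constructed registry snapshots: name -> published versions.
INTERNAL_REGISTRY = {
    "acme-internal-utils": ["1.4.2"],
    "@acme/auth-client": ["2.0.0", "2.1.0"],
}
PUBLIC_REGISTRY = {
    "lodash": ["4.17.20", "4.17.21"],
    # Attacker squats the leaked internal name with a version that still
    # satisfies ^1.4.0 but is higher than anything published internally.
    "acme-internal-utils": ["1.4.2", "1.999.0"],
    # A scoped squat would need ownership of @acme on npmjs; included to show the pin holds.
    "@acme/auth-client": ["2.999.0"],
}

# Constructed .npmrc: only the @acme scope is routed to the internal registry.
NPMRC = "@acme:registry=https://npm.acme.internal/\nregistry=https://registry.npmjs.org/\n"


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def satisfies(version, rng):
    """Minimal semver: '^MAJOR.MINOR.PATCH' (same major, at least that version) or exact."""
    if rng.startswith("^"):
        lo = parse_version(rng[1:])
        cur = parse_version(version)
        return cur >= lo and cur[0] == lo[0]
    return parse_version(version) == parse_version(rng)


def pinned_scopes(npmrc):
    """Scopes that have an explicit '@scope:registry=' line."""
    return set(re.findall(r"^(@[\w.-]+):registry=", npmrc, re.M))


def resolve(name, rng, npmrc, internal, public, merge_upstream=True):
    """Pick (version, source) the way a proxy that merges an upstream registry does:
    the highest version satisfying the range wins, whichever registry it came from.
    Exceptions: a scope pinned in .npmrc is never looked up upstream, and
    merge_upstream=False models a proxy configured to exclude the name upstream."""
    scope = name.split("/")[0] if name.startswith("@") else None
    candidates = [(parse_version(v), True, v, "internal")
                  for v in internal.get(name, []) if satisfies(v, rng)]
    if merge_upstream and scope not in pinned_scopes(npmrc):
        candidates += [(parse_version(v), False, v, "public")
                       for v in public.get(name, []) if satisfies(v, rng)]
    if not candidates:
        return None
    _, _, v, src = max(candidates)  # highest version; internal wins an exact tie
    return v, src


def audit(package_json, npmrc, internal, public):
    """Flag every dependency that exists internally but would install from public."""
    findings = []
    for name, rng in package_json["dependencies"].items():
        if name not in internal:
            continue  # nothing internal to confuse with
        picked = resolve(name, rng, npmrc, internal, public)
        if picked and picked[1] == "public":
            findings.append((name, rng, picked[0]))
    return findings


if __name__ == "__main__":
    for name, rng in PACKAGE_JSON["dependencies"].items():
        print(name, rng, "->", resolve(name, rng, NPMRC, INTERNAL_REGISTRY, PUBLIC_REGISTRY))
    print("confusable:", audit(PACKAGE_JSON, NPMRC, INTERNAL_REGISTRY, PUBLIC_REGISTRY))
```

The unscoped `acme-internal-utils` resolves to the attacker's `1.999.0` because the range `^1.4.0` admits it and nothing routes the name away from the public registry; the scoped `@acme/auth-client` stays internal because the scope is pinned. Running `resolve` with `merge_upstream=False` shows the other fix: a proxy rule that refuses to look the internal name up upstream at all.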
What the EU Cyber Resilience Act Actually Changes for Your Engineering Team
The CRA isn't just a compliance checkbox — it rewrites what 'secure by design' means for dev teams shipping software in Europe. Here's what changes in practice: SBOMs, the 72-hour reporting deadline for actively exploited vulnerabilities, dependency hygiene, and the 2027 enforcement clock.
The Miasma Worm: A Developer's Guide to the Supply Chain Attack Rewriting the Rules
The Miasma supply chain worm: how it spreads through npm install, hides in AI coding tools, uses GitHub as its C2 channel, and what your defenses need to look like.
SBOM Compliance: What to Check and Why It Matters for CRA, NIS2, and SOC2
The CRA mandates an SBOM outright; NIS2 and SOC2 get you there indirectly through their supply-chain and change-management controls. This guide covers what each framework actually requires and how to build a compliant Software Bill of Materials in 2026.
Transitive Dependencies: The Security Blind Spot Hiding in Plain Sight
You added 5 packages. You got 200. One of them has a CVE. Here's the math behind transitive dependency risk, why most teams miss it entirely, and what good visibility actually looks like.
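The math and the visibility problem side by side, as an added example for this index page (not code from the linked guide, from npm, or from Lumstep): a breadth-first walk over a lockfile in `package-lock.json` version 3 layout that counts direct versus transitive packages, records the shortest chain from a direct dependency to each reachable package, joins the result against an advisory feed, and computes the probability that at least one of n packages carries a vulnerability given a per-package rate p. The lockfile excerpt, the advisory entry `ADV-EXAMPLE-1` and the rate 0.02 are constructed for illustration; `ADV-EXAMPLE-1` is a placeholder, not a real CVE.

```python
"""Transitive dependency walk over an npm lockfile (lockfileVersion 3).

Added example for this index page, not code from any of the linked guides or
from npm. The lockfile, the advisory list and the per-package defect rate are
all constructed for illustration; ADV-EXAMPLE-1 is a placeholder, not a real CVE.
"""
from collections import deque

# Constructed package-lock.json v3 excerpt: two direct dependencies that pull in
# seven more. Values under "dependencies" are ranges; "version" is what was resolved.
LOCKFILE = {
    "name": "shop-api",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0", "axios": "^1.6.0"}},
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"body-parser": "1.20.1", "qs": "6.11.0", "send": "0.18.0"}},
        "node_modules/body-parser": {"version": "1.20.1",
                                     "dependencies": {"qs": "6.11.0", "raw-body": "2.5.1"}},
        "node_modules/qs": {"version": "6.11.0", "dependencies": {"side-channel": "1.0.4"}},
        "node_modules/side-channel": {"version": "1.0.4"},
        "node_modules/send": {"version": "0.18.0", "dependencies": {"mime": "1.6.0"}},
        "node_modules/mime": {"version": "1.6.0"},
        "node_modules/raw-body": {"version": "2.5.1"},
        "node_modules/axios": {"version": "1.6.0", "dependencies": {"follow-redirects": "^1.15.0"}},
        "node_modules/follow-redirects": {"version": "1.15.4"},
    },
}

# Constructed advisory feed: a package is affected when its version is below "fixed".
ADVISORIES = [{"id": "ADV-EXAMPLE-1", "name": "qs", "fixed": "6.11.1"}]


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def locate(pkgs, parent, name):
    """Mimic Node's lookup: nearest node_modules first, then walk up to the root."""
    base = parent
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in pkgs:
            return candidate
        if not base:
            raise KeyError(f"{name} missing from lockfile (needed by {parent or 'root'})")
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def walk(lock):
    """Breadth-first walk from the root; returns install path -> info.

    BFS means the first time a path is reached is also its shallowest depth,
    so 'depth' and 'chain' describe the shortest route from a direct dependency."""
    pkgs = lock["packages"]
    graph = {}
    queue = deque((n, locate(pkgs, "", n), 1, [n])
                  for n in pkgs[""].get("dependencies", {}))
    while queue:
        name, path, depth, chain = queue.popleft()
        if path in graph:
            continue
        entry = pkgs[path]
        graph[path] = {"name": name, "version": entry["version"],
                       "depth": depth, "chain": chain}
        for child in entry.get("dependencies", {}):
            child_path = locate(pkgs, path, child)
            if child_path not in graph:
                queue.append((child, child_path, depth + 1, chain + [child]))
    return graph


def summarize(graph):
    direct = sum(1 for p in graph.values() if p["depth"] == 1)
    return {"direct": direct, "transitive": len(graph) - direct}


def find_vulnerable(graph, advisories):
    """Join the reachable graph against the advisory feed; keep the chain so the
    fix can be traced back to the direct dependency that owns it."""
    hits = []
    for adv in advisories:
        for p in graph.values():
            if p["name"] == adv["name"] and parse_version(p["version"]) < parse_version(adv["fixed"]):
                hits.append({"name": p["name"], "version": p["version"],
                             "advisory": adv["id"], "chain": " > ".join(p["chain"])})
    return hits


def p_any_vulnerable(n_packages, p_per_package):
    """Probability that at least one of n independent packages carries a
    vulnerability, given a per-package rate p: 1 - (1 - p)^n."""
    return 1 - (1 - p_per_package) ** n_packages


if __name__ == "__main__":
    g = walk(LOCKFILE)
    print(summarize(g))  # {'direct': 2, 'transitive': 7}
    for hit in find_vulnerable(g, ADVISORIES):
        print(f"{hit['advisory']}: {hit['name']}@{hit['version']} via {hit['chain']}")
    for n in (5, 200):
        print(f"{n} packages at p=0.02: P(at least one vulnerable) = {p_any_vulnerable(n, 0.02):.2f}")
```

The walk is keyed by install path rather than package name so that a nested `node_modules/<parent>/node_modules/<name>` copy at a different version is counted and checked separately, which is exactly the case a name-only view misses. With the constructed rate of 0.02, five packages give roughly a one-in-ten chance of carrying something vulnerable, two hundred give better than nine-in-ten; the independence assumption is optimistic, but the shape of the curve is the point.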
Skip the manual work. Lumstep automates every scan in these guides on every push to your repo: secrets, dependencies, code vulnerabilities, and SBOM, all in one report.
Get early access