Guides

Security guides for developers

Practical, step-by-step guides for engineering teams that want to ship more secure software without becoming security experts. Each guide ends with how Lumstep automates the hard part.

intermediate · 6 min

AI-Generated Code and the Security Review Gap

When a significant portion of your codebase is written by a model, the review process that used to catch security issues organically gets shorter. Here's what changes, and what doesn't.

beginner · 6 min

The Anatomy of a Credential Leak: From Forgotten API Key to Breach

How a hardcoded API key goes from a rushed hotfix commit to an attacker's toolkit — and what the realistic timeline looks like between push and exploitation.

intermediate · 6 min

The Axios Supply Chain Attack: A Developer Debrief

On March 31, 2026, axios - npm's most-downloaded HTTP package - was backdoored for 3 hours. Here is how the attack worked and what defenders should have done.

intermediate · 6 min

Dependency Confusion: How Attackers Use Your Own Package Names Against You

Dependency confusion attacks turn your internal package names into an attack vector. Here is how the technique works, how it has evolved since Alex Birsan's 2021 research, and how to defend against it.

intermediate · 6 min

What the EU Cyber Resilience Act Actually Changes for Your Engineering Team

The CRA isn't just a compliance checkbox — it rewrites what 'secure by design' means for dev teams shipping software in Europe. Here's what changes in practice: SBOMs, 72-hour disclosure, dependency hygiene, and the 2027 enforcement clock.

advanced · 7 min

The Miasma Worm: A Developer's Guide to the Supply Chain Attack Rewriting the Rules

The Miasma supply chain worm: how it spreads through npm install, hides in AI coding tools, uses GitHub as its C2 channel, and what your defenses need to look like.

intermediate · 6 min

SBOM Compliance: What to Check and Why It Matters for CRA, NIS2, and SOC2

CRA, NIS2, and SOC2 all require SBOMs. This guide covers what each framework actually mandates and how to build a compliant Software Bill of Materials in 2026.

intermediate · 6 min

Transitive Dependencies: The Security Blind Spot Hiding in Plain Sight

You added 5 packages. You got 200. One of them has a CVE. Here's the math behind transitive dependency risk, why most teams miss it entirely, and what good visibility actually looks like.

Skip the manual work. Lumstep automates every scan from these guides on each push to your repo - secrets, dependencies, code vulnerabilities and SBOM in a single report.

Early access