Very good list, I would say that around half of them are not the Developer's responsibility (in a team with sys admins), nevertheless, the rules must be applied and the developers have to know them.
I'm reading the OWASP and AWS guidelines, I know most of the items from this list but
As a suggestion, when you make starter lists like this try to keep them at a minimum, as a newcomer to security this list scares me, I would rather say "I don't even know where to start, it will take me a long time so maybe I would do it later ... which means never".
You raise two interesting points. The first: not a dev's responsibility ... as we move more toward a DevOps world, these roles are becoming combined and at the very least, devs need a strong appreciation and understanding of all the issues if they are not directly responsible for them.
The second: a long list. I hear you. We've got lots of suggestions to add, but we have tried to only add the very important to the list. The idea of the list is not to be prescriptive of what you MUST do, but rather, for you to read the list at various points of your dev lifecycle to prompt your thinking to what items could be relevant at that point.
Thank you for reading and commenting.