Development environment security 101
Corporate security is an area dominated by food chain laws. Creatures having great nutrition value and low defense become an easy prey. Same with companies. When you grow you amass various assets of value. The more value your products have the more often you get into crosshair of malicious actors like hackers or aggressive competitors.
So how much security measures do you need? Ideally you need just enough security not to be an easy picket. The complexity of attack on your company should always outweigh the benefits. This is a toolbox of the most efficient practices and processes that make an attack harder.
- Safe space for password exchange.
Corporate password manager. Consider all passwords transferred outside of password manager to be compromised.
- Encrypted workstations with latest security updates. Best case scenario - using linux based OS whenever possible. Keep your Macs up to date.
- Information access. A trackable system of access management to corporate JIRA, Confluence, Github, stages and prods. Access to information is granted only to people who need it and removed as soon as they don’t need it anymore. A well managed information access makes it trivially easy to identify a leak source if one occurs. Also well managed information access is very good at preventing leaks because employees know that every leak is easy to track.
- Databases with passwords must be encrypted. Transfer access keys only in a corporate password manager.
- Penetration testing and bug bounties. If you deal with a sensitive information like payments then outsourced penetration audition is a must. Also keeping generous bug bounties on post-production is a security must have.
- Security monitoring. If you are a small company then have at least one guy whose main job is reading security and hacker forums in darknet, watching DEFCON videos on youtube and staying on top of every vulnerability discovered in every technology your company works with. If a scale of your company allows then keep a department of these guys.
- DO NOT save on security of your remote servers and VPN’s that connect your corporate network to the testing and production environments.
- Physical safety of your development office. Do the red teaming drills.
- Make sure that all of your employees (especially from the not technically savvy departments) know and follow personal cybersecurity guidelines.
You don’t have to do everything at once. But if your company has its own payment systems then you probably should. Also this won’t protect you against a very smart attacker. Luckily those are rare.