@giuseppeg
Last active September 30, 2021 15:30
  • Common setup for engineers:
    • laptop with encrypted hard drive
    • automatic updates (possibly forced, disabling delay)
    • password manager
    • 2FA everywhere
    • dedicated browser for development without extensions, except for the ones approved by devsec ops
    • VPN to access internal properties
    • work (dedicated) GitHub account
    • rotate passwords and tokens / keys
  • remote dev machines on-premises that can be kept secure and up to date by IT (accessible only via VPN); this might reduce the chances of compromising an engineer's machine
    • devs mount the dev folder on their laptop so that they can read/write (needs low latency)
  • periodic social engineering penetration testing (by a 3rd party contractor)
  • new 3rd party dependencies/packages must go through audit and approval
  • private package registry (proxy) with a mirror of the used packages
  • use lock files for dependencies
  • use npm with auth tokens
  • research ways to proxy requests made to 3rd parties by node scripts and the browser: block everything by default and ask to allow origins explicitly (this list could be centralized). For the browser this could be an extension that intercepts requests
  • firewall
  • disable post-install scripts, e.g. npm install --ignore-scripts
  • CI should run npm audit and make sure that all is good (no deps with security advisories → process exits with 0). GitHub's security scanner should find vulnerable deps already, so this might be redundant
  • consider GitHub Code scanning: https://github.blog/2020-09-30-code-scanning-is-now-available and https://github.com/features/security
  • commit signing: https://resources.github.com/downloads/GitHub-Whitepaper-Yubico-081021.pdf
  • define policies for adopting 3rd party services (SaaS and so on); ideally services go through a process of audit and approval:
    • Cypress Dashboard example: https://www.cypress.io/security
    • request a report, evaluate and approve it
    • design document for the integration approved by devsec ops
    • actual integration PRs approved by devsec ops
  • secrets/credential management in CI (todo: find reference material)
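An added example (not part of the original gist) that turns two of the checklist items into a CI gate: fail the build unless npm audit reports no advisory at or above a chosen severity, and unless install scripts are disabled via .npmrc. It assumes the npm 7+ layout of npm audit --json (a top-level "vulnerabilities" map with a "severity" field per package) and runs on constructed input so it works offline.

```javascript
// Added example (not from the original gist): a small CI gate for two of the
// checklist items, run on strings so it works offline. It assumes the npm 7+
// `npm audit --json` layout (a top-level "vulnerabilities" map keyed by
// package name with a "severity" field); adjust for other npm versions.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories at or above minSeverity; an empty result means the audit step
// may exit 0, as the checklist requires.
function findBlockingAdvisories(auditJson, minSeverity = "high") {
  const report = JSON.parse(auditJson);
  const floor = SEVERITY_RANK[minSeverity];
  return Object.entries(report.vulnerabilities || {})
    .filter(([, v]) => (SEVERITY_RANK[v.severity] ?? 0) >= floor)
    .map(([name, v]) => ({ name, severity: v.severity, range: v.range }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// .npmrc is a key=value file; ignore-scripts=true makes every install behave
// like `npm install --ignore-scripts`, so post-install scripts never run.
function npmrcDisablesScripts(npmrcText) {
  return npmrcText.split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith("#") && !line.startsWith(";"))
    .some((line) => /^ignore-scripts\s*=\s*true$/i.test(line));
}

// Single verdict for CI: exit 0 only when nothing blocks and scripts are off.
function ciGate(auditJson, npmrcText, minSeverity = "high") {
  const blocking = findBlockingAdvisories(auditJson, minSeverity);
  const scriptsOff = npmrcDisablesScripts(npmrcText);
  const ok = blocking.length === 0 && scriptsOff;
  return { ok, exitCode: ok ? 0 : 1, blocking, scriptsOff };
}

// Constructed sample input (placeholder package names, not real advisories).
const SAMPLE_AUDIT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "example-pkg-a": { name: "example-pkg-a", severity: "low", range: "<1.0.1" },
    "example-pkg-b": { name: "example-pkg-b", severity: "high", range: "<2.3.0" },
  },
  metadata: { vulnerabilities: { low: 1, high: 1, total: 2 } },
});
const SAMPLE_NPMRC = "# project settings\nignore-scripts=true\nsave-exact=true\n";

console.log(JSON.stringify(ciGate(SAMPLE_AUDIT, SAMPLE_NPMRC), null, 2));
```

In a real pipeline the two strings would come from the output of npm audit --json and the repository's .npmrc, and the job would exit with the returned exitCode.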
