- Common setup for engineers:
  - laptop with full-disk encryption
  - automatic updates (possibly forced, with the option to postpone them disabled)
  - password manager
  - 2FA everywhere
  - dedicated browser for development, with no extensions other than those approved by DevSecOps
  - VPN required to reach internal resources
  - dedicated work GitHub account
  - regular rotation of passwords, tokens and keys
- Remote on-premise dev machines that IT can keep secure and up to date (accessible only via VPN); this might reduce the chance of an engineer's laptop being compromised
  - devs mount the dev folder on their laptop so that they can read/write it (this needs low latency)
- Periodic social engineering penetration testing (by a third-party contractor)
- New third-party dependencies/packages must go through audit and approval
- Private package registry (proxy) with a mirror of the packages in use, so builds do not pull directly from the public registry
- Use lock files for dependencies (commit them, and install with npm ci in CI so that the install fails if the lock file and package.json disagree)
- Research ways to proxy requests made to third parties by Node scripts and by the browser: block everything by default and require origins to be allowed explicitly (the allowlist could be centralised). For the browser this could be an extension that intercepts requests.
- Firewall
- Disable post-install scripts, e.g.
npm install --ignore-scripts
(or set ignore-scripts=true in the project's .npmrc so that npm ci honours it too; packages that genuinely need an install-time build step, such as native addons, then have to be rebuilt explicitly with scripts re-enabled for just that package and become a reviewed exception)
- CI should run
npm audit
and fail the job if any dependency has a security advisory (npm audit exits non-zero when it finds advisories at or above the configured --audit-level, so the job only passes with exit code 0). GitHub's security alerts for vulnerable dependencies should already flag these, so this might be redundant, but an alert does not block a pull request by itself while a CI check does.
Consider GitHub Code scanning https://github.blog/2020-09-30-code-scanning-is-now-available
- Commit signing: https://resources.github.com/downloads/GitHub-Whitepaper-Yubico-081021.pdf
- Define policies for adopting third-party services (SaaS and so on); ideally services go through a process of audit and approval.
  - Cypress Dashboard example: https://www.cypress.io/security
  - Request a security report, evaluate it and approve it
  - Design document for the integration approved by DevSecOps
  - Actual integration PRs approved by DevSecOps
- Secrets/credential management in CI (todo: find reference material)
Last active
September 30, 2021 15:30
Gist: giuseppeg/f781502b36b2b59cee969d40ede32a3c