As the responsibility for application security moves into the hands of developers, security at work becomes more important. When security is automated and implemented early on, you can support rapid software development and rapid delivery.
These tips will help improve safety early on and throughout the job without interrupting the workflow.
Never store credentials as code/config
Passwords in public code can easily fall into the wrong hands, so it's best not to put credentials in your repository. If some do get through, there are a lot of great tools out there that reject commits. Suppose the tool matches any of the configured regex patterns indicating mishandling of sensitive information. In that case, you may use codebase auditing and scanning to look for sensitive information that might have been infiltrated through pattern matching.
Remove sensitive data from files and history
It's better not to put sensitive data in the repository so others can't see it. But if it does happen, a few things need to be done to fix the situation. First, invalidate the tokens and passwords that have been exposed. Once they become public on the Internet, you must assume that it is in the hands of malicious actors and respond accordingly. Then remove sensitive data from the repository and history.
We often focus on complex attack vectors, but we fall short on some of the simplest ones when it comes to protecting applications. For example, it only takes one developer to leave their password on a piece of paper that hangs on the monitor so that an attacker can gain access. It is essential to ensure that basic settings and practices are followed. Assign your participants the following rules:
- Require two-factor authentication for every account.
- Never allow users to share accounts/passwords.
- Any laptops/devices with access to the source code should be appropriately secured.
- Repository administrators must control the group's access to data. Give participants access just to the information they need to work.
- Accounts can be personal accounts and do not naturally disappear when users leave the company. Make sure you diligently revoke access for users who no longer work with you.
Take Care of Every Little Access
Disclosure Policy: A process users can report security issues, such as whom to contact, where to open a ticket, what information to include in a ticket, and others.
Security Update Policy: Explain how you will share details about new vulnerabilities. This is important for those who use your project to run critical applications.
Security configurations: Provide project users with suggested settings that should be used with code, such as HTTPS, adding an authorization level, and resetting default passwords.
Find vulnerabilities quickly in your workflow
Scan all open pull requests to avoid introducing new open source vulnerabilities.
If a new vulnerability is discovered, fix it.