There are many reasons why more and more development teams are going fully remote: the increasingly mature and expansive capabilities of cloud tools and development environments, and the flexibility remote work gives teams. The pandemic has also made in-office work a safety concern, and we don’t see that going back to a pre-COVID normal.
Going remote can mean managing offsite employees, as well as moving part or all of your tech stack to the cloud, both of which open up security issues you may not have dealt with before.
When we talk about remote development, we’re including both in-house teams working remotely and work done with third-party developers (like us).
At Unstoppable Software, our development team has been fully remote for over fifteen years. We develop and maintain complex software for our clients, both on their servers and in our own virtual development ecosystems. We’ve learned a lot about keeping our own and our clients’ assets safe while working remotely.
In this article, you’ll find policies we recommend to safeguard against common security issues. We’ve also included a list of cybersecurity resources, training programs and certification programs for developers and IT teams.
Policies Around Devices and Home Environments
- Require team members to install security updates as soon as they become available.
- Require Wi-Fi networks to be encrypted.
- Require that the modem or router has a firewall enabled, or that the user has a firewall installed on their machine.
- Don’t use the same computer for work and for activities known to carry security risks, such as cryptomining, MMOs, or apps that require Adobe Flash.
- Limit file downloads whenever possible.
Similarly, you can use the cloud or network servers for some apps so not everything needs to be installed locally. That way, if there’s a problem, it’s easier to reformat/replace your computer. – Advice from Senior Developer Nathan Stuller
Team Management Policies
- Use encrypted tools whenever possible, especially for email and chat services.
- Require two-factor authentication for all services. For example, here’s how to turn on two-factor authentication for Slack.
- Use password management apps.
- Never ask users for their passwords, even when troubleshooting.
- Require the use of different passwords for different services rather than one shared password.
I’ve noticed a lot of clients over the years who end up storing certain passwords in plain text in databases, logs, or source code. By using different passwords, this limits exposure even if one is compromised. – Advice from Senior Developer Nathan Stuller
- Document the steps on how to revoke a compromised credential for external services.
- Maintain a cybersecurity insurance policy.
- Maintain a remote workforce policy agreement for all team members.
Our own policy includes time tracking, source code management, project management and communication, expectations around core work hours, equipment and workspace, device security, and how to responsibly handle client materials.
- When working with third parties, use a hardware VPN from a reputable vendor.
- Don’t give outsourced developers admin credentials to your network and servers.
While not having admin credentials can be a pain for outsourcing teams like ours, we don’t think it’s a good idea. We’d rather be inconvenienced than have our customers susceptible to security breaches. – Unstoppable Software founder Sam Schutte
Code Management Policies
Code repositories and APIs are common targets for security breaches. Here’s what we recommend.
- Never store passwords or credentials in the source code. See GitHub’s recommendations for where and how to store sensitive data.
- Use tools like GitGuardian’s internal repository monitoring to scan your git history for security issues such as leaked credentials.
- Require consistent backups of all cloud data.
- Maintain secure code standards for all development projects.
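To illustrate the kind of check behind the first two bullets above, here is a small Python secret scanner that flags credentials on the added lines of a git patch (such as the output of `git log -p --all`). It is example code written for this article, not GitGuardian’s product or GitHub’s guidance; the rule patterns and the sample diff are constructed for the example.

```python
import re

# Constructed rules for secrets that must never be committed (illustrative, not exhaustive).
SECRET_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    # a hard-coded string literal assigned to a password/secret-like variable
    "password-assignment": re.compile(
        r"(?i)\w*(?:password|passwd|pwd|secret)\w*\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
}


def scan_patch(patch: str) -> list:
    """Return (file, new_line_no, rule, snippet) for each added line matching a rule.

    Only '+' lines are inspected: a secret on a '-' line is already in history
    and needs rotating, which a scan cannot do for you.
    """
    findings, current_file, line_no = [], None, 0
    for line in patch.splitlines():
        if line.startswith("+++ "):            # new-file header
            current_file = line[4:].removeprefix("b/")
        elif line.startswith("@@"):            # hunk header: '@@ -a,b +c,d @@'
            line_no = int(re.match(r"@@ -\S+ \+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):             # added line
            line_no += 1
            for name, rule in SECRET_RULES.items():
                if rule.search(line[1:]):
                    findings.append((current_file, line_no, name, line[1:].strip()))
        elif not line.startswith("-"):         # context line (removed lines do not count)
            line_no += 1
    return findings


# Constructed sample diff: a developer replaced an environment lookup with literals.
SAMPLE_PATCH = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
"""

if __name__ == "__main__":
    for path, no, rule, snippet in scan_patch(SAMPLE_PATCH):
        print(f"{path}:{no}: {rule}: {snippet}")
```

Wired into a pre-commit hook or a CI job, the same function reports the offending file and line before the secret ever reaches the shared repository; the removed line in the sample shows the preferred pattern of reading the value from the environment.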
Training & Other Resources
Our own security practices are always evolving because cybersecurity will always be in a state of flux. There are constantly new issues and new solutions. We recommend staying on top of this through training programs and security news sources.
Trainings & Community Support
- Open Web Application Security Project (OWASP)
- SANS Web Application Security Awareness Training for Developers
- Cybrary.it Cybersecurity Professional Development Platform
- GIAC Security Certification Programs
- EC-Council Certified Encryption Specialist (ECES) Certification Program
Security Organizations and Publications that Maintain E-Newsletters