Practice good development operational security in [#security]

Operational security (also called procedural security) is the process of identifying risks and private information, and then taking steps to mitigate such risks or prevent the exposure of such private information to unauthorized parties.

As a remote-first organization, we primarily communicate and collaborate on projects over the Internet. Although working over the Internet simplifies our workflow, it also creates multiple points of failure where human error can expose confidential data or lead to attacks on our systems. Computer users, and especially developers at LinkORB, can greatly reduce the likelihood of such security incidents by practising good operational security.

As a LinkORB developer, your day-to-day tasks require access to private resources like our commercial code on GitHub, Packagist repositories, and similar platforms such as hosting services. For this reason, it is paramount that you ensure the secure storage and use of your credentials, our code, and our customers’ information, by maintaining healthy security hygiene across development platforms and your digital devices.

Purpose

This guide recommends best practices for ensuring good operational security in your day-to-day tasks as a LinkORB developer. While this guide focuses on developers, team members in Ops may also find it useful. Specifically, it directs developers to:

Use a password manager

Use a password manager to generate strong passwords that are not easy to guess. Using a strong and different password for each account, service, or application greatly reduces the success rate of threat actors attempting brute-force attacks on your online accounts.

Apart from generating and storing unique and strong passwords, password managers like Bitwarden, KeePass, and KeePassXC, can auto-fill login credentials on a web page. Using autofill (also called auto-type) instead of manually typing your passwords mitigates shoulder surfing by nosy passersby, corporate espionage agents, and other threat actors. Autofill technology also mitigates phishing because it usually only works on the correct URL (not a spoofed one).

Please treat other secret data such as tokens and API keys as passwords by saving them in password managers. A browser’s built-in password manager is not the most secure. Avoid it at all costs.

Treat unexpected prompts to input your master password as suspicious behaviour and possible evidence of an attack in progress. It can mean, for example, that an attacker is trying to export your password vault to clear text and steal it. Such prompts can come in the form of a password vault export request which you are sure you did not initiate.

Such unexpected prompts do NOT include prompts to enter your master password when you try to access your password manager after its auto-lock feature times out.

Use multi-factor authentication

Enable multi-factor authentication on work-related accounts where multi-factor authentication is supported. When using multi-factor authentication, prefer authenticator applications such as GitHub Mobile (only for GitHub) or Authy over SMS-based authentication.

When using multi-factor authentication, ensure the authentication application is running on a different device than the device being used to log in. This separation is important because it prevents attackers from gaining access to your accounts if they compromise only one of your devices. Multi-factor authentication provides little to no additional security if the authenticator application and password manager are installed on the same (compromised) device.

Encrypt sensitive messages and files

We strongly discourage the sharing of confidential information such as keys, passwords, host secrets, or tokens over the Internet, especially through third-party channels. However, if it becomes necessary to transmit such information over the Internet, please encrypt such communication using WebCrypt.

WebCrypt generates a public/private key for encrypting and decrypting messages sent over social media, email, and other platforms. Consider using an encrypted VeraCrypt virtual volume for an additional layer of protection when transferring confidential files.

Adopt least privilege access

Grant applications and contributors only the privileges they require to operate. For example, if an operation only requires read access to your GitHub repository, do not generate a token that has write access for it.

Prefer SSH over HTTPS for Git operations

Some Git and GitHub operations done over HTTPS connections require your GitHub password or a token each time. Every such prompt is another chance for a shoulder surfer to capture the credential. To reduce the number of times you have to type your GitHub password/token, set up SSH-based authentication instead. Once configured, SSH authentication uses a separate passphrase that protects only the SSH private key and is unrelated to your GitHub password.
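The setup described above, as an added example that is not part of the LinkORB handbook: it generates a passphrase-protected key, pins it to github.com, and rewrites a repository's HTTPS origin to SSH. The key path, key comment and remote name are illustrative assumptions; git and OpenSSH are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the LinkORB handbook: move a GitHub clone from HTTPS to SSH
# so that pushes and fetches never prompt for your GitHub password or token.
# Assumptions: git and OpenSSH are installed; key path, key comment and remote name
# are illustrative and can be changed.

# Rewrite a GitHub HTTPS remote URL into its SSH form (other URLs pass through unchanged).
to_ssh_remote() {
  printf '%s\n' "$1" | sed -e 's#^https://github\.com/#git@github.com:#'
}

# One-time setup: a passphrase-protected ed25519 key that is unlocked once into ssh-agent.
# The passphrase protects only this private key; it is unrelated to your GitHub password.
setup_github_ssh_key() {
  key="${1:-$HOME/.ssh/id_ed25519_github}"
  ssh-keygen -t ed25519 -C "linkorb-dev@example.invalid" -f "$key"
  eval "$(ssh-agent -s)" >/dev/null
  ssh-add "$key"
  # Pin this identity to github.com so ssh never offers other keys to it.
  printf 'Host github.com\n  IdentityFile %s\n  IdentitiesOnly yes\n' "$key" >> "$HOME/.ssh/config"
  chmod 600 "$HOME/.ssh/config"
  echo "Add this public key under GitHub > Settings > SSH and GPG keys:"
  cat "$key.pub"
}

# Per repository: switch origin to SSH and confirm the key is accepted.
switch_origin_to_ssh() {
  current=$(git remote get-url origin)
  case "$current" in
    https://github.com/*) git remote set-url origin "$(to_ssh_remote "$current")" ;;
    *) echo "origin is not an HTTPS GitHub URL: $current" >&2; return 1 ;;
  esac
  # GitHub prints a greeting and exits 1 on success (no shell access), so ignore the status.
  ssh -T git@github.com || true
  git remote -v
}

# Alternative that covers every clone at once: let git rewrite HTTPS URLs to SSH itself.
#   git config --global url."git@github.com:".insteadOf "https://github.com/"
```

Run `setup_github_ssh_key` once per machine, then `switch_origin_to_ssh` inside each existing clone; new clones can simply use the `git@github.com:org/repo.git` URL directly.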

Don’t hard-code secrets

Avoid hard-coding secrets such as database login credentials and API keys when prototyping or developing applications. You do not want to risk forgetting to delete the hard-coded secrets before pushing the code to GitHub. Consider using a .env file with an appropriate package during development, or use Docker secrets when using containers.
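One way to resolve a secret at start-up from the sources named above (Docker secret file, environment, local .env file) instead of hard-coding it, as an added example that is not LinkORB's own code. The variable names, the `_FILE` suffix convention and the `SECRETS_DIR` override are illustrative assumptions; `/run/secrets` is where Docker mounts secrets inside a container.

```shell
#!/bin/sh
# Added example, not LinkORB code: resolve a secret at start-up instead of hard-coding it.
# Assumptions: variable names and paths are illustrative; /run/secrets is where Docker
# mounts secrets inside a container, and SECRETS_DIR only exists to make this testable.

# BEFORE (do not do this): the credential becomes part of the commit history forever.
# DB_PASSWORD="s3cr3t-do-not-commit"

# AFTER: look the secret up in this order, and fail loudly if it is nowhere to be found:
#   1. a Docker secret file (<NAME>_FILE if set, else /run/secrets/<name in lowercase>)
#   2. the environment variable <NAME> (how CI runners and docker compose inject secrets)
#   3. a KEY=value line in a local .env file that is listed in .gitignore
load_secret() {
  name="$1"
  envfile="${2:-.env}"
  # Only identifier characters are allowed: the name is spliced into eval and sed below.
  case "$name" in
    ''|*[!A-Za-z0-9_]*) echo "load_secret: invalid name '$name'" >&2; return 2 ;;
  esac

  # 1. Docker secret file; $(cat) drops the trailing newline editors add.
  eval "file=\${${name}_FILE:-}"
  [ -n "$file" ] || file="${SECRETS_DIR:-/run/secrets}/$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')"
  if [ -r "$file" ]; then
    printf '%s' "$(cat "$file")"
    return 0
  fi

  # 2. Environment variable.
  eval "value=\${${name}:-}"
  if [ -n "$value" ]; then
    printf '%s' "$value"
    return 0
  fi

  # 3. .env file; surrounding single or double quotes are stripped.
  if [ -r "$envfile" ]; then
    value=$(sed -n "s/^${name}=//p" "$envfile" | head -n 1 |
      sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
    if [ -n "$value" ]; then
      printf '%s' "$value"
      return 0
    fi
  fi

  # No silent default: a missing secret must abort start-up, not run with an empty value.
  echo "load_secret: $name not found in secret file, environment or $envfile" >&2
  return 1
}

# Typical use in an application start script:
#   DB_PASSWORD=$(load_secret DB_PASSWORD) || exit 1
```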

Don’t leave your work computer unattended

Any number of bad things can happen if an attacker gains access to private code repositories, login credentials, or private communication saved on your work computer. Leaving your computer unlocked and unattended can expose you to attacks ranging from one-time data/credential theft to evil maid attacks that do more damage.

To mitigate the chances of such attacks, do not leave your computer unattended even for short periods of time. Lock your computer before stepping away from it or take it with you.

Use a trustworthy VPN when connecting through untrusted (public) Wi-Fi

Avoid public Wi-Fi when working on projects or communicating sensitive information. If you must use an untrusted or public Wi-Fi, please use a trusted VPN such as WireGuard.

See using Wireguard VPN to access select LinkORB resources for WireGuard setup and usage instructions.

Automate processes to reduce errors

Automate security checks such as code reviews and multi-factor authentication requirements to reduce the possibility of human errors. When automating security measures, please ensure the secure storage of keys/secrets used by such automation tools.

Avoid phishing

To mitigate phishing attacks through email or social media:

  • Do not use your LinkORB email for personal messages or social media.
  • Don’t click suspicious links in emails and other messages. Instead:
    • Always navigate to the website through your own bookmarks or by typing the URL into the address bar.
    • Use your password manager to auto-fill your credentials if a link from an email or message takes you to a login page. The auto-fill will usually fail if you’ve been tricked into visiting a phishing or fake site.
  • Use different email/username and password combinations for different accounts, applications, or services. This security measure prevents attackers from gaining access to your other accounts if one account is compromised.
  • Change your password if you think it may have been seen by someone else.
  • Report suspicious links to the security officer or the related service’s support.

Minimize browser plugin/extension usage

Browser plugins and extensions can be attack vectors for threat actors looking to steal login credentials or perform other malicious actions. Please minimize the installation/use of browser plugins/extensions on your work computer.

Avoid browser plugins/extensions that are new or suddenly popular until they are well-known and have been around for a long time.

Keep software updated

Software and operating system updates fix bugs and, sometimes, critical vulnerabilities. Use your computer’s automatic software update feature to ensure you’re always running up-to-date software.

Use Antivirus software on Windows

The Windows operating system is a common target of malware, spyware, and ransomware attacks. Please keep the built-in Windows Defender antivirus activated and updated at all times.

Prefer temporary tokens and API keys

Old, forgotten, but unexpired tokens and API keys are common attack vectors. If exposed, such tokens grant threat actors access to private and sensitive data. To mitigate such attacks, please create temporary tokens that last only as long as you or an application need access to a given resource. For example, GitHub personal access tokens have a 30-day lifespan by default. Please revoke such GitHub tokens before they expire if you no longer require them.

Please revoke the access of all SSH keys, GitHub tokens, API keys, and other credentials stored on lost, stolen, or decommissioned digital devices.

What to do if you expose a secret

If you inadvertently expose a secret, please do one or more of the following:

  • Revoke the access of exposed tokens, API keys, or SSH keys, and replace them with new ones immediately.
  • Change exposed passwords immediately and inform appropriate team members (e.g. your Team Lead or the Chief Security Officer) of the incident.
