Playbook

Keeping Code Secure

We use GitHub, GitLab, and BitBucket to manage version control and source code, depending on our client's preferred platform. When using platforms like GitHub, it is mandatory that we follow best practices to ensure consistent security for all of the repositories and code we work with.

Never store credentials as code/config

When committing code we ensure that no credentials are stored as code/config. We use git-secrets on all devices used for development. Git-secrets analyses our commits via git hooks and rejects any code pushed that may include passwords or sensitive information. Git-secrets is also used in our CI/CD services to ensure no build is pushed containing any sensitive information in the code or config files.
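The following added example, which is not from this playbook or from git-secrets itself, shows the kind of check a commit hook performs: it scans the added lines of a staged diff against prohibited patterns and skips allowlisted placeholders. The patterns, the `ALLOWED` values, the function names, the script name and the sample diff are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a minimal staged-change check in the style of a git-secrets
# hook. The patterns are illustrative assumptions, not git-secrets' rule set.

prohibited_patterns() {   # one extended regex per line
  cat <<'EOF'
AKIA[0-9A-Z]{16}
-----BEGIN [A-Z ]*PRIVATE KEY-----
(password|passwd|secret|api_key|token)[[:space:]]*[:=][[:space:]]*["'][^"']{8,}["']
EOF
}

# Documented placeholders that must not block a commit (assumed values).
ALLOWED='AKIAIOSFODNN7EXAMPLE|changeme-placeholder'

# Read a unified diff on stdin and print "file: line" for every added line
# that matches a prohibited pattern. Returns 1 on a finding, 0 when clean.
scan_diff() {
  added=$(awk '
    /^\+\+\+ / { sub(/^\+\+\+ (b\/)?/, ""); file = $0; next }
    /^\+/      { print file ": " substr($0, 2) }' |
    grep -Ev -e "$ALLOWED" || true)
  if printf '%s\n' "$added" | grep -E -e "$(prohibited_patterns)"; then
    return 1
  fi
  return 0
}

sample_diff() {           # constructed input, not a real credential
  cat <<'EOF'
--- a/config.py
+++ b/config.py
@@ -1,0 +1,2 @@
+db_password = "hunter2-not-real"
+region = "eu-west-1"
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -3,0 +4 @@
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
EOF
}

# Called from .git/hooks/pre-commit as: sh check-secrets.sh --hook (name assumed)
if [ "${1:-}" = "--hook" ]; then
  git diff --cached --unified=0 | scan_diff || {
    echo "commit rejected: possible secret in staged changes" >&2
    exit 1
  }
fi
```

The same function can run in a CI job against the diff of a merge request, which catches commits made on a machine where the local hook was never installed.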

Restrict Access and Maintain Security

We ensure that we are the only ones with access to our repositories, and this single access is secured against any malicious attacks. We do this by:

Validate our GitHub Applications

If we are required to use any application from the GitHub marketplace we follow these strict guidelines:

Refresh SSH keys and Personal Access Tokens

We refresh our keys and tokens periodically, mitigating any damage caused by keys that have leaked out.

Create new projects with security in mind

When we set up a new project we ensure that security is our priority from the beginning, even if we feel that in the early stages of the project there may not be any sensitive information. We ensure that all of our projects are fully secure and keep the threat of leakage always in mind.

Audit any code we import into GitHub

If we are importing any code into our GitHub we must ensure that the code is audited before we import it into our repository.

Never store company or client code in our personal GitHub

Any code committed for the company and our client is never stored in our personal GitHub. All client work is committed to the client's secured GitHub repository.


Keywords

Security, Process, Development

2024 © CodeLink Limited.