Like any other company, we have a lot of sensitive information that we need to protect: internal records, credentials, client data, etc.
As an engineering-focused company, we have to go beyond the conventional and often low-level security practices.
This guide details the security measures that we put in place to safeguard any sensitive and critical piece of information that comes into our hands.
Passwords and Secrets
Passwords are the most common type of sensitive information that any company owns. They are also a kind of information that, if leaked or hacked, can lead to catastrophic results for the company and its clients.
To prevent an apocalyptic scenario caused by the leakage of authentication credentials, we use 1Password.
1Password is a highly secure password management tool. All of the data stored in 1Password is encrypted, and access is tightly controlled via fine-tuned policies.
Code Version Control
For every product that we work on, be it an internal project or a client project, we always use code version control.
The Version Control Systems (VCS for short) that we use, like many other tools, require authentication before anything can be accessed or changed.
Authentication must happen every time a developer updates the code on the VCS, and every time an automated build/deployment is triggered.
For authentication, we rely on SSH keys, which are far more secure than a standard username-password pair. SSH keys are far longer and more complex than any password could be. Unlike a password, the private half of an SSH key is never transferred to the remote system, which removes the risk of it being intercepted in transit.
For an additional level of security, the SSH keys that we use are unique to each developer and to each service that requires access to the code repository (for automatic deployment, for instance).
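One way to check the one-key-per-developer-and-service rule above is to fingerprint every registered public key and flag any key that appears under more than one identity. This is an added example, not our production tooling: the identity labels, the `(identity, public key line)` input shape and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def make_ed25519_pubkey(seed: bytes) -> str:
    """Build a well-formed ssh-ed25519 public key from constructed bytes.
    Sample data only: no matching private key exists."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes, the size of an ed25519 key
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of a 'type base64 [comment]' public key line,
    in the same form that `ssh-keygen -lf` prints."""
    fields = pubkey_line.split()
    blob = base64.b64decode(fields[1], validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != fields[0]:
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(registrations):
    """Return {fingerprint: [identities]} for keys held by more than one identity.
    Comparing fingerprints ignores the free-text comment, so a reused key is
    caught even when it was registered under a different label."""
    owners = defaultdict(set)
    for identity, line in registrations:
        owners[fingerprint(line)].add(identity)
    return {fp: sorted(ids) for fp, ids in owners.items() if len(ids) > 1}


# Constructed sample registrations (hypothetical identities).
ALICE_KEY = make_ed25519_pubkey(b"alice-laptop")
SAMPLE = [
    ("dev:alice", ALICE_KEY + " alice@laptop"),
    ("dev:bob", make_ed25519_pubkey(b"bob-laptop") + " bob@laptop"),
    ("svc:deploy", ALICE_KEY + " ci-deploy"),  # developer key reused by a service
    ("svc:backup", make_ed25519_pubkey(b"backup-job") + " backup"),
]

if __name__ == "__main__":
    for fp, ids in find_shared_keys(SAMPLE).items():
        print(f"{fp} is shared by: {', '.join(ids)}")
```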