Security


Like any other company, we have a lot of sensitive information that we need to protect: internal records, credentials, client data, etc.

As an engineering-focused company, we have to go beyond the conventional and often low-level security practices.

This guide details the security measures that we put in place to safeguard any sensitive and critical piece of information that comes into our hands.

Passwords and Secrets

Passwords are the most common type of sensitive information that any company owns. They are also the kind of information that, if leaked or compromised, can lead to catastrophic results for the company and its clients.

To prevent an apocalyptic scenario caused by the leakage of authentication credentials, we use 1Password.

1Password is a highly secure password management tool. All of the data stored in 1Password is encrypted, and access is tightly controlled via fine-tuned policies.

Introduction to and usage of 1Password

When you need to send credentials that cannot be stored in 1Password (for instance, personal credentials rather than shared team credentials), use Keybase so that the exchange is end-to-end encrypted.

Do NOT ever use email or Slack for that purpose 😱

Code Version Control

For every product that we work on, be it an internal project or a client project, we always use code version control.

The Version Control Systems (VCS for short) that we use, like many other tools, require authentication before anything can be accessed or changed.

Authentication must happen every time a developer pushes code to the VCS, and every time an automated build or deployment is triggered.

For authentication, we rely on SSH keys, which are far more secure than a standard username-password pair. SSH keys are long and complex, far more than any password could be. Unlike a password, the private SSH key is never sent to the remote system (the server only sees the public key and a signature), so it cannot be intercepted in transit.

For an additional level of security, every SSH key we use is unique to one developer or to one service that requires access to the code repository (an automated deployment, for instance), so a single key can be revoked without affecting anyone else.
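A concrete way to apply the per-developer, per-service rule above, as an added example and not the handbook's own tooling: the script generates a dedicated ed25519 key for each service and pins it to its own host alias with IdentitiesOnly, so the client never offers one service's key to another host. The service names, the SSH_DIR variable and the git.example.invalid host are assumptions.

```shell
#!/bin/sh
# Added example (not the handbook's own tooling): one SSH key per developer
# and per deployment service, each bound to its own host alias so the client
# never offers the wrong key. Directory, service and host names are assumed.

SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# Generate a dedicated ed25519 key for one service, e.g. "deploy-billing".
# Requires ssh-keygen (OpenSSH client); returns 2 if it is not installed.
make_service_key() {
  service="$1"
  keyfile="$SSH_DIR/id_ed25519_$service"
  command -v ssh-keygen >/dev/null 2>&1 || return 2
  mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
  [ -f "$keyfile" ] && return 0      # never silently overwrite an existing key
  # -N '' : unattended key for an automated deployment; a developer's own key
  # should carry a passphrase instead (omit -N and let ssh-keygen prompt).
  ssh-keygen -q -t ed25519 -N '' -C "$service" -f "$keyfile"
  chmod 600 "$keyfile"
}

# Emit an ssh_config stanza that pins one host alias to one key.
# IdentitiesOnly stops ssh from offering every key in the agent, which would
# otherwise let a deploy key be presented to a server it was never meant for.
config_stanza() {
  service="$1"; host="$2"; user="${3:-git}"
  printf 'Host %s\n  HostName %s\n  User %s\n  IdentityFile %s/id_ed25519_%s\n  IdentitiesOnly yes\n\n' \
    "$service" "$host" "$user" "$SSH_DIR" "$service"
}

# Check that a private key file is readable only by its owner (mode 0600);
# OpenSSH refuses keys with looser permissions, and so should a reviewer.
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Demo: constructed names (one developer machine, one deployment service);
# the repository host is a placeholder, not a real server.
main() {
  for svc in alice-laptop deploy-billing; do
    make_service_key "$svc" || echo "skipping key generation for $svc (ssh-keygen missing)" >&2
    config_stanza "$svc" "git.example.invalid"
  done
}

case "${1:-}" in
  install) main ;;
  *) echo "usage: $0 install   (generates per-service keys, prints ssh_config stanzas)" >&2 ;;
esac
```

Append the printed stanzas to ~/.ssh/config, then register each public key with the VCS as a deploy key or a developer key; because every key maps to exactly one alias, revoking a compromised service is a matter of deleting one key on the server side.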