Security


Like any other company, Nimble holds a lot of sensitive information that it needs to protect: internal records, credentials, client data, and so on.

As an engineering-focused company, Nimble has to go beyond the conventional, and often quite basic, security practices that many companies settle for.

This guide details the security measures the team puts in place to safeguard every sensitive or critical piece of information that comes into its hands.

Passwords and Secrets

Passwords are the most common type of sensitive information any company owns. They are also the piece of information that, if leaked or cracked, can lead to catastrophic results for the company and its clients.

To prevent an apocalyptic scenario caused by the leakage of authentication credentials, the team uses 1Password.

1Password is a highly secure password manager. All data stored in 1Password is encrypted on the user's device before it is synced anywhere, and access is tightly controlled via fine-tuned vault policies.

Introduction to and usage of 1Password

When credentials have to be shared, everyone must use 1Password's built-in sharing feature (a shared vault, or sharing a single item), so the secret never leaves the encrypted store.

NEVER use email or Slack for that purpose 😱

Code Version Control

For every product that the team works on, be it an internal project or a client project, they always use code version control.

Version control systems (VCS for short), like many other tools, require authentication before anything can be accessed or changed.

Authentication must happen every time a developer updates the code on the VCS and every time an automated build/deployment is triggered.

For authentication, the team relies on SSH keys rather than a username and password. An SSH key pair is generated with far more entropy than any memorable password, so it cannot be guessed or brute-forced, and it is never reused across services the way passwords often are. Unlike a password, the private key is never sent to the remote system: the server issues a challenge and the client answers with a signature, so someone intercepting the connection captures nothing they can replay. The private key itself still has to be protected (a passphrase or an SSH agent on a developer's machine, the CI platform's secret store for a service) and revoked if the machine holding it is lost.

For an additional level of security, SSH keys are never shared: each developer has their own key, and each service that requires access to the code repository (automatic deployment, for instance) gets its own dedicated key. A key that is lost, or that belongs to someone who has left or to a service that has been retired, can then be revoked on its own without disturbing anyone else's access.
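The per-identity key setup described above, as an added example (not Nimble's own scripts): one ed25519 key per identity, an ssh config that pins each key to its host with `IdentitiesOnly`, and the fingerprint to compare against what the VCS shows after the public key is registered. The host name git.example.com, the aliases, the key comments and the key paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Nimble's tooling: one SSH key per identity (a developer, a
# deployment service), each pinned to its host in an ssh config so the client
# only ever offers that key to that host. Host names, user names and paths are
# assumptions chosen for illustration.
set -eu

# write_host_block CONFIG ALIAS HOST USER KEYFILE
# Appends a Host block for one identity. IdentitiesOnly stops ssh from trying
# every key it has loaded (which reveals all your public keys to the server and
# can exceed the server's authentication-attempt limit); only the named key is
# offered to this host.
write_host_block() {
  config=$1 alias=$2 host=$3 user=$4 keyfile=$5
  printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
    "$alias" "$host" "$user" "$keyfile" >> "$config"
  chmod 600 "$config"
}

# make_key KEYFILE COMMENT
# Generates an ed25519 key pair if none exists. The comment names the identity
# so the public key is recognisable in the VCS key settings page later.
make_key() {
  keyfile=$1 comment=$2
  [ -f "$keyfile" ] && return 0
  # -N '' keeps this demo unattended. A developer's key should carry a
  # passphrase or live in an agent; a CI deploy key is held by the CI secret
  # store and never copied to a laptop.
  ssh-keygen -q -t ed25519 -N '' -C "$comment" -f "$keyfile"
}

# key_fingerprint KEYFILE -> "SHA256:..." of the public key, to compare with
# the fingerprint the VCS displays once the key is registered.
key_fingerprint() {
  ssh-keygen -lf "$1.pub" | awk '{ print $2 }'
}

# count_hosts CONFIG -> number of identities configured in that file
count_hosts() {
  grep -c '^Host ' "$1"
}

# Demo: a developer key and a separate deploy key for the same VCS host.
# Prints the directory holding the generated config and keys.
demo() {
  dir=$(mktemp -d)
  chmod 700 "$dir"
  write_host_block "$dir/config" vcs-alice  git.example.com git "$dir/id_ed25519_alice"
  write_host_block "$dir/config" vcs-deploy git.example.com git "$dir/id_ed25519_deploy"
  if command -v ssh-keygen >/dev/null 2>&1; then
    make_key "$dir/id_ed25519_alice"  "alice@laptop"
    make_key "$dir/id_ed25519_deploy" "deploy-bot@ci"
  fi
  # A developer then clones with the alias, so ssh picks exactly that key:
  #   GIT_SSH_COMMAND="ssh -F $dir/config" git clone vcs-alice:org/repo.git
  echo "$dir"
}
```

Revoking an identity is then a matter of deleting that one public key from the VCS and removing its `Host` block; no other developer or service notices.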