Developer Security Best Practices

This page provides best-practice guidelines and documentation that developers can use to improve the security of their process. These are not intended to be required process: with the variety of members, each with their own security rules, it's likely impossible to have a single security process. Hopefully they will be informative, make developers aware of the potential threats they face, and point to some best-practice solutions used by the open source community.

Be aware of the threats

Linux is used quite widely, and Linaro is a major contributor to the kernel and other open source projects. There are many who would like to introduce security flaws into those projects, so we should be aware that our work is a target, and do our best to avoid behavior that would make it easy for someone to compromise our development flow.

Web Passwords

  • Strongly recommend using a password manager.
    • It doesn't only manage passwords, but also helps you remember where you have accounts.
    • LastPass is a good one.

  • Use randomly generated passwords of 16 characters or more (ideally as long as the website allows).
  • Avoid using the password manager for your personal email account, since no one will help you reset it if you lose your master password. Use two-factor authentication and a strong but memorable password there instead.

Two-factor authentication

General suggestions

  • Run a current distro, and keep your system up to date
  • Enable disk encryption on laptops
  • Enable your local firewall, and block all incoming ports
    • gufw is a helpful GUI on Ubuntu
    • This includes disabling sshd on your development systems!
  • Be intentional with the applications you run
    • If possible, try to limit use to a well-supported web browser and terminal
    • Avoid Flash, Java, IM apps, video players, etc.
    • Anything that takes data from the internet as an input is a risk
  • Avoid sketchy sites, don't run things you find in help forums, etc.

Web based alternatives to running applications locally

  • Web-based applications aren't always the best solution, given that they may involve extra third parties. For some uses, though, they benefit from the fact that web browsers are well audited and quickly updated, whereas native networking clients (like IRC or IM applications) usually are not so well managed. So consider things like using Google Talk/Hangouts from the Gmail web interface instead of via Pidgin or native IM clients. Other useful links:
  • Freenode IRC web interface: https://webchat.freenode.net/

  • OFTC IRC web interface: https://webchat.oftc.net/

Be conscious of how you use insecure communication and storage

When handling confidential or private information, avoid transmitting or storing it with insecure methods:

  • Unencrypted Email
  • IRC
  • Hangouts/Google Talk*
  • Google Drive / Docs / Sheets*
  • Third-party personal services: Dropbox, Skype, etc.

(*Note, though, that the Google services are paid and probably just as trustworthy as any IT sysadmins, although in some cases extra precaution should be taken.)

SSH keys

  • Always use SSH keys instead of passwords
  • Make sure SSH keys are always encrypted
  • Only keep keys on physical devices you use (i.e., machines that have keyboards you type on)
  • Only ssh out from your physical devices (end to end secure connections)!
    • Avoid ssh-agent forwarding
  • Extra precautions:
    • I recommend per-device keys
    • Keep track of which machines you can access with which keys
    • Rotate your keys regularly
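
One way to check the "always encrypted" recommendation above is to scan a key directory for private keys stored without a passphrase. This is an added example, not part of the original page; the function names and the header-only sample key are constructed for illustration.

```python
import base64
import binascii
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # header of OpenSSH's own private key format

def key_protection(text):
    """Classify one key file's text: 'encrypted', 'unencrypted' or 'not-a-private-key'."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and lines[0].endswith("PRIVATE KEY-----")):
        return "not-a-private-key"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # encrypted PKCS#8
        return "encrypted"
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Legacy PEM (RSA/DSA/EC) or plain PKCS#8: encryption shows as a Proc-Type header.
        declared = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
        return "encrypted" if declared else "unencrypted"
    # openssh-key-v1: magic, then a length-prefixed cipher name; "none" = no passphrase.
    try:
        blob = base64.b64decode("".join(lines[1:-1]))
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
    except (binascii.Error, struct.error):
        return "not-a-private-key"
    if not blob.startswith(MAGIC):
        return "not-a-private-key"
    cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
    return "unencrypted" if cipher == b"none" else "encrypted"

def audit_ssh_dir(directory):
    """Return sorted names of files in `directory` holding passphrase-less private keys."""
    found = []
    for path in sorted(Path(directory).expanduser().iterdir()):
        if path.is_file() and path.stat().st_size < 64 * 1024:
            if key_protection(path.read_text(errors="replace")) == "unencrypted":
                found.append(path.name)
    return found

def make_sample_key(cipher):
    """Constructed sample: only the header fields of an OpenSSH key, not a usable key."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = MAGIC + b"".join(struct.pack(">I", len(f)) + f for f in (cipher, kdf))
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    ssh_dir = Path("~/.ssh").expanduser()
    for name in (audit_ssh_dir(ssh_dir) if ssh_dir.is_dir() else []):
        print(f"unencrypted private key: {ssh_dir / name}")
```

A key that is reported can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`.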

GPG/PGP encryption and secure email

Process/DevSecurityBestPractices (last modified 2015-02-20 23:52:16)