Security Guidelines

Disk encryption

We ask all employees to use full disk encryption in order to protect their personal as well as company data. This can be set up easily on macOS and Linux.

Password / Secrets Storage

Passwords should never be easy to guess and should be different for each service and site. We recommend all passwords to match [a-zA-Z0-9]{24}, which means 24+ random alphanumeric characters. To store passwords, as well as secrets such as tokens and keys, we strongly encourage the use of password managers like 1Password, LastPass or Bitwarden. Under no circumstances should passwords be saved in your browser.

If passwords or tokens need to be shared, do so only using our corporate LastPass account or our developer Bitwarden setup.

To minimize the risk in case a password is exposed anyway, we strongly encourage all employees to use two-factor authentication and to enforce its use for relevant work-place services.

Firewall

A firewall should be installed on every network device, set up to be active by default and to block all incoming connections.

Updates

As part of a weekly security checkup, make sure all software you run is up-to-date to the latest supported version.

SSH keys

SSH keys used for work purposes must be at least 4096 bits long and be secured with a password. We ask that each key's comment contains the name of the person it belongs to, so that we can identify keys more easily after access has been granted.

For obvious reasons, private keys must be stored securely and must never be exposed to anybody else in any fashion. Also, never send private keys to anyone, including yourself, via the internet.

Server access is only ever granted based on SSH key authentication, never password authentication.
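The following is an added example, not part of these guidelines, showing how an administrator could check an authorized_keys-style line against the policy above (ssh-rsa, at least 4096 bits, a comment naming the owner) before granting access. It parses the key's wire format directly in pure Python; the key type, the "comment is the third field" convention and the synthetic test key are assumptions for the example.

```python
import base64
import struct

MIN_BITS = 4096  # policy minimum from the guidelines above


def _read_field(blob, offset):
    """Read one SSH wire-format field: 4-byte big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_modulus_bits(key_blob):
    """Return the modulus bit length of a decoded ssh-rsa key blob."""
    key_type, off = _read_field(key_blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    _exponent, off = _read_field(key_blob, off)  # e, not needed for the check
    modulus, _ = _read_field(key_blob, off)       # n as an mpint
    return int.from_bytes(modulus, "big").bit_length()


def check_public_key(line):
    """Check one public key line against the policy; returns (ok, reason)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return False, "malformed key line"
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type != "ssh-rsa":
        return False, f"{key_type}: bit-length rule applies to ssh-rsa keys; review manually"
    try:
        bits = rsa_modulus_bits(base64.b64decode(b64, validate=True))
    except (ValueError, struct.error) as exc:
        return False, f"undecodable key: {exc}"
    if bits < MIN_BITS:
        return False, f"{bits}-bit key is below the {MIN_BITS}-bit minimum"
    if not comment:
        return False, "missing owner comment"
    return True, f"{bits}-bit ssh-rsa key for '{comment}'"


def make_rsa_key_line(bits, comment):
    """Constructed fixture: a syntactically valid ssh-rsa line with a synthetic
    modulus of the requested bit length (not a usable key)."""
    def mpint(value):
        raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()
```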

Work Place

When leaving your workspace, we require you to lock your machine so that nobody else can access it. This also applies when just leaving the developer office or taking short breaks. If the computer is out of sight, it should be locked. This goes for all machines containing company data or with access to it.

If you leave your laptop at the office overnight, shut it down completely.

Working on a server

Passwords, API keys or other credentials should never be leaked into shell history, especially on servers. Passwords should only be read from stdin or from a file, never passed as command-line arguments.

Do not leave files on the server that contain confidential and protected information (e.g. no database dumps).

Production data

All production data, such as database dumps, that does not reside on the respective servers must be encrypted. If you want to share a (sub)set of any of our production data with someone for testing purposes, encrypt it using AES-256 and communicate the password to the recipient directly, separately from the data.

Do not store production data on your local machine longer than you need it.