Here are few hints and requirements regarding the security in La Suite's projects.
Commit signing is mandatory, preferably using an external component (e.g., Yubikey);
As a repository administrator, you must enforce 2FA for all members with repository rights;
As a non-administrator repository user, you must enable 2FA on your account;
Deploy manually to production: do not perform automatic deployments to production from the code repository (GitHub);
Use a password manager for all secrets, do not write your passwords in plain text (on paper, or even in a file); If this is not possible, you must split the information across multiple channels.
Choose long passwords (at least 20 characters), complex and unique for each service;
Create one account per person and avoid sharing accounts;
Encrypt your storage devices;
Use non-versioned environment variables, different between local, staging, and production;
Develop in a containerized environment to protect the development machine from malicious dependencies;
Last updated 14 days ago