Skip to content

Online Security Best Practices

Jesse edited this page Nov 30, 2025 · 2 revisions

This page provides personal and professional security guidelines for practicum students, engineers, and PMs.
Unlike the API Keys & Secrets and Dependency Management pages, this document focuses on human-focused security behavior, workstation safety, identity protection, and safe collaboration habits.

These expectations apply to anyone contributing to repositories, project docs, or shared infrastructure.


πŸ” Password Security & Identity Protection

View Password & Account Guidelines

Requirements

  • Use strong, unique passwords for every account (no reuse)
  • Store passwords in a password manager
  • Enable MFA with an authentication app, not SMS

Recommended Resources


πŸ“² Multi-Factor Authentication (MFA)

See MFA Best Practices
  • MFA is required wherever available
  • Use Authy or Okta Verify instead of SMS

Reasoning:
SMS can be intercepted or spoofed β€” authentication apps are safer.


πŸ“Ά Safe Browsing & Internet Usage

Expand Security While Browsing

Online Safety

  • Check for https:// + lock icon before logging in
  • Avoid unknown links or email attachments
  • Verify sender identity if a message feels urgent or suspicious

Safer Browsers

  • Brave
  • Firefox

Public Wi-Fi Rules

Activity Allowed?
Logging into GitHub / Firebase ❌ No
Reading documentation βœ” Yes
Sensitive work ⚠ Only with VPN

If public network must be used β†’ connect through NordVPN or ProtonVPN


πŸ›‘ Phishing, Scam & Social Engineering Awareness

Recognizing Attacks Before You Click
  • Be skeptical of urgent messages requesting account access or payment
  • Confirm sender identity separately (Slack/Discord message works!)
  • Never reveal passwords, 2FA codes, or private information via email

The most successful attacks are confidence-based, not technical.


🧰 Device & Workstation Security

Protect Your Personal Development Machine

Machine Requirements

  • Keep operating system updated
  • Enable firewall & auto-patching
  • Install antivirus (Bitdefender or Malwarebytes recommended)
  • Use screen lock when away from your workstation

Storage/Credential Safety

  • Do not store .env or secrets in shared drive folders
  • Avoid downloading dev tools from unverifiable websites
  • Remove unused software or plugins

πŸ’» Secure Software Development Behavior

πŸ”‘ Secure Coding Practices

Expand Developer Behavior Standards
  • Follow OWASP Top 10 security patterns
  • Validate and sanitize all external input
  • Use parameterized queries to prevent SQL injection
  • Prevent XSS by encoding/escaping user-provided content
  • Hash sensitive values (bcrypt/Argon2) β€” never store plain text

Reference: https://owasp.org/www-project-top-ten/


πŸ”’ Repository Hygiene

Expand Version Control Security
  • Use SSH keys for secure Git authentication
  • Sign commits with GPG when possible (especially PM/LE roles)
  • Run secret scanning tools before PR submission (See API page for secret handling)

GPG Setup Guides:
Mac β€” https://alexnorell.com/post/set-up-gpg/
Linux β€” https://www.linuxbabe.com/security/a-practical-guide-to-gpg-part-1-generate-your-keypair
Windows β€” https://www.git-tower.com/blog/setting-up-gpg-windows/


πŸ”­ Security for Project Managers / Leads

View PM Security Responsibilities

RBAC / Access Expectations

  • Give minimum required permissions β€” least privilege
  • Remove access when a student leaves
  • Audit access quarterly or at new term start

Secure Collaboration

Allowed Not Allowed
Wiki pages, diagrams, onboarding docs .env, tokens, passwords
Feature docs & schedules User credentials or private financial info

Encrypted Communication = Signal / Slack w/ MFA / ProtonMail


πŸ”§ Tools & Resources

Security Tools You May Need

Browsers & VPNs

  • Brave | Firefox
  • NordVPN | ProtonVPN

Antivirus

  • Bitdefender
  • Malwarebytes

Security Training


πŸ“œ Acronym Reference

Term Meaning
MFA Multi-Factor Authentication
VPN Virtual Private Network
GPG Commit signing encryption
OWASP Open Web App Security Project
RBAC Role-Based Access Control
DLP Data Loss Prevention (handled elsewhere)

Clone this wiki locally