-
Notifications
You must be signed in to change notification settings - Fork 4
Online Security Best Practices
This page provides personal and professional security guidelines for practicum students, engineers, and PMs.
Unlike the API Keys & Secrets and Dependency Management pages, this document focuses on human-focused security behavior, workstation safety, identity protection, and safe collaboration habits.
These expectations apply to anyone contributing to repositories, project docs, or shared infrastructure.
View Password & Account Guidelines
- Use strong, unique passwords for every account (no reuse)
- Store passwords in a password manager
- Enable MFA with an authentication app, not SMS
- Password Managers
1Password | Bitwarden | LastPass - Password Strength Tool
https://www.security.org/how-secure-is-my-password/ - Breach Check
https://haveibeenpwned.com/
See MFA Best Practices
- MFA is required wherever available
- Use Authy or Okta Verify instead of SMS
Reasoning:
SMS can be intercepted or spoofed β authentication apps are safer.
Expand Security While Browsing
- Check for https:// + lock icon before logging in
- Avoid unknown links or email attachments
- Verify sender identity if a message feels urgent or suspicious
- Brave
- Firefox
| Activity | Allowed? |
|---|---|
| Logging into GitHub / Firebase | β No |
| Reading documentation | β Yes |
| Sensitive work | β Only with VPN |
If public network must be used β connect through NordVPN or ProtonVPN
Recognizing Attacks Before You Click
- Be skeptical of urgent messages requesting account access or payment
- Confirm sender identity separately (Slack/Discord message works!)
- Never reveal passwords, 2FA codes, or private information via email
The most successful attacks are confidence-based, not technical.
Protect Your Personal Development Machine
- Keep operating system updated
- Enable firewall & auto-patching
- Install antivirus (Bitdefender or Malwarebytes recommended)
- Use screen lock when away from your workstation
- Do not store
.envor secrets in shared drive folders - Avoid downloading dev tools from unverifiable websites
- Remove unused software or plugins
Expand Developer Behavior Standards
- Follow OWASP Top 10 security patterns
- Validate and sanitize all external input
- Use parameterized queries to prevent SQL injection
- Prevent XSS by encoding/escaping user-provided content
- Hash sensitive values (bcrypt/Argon2) β never store plain text
Reference: https://owasp.org/www-project-top-ten/
Expand Version Control Security
- Use SSH keys for secure Git authentication
- Sign commits with GPG when possible (especially PM/LE roles)
- Run secret scanning tools before PR submission (See API page for secret handling)
GPG Setup Guides:
Mac β https://alexnorell.com/post/set-up-gpg/
Linux β https://www.linuxbabe.com/security/a-practical-guide-to-gpg-part-1-generate-your-keypair
Windows β https://www.git-tower.com/blog/setting-up-gpg-windows/
View PM Security Responsibilities
- Give minimum required permissions β least privilege
- Remove access when a student leaves
- Audit access quarterly or at new term start
| Allowed | Not Allowed |
|---|---|
| Wiki pages, diagrams, onboarding docs |
.env, tokens, passwords |
| Feature docs & schedules | User credentials or private financial info |
Encrypted Communication = Signal / Slack w/ MFA / ProtonMail
Security Tools You May Need
- Brave | Firefox
- NordVPN | ProtonVPN
- Bitdefender
- Malwarebytes
- Cybrary β https://cybrary.it
- Udemy Security Courses β https://udemy.com
- NIST Cybersecurity Framework β https://nist.gov/cyberframework
| Term | Meaning |
|---|---|
| MFA | Multi-Factor Authentication |
| VPN | Virtual Private Network |
| GPG | Commit signing encryption |
| OWASP | Open Web App Security Project |
| RBAC | Role-Based Access Control |
| DLP | Data Loss Prevention (handled elsewhere) |
Home β’ New Student Onboarding β’ Guides β’ Projects β’ Code of Conduct β’ FAQ
Last updated: 12/7/2025