Here are few hints and requirements regarding the security in La Suite's projects.
- Commit signing is mandatory, preferably using an external component (e.g., Yubikey);
- As a repository administrator, you must enforce 2FA for all members with repository rights;
- As a non-administrator repository user, you must enable 2FA on your account;
- Deploy manually to production: do not perform automatic deployments to production from the code repository (GitHub);
- Use a password manager for all secrets, do not write your passwords in plain text (on paper, or even in a file); If this is not possible, you must split the information across multiple channels.
- Choose long passwords (at least 20 characters), complex and unique for each service;
- Create one account per person and avoid sharing accounts;
- Encrypt your storage devices;
- Use non-versioned environment variables, different between local, staging, and production;
- Develop in a containerized environment to protect the development machine from malicious dependencies;