Over the years of working in the web development industry we've collected a number of rules that we believe are essential to keep the company and all its products secure. These are bare-minimum, must-have norms that every software development team should apply to reach a baseline level of security while working on a software product.
Encrypt your hard drives
FileVault is the built-in solution for Apple hardware, and there are plenty of other tools that make the data on a powered-off computer's drive very difficult to decrypt without the key.
Turn off your computer when you are on the move
Disk encryption only protects your data when the computer is completely turned off (not merely with the lid closed or in hibernation). Keep this in mind especially while traveling, when there is even a small risk of losing the equipment or having it stolen.
Set up two-factor authentication (2FA) whenever you can
At USEO, we use Google Workspace with built-in 2FA. We have a rule that we sign in with our Google account whenever an external service allows it. If there is no such option, it is best to set a unique password and turn on 2FA immediately after logging in.
Update your antivirus program
It's kind of obvious. Never delay your software updates.
Lock your screen(s)
Set your computer to require a password every time the screen turns off. Better still, lock it yourself as soon as you step away from it.
Secure your phone
Your phone is a 2FA component, so it must be well protected: use a long passcode, facial recognition or a fingerprint.
Use only a work account
Do not use personal cloud accounts for your work, even if they are also Google accounts. This applies to documents, e-mail, calendar, etc. Google Workspace applies different security policies to personal and work accounts.
Secure external drives
All external drives on which we store company data should be encrypted and password protected.
Use a password manager
It could be Apple Keychain, 1Password, or any other solution that stores your passwords securely. This gives us an individual password for every service without having to remember any of them.
Generate secure passwords
If you can't log in somewhere using your Google account, generate a password in the password manager: it will be long, unique and hard to guess, and you won't have to remember it.
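To show what "generated" should mean in practice, here is a small password generator added as an example for this post (it is not USEO's code or that of any password manager). It draws every character from the operating system's cryptographic random source via Python's secrets module, enforces the character classes many services require, and reports the entropy of the result so you can judge whether a chosen length is adequate. The 94-symbol alphabet and the minimum length of 12 are assumptions for the example.

```python
import math
import secrets
import string

# Character classes a generated password draws from (94 printable ASCII
# symbols). Assumed for this example; shrink it if a service rejects some
# punctuation, and raise the length to compensate.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random from `alphabet`.

    secrets.choice uses the OS CSPRNG; the random module must never be used
    for this, because its output is predictable from a few observed values.
    """
    if length < 12:
        raise ValueError("a generated password should be at least 12 characters")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        # Require one character from each class so services with composition
        # rules accept the password. Rejecting and retrying keeps the
        # distribution uniform over the passwords that are accepted.
        if (any(c.islower() for c in password)
                and any(c.isupper() for c in password)
                and any(c.isdigit() for c in password)
                and any(c in string.punctuation for c in password)):
            return password


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet of
    `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(len(pw)):.1f} bits of entropy)")
```

Twenty characters from this alphabet give roughly 131 bits of entropy, far beyond what any online or offline guessing attack can cover; the point of the manager is that the length costs you nothing because you never type the password from memory.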
Use a VPN
Whenever you use public Wi-Fi, use a VPN to protect your connection. We have some experience with ExpressVPN and NordVPN; both are fine, but there are plenty of other options.
Be careful with company data
Even if the data does not seem important or sensitive, it can still be used for various types of attacks (e.g. phishing or spoofing).
Update the software
This means all of your software, including the operating system. Do it regularly: old versions often contain bugs that are easy to exploit.
If you are a software developer - never use a production database in your local environment
It may seem easier and faster to load a production database for local development, but it creates a lot of risk.
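One way to enforce this rule technically rather than by memory is a start-up guard that refuses to run a non-production build against anything but a local database. The following is an added example written for this post, not USEO's code; the environment variable names APP_ENV and DATABASE_URL and the allowlist of local hostnames are assumptions you would adapt to your own setup.

```python
import os
from urllib.parse import urlparse

# Hostnames a developer's machine may connect to outside production.
# Constructed allowlist for this example; extend it with your local
# container or VM names.
LOCAL_DB_HOSTS = {"localhost", "127.0.0.1", "::1", "db", "postgres"}


def is_production_target(db_url: str) -> bool:
    """Treat any host outside the local allowlist as a potentially real
    database, so a non-production process has to be explicit about it."""
    host = urlparse(db_url).hostname
    if host is None:
        raise ValueError("could not parse a database host from the URL")
    return host.lower() not in LOCAL_DB_HOSTS


def check_database_target(app_env: str, db_url: str) -> str:
    """Return `db_url` if it is acceptable for `app_env`, else raise.

    Only the hostname is echoed in the error, never the credentials that a
    connection URL usually carries.
    """
    if app_env != "production" and is_production_target(db_url):
        raise RuntimeError(
            f"APP_ENV={app_env!r} but DATABASE_URL points at host "
            f"{urlparse(db_url).hostname!r}; refusing to start. "
            "Use a local database or an anonymised dump instead."
        )
    return db_url


def database_url_from_env() -> str:
    """Read the (assumed) APP_ENV and DATABASE_URL variables and apply the guard
    before any connection is opened."""
    return check_database_target(
        os.environ.get("APP_ENV", "development"),
        os.environ["DATABASE_URL"],
    )


if __name__ == "__main__":
    # Constructed sample: a development build pointed at a local container.
    print(check_database_target("development", "postgresql://app:secret@localhost:5432/app"))
```

Call database_url_from_env() once at application start, before the ORM or connection pool is created, so a mistyped DATABASE_URL fails loudly instead of silently reading or, worse, writing production data from a laptop.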