Cybersecurity Best Practices for Remote Developers (2025)

Oct 25, 2025•

securityremote-workdevsecopszerotrust

•

Appendix AZ — Security controls library by domain

Web Applications

Control: Enforce HTTPS site‑wide with HSTS
Control: Validate inputs server‑side and client‑side
Control: Output encode untrusted data to prevent XSS
Control: Content Security Policy with strict default‑src
Control: Avoid inline scripts; use nonces/hashes
Control: SameSite cookies with Secure and HttpOnly
Control: Session fixation prevention and rotation
Control: Rate limits on auth and sensitive actions
Control: CAPTCHA/turnstile on abuse‑prone endpoints
Control: Lockout with exponential backoff for brute force
Control: File upload validation and AV scanning
Control: Size/time limits for request bodies
Control: Disable directory listing and verbose errors
Control: Parameterized queries for DB access
Control: ORM safe defaults; migrations reviewed
Control: CSRF tokens on state‑changing requests
Control: Access controls enforced server‑side
Control: Multi‑tenant isolation checks
Control: Secrets pulled at runtime, not baked
Control: Feature flags with kill switches
Control: Error redaction; no stack traces to users
Control: 3rd‑party script allowlist and integrity
Control: Subresource integrity for critical assets
Control: Strong cache rules for static and HTML
Control: Logging of auth, privilege changes, failures
Control: Alerting on suspicious auth patterns
Control: Secure password policies and breach checks
Control: Account recovery flows with step‑up MFA
Control: Email verification and change confirmations
Control: Device/session management UI for users
Control: Session revoke on password/MFA changes
Control: Localization free of injection risks
Control: Accessibility maintained for security prompts

APIs

Control: OAuth 2.0/OIDC with scoped tokens
Control: JWT validation with key rotation (JWKS)
Control: mTLS for service‑to‑service where feasible
Control: Idempotency keys for safe retries
Control: Abuse detection and rate limiting at edge
Control: API keys only for low‑risk internal uses
Control: Pagination via cursors, stable ordering
Control: ETags and conditional requests
Control: Consistent error schema (no leaks)
Control: Request/response schema validation
Control: SPIFFE/SPIRE or workload identity
Control: Operation allowlist for GraphQL in prod
Control: Complexity/depth limits for GraphQL
Control: Field‑level authz in resolvers
Control: Data loader batching to avoid N+1
Control: Strict CORS; avoid wildcards
Control: Backpressure and timeouts per hop
Control: Circuit breakers and bulkheads
Control: Canary and blue/green deploys
Control: API usage analytics and quotas
Control: API deprecation policy with telemetry
Control: Secrets outside repo; env injection
Control: Sensitive fields redacted in logs
Control: PII minimization in payloads
Control: Replay protection for webhooks
Control: Signed webhooks with rotation
Control: Audit trails tied to identities
Control: Zero trust between services
Control: Least privilege in service roles
Control: Dedicated service accounts per app
Control: Threat modeling for critical routes
Control: Manual approvals for high‑risk changes
Control: Automated fuzzing for parsers

Mobile

Control: Cert pinning and TLS verification
Control: Keychain/Keystore secure storage
Control: Jailbreak/root detection with signals
Control: Anti‑tamper and code obfuscation
Control: Minimal permissions; runtime prompts
Control: No secrets in app bundle
Control: Secure webviews; no JavaScript bridges unless required
Control: Local data encryption at rest
Control: Biometric auth guarded by server checks
Control: Offline mode with risk controls
Control: Privacy labels and consent flows
Control: Crash logs free of sensitive data
Control: Secure OTA updates and signatures
Control: Transport fallback rules (no HTTP)
Control: API token refresh and revocation
Control: Device revocation from server side
Control: Attestation where available
Control: CDN edge allowlist for domains
Control: Bug bounty scope covering mobile
Control: Secure deep links and intents
Control: Threat analytics for mobile telemetry
Control: Store compliance (App Store/Play)
Control: Feature flags for risk rollback
Control: Remote kill switch for vulnerable builds
Control: Secure clipboard handling
Control: Protect screenshots on sensitive views
Control: Anomaly detection for bot traffic
Control: Secure file storage (scoped)
Control: Safe paste and content providers
Control: GMS/Play Integrity checks
Control: TLS 1.2+ only
Control: Strong server‑side device binding
Control: Token binding where supported

Desktop

Control: Code signing for binaries
Control: Auto‑update with signature validation
Control: Sandboxing and least privilege
Control: Secure IPC between processes
Control: OS keychain for secrets
Control: Self‑defense against tampering
Control: Limited diagnostic info in errors
Control: Crash report redaction
Control: In‑app browser hardened or system default
Control: Config stored securely
Control: Proxy support with auth
Control: System policy detection (AV/EDR)
Control: TLS 1.2+ only
Control: Certificate pinning optional
Control: Minimal local services exposed
Control: Firewall rules for app
Control: Device posture checks
Control: Admin install vs. per‑user clarified
Control: Rollback plan for bad updates
Control: Vulnerability scanning pipeline
Control: Safe handling of plugins/extensions
Control: Strict file associations
Control: Secure removable media handling
Control: UAC prompts minimized
Control: Logs to OS secure store
Control: Privacy preferences respected
Control: DPI/Accessibility safe rendering
Control: Defense against DLL injection
Control: ASLR/DEP enabled
Control: Hardened runtime flags

Data

Control: Data inventory and mapping
Control: Classification with handling rules
Control: Encryption at rest with KMS/HSM
Control: Key rotation policies
Control: Tokenization for sensitive fields
Control: Row‑level security where needed
Control: Data access approvals and reviews
Control: Least privilege roles in DB
Control: Query redaction for PII in logs
Control: Data retention with legal holds
Control: Secure backups with immutability
Control: Restore testing schedule
Control: DLP scanning for repos/buckets
Control: Secure data sharing via links with expiry
Control: Business purpose logging for access
Control: Differential privacy where applicable
Control: Pseudonymization before analytics
Control: Consent tracking for personal data
Control: Data sovereignty compliance
Control: Egress controls on data lakes
Control: Masking in non‑prod environments
Control: Dataset versioning and lineage
Control: Access anomaly detection
Control: Strong auth for BI tools
Control: Secrets for connectors in managers
Control: Static data signing where needed
Control: Hashing for integrity checks
Control: Secure deletion procedures
Control: DSAR process readiness
Control: Encryption during transport jobs
Control: Secure schema evolution
Control: Audit events tied to datasets

Infrastructure/Cloud

Control: Separate prod/non‑prod accounts/projects
Control: SSO + MFA for console access
Control: IAM least privilege with deny‑by‑default
Control: Service control policies (SCP)
Control: Network segmentation (VPC/VNet)
Control: Private endpoints to managed services
Control: No public S3/Blob objects by default
Control: Security groups/NSGs least open
Control: EBS/PD disk encryption on by default
Control: Image hardening with CIS baselines
Control: Golden AMIs and image pipelines
Control: Managed database auth (IAM/AD)
Control: Resource locks for critical infra
Control: Autoscaling with safe caps
Control: Secrets via cloud managers only
Control: Rotate IAM keys; prefer roles
Control: Detect public exposures
Control: Cloud trail/audit logs centralized
Control: Guardrails for budget caps
Control: Config rules/policies enforced
Control: Drift detection and remediation
Control: Disaster recovery plans tested
Control: KMS key separation and grants
Control: Cross‑account access with roles
Control: Approved regions list
Control: Tagging for ownership/compliance
Control: Vulnerability scans on hosts
Control: Patching cadence defined
Control: Bastion or SSM Session Manager
Control: No SSH keys in AMIs
Control: Backup policies enforced
Control: Object versioning + MFA delete

Identity & Access Management

Control: Central IdP for workforce
Control: RBAC/ABAC roles by job function
Control: FIDO2 MFA as default factor
Control: Passwordless where possible
Control: Lifecycle automation (join/move/leave)
Control: Access reviews quarterly
Control: Privileged Identity Management
Control: Just‑in‑time elevation with approvals
Control: PAM for break‑glass accounts
Control: Conditional access policies
Control: Device compliance gates
Control: Session risk scoring
Control: Least privilege for service principals
Control: App consent governance
Control: SCIM for provisioning
Control: SAML/OIDC standardized
Control: Audit of token lifetimes
Control: Secrets rotation SLAs
Control: Credential hygiene training
Control: Admin perimeter separation
Control: MDM enrollment required
Control: Strong policies for API tokens
Control: Disable legacy auth protocols
Control: SIEM integration for IdP events
Control: Geofencing for sensitive apps
Control: Time‑based restrictions
Control: Shadow IT discovery and controls
Control: Delegated admin least scope
Control: Vendor access time‑boxed

Endpoint

Control: Full‑disk encryption enforced
Control: EDR with tamper protection
Control: MDM with compliance rules
Control: Block unsigned kernel extensions
Control: App allowlisting (WDAC/AppLocker)
Control: Minimal local admin usage
Control: Secure boot required
Control: BIOS/UEFI password policies
Control: USB restrictions/encryption
Control: Auto‑patch OS and apps
Control: Browser hardened profile
Control: VPN/ZTNA client posture
Control: Screen lock policy
Control: Remote wipe capability
Control: Disk health monitoring
Control: Local firewall enabled
Control: AV with cloud protection
Control: Ransomware mitigation policies
Control: Software inventory tracking
Control: Self‑service software portal
Control: Prohibited software blacklist
Control: Sensors for exfil alerts
Control: Secure printing policies
Control: Camera/mic permission prompts
Control: High‑risk users extra controls
Control: Admin tool usage logging
Control: Backup agent for key folders
Control: Developer tools with guardrails

DevSecOps / CI

Control: Pre‑commit hooks for secrets
Control: SAST on every PR
Control: DAST on staging
Control: Dependency scanning (SCA)
Control: License compliance checks
Control: SBOM generation and archiving
Control: Signed commits and tags
Control: Provenance for builds (SLSA)
Control: Isolated runners with OIDC
Control: Short‑lived tokens in CI
Control: Least privilege cloud roles
Control: Artifact signing and verification
Control: Release approvals for prod
Control: Rollback playbooks and feature flags
Control: Canary analysis gates
Control: Infra policy tests (OPA)
Control: Drift detection post‑deploy
Control: Secrets vault broker for CI
Control: No shared long‑lived creds
Control: PR templates with risk section
Control: Code owners for critical paths
Control: Performance budgets in CI

Observability

Control: Centralized logs with retention
Control: PII redaction at source
Control: Structured logging conventions
Control: Tracing with service maps
Control: Metrics with SLOs and alerts
Control: Synthetic tests on key journeys
Control: RUM for web and mobile
Control: Alert fatigue reduction policies
Control: On‑call rotations and runbooks
Control: Post‑incident reviews stored
Control: Cost dashboards for telemetry
Control: Secure access to observability tools
Control: Immutable logs for critical events
Control: Evidence collection automation
Control: Threat hunting playbooks

Governance & Compliance

Control: Policy library versioned
Control: Risk register with owners
Control: Control mapping to standards
Control: Vendor reviews and SLAs
Control: Data processing agreements
Control: DPIAs where required
Control: Training completion tracking
Control: Audit trails for changes
Control: Periodic internal audits
Control: External audits scheduled
Control: Exception handling workflow
Control: Documented SoA (Statement of Applicability)
Control: Management review cadence
Control: Business continuity testing
Control: Incident communications plan
Control: Regulatory horizon scanning

Appendix O — Browser security hardening

General

Keep browsers auto‑updated; enable safe browsing features
Isolate work and personal profiles; separate containers or profiles
Disable third‑party cookies except for required apps
Limit extensions; review permissions regularly; auto‑update extensions
Prefer privacy settings: block pop‑ups, disable auto‑downloads

Chrome/Edge policies (enterprise)

Force Safe Browsing/SmartScreen
Enforce HTTPS‑Only mode
Block legacy TLS (<1.2) and weak cipher suites
Control extension install allowlist; disable external sources
Force password manager policies and leak alerts

Firefox hardening tips

Enable HTTPS‑Only Mode and Enhanced Tracking Protection (Strict)
privacy.resistFingerprinting = true (be mindful of breakage)
Disable WebRTC leaks or restrict

Appendix P — Email security & phishing resilience

Technical controls

SPF/DKIM/DMARC enforced with reject policy
Security awareness banners on external emails
Attachment sandboxing for risky types
Quarantine rules for suspicious senders/domains

User practices

Verify sender domain and linked URLs before clicking
Never approve unexpected MFA prompts
Report suspected phishing via mail add‑ins or SOC channel

Phishing simulation program

Quarterly campaigns; track click rate and report rate
Just‑in‑time micro‑training for users who click

Appendix Q — Endpoint detection & response (EDR) and telemetry

Baseline requirements

Real‑time protection; cloud analytics; tamper protection
Automated isolation/quarantine
Script blocking and behavior analytics
Centralized alerting and triage workflows

Telemetry to collect

Process start/stop, parent/child relationships
Network connections (dest IP, port, process)
File modifications in sensitive paths
Registry changes (Windows), LaunchAgents (macOS), systemd (Linux)

Appendix R — MDM policy catalog (quick reference)

Disk encryption mandatory; escrow keys
Screen lock < 5 minutes; password on wake
Admin elevation via approval workflow; deny persistent admin
Block unsigned kernel/system extensions
Restrict removable storage; require encryption
Enforce OS/browser auto‑updates; deferral windows minimal

Appendix S — YARA primer (malware patterning)

rule Suspicious_Encoded_Powershell
{
  meta:
    description = "Detects base64 encoded PowerShell in scripts"
  strings:
    $ps = /powershell\s*-enc[ode]*\s+[A-Za-z0-9+/=]{40,}/ nocase
  condition:
    $ps
}

Appendix T — osquery starter pack

Example queries

Startup items (persistence)
Listening ports and owning process
USB device insertions

SELECT name, path FROM startup_items;
SELECT pid, address, port, protocol FROM listening_ports;
SELECT time, vendor, model FROM usb_devices;

Appendix U — Nginx hardened reverse proxy (example)

server {
  listen 443 ssl http2;
  server_name app.example.com;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
  ssl_prefer_server_ciphers on;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options DENY;
  add_header Referrer-Policy no-referrer-when-downgrade;

  location / {
    proxy_pass http://app_backend;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}

Appendix V — Terraform policy checks (OPA/Conftest examples)

package terraform.security

deny[msg] {
  input.resource.type == "aws_security_group"
  input.resource.ingress[_].cidr_blocks[_] == "0.0.0.0/0"
  msg := sprintf("SG %s allows 0.0.0.0/0", [input.resource.name])
}

Appendix W — Kubernetes security quick wins

Use NetworkPolicies to limit pod egress/ingress
Run as non‑root; drop capabilities
Read‑only root filesystem; mount secrets as tmpfs
Limit hostPath volumes; avoid privileged pods
Enable audit logging and admission controllers (PSP replacement policies)

apiVersion: v1
kind: Pod
metadata:
  name: safe
spec:
  securityContext:
    runAsNonRoot: true
    readOnlyRootFilesystem: true

Appendix X — SBOM & SLSA

Generate SBOMs (CycloneDX/SPDX) in CI
Verify signatures and provenance (SLSA level targets)
Store SBOMs with artifacts; diff on updates

Appendix Y — Extended Semgrep rules

rules:
  - id: no-eval
    pattern: eval(...)
    message: Avoid eval
    languages: [javascript, typescript]
    severity: ERROR
  - id: fetch-without-timeout
    pattern: fetch($URL)
    message: Set a timeout/AbortController
    languages: [javascript, typescript]
    severity: WARNING

Appendix Z — Pre-commit hook examples

repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: check-yaml
      - id: end-of-file-fixer
      - id: trailing-whitespace

Appendix AA — Git threats and mitigations

Protect main/release with branch protection rules
Require reviews, signed commits, and status checks
Enforce linear history or squash merges to reduce noise

Appendix AB — Secret rotation runbook

Identify secret + consumers
Rotate in manager; update apps with new version
Deploy with zero‑downtime strategy
Revoke old secret; verify no usage via logs

Appendix AC — DLP regex starters (use cautiously)

AWS Access Key: AKIA[0-9A-Z]{16}
Generic Secret: (?i)(secret|token|apikey|password)[\s:=]{0,5}[A-Za-z0-9_\-]{16,}
Email: [A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}

Appendix AD — Logging schemas (JSON examples)

{
  "timestamp": "2025-10-25T12:00:00Z",
  "level": "INFO",
  "service": "api",
  "route": "/orders",
  "user_id": "u_123",
  "request_id": "req_abc",
  "latency_ms": 123
}

Appendix AE — Alert playbooks (mini)

High CPU on API

Validate traffic spike vs. loop
Scale out (HPA) or roll back recent deploy
Add caching and rate limits

Secret leaked in repo

Revoke immediately; rotate; invalidate sessions
Search for usage; notify affected services
Post‑mortem and training

Appendix AF — Risk register template

Risk	Likelihood	Impact	Owner	Mitigation	Status
Phishing compromise	Medium	High	SecOps	FIDO2 MFA; training	Active

Appendix AG — Vendor security checklist (lite)

SOC 2/ISO 27001 certifications and audit window
Data residency and encryption guarantees
Breach notification SLAs
Subprocessor transparency

Appendix AH — Business continuity & disaster recovery

Define RTO/RPO per service
Quarterly restore tests; document results
Runbooks stored offline and in multiple regions

Appendix AI — Policy library (snippets)

Acceptable Use

No personal data storage on unmanaged devices
No use of unauthorized cloud services for company data

BYOD

Enrollment in MDM; encryption; remote wipe consent

Encryption

Data at rest: AES‑256; in transit: TLS 1.2+

Appendix AJ — Data classification playbooks

Map systems to classes; apply DLP accordingly
Label documents; auto‑classify where feasible

Appendix AK — Access review SOP

Export users/roles from IdP and key apps
Managers certify access; remove excess
Document exceptions; re‑review in 30 days

Appendix AL — Evidence collection (for audits)

Access reviews, training records, vulnerability scans, incident reports
Change management: PRs, approvals, deployments, CI logs

Appendix AM — Security metrics (KPIs/KRIs)

Mean time to detect/respond (MTTD/MTTR)
Patch latency (critical updates)
Phishing report rate vs. click rate
Secret leakage incidents over time

Appendix AN — Training curriculum (engineers)

Secure coding (OWASP), cloud security basics, identity & auth
Hands‑on labs: SSRF, SQLi, XSS, secrets handling

Appendix AO — Red/blue tabletop scenarios

Stolen laptop with cached tokens
Supply chain compromise via dependency
Credential stuffing against legacy endpoint

Appendix AP — Threat intel feeds (examples)

CISA, CERT, vendor advisories
CVE feeds; GitHub security advisories; NVD

Appendix AQ — Secure remote desktop practices

Prefer SSH/RDP over VPN with per‑app access
Enforce clipboard/drive redirection policies where needed

Appendix AR — Password policy (when passwords exist)

Min length 14; passphrases preferred
No rotation without compromise; check against breach corpuses

Appendix AS — Home network segmentation patterns

Router with VLAN support; separate SSIDs
Block lateral movement between segments

Appendix AT — Container image security

Use minimal base images; sign images (cosign)
Scan images in CI; fix critical vulns before deploy
Run with non‑root user; read‑only root FS

Appendix AU — Supply chain attestation

Provenance statements for builds; verify in deploy pipeline
Require signed commits/tags; protected builders

Appendix AV — Security questionnaire response tips

Maintain a central, versioned answer bank
Provide concise, evidence‑backed answers; link to policies

Appendix AW — Extended glossary

ASR: Attack Surface Reduction rules (Microsoft Defender)
EDR: Endpoint Detection & Response
OIDC: OpenID Connect (identity layer on OAuth 2.0)
RPO/RTO: Recovery Point/Time Objective

Appendix AX — Master security checklist (roll‑up)

Device hardened and encrypted
Network segmented; VPN/ZTNA
Identity with FIDO2 MFA; least privilege
Secrets in manager; rotated
Code scans; signed commits
Cloud with SSO/MFA; audit logs
Data classified; backups tested
IR playbooks drilled

Appendix AY — Templates index

Policy templates (AUP, BYOD, Encryption)
Runbooks (Secret rotation, Incident triage)
Config examples (Nginx, CI workflows)
Checklists (Daily/Weekly/Monthly)

Remote development expands your attack surface: home networks, personal devices, multiple SaaS tools, and cloud consoles. This guide provides a concise, practical checklist to reduce risk without slowing teams down.

TL;DR Checklist

Device: Full‑disk encryption, OS auto‑updates, minimal admin rights
Network: WPA3 router, isolated SSID for work, VPN/ZTNA
Identity: Strong MFA (FIDO2 keys), least‑privilege roles
Secrets: Never in code; use secret managers; rotate regularly
Code: Signed commits, pre‑commit hooks, SAST/DAST in CI
Cloud: Just‑in‑time access; IP allowlists; audit logs on
Data: Classify, encrypt at rest/in transit, least sharing

1) Secure your workstation

OS & firmware

Enable full‑disk encryption (BitLocker/FileVault/Linux LUKS)
Auto‑update OS, firmware, browsers, and dev tools
Disable unsigned kernel extensions; restrict kernel drivers

Hardening

Separate work and personal profiles
Use a standard user account; elevate via prompt only
Screen lock < 5 minutes; require password on wake
Disable USB autorun; prefer encrypted USB if needed

2) Network hygiene

Router firmware up‑to‑date; change default admin creds
WPA3 and strong Wi‑Fi passphrase (>=16 chars)
Separate SSID for work devices or guest VLAN
Prefer wired Ethernet for stability and speed
Use corporate VPN or Zero Trust Network Access (ZTNA)

3) Identity & access

Enforce MFA with FIDO2 (security keys) over SMS
Use SSO (e.g., Entra ID/Okta) with conditional access
Apply least‑privilege roles; time‑boxed elevation (PIM)
Review dormant accounts quarterly; revoke promptly

4) Secrets management

Never commit secrets; add validators (e.g., git‑secrets)
Use Secret Manager/Key Vault/Parameter Store
Rotate credentials regularly; prefer short‑lived tokens
Use .env locally but never commit .env

# .gitignore essentials
.env
.env.*
*.pem
*.key
id_*

5) Secure coding hygiene

Adopt a secure coding standard (OWASP ASVS)
Validate inputs/outputs; centralize authn/z
Parameterize queries; avoid concatenated SQL
Canonicalize paths; never trust user file names
Use safe JSON parsing; limit payload sizes

// Example: Express rate limiting + helmet
import helmet from "helmet";
import rateLimit from "express-rate-limit";

app.use(helmet());
app.use(rateLimit({ windowMs: 60_000, max: 120 }));

6) API authentication: OAuth 2.0 & JWT

Prefer OAuth/OIDC with short‑lived access tokens
Use Proof Key for Code Exchange (PKCE) for SPAs
Store refresh tokens securely; rotate on use
Validate JWT audience, issuer, signature, and expiry

// JWT verification
import jwt from "jsonwebtoken";

export function verifyJwt(token: string) {
  const publicKey = process.env.JWT_PUBLIC_KEY!;
  const payload = jwt.verify(token, publicKey, {
    algorithms: ["RS256"],
    audience: "api",
    issuer: "elysiate",
  });
  return payload;
}

7) Supply chain & CI/CD

Pin dependencies; use npm audit/yarn dlx osv‑scanner
Require signed commits; protect main with reviews
SAST/DAST/Secrets scanning in CI (Snyk/GitHub Advanced Sec)
Least privilege CI tokens; short‑lived OIDC federated creds

# Example: GitHub OIDC to cloud (no long‑lived keys)
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure cloud credentials via OIDC
        uses: cloud/setup@v1

8) Cloud console access

Enforce SSO + MFA; disable local users where possible
Separate prod/non‑prod accounts; org‑level guardrails
Log everything (Audit/Activity logs); alert on anomalies
Use IP allowlists or device compliance checks

9) Data protection

Classify data (public/internal/confidential/restricted)
Encrypt at rest (KMS) and in transit (TLS 1.2+) -,Avoid sharing links without expiry; prefer groups over public
Backups with tested restores; define RPO/RTO targets

10) Incident readiness

Run tabletop exercises; define on‑call rotations
Clear escalation paths; pre‑approved comms templates
Post‑incident reviews with actionable follow‑ups

Developer quick wins (today)

Turn on OS auto‑update and full‑disk encryption
Add FIDO2 key to your accounts; remove SMS fallback
Install a secret scanner pre‑commit hook
Enable 2‑review rule and signed commits on main
Migrate long‑lived cloud keys to OIDC‑based auth

FAQ

Is a VPN enough?
Use VPN or ZTNA plus MFA, device posture checks, and least privilege. VPN alone is insufficient.

Where do I store secrets for local dev?
Use .env locally (ignored by git) and load from Secret Manager/Key Vault in cloud.

How do I secure a SPA?
Use OIDC with PKCE, short‑lived tokens, secure storage patterns, and a backend for sensitive operations.

Security is a practice, not a product. Start with the quick wins, then iterate with policies, automation, and audits.

Appendix A — Device hardening deep dive (Windows, macOS, Linux)

Windows 11 Pro/Enterprise

Enable BitLocker with TPM + PIN; escrow recovery keys in your directory
Turn on Core Isolation (Memory Integrity) and Secure Boot in UEFI
Windows Update for Business: automatic quality and security updates
Microsoft Defender Antivirus + SmartScreen + Controlled Folder Access
Disable PowerShell v2; enable Constrained Language Mode for untrusted contexts
Applocker or WDAC (Device Guard) for application allowlisting

# Verify BitLocker status
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# Enable BitLocker on C: with TPM
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector

# Require PIN on startup (TPM+PIN)
Add-BitLockerKeyProtector -MountPoint 'C:' -TPMandPinProtector

# Turn on Memory Integrity (requires reboot)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 1 /f

# Enable SmartScreen (reputation-based protection)
Set-MpPreference -PUAProtection Enabled

# Disable PowerShell v2
Disable-WindowsOptionalFeature -Online -FeatureName "MicrosoftWindowsPowerShellV2Root"

Group Policy highlights (for MDM/Intune equivalents):

Require password complexity and rotation for local accounts (or better, no local admins)
Disable LM/NTLMv1; enforce NTLMv2 only
Disable SMBv1; require SMB signing and encryption where possible
Block macros from the internet; enforce ASR (Attack Surface Reduction) rules

macOS (Ventura/Sequoia)

FileVault full‑disk encryption; escrow keys to MDM
Gatekeeper + XProtect + MRT enabled; App Store or notarized apps only
Enable Firewall + Stealth Mode; block all incoming by default
Automatic updates for macOS and XProtect definitions
Create a standard user; keep admin separate, require Touch ID or strong password

# Check FileVault
fdesetup status

# Enable firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

# Require password on screensaver
defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0

MDM/Configuration profile tips:

Enforce FileVault on first login; escrow key
Restrict kernel/system extensions; allowlist approved vendors
Disable screen sharing/remote Apple events; require management agent

Linux (Ubuntu/Fedora/Debian)

LUKS full‑disk encryption; strong passphrase and recovery plan
Keep kernel and packages updated; enable unattended‑upgrades
Minimal services; disable SSH password login; use SSH keys + Fail2ban/UFW
Enable AppArmor/SELinux in enforcing mode

# Ubuntu: enable firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw enable

# SSH hardening
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo systemctl restart sshd

# Automatic security updates (Ubuntu)
sudo apt-get install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Appendix B — Network security for home/remote offices

Router/Wi‑Fi

Change default admin credentials and disable remote administration
WPA3‑Personal with a long passphrase; isolate work devices on a separate SSID/VLAN
Disable WPS; reduce transmit power if in dense buildings
Prefer DNS over HTTPS with a reputable provider; consider DNS filtering for malware

Example: Unifi/UDM Pro suggestions

Create network Work (VLAN 20), SSID Work‑WiFi, WPA3 only
Client isolation enabled; restrict mDNS where possible
Set DHCP reservation for dev machine; apply firewall rules

DNS filtering (optional)

Quad9, Cloudflare Gateway, or NextDNS for malware/phishing blocklists

Appendix C — VPN and Zero Trust Network Access (ZTNA)

Principles:

Prefer device posture checks (OS version, encryption, MDM) before granting access
Grant least privilege to apps, not networks; avoid broad flat VPNs
Short‑lived credentials; continuous re‑evaluation of session

Generic ZTNA policy outline:

Identity: SSO (OIDC/SAML) with MFA (FIDO2)
Device: Managed, encrypted, compliant
Context: Risk score, geolocation, time of day
Resource: Per‑app allow rules with audit logging

Appendix D — Identity: SSO, MFA, and conditional access

MFA hierarchy

FIDO2 security keys (phishing‑resistant)
Platform authenticators (Touch ID/Windows Hello)
TOTP apps (Authy, 1Password)
SMS (avoid if possible)

Conditional Access examples

Require MFA on risky sign‑ins; block legacy protocols
Allow only managed devices to access admin portals
Step‑up MFA for sensitive scopes (billing, production access)

Appendix E — Secrets management in practice

AWS Secrets Manager

aws secretsmanager create-secret \
  --name app/prod/db \
  --secret-string '{"host":"db.prod","user":"app","password":"..."}'

aws secretsmanager get-secret-value --secret-id app/prod/db

Node.js retrieval (IAM role based):

import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";

const client = new SecretsManagerClient({});
export async function getDbSecret() {
  const res = await client.send(new GetSecretValueCommand({ SecretId: "app/prod/db" }));
  return JSON.parse(res.SecretString || "{}");
}

Azure Key Vault

az keyvault secret set --vault-name kv-prod --name db-conn --value '...'
az keyvault secret show --vault-name kv-prod --name db-conn

TypeScript with Managed Identity:

import { DefaultAzureCredential } from "@azure/identity";
import { SecretClient } from "@azure/keyvault-secrets";

const credential = new DefaultAzureCredential();
const client = new SecretClient(`https://kv-prod.vault.azure.net/`, credential);
export async function getDbConn() {
  const s = await client.getSecret("db-conn");
  return s.value;
}

GCP Secret Manager

gcloud secrets create db-conn --replication-policy="automatic"
echo -n "..." | gcloud secrets versions add db-conn --data-file=-
gcloud secrets versions access latest --secret=db-conn

Appendix F — Secure coding by example (Node, Python, React)

Preventing SQL injection (Node + parameterized queries)

const q = `SELECT * FROM users WHERE email = ? AND status = ?`;
const rows = await db.query(q, [email, "active"]);

Preventing XSS (React)

// Avoid dangerouslySetInnerHTML; if needed, sanitize first
import DOMPurify from "dompurify";
const safe = { __html: DOMPurify.sanitize(userBio) };
return <div dangerouslySetInnerHTML={safe} />;

CSRF protection (SameSite + CSRF tokens)

res.cookie("session", token, { httpOnly: true, sameSite: "lax", secure: true });

SSRF mitigation

// Allowlist outbound hosts; block link‑local/metadata
import isPrivateIp from "private-ip";
function assertSafeUrl(u: string) {
  const url = new URL(u);
  if (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error("blocked");
}

Appendix G — OAuth 2.0/OIDC flows (PKCE, Device Code)

PKCE SPA flow (high‑level)

Create code_verifier and code_challenge
Redirect to /authorize with code_challenge
Receive code; exchange at /token with code_verifier
Receive access + refresh tokens; store securely; rotate refresh

// Skeleton PKCE util
async function sha256(v: string) {
  const enc = new TextEncoder().encode(v);
  const buf = await crypto.subtle.digest("SHA-256", enc);
  return btoa(String.fromCharCode(...new Uint8Array(buf))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

Appendix H — CI/CD templates (GitHub, GitLab, Azure DevOps)

GitHub Actions (security gates)

name: security
on: [pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trufflesecurity/trufflehog@main

GitLab CI

stages: [test, security]
semgrep:
  stage: security
  image: returntocorp/semgrep
  script:
    - semgrep --config p/owasp-top-ten --error

Azure Pipelines

trigger: [ main ]
pool: { vmImage: ubuntu-latest }
steps:
  - checkout: self
  - task: CmdLine@2
    inputs:
      script: |
        npm ci
        npm run build

Appendix I — SAST/DAST/Secrets scanner configs

Semgrep (example)

rules:
  - id: no-raw-sql-concat
    pattern: db.query("SELECT*" + ... )
    message: Use parameterized queries
    languages: [javascript, typescript]
    severity: ERROR

detect-secrets (baseline)

detect-secrets scan > .secrets.baseline
pre-commit install

Pre-commit config

repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
    hooks:
      - id: detect-secrets
        args: ["--baseline", ".secrets.baseline"]

Appendix J — Cloud console access controls (AWS/Azure/GCP)

AWS minimal admin session

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole", "sts:AssumeRole"],
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}

Azure role assignment (example)

az role assignment create --assignee <user> --role "Reader" --scope /subscriptions/<sub>/resourceGroups/<rg>

GCP IAM binding

gcloud projects add-iam-policy-binding <project> \
  --member=user:dev@example.com --role=roles/viewer

Appendix K — Data protection & DLP

Classification template:

Public
Internal
Confidential (PII, secrets)
Restricted (regulated data)

Controls by class:

Confidential/Restricted: encryption at rest/in transit, DLP scanning, limited sharing, access reviews

Appendix L — Incident response playbooks

Compromised credentials

Revoke sessions; rotate tokens/keys
Review audit logs and high‑risk actions
Force password reset + step‑up MFA
Post‑mortem and controls to prevent recurrence

Suspected malware

Isolate device from network (EDR/MDM)
Acquire triage artifacts; run EDR scans
Reimage if uncertain; restore from clean backups
Review user access and recent activity

Appendix M — Comprehensive checklists

Daily

Lock screen when away
Use VPN/ZTNA for sensitive apps
No secrets in terminals/screenshares

Weekly

Update OS/apps; review pending restarts
Scan repo for secrets; review PR security comments

Monthly

Review access; remove unused tokens
Test restores from backups

Appendix N — Extended FAQ

Q: Can I use password managers safely?
Yes. Use a reputable manager with strong master password and MFA. Prefer sharing via item sharing, not plaintext.

Q: How do I secure local Docker?
Use rootless Docker where possible; minimize mounted secrets; rotate credentials; keep images up‑to‑date.

Q: Are browser extensions risky?
Limit to essential, verified extensions; review permissions; disable on sensitive sites.

Q: What about public Wi‑Fi?
Use VPN/ZTNA; prefer personal hotspot; avoid admin portals on public networks.

Q: How to validate supply chain integrity?
Pin deps, use checksums/signatures, and SBOMs; enable dependabot/renovate with CI tests.

Q: Should I disable USB ports?
For high‑risk roles, yes via MDM policies; otherwise restrict autorun and require device approvals.

Appendix BA — References and further reading

Reference: OWASP ASVS 4.0.3 (Application Security Verification Standard)
Reference: OWASP Top 10 (2021) and API Security Top 10 (2023)
Reference: CIS Controls v8 and CIS Benchmarks
Reference: NIST SP 800-53 Rev.5 (Security and Privacy Controls)
Reference: NIST SP 800-63 (Digital Identity Guidelines)
Reference: NIST SP 800-207 (Zero Trust Architecture)
Reference: ISO/IEC 27001/27002 (Information Security Management)
Reference: ENISA Threat Landscape (annual)
Reference: Microsoft Defender for Endpoint documentation
Reference: Apple Platform Security Guide
Reference: Google Android Enterprise security
Reference: Chrome Enterprise security best practices
Reference: Mozilla Firefox enterprise policies
Reference: Kubernetes Hardening Guide (NSA/CISA)
Reference: CNCF Cloud Native Security Whitepaper
Reference: SLSA (Supply-chain Levels for Software Artifacts)
Reference: OpenSSF Scorecard and Best Practices
Reference: OWASP Cheat Sheet Series
Reference: OAuth 2.0 Security Best Current Practice (BCP)
Reference: OpenID Connect Core and Security BCPs
Reference: IETF TLS 1.3 RFC 8446
Reference: IETF HTTP/2 RFC 7540 and HTTP/3 drafts
Reference: PCI DSS 4.0 Guidance (where applicable)
Reference: SOC 2 Trust Services Criteria
Reference: ISO/IEC 27017 (Cloud security)
Reference: ISO/IEC 27018 (PII protection in cloud)
Reference: CSA CCM (Cloud Controls Matrix)
Reference: AWS Well-Architected Security Pillar
Reference: Azure Well-Architected Framework Security
Reference: Google Cloud Security Foundations Blueprint
Reference: HashiCorp Vault best practices
Reference: AWS Secrets Manager and Parameter Store
Reference: Azure Key Vault references
Reference: GCP Secret Manager guides
Reference: GitHub Advanced Security docs
Reference: GitLab Secure Stage docs
Reference: Terraform security and OPA/Conftest
Reference: Semgrep rules and policies
Reference: TruffleHog secret scanning
Reference: Detect-secrets usage and baselines
Reference: YARA rule authoring guides
Reference: osquery schema and deployments
Reference: Sysmon configuration (SwiftOnSecurity)
Reference: Suricata/Zeek IDS operations
Reference: Elastics Common Schema (ECS)
Reference: OpenTelemetry specs (logs, metrics, traces)
Reference: ClickHouse/BigQuery for security data lakes
Reference: SIEM hardening (Elastic, Sentinel, Chronicle)
Reference: SOAR playbooks design
Reference: MITRE ATT&CK and D3FEND mappings
Reference: CAPEC (Common Attack Pattern Enumeration)
Reference: CWE (Common Weakness Enumeration)
Reference: CVE/NVD feeds consumption
Reference: SBOM standards (CycloneDX, SPDX)
Reference: Cosign and Sigstore ecosystem
Reference: in-toto attestations
Reference: Kyverno/OPA Gatekeeper policies
Reference: Falco runtime security
Reference: eBPF-based observability and security
Reference: TUF (The Update Framework)
Reference: BCP 195 (Recommendations for Secure Use of TLS)
Reference: RFC 7525 (TLS recommendations)
Reference: DNSSEC and DANE guidance
Reference: BCP 38 (Network Ingress Filtering)
Reference: BCP 5/14 (Email security)
Reference: SPF/DKIM/DMARC deployment guides
Reference: MTA-STS and TLSRPT
Reference: HSTS preload guidance
Reference: CSP evaluator and policies
Reference: Subresource Integrity (SRI)
Reference: Cookie prefixes (__Host-, __Secure-)
Reference: WebAuthn and FIDO2
Reference: Passkeys adoption roadmaps
Reference: Device posture assessment references
Reference: MDM baseline templates (Intune/Jamf)
Reference: EDR evaluation methodologies (MITRE Engenuity)
Reference: Ransomware playbooks (CISA)
Reference: Incident response guidance (SANS)
Reference: Purple team exercises guides
Reference: Threat modeling (STRIDE, LINDDUN)
Reference: Privacy threat modeling (LINDDUN)
Reference: Data classification references (NIST/ISO)
Reference: Key management best practices (NIST SP 800-57)
Reference: Cryptographic module validation (FIPS 140-3)
Reference: Post-quantum crypto transition (NIST PQC)
Reference: Logging privacy and retention guidance
Reference: Access review procedures (SOX contexts)
Reference: Business continuity templates
Reference: DR patterns for cloud (pilot light, warm standby)
Reference: Blue/green and canary releases
Reference: Feature flags and kill switches
Reference: Secure SDLC frameworks
Reference: Bug bounty program setup
Reference: VDP (Vulnerability Disclosure Policy) templates
Reference: Secure coding standards (CERT)
Reference: Android/iOS secure coding guides
Reference: OWASP MASVS and MASTG (mobile)
Reference: Desktop app security checklists