Welcome to the Green Curtain Development Team!

Principles

  1. Security is everyone's responsibility. (see Security Practices)
  2. Do better than "industry standard".
  3. Commit often. (Git good. 😉)

Specific Guides

Check out one of these more specific guides after you've read the general information in this one.

Workflow

You need accounts for

  • Keybase - Our primary communications and file-sharing platform because it's end-to-end encrypted and free. (We may re-evaluate since Zoom bought Keybase.)
  • GitHub - It's convenient that the tools we use are also based on GitHub (mainly NativeScript).
  • Azure DevOps - Hosts all our CI/CD, including builds, automated testing, and deployments.

VSCode

You'll want VSCode. First off, you can use it to render this Markdown document.

View Markdown with VSCode

It's got an abundance of cool features like workspaces, which allow you to peruse multiple repos at once.

GCC workspace

Tasks

VSCode offers tasks, which can be configured to run when a workspace folder is opened (see Run behavior). See a specific dev guide for more info.

Security Practices

Nothing is secure. There's always a way in, whether it's cryptanalysis or social engineering. (A basic understanding of those terms is strongly recommended.)

It is your job, regardless of your position, to be vigilant and minimize risk to the company and consumers. Ask questions. Raise concerns. Learn from other companies' mistakes and do better than

Other notes

  • Do not attempt security through obscurity.
  • It is not safe to assume that the Azure services we use cannot be compromised.
  • TLS/SSL is good, but it's a weak guarantee of data privacy and/or security. If the data is at all sensitive, another layer of encryption should be used. We want to add general encryption for customer data, for security and privacy, sooner rather than later.

FAQ

Why aren't we using Slack?

This article summarizes it.

Is our code really safe on GitHub?

Hard to say. Our current setup is not preferable, though, since at the least our code is being transferred with only TLS encryption. (This is an example where relying on TLS is a bad idea.)

What about Keybase encrypted git repos?

Well, they're awesome, but

  1. It helps to have a GUI for diffs and PRs. (This could be done through GitHub Desktop.)
  2. We need Azure DevOps integration. (Keybase bot maybe?)

As soon as we can meet those criteria (maybe with something customizable like GitLab), we can make the switch.