As National Cybersecurity Awareness Month comes to an end, our focus turns to what the developer community can do to stay cyber smart all year long. We’ve already talked about access management, and shared tips on how to protect your personal accounts. Today, we offer tips from the Yubico Developer Team to developers looking to up their security game.
The best way to get started is by securing yourself, then helping others. Get a password manager and enable strong two-factor or multi-factor authentication across all your personal and work accounts (read last week’s blog for 10 Steps from Yubico to Protect Your Personal Accounts).
Now, let’s get into some more technical things you can do.
1. First, secure your operating and development environments with encryption. You can do this with tools like EgoSecure Data Protection FDE, which provides easy and effective protection for your laptop. The encryption and decryption of data is completely transparent to authorized and authenticated users, which makes the solution simple to use. To enhance security, EgoSecure’s full disk encryption application supports two-factor authentication during pre-boot authentication using the YubiKey.
“We believe hardware-backed multi-factor authentication plays a very important role in cybersecurity because it protects privacy without compromising ease of use.” – Sergej Schlotthauer, Vice President of Security Strategic Alliances, EgoSecure (EgoSecure is a Matrix42 company)
2. Keep your code signing certificates and data safe by using developer tools that support multi-factor authentication. You can even sign code with the YubiKey by securely storing your code signing certificate on the YubiKey itself. We talk a lot about FIDO, but the YubiKey also supports OpenPGP. Our latest firmware update included a number of enhancements to the OpenPGP implementation, including ECC support, attestation, and multiple operations per touch. Read about it here.
3. Extend your security discipline to all of your devices, not just those that touch your corporate network. Attacks often succeed because of a weak point made available through a personal account.
“With the rise of bring-your-own-device programs and remote work, the attack surface has shifted from corporate networks to endpoints. Thus, a modern security strategy must consider all endpoints, including mobile devices.” – Dr. Dominik Schürmann, CEO, Cotech
Here’s a hot tip if you’re building YubiKey support into your product: Cotech provides ready-to-use animations that show end users how to use security keys, including the smartphone-specific sweet spot where NFC works best. With the Hardware Security SDK, Android developers can enable strong, hardware-backed YubiKey security using modern authentication protocols such as Universal 2nd Factor (U2F).
4. Strong authentication doesn’t have to be hard to implement for yourself or your users. Be sure to leverage modern protocols such as FIDO2 or WebAuthn along with a YubiKey. We have seen an impressive variety of use cases brought to us by companies from all over the world. Take, for instance, Gandi. Because domain names are used for websites, email addresses, SSL certificates, and more, they are valuable assets for individuals, organizations, and businesses. Gandi offers two-factor authentication with the YubiKey to make sure only authorized users can access an account.
“Whether they’re working for profit, the common good, or fun, our customers’ projects are tied to their domains. Our job as service providers is to keep them safe. Staying on the cutting edge of security technology is essential to that mission.” – Andrew Richner, Head of Communication, Gandi US
If you’re also serious about integrating security into the products, services, and applications that you’re building, check out Yubico’s Developer website. Sign up for the Yubico Developer Program mailing list to be notified of new documentation and resources, as well as get early access to SDKs and new products.
Already have a YubiKey? Discover all of the places you can enable it now by visiting our Works with YubiKey catalog. If you don’t have a YubiKey, you can pick one up from our web store or even on Amazon.