A single compromised laptop or reused password can expose an entire codebase. These 14 rules form the minimum security baseline for any development team.

Device security

1. Encrypt your hard drives. FileVault (macOS), BitLocker (Windows), or LUKS (Linux). Full-disk encryption only protects data when the machine is fully powered off.

2. Turn off your computer when traveling. Sleep and hibernate leave encryption keys in memory. Full shutdown is the only safe state during transit.

3. Lock your screen immediately. Set auto-lock to the shortest tolerable interval. Lock manually every time you step away.

4. Keep all software updated. OS, browser, IDE, dependencies. Old versions carry publicly known, exploitable vulnerabilities.

5. Use antivirus and keep it current. Do not delay updates. Signature-based detection only works with fresh definitions.

Authentication and access

6. Enable two-factor authentication everywhere. Use 2FA on every service that supports it. Prefer hardware keys or authenticator apps over SMS.

7. Secure your phone. Your phone is a 2FA device. Use a strong passcode, biometric lock, and remote wipe capability.

8. Use a password manager. Apple Keychain, 1Password, Bitwarden, or similar. Generate unique passwords per service, never reuse.

9. Generate strong passwords. When SSO is not available, let the password manager generate a random credential. You should not need to remember it.

Data handling

10. Use only work accounts for work. Never use personal Google, Dropbox, or email for company data. Workspace security policies differ between personal and business tiers.

11. Encrypt external drives. Any removable media containing company data must be encrypted and password-protected.

12. Treat all company data as sensitive. Even seemingly harmless data (names, org charts, internal URLs) can fuel phishing and social engineering attacks.

13. Use a VPN on public networks. Traffic on public Wi-Fi is trivially intercepted. A VPN protects your traffic from eavesdropping.

14. Never use production databases locally. Loading production data into your local environment exposes real user data to an uncontrolled machine with no audit trail.

Practical Implementation: The USEO Approach

We enforce these rules as onboarding requirements, not suggestions. New team members complete a security setup checklist on day one: disk encryption verified, 2FA enabled on all company services, password manager installed with a generated master password. We verify completion before granting access to any repository or deployment system.

For rule 14, we maintain a seed data generator that creates realistic but synthetic datasets matching production schema shapes. Developers never need real data for local work. The generator runs as part of bin/setup, so a fresh environment is one command away.
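A schema-driven generator of the kind rule 14 and the bin/setup paragraph describe, written in Ruby as an added example (not USEO's code). The users schema, name pools and the RFC 2606 example.com domain are constructed for illustration; the generator is seeded so every fresh environment gets the same rows, and it never reads production.

```ruby
require 'date'
# Constructed schema for a hypothetical users table, not USEO's real one.
# Each column carries a type plus the constraints the seed must respect.
USERS_SCHEMA = {
  id:         { type: :serial },
  email:      { type: :email, unique: true },
  full_name:  { type: :name },
  created_at: { type: :timestamp, after: Date.new(2022, 1, 1) },
  plan:       { type: :enum, values: %w[free pro team] }
}.freeze

FIRST_NAMES = %w[ada grace linus ken dennis barbara].freeze
LAST_NAMES  = %w[lovelace hopper torvalds thompson ritchie liskov].freeze
# RFC 2606 reserved domain: mail sent from a dev box can never reach a real person.
SYNTHETIC_DOMAIN = 'example.com'.freeze

class SeedGenerator
  def initialize(schema, seed: 42)
    @schema = schema
    @rng = Random.new(seed)                 # deterministic: same seed, same rows
    @seen = Hash.new { |h, k| h[k] = {} }   # per-column uniqueness tracking
  end

  # Returns `count` hashes shaped like the schema; nothing here touches production.
  def rows(count)
    Array.new(count) { |i| @schema.to_h { |col, spec| [col, value_for(col, spec, i)] } }
  end

  private
  def value_for(col, spec, index)
    v = generate(spec, index)
    # The small name pool collides; the row index is unique, so plus-address it in.
    v = v.sub('@', "+#{index}@") if spec[:unique] && @seen[col][v]
    @seen[col][v] = true if spec[:unique]
    v
  end

  def generate(spec, index)
    case spec[:type]
    when :serial    then index + 1
    when :name      then "#{pick(FIRST_NAMES).capitalize} #{pick(LAST_NAMES).capitalize}"
    when :email     then "#{pick(FIRST_NAMES)}.#{pick(LAST_NAMES)}@#{SYNTHETIC_DOMAIN}"
    when :timestamp then (spec[:after] + @rng.rand(365)).to_time
    when :enum      then pick(spec[:values])
    else raise ArgumentError, "unknown column type #{spec[:type]}"
    end
  end

  def pick(list)
    list.sample(random: @rng)
  end
end
```

Unique columns are enforced in the generator rather than discovered as constraint violations at load time, and every address lands in a reserved domain, so a mis-configured mailer in a dev environment cannot contact a real user.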

We also run quarterly access audits. Every service token, SSH key, and third-party integration gets reviewed. Unused credentials are revoked immediately. This catches orphaned access from departed team members or abandoned tools before they become attack vectors.