How To Keep Your Project Secure When Hiring a New Remote Developer
As someone who has hired probably around 50 developers, I'd like to think that I have a good handle on the do's and don'ts. Sometimes things go great and sometimes they don't. There is a mountain of advice I could give, like "hire slow and fire fast" or "good communication is just as important as technical skill", but this post is more technical and is for the people who are nervous about bringing someone onto an existing project.
For this post to make sense I am assuming that you know how to use Git or some other version control system.
My first piece of advice: Do not worry. Almost nobody is interested in stealing your precious project.
Have a contract. The cost of actually pursuing a broken contract against a person overseas is almost always greater than the benefit, but sometimes it will make your RD (remote developer) think twice about their actions. The same goes for an NDA: almost never worth the headache unless they live in the same country as you.
Remove all secrets and hardcoded links. Anything the code needs should be read from an environment variable instead.
Reset your Git commits or create a new repo (optional). I have been guilty of hardcoding things when I start a new project, and those values stay in the old commits even after you remove them from the code. Getting rid of all commits, or moving the project into a new repository and starting a fresh Git history, is an easy fix.
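As an added example (not from the original post), here is a small Python helper for the two steps above: it flags lines in a snapshot of the tree that look like hardcoded credentials before you hand the repo over, and it reads settings from environment variables, failing fast when one is missing. The patterns are illustrative heuristics and the sample file contents are constructed; it only inspects the current tree, which is exactly why the old commits also need to go.

```python
import os
import re
from typing import Dict, List, Tuple

# Heuristics for values that tend to get hardcoded early in a project:
# cloud key IDs, credential assignments, and URLs with an embedded login.
# Illustrative only, not an exhaustive secret scanner.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@[^\s/]+"),
}

def find_hardcoded_secrets(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, pattern_name) for every suspicious line.
    `files` maps a path to its text, so any tree snapshot works (for example
    the output of `git ls-files` read into memory). Only the current tree is
    checked; history must be handled separately."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, name))
    return findings

def load_setting(name: str) -> str:
    """Read a setting from the environment and fail loudly if it is missing,
    so a forgotten variable shows up at startup instead of silently falling
    back to a hardcoded default."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"required environment variable {name} is not set")
    return value

# Constructed sample: an early-stage config before clean-up, plus one line
# that already reads from the environment and should not be flagged.
SAMPLE_FILES = {
    "config.py": (
        "DB_URL = 'postgres://admin:hunter2pass@db.internal:5432/app'\n"
        "API_KEY = \"example-api-key-123456\"\n"
        "DEBUG = os.environ.get('DEBUG', '0')\n"
    ),
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for path, lineno, kind in find_hardcoded_secrets(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible hardcoded {kind}")
```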
Have staging. Ideally you should have a test staging environment and a production environment. The RD should not have access to the production environment, and all their commits and pushes should go to staging. Don't have a staging environment? At the minimum, make it so that the RD can't push to production.
Segregate your work if possible. I've started to use multiple GitHub repositories for different aspects of the same project: one for the frontend and its associated logic and one for the backend. This works well for microservice-style architectures. Hiring a frontend RD? Only give them access to the frontend repository.
Define permissions. You can set permissions both on a repository and on individual branches! Use this to your advantage.