How to Securely Involve Freelancers in the Development of Your Application
When Bruce Lee pronounced the timeless quote "Be water, my friend", he probably wasn't thinking of "being water" as staffing freelancers on your team. However, a liquid workforce is what companies use today to become resilient to changes in skill needs and market pressure.
In this article, we explain how to staff a liquid workforce quickly and economically as well as protect your assets.
Develop With Outsiders Without Sharing Your Source Code
If you mention on your LinkedIn profile that you are looking for external developers, chances are you will be contacted several times a week with offers from talent around the world.
If you are looking actively, you might have decided to work with outsourcing services in Poland or elsewhere to get access to entire teams and scale up your skill set quickly.
In both cases, involving external developers in your team for variable periods of time has clear technical and economic benefits, but it can also expose your business to intellectual property losses in the form of source code or customer data leaks.
For young and innovative companies, source code and data can be the crux of their intellectual property. Hence, failing to keep tight control over who had access to what can hurt them when seeking growth capital, or even result in copycats appearing in remote regions.
For mature ones, access to internal or customer-facing applications is a trove for malicious actors looking for code vulnerabilities or opportunities to plant Trojan horses. Once such a flaw is successfully exploited, the company is one step away from the headlines. Recently Microsoft (via the SolarWinds compromise), Twitch, Stormshield, Electronic Arts and others have had source code exposed, in several cases alongside leaked customer data or a breach of their systems. In addition, employees now appear to be mishandling their company's source code more and more often, according to this Financial Times article, also relayed by Business Insider.
Infamous recent source code leaks that led to customer data access and system breaches.
In the article The Trusted Liquid Workforce, we explained the necessity for companies to involve outsiders in their development process in a secure manner, i.e. one that minimizes the chances for their source code or data to be leaked, analyzed, or becoming available on the dark web.
In this article, we'll give a quick recipe to onboard such a trusted workforce economically using our software-as-a-service platform. Note that this is not a user manual. You can find contextual help as tutorials and videos once inside our Strong Network platform. Our goal here is to give you a feel of what the platform can offer.
Create a Strong Network of Coders
Our public SaaS platform, called Strong Workspace, allows you to onboard and manage your liquid workforce in a secure manner.
Here is how you can do it in just three steps.
The first step is to create an account and set up your team composition. You will send invitations to freelancers from this account and make available resources for them so that they can start working quickly.
Step 1: Create your account and send invitations to your team to join the platform
There are three plans for the account to choose from:
A Starter plan lets you give any developer secure access to your code base, brokered by the platform, through a workspace, which is in essence a development IDE with a command line interface (CLI). I'll say more about security later, but the measures included in this plan are designed to prevent freelancers from downloading your entire code base.
The Advanced plan adds data loss prevention, which stops a careless or malicious developer from exfiltrating your code once she has access to it in the workspace. You also get a real-time security log of the activity of all participants in your development process.
Finally, the Professional plan gives you access to dashboards that visualize the performance of your team, such as attendance and the type of work done. It also lets you bring your own software containers to configure workspaces.
With all plans, the platform lets you involve any number of freelancers on the same resources as your internal developers, e.g. git repos and data buckets, with the distinction that freelancers' access to these resources is brokered through the platform for security purposes, as shown in this figure.
Freelancers get secured access to your resources through the platform (represented by the brain logo), unlike internal developers who have direct access. Both types of access cohabit seamlessly.
Now that your account is ready, you can invite your liquid team. This can be done directly from the sign-up flow after the account plan has been purchased or once on the platform via the People dashboard.
The People dashboard lets you send invitations to team members and visualize member locations.
Team members receive an email invitation to join your project. You pick the role they will play in the project, which assigns them a set of permissions, e.g. to access dashboards, security logs, etc. Typically, developers have the smallest set of permissions, while managers can create workspaces, access metrics and onboard new users.
In your team, you will typically need a project manager, tech leads and developers. You can invite any user for free and only pay for the workspaces used by developers. Buying workspaces is very much like buying development machines for your team.
Note that a new account initially provides a single workspace, which equips a single developer. You can add a workspace to your account at any time, simply by having a manager (or yourself) create a new one (I'll show that next).
Managing Your Liquid Resources
Once you are on the platform, the second step consists in associating the resources that your liquid team needs and providing access to them. By creating and giving access to workspaces, you provide each developer with a fully installed environment composed of an IDE, e.g. Visual Studio Code, and a software stack defined as a Docker container. This means that developers don't have to install anything on their laptops and can start working immediately.
This is very much like providing any developer with a development machine. Workspaces can be started automatically on a personal schedule that users define in their settings. This contrasts with GitHub Codespaces, which provides ephemeral workspaces that deploy as quickly as possible. Our goal is not to compete with GitHub's solution on access speed (ours deploys in a minute or so). Instead, we want to be multi-cloud, with a particular focus on security, so that you can effectively manage a secure liquid workforce. That is why we describe our platform as the first engineered Secure Cloud Development Environment.
The first screen of the workspace creation wizard lets you choose an IDE, software (via a container), an owner for that workspace
The second screen of the workspace creation wizard lets you associate selected resources such as GitHub, GitLab, Secrets, Connected Services and a Script (see below)
To enable access to an entire git application, the manager who creates a workspace checks the option to use a personal key.
To install software in the workspaces, all plans give you access to a series of "themed containers", e.g. Python, Go, etc., that can be further customized with a start-up script. With the Enterprise plan, you can provide your own containers that fit any project's requirements exactly.
Workspaces have a startup script such that containers can be customized.
Provide Access to Code and More
It is through workspaces that you provide access to your repositories, data buckets and secrets (tokens, credentials, etc.) individually to each user. All such resources can be managed in a granular manner by importing or creating them one by one on the platform.
Step 2: Create fully-installed workspaces and provide access to your resources through them.
For example, you can provide access to a single project repository in your GitHub or GitLab application. The access keys that authenticate the developer to the application are fully managed for you, so that code can be pushed from the workspace without any credential configuration. We call these keys project keys.
A project key provides access to a single project repository in a git application.
The main benefit is that, once strongly authenticated by the platform, freelancers can contribute code without ever having been explicitly given credentials to your git application, because all the keys needed are managed transparently by the platform. This greatly reduces the risk of credential leaks, or of forgetting to revoke a departed contributor's access, and is the key to enabling Zero Trust access control, as explained here.
You can also provide access to an entire git application by using a personal key that is assigned to a developer and managed by the platform. Keys for each available application are created in the user settings. Note that support for internal git applications is only available with a self-hosted instance of the platform (our solution for enterprise clients).
Personal keys are created on a per-application basis from the User Settings menu and referred to when configuring a workspace’s access to the application (next figure below).
In this case, a developer's access rights to the repositories managed by the application are those defined in the application's own settings. When creating a workspace, resource access is configured so that a personal key can be used with any application for which such a key has been deployed (as in the previous figure).
The platform also lets you manage access to data buckets in AWS, GCP and Azure, a great way to save money by avoiding git LFS on GitHub and GitLab, so that your team has shared (and monitored) access to your datasets. This is also useful for application development in its own right.
Finally, the platform lets you manage secrets and expose them to workspaces as environment variables or files, so that they can be used safely across applications, while keeping track of who has access to which secret. In all, workspaces can provide access to a diversity of resources, as shown below.
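To make the brokering idea above concrete, here is an added example that is not Strong Network's code and does not describe how their platform is implemented. It is a toy credential broker that mints short-lived, HMAC-signed tokens scoped either to a single repository (the "project key" idea) or to a whole git host (the "personal key" idea), revokes a departed developer in one central place, and formats the result the way a git credential helper hands credentials to git. The Broker class and method names, the "repo:" and "app:" scope strings, the token format and the x-access-token username are all assumptions for illustration.

```python
"""Toy credential broker illustrating 'project keys' vs 'personal keys'.

Added example, not Strong Network's code: the Broker class, the scope
strings ("repo:host/owner/name", "app:host"), the token format and the
x-access-token username are all assumptions for illustration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


class Broker:
    """Mints short-lived, HMAC-signed tokens on behalf of a developer.

    The developer never sees a long-lived credential: the workspace asks the
    broker for a token at push/pull time, and revoking the developer here is
    enough to cut off every repository at once.
    """

    def __init__(self, signing_secret: bytes, ttl_seconds: int = 600):
        self._secret = signing_secret
        self.ttl = ttl_seconds
        self.grants: dict[str, set[str]] = {}   # user -> granted scopes
        self.revoked: set[str] = set()          # offboarded users
        self.audit: list[tuple[float, str, str, str]] = []  # (time, user, action, target)

    # -- onboarding: what a manager does when creating a workspace -----------
    def grant_project_key(self, user: str, host: str, repo: str) -> None:
        """Project key: access to one repository only."""
        self.grants.setdefault(user, set()).add(f"repo:{host}/{repo}")

    def grant_personal_key(self, user: str, host: str) -> None:
        """Personal key: access to the whole git application on that host;
        which repositories the user sees is then decided by the application."""
        self.grants.setdefault(user, set()).add(f"app:{host}")

    # -- offboarding: one central action -------------------------------------
    def revoke_user(self, user: str) -> None:
        self.revoked.add(user)
        self.grants.pop(user, None)

    def _authorized(self, user: str, host: str, repo: str) -> bool:
        scopes = self.grants.get(user, set())
        return f"app:{host}" in scopes or f"repo:{host}/{repo}" in scopes

    # -- token issuance and verification --------------------------------------
    def mint(self, user: str, host: str, repo: str, now: float | None = None):
        """Return a signed token for (user, host, repo), or None if denied."""
        now = time.time() if now is None else now
        if user in self.revoked or not self._authorized(user, host, repo):
            self.audit.append((now, user, "DENY", f"{host}/{repo}"))
            return None
        payload = {"u": user, "h": host, "r": repo, "exp": int(now + self.ttl)}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
        sig = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        self.audit.append((now, user, "MINT", f"{host}/{repo}"))
        return f"{body}.{sig}"

    def verify(self, token: str, host: str, repo: str, now: float | None = None) -> bool:
        """Check signature, scope, expiry and that the user is still active."""
        now = time.time() if now is None else now
        body, _, sig = token.partition(".")
        expected = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return (payload["h"] == host and payload["r"] == repo
                and payload["exp"] > now and payload["u"] not in self.revoked)


def credential_helper_output(token: str, host: str) -> str:
    """Format a token as the key=value block a git credential helper writes
    to stdout. Using 'x-access-token' as the username is an assumption here."""
    return f"protocol=https\nhost={host}\nusername=x-access-token\npassword={token}\n"


if __name__ == "__main__":  # small walkthrough with constructed data
    broker = Broker(b"demo-signing-secret")
    broker.grant_project_key("alice", "github.com", "acme/app")   # one repo
    broker.grant_personal_key("bob", "gitlab.com")                 # whole host
    tok = broker.mint("alice", "github.com", "acme/app")
    print(credential_helper_output(tok, "github.com"))
    print("alice -> acme/other:", broker.mint("alice", "github.com", "acme/other"))
    broker.revoke_user("alice")
    print("alice after offboarding:", broker.verify(tok, "github.com", "acme/app"))
```

The point to take from the example is structural rather than cryptographic: the freelancer's workspace only ever holds a token that expires in minutes and is bound to one host and one repository, the git application never sees a per-person long-lived key, and offboarding is a single call on the broker rather than a hunt through deploy keys and personal access tokens. A real broker would also use a proper key store, a revocation check the git server can perform, and a signed audit trail.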
Through the platform, the workspace has access to resources such as: software, a single project code, an entire git application, a data bucket in AWS, and two secrets as credentials.
Trust but Verify: Security Set-up and Project Insights
Now comes step 3. Being able to trust-but-verify your liquid workforce is supported by security mechanisms whose reach depends on your plan.
Step 3: Now freelancers in your team can access fully installed and secured workspaces
At a minimum, the platform lets you provide access to single projects and to full applications, so that developers can push code without holding credentials themselves. It also lets them create pull requests via a special secured web browser. This is necessary because GitHub, GitLab and others are collaboration applications and, as such, do not prevent users from downloading entire projects.
A pull request is protected against code exfiltration via a secure browser provided by the platform.
The platform further protects data by enabling data loss prevention in workspaces. This feature monitors developer activity, such as clipboard usage in the IDE or network operations in the console, to prevent data exfiltration. Customizable Network Security Policies let you set different levels of network isolation depending on your verification requirements.
During workspace creation, the manager chooses a network security policy that provides an adequate protection level. Policies can be fully customized to reflect the project’s needs.
The platform allows you to access extended security logs that reflect all activities on the platform attached to your project.
The Advanced plan adds dashboards with team insights on performance, such as work attendance, the type of work performed, and time spent coding per day, week and month. This is particularly useful when freelancers bill by the hour.
Project insights help managers to visualize work performance (for example in hours) daily, weekly and monthly, with different activities represented using distinct colors.
Start Global Collaboration While Controlling Costs
As you can see, adding freelancers to your team is as simple as the three steps summarized below.
Three steps to securely onboard freelancers in your project.
Billing today depends solely on the number of workspaces in use in your team. Developers and (coding) tech leads each need a workspace, but adding project managers, auditors and other non-coding roles to the platform does not affect your monthly bill. A developer can still share her workspace with any type of user for collaboration activities such as co-editing code, four-eyes reviews, etc.
Lastly, you can contact us with ideas for new features, or simply to ask for a promo code to test drive the platform. If you're already a user, register for our referral program to get free workspace capacity for your team.