Here are some steps you can take to ensure best practices when engaging third-party developers for your project, even though you have signed an NDA:
Before engaging developers:
1/ Clearly define the scope of work:
Clearly outline the specific tasks and functionalities you expect the developers to deliver. This reduces the risk of them accessing irrelevant parts of your code or data.
2/ Set up a least privilege access model:
Provide developers with the minimum permissions necessary to complete their assigned tasks. This minimizes the potential damage if a security breach occurs.
3/ Leverage temporary credentials:
Instead of long-term credentials, consider using temporary access tokens that expire after a set period. This reduces the window of opportunity for misuse.
4/ Code obfuscation (optional):
While not a foolproof solution, obfuscating your code can make it more difficult for developers to understand and misuse it.
During development:
1/ Implement code reviews:
Establish a code review process where your internal team or senior developers can assess the code written by the third party for security vulnerabilities and adherence to best practices.
2/ Regular security audits:
Conduct regular security audits of your codebase to identify any potential vulnerabilities that may have been introduced by the third party.
3/ Data encryption:
If the project involves sensitive data, ensure it is encrypted at rest and in transit to prevent unauthorized access.
**Additional considerations:**
--> Security training: Provide security awareness training to both your internal team and the third-party developers to educate them on best practices for handling sensitive information.
--> Monitoring: Monitor your systems for any suspicious activity that could indicate unauthorized access or data exfiltration.
Regarding your request for architectural and design support:
- Consider using the AWS Well-Architected Framework (https://docs.aws.amazon.com/wellarchitected/latest/userguide/waf.html) to define your project's architecture based on best practices for security, scalability, performance, and cost.
- AWS Landing Zones: Explore AWS Landing Zones https://aws.amazon.com/about-aws/whats-new/2018/06/introducing-aws-landing-zone/ which provide a reference architecture for deploying secure and scalable cloud environments.
For further support you can contact the AWS team (Professional Services) or any of our partners to guide and support you.
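The "least privilege" and "temporary credentials" steps in the answer above can be made concrete on AWS with a cross-account IAM role: the third party assumes the role with STS, the trust policy requires an agreed ExternalId, the permissions policy names only the development bucket, and MaxSessionDuration caps how long any session token lives. The following is an added example, not code from the answer or from AWS; the account IDs, role and bucket names and the external ID are constructed placeholders, and the boto3 calls that would apply the documents are shown in comments rather than executed. The lint functions are a pre-apply check a reviewer can run over any policy document, not just the ones built here.

```python
"""Added example: build a least-privilege, temporary-access role for a
third-party developer and lint the policy documents before applying them.
All account IDs, names and the external ID below are constructed placeholders."""
import json

# Constructed placeholders: replace with real values before use.
CONTRACTOR_ACCOUNT = "222222222222"
EXTERNAL_ID = "placeholder-external-id"
DEV_BUCKET = "example-dev-sanitized-data"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def trust_policy(contractor_account, external_id):
    """Trust policy: only the contractor's account may assume the role, and only
    when it presents the agreed ExternalId (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{contractor_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(dev_bucket):
    """Permissions scoped to the development bucket only; production resources
    are never named, so they stay implicitly denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DevBucketOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{dev_bucket}", f"arn:aws:s3:::{dev_bucket}/*"],
        }],
    }


def lint_permissions(policy):
    """Return findings for Allow statements that break least privilege."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: service-wide or global wildcard action")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to a resource")
        if any(a.startswith(("iam:", "sts:")) for a in actions):
            findings.append(f"{sid}: grants identity-management actions")
    return findings


def lint_trust(policy):
    """Return findings for trust statements that let anyone assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("trust: any principal may assume the role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust: missing sts:ExternalId condition")
    return findings


def contractor_role_request(role_name, max_session_seconds=3600):
    """Keyword arguments for iam.create_role(): trust policy serialised as JSON,
    MaxSessionDuration (1 to 12 hours) bounding every session token issued."""
    if not 3600 <= max_session_seconds <= 43200:
        raise ValueError("MaxSessionDuration must be between 3600 and 43200 seconds")
    return {
        "RoleName": role_name,
        "AssumeRolePolicyDocument": json.dumps(trust_policy(CONTRACTOR_ACCOUNT, EXTERNAL_ID)),
        "MaxSessionDuration": max_session_seconds,
    }


if __name__ == "__main__":
    req = contractor_role_request("contractor-dev-role")
    perms = permissions_policy(DEV_BUCKET)
    problems = lint_trust(json.loads(req["AssumeRolePolicyDocument"])) + lint_permissions(perms)
    if problems:
        raise SystemExit("refusing to apply over-broad policies:\n" + "\n".join(problems))
    # Apply once reviewed (not executed here, requires boto3 and credentials):
    # iam = boto3.client("iam")
    # iam.create_role(**req)
    # iam.put_role_policy(RoleName=req["RoleName"], PolicyName="DevBucketOnly",
    #                     PolicyDocument=json.dumps(perms))
    print("policies pass lint")
```

The third party then calls `sts:AssumeRole` on the role ARN with the ExternalId and receives credentials that expire at or before MaxSessionDuration, so nothing long-lived is ever handed out; revoking access is a matter of deleting the role or its trust statement. Run the lint over every policy change during the engagement, not only at setup.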
Cloudy did a good job with platform answers.
Data
Developers should not have access to production systems or data. Developers should write programs on a development environment based on approved use-cases and sanitized data. You should come as close to that as possible.
Code
Not all code should be sensitive or should cause the company damage if parts of it get leaked out. Any sensitive code should be obfuscated and the originals kept under lock and key.
If someone wants to steal source code even though they signed a non-disclosure agreement, then they will. Make certain that least privilege access is followed to minimize risk.
All third-party developers should sign non-disclosure agreements with the company responsible for the code.
Good luck.