# Essential Security Practices for DVS Developers

**Least Privilege:**

Containers should run with the minimum required privileges, which should be specified by the DVS developer team. If not specified, operators should consult the DVS developer team directly.

**Security and Maintenance:**

* Emit runtime logs, including security events.
* Use minimal base images, such as [ko Go containers](https://ko.build/), to reduce the attack surface.
* Release updated images with security patches regularly.
* Ensure DVS-related ECDSA keys are used only for non-fund-holding updates (e.g., modifying IP and port details in a smart contract).

**Container Management:**

* Do not store key material on containers; refer to key management documentation.
* User IDs should be formatted as `DVS-NAME-random` to avoid conflicts with the host.
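One way an operator could check the least-privilege and container-management points above against `docker inspect` output. This is an added example, not code from the DVS project. The `exampledvs` name, the sample JSON, the key-name heuristic, and the reading of `DVS-NAME-random` as `<dvs-name>-<alphanumeric suffix>` are assumptions.

```python
import json
import re

# Constructed sample of `docker inspect` output, trimmed to the fields checked below.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/exampledvs-good",
   "Config": {"User": "exampledvs-7f3a9c", "Env": ["LOG_LEVEL=info"]},
   "HostConfig": {"Privileged": false, "CapAdd": null,
                  "Binds": ["/var/log/exampledvs:/logs"]}},
  {"Name": "/exampledvs-bad",
   "Config": {"User": "", "Env": ["ECDSA_PRIVATE_KEY=0xCONSTRUCTED"]},
   "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"],
                  "Binds": ["/home/op/keystore:/keys"]}}
]
""")

# Heuristic (assumption): names that suggest key material in env vars or mounts.
KEY_HINT = re.compile(r"(private[_-]?key|mnemonic|keystore|secret)", re.I)

def audit(container, dvs_name, allowed_caps=()):
    """Return findings for one inspect entry; allowed_caps is the DVS team's stated list."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("runs with --privileged")
    for cap in host.get("CapAdd") or []:
        name = cap.upper().removeprefix("CAP_")
        if name not in allowed_caps:
            findings.append(f"adds capability {name} not in the DVS team's list")
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root (no non-root user set)")
    elif not re.fullmatch(re.escape(dvs_name) + r"-[A-Za-z0-9]+", user):
        findings.append(f"user {user!r} does not match {dvs_name}-<random>")
    for env in cfg.get("Env") or []:
        var = env.split("=", 1)[0]
        if KEY_HINT.search(var):
            findings.append(f"possible key material in env var {var}")
    for bind in host.get("Binds") or []:
        if KEY_HINT.search(bind):
            findings.append(f"possible key material mounted: {bind}")
    return findings

if __name__ == "__main__":
    for c in SAMPLE_INSPECT:
        print(c["Name"], audit(c, "exampledvs") or "OK")
```

On a live host, feed it `json.loads` of `docker inspect <container>` output instead of the constructed sample.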

**Image and Software Management:**

* DVS developer teams should [sign their images](https://docs.docker.com/engine/security/trust/) for releases and upgrades, with Docker displaying a verified badge for signed images.
* Tag each new release with an updated image, and publish clear release notes that explain new features and breaking changes.
* Operators should control their software upgrades, avoiding automated upgrade mechanisms.

**Communication:**

Establish direct communication channels (e.g., Discord, Telegram) with operators to coordinate upgrades smoothly.
