GitHub is the world’s most extensive code management system, but is your code being stored securely? While GitHub takes its security seriously, there are a few things all GitHub users should do to secure their projects even more.
- 1 What exactly is GitHub security?
- 2 What happens if my GitHub account is compromised?
- 3 How to improve your GitHub security
- 3.1 Make your GitHub credentials unique
- 3.2 Have a local copy of your repository
- 3.3 Avoid storing passwords as code
- 3.4 Lockdown access to your repository
- 3.5 Validate permissions on your application
- 3.6 Rotate authentication keys
- 3.7 Use the right GitHub solutions
- 3.8 Collect GitHub logs
- 3.9 Includes a SECURITY.md file in your repository
- 3.10 Audit your Git/GitHub configurations
- 3.11 Leverage real-time code scanning
- 3.12 Scan for secrets
- 3.13 Enable security alerts for critical assets
- 3.14 Perform regular code/security audits
- 4 Conclusion
What exactly is GitHub security?
Github security is a methodology for protecting your GitHub environment by implementing layers of protection both on and off of GitHub. This can include everything from code auditing to using two-factor authentication to secure logins.
Implementing proper GitHub security ensures that your intellectual property is protected and that attackers inject malicious code into your projects for later use. Unfortunately, the nature of an online repository is an attractive target for skilled hackers, putting extra pressure on GitHub repository owners to step up their security game.
By default, GitHub implements many different features to protect its users, such as identifying account compromise based on login location. Given the collaborative nature of application development, this leaves much room for vulnerabilities to be accidentally introduced. GitHub security procedures help both stop and mitigate the damage of GitHub-related attacks.
What happens if my GitHub account is compromised?
Attacks can all have different outcomes depending on the goal of the attacker. In many cases, attackers wish to either steal your code, hijack your application’s credentials, or inject their malicious backdoors into your codebase.
A recent strategy for cybercriminals is to steal the code and delete all of the commits. This leaves your GitHub repository essentially empty. The attacker then reaches out with a bitcoin address demanding payment in exchange for your code back.
Some attacks can be more subtle than others. For example, attackers can slowly steal code with a compromised GitHub account and implement it into their tools. In some cases, privileged credentials are stolen and used to send spam or malware from your app to its users.
In any case, none of this is good. So let’s take a look at strategies you can use to improve your GitHub security.
How to improve your GitHub security
While most GitHub security techniques involve changes on GitHub itself, some include policies and procedures outside of the platform. These policies can take time to fully implement and audit, especially if you’re working with a larger development team.
Make your GitHub credentials unique
It should go without saying that your GitHub credentials should be unique and not include any form of credentials used elsewhere. Unfortunately, however, many attacks against GitHub accounts still leverage account credentials that are stolen elsewhere.
When websites are compromised, their data is often dumped or sold online. Then, attackers use bots to sift through stolen usernames and passwords and try them on other sites, hoping to get lucky.
Use unique credentials combined with two-factor authentication to lock down your account.
Have a local copy of your repository
Having multiple backups of your repository is key to recovering from a breach or stolen data. For example, having a local backup of your code can allow you to quickly recover from an attack by force pushing your local copy to your GitHub repository.
This saves your time by eliminating the need to audit your code and completely keep projects if held for ransom. In addition, while you can use many tools and techniques to compare your local code to your GitHub code, running a local recovery is often more accessible and more efficient.
Avoid storing passwords as code
Avid storing credentials in your repository. It may sound obvious, but more significant projects can often contain sensitive information that gets included accidentally.
There are some great tools you can use to scan your code for sensitive data automatically. Git-secrets analyses your commits and checks for credentials and other forms of sensitive data. You can also audit your reports with tools like GitRob, which uses pattern matching to identify sensitive information and pattern recognition.
Implement strong policies among your dev team and perform regular audits of your code for usernames, passwords, and other sensitive information before commits are pushed. Strong internal policies combined with tools like git-secrets can help improve your teams’ workflow and the overall security of your GitHub environment.
Lockdown access to your repository
Locking down access has many different layers and is best implemented through policies and procedures over time. You can have a unique set of credentials for your GitHub account, but that does little good if those credentials are sticky-noted to your monitor. We often rush to patch complicated attack vectors while not seeing the lower-hanging fruit opportunities for attackers or internal abuse.
Have strict account security controls in place can help prevent breaches that start from within the company. For example, make revoking account access a part of the termination process. GitHub accounts can still be accessed, even when that user leaves the company. Creating similar procedures for all IT systems falls in line with best practices.
GitHub accounts should not be shared and should be generic, such as having a single account for the entire QA team. Password sharing leads to a lot of problems, specifically around auditing. Shared accounts create a blindspot where that account cannot be adequately audited and causes problems when one person with that account access is terminated. Additionally, each account should have a single owner.
Hardware access policies can also help keep your GitHub repository secure. Mandate that any hardware that is accessing company source code must be a company machine or secured correctly. Doing this ensures that malware can’t steal GitHub credentials from a staff member’s device.
Laptops and other tablets can also be easily lost or stolen. If these devices are accessing your codebase, ensure that they are adequately secured. Enabling Bitlocker on Windows devices automatically encrypts all of the contents on the device, providing information that cannot be stolen if the device is lost.
Company devices can be secured easier through group policies, Active Directory authentication, and your flavor of endpoint security. All of these more minor security policies play a significant role in your overall GitHub security posture.
Validate permissions on your application
GitHub applications can quickly and conveniently add additional features to your repository, but these same applications can cause a breach in security. Avoid adding too many unnecessary applications to your repository, and vet each installation carefully.
Review the author of the application and their credibility. Are they used widely among other projects? Have they been in the space for a while? Do they have any negative reviews or comments about them?
For each application, audit exactly what permissions they require and ensure they do not have more permissions than they need. For example, sloppy plugins and applications may request bulk access to operate but only need narrow permission to function in reality.
Once you’ve narrowed down exactly what permissions the application needs, consider why it needs those permissions in the first place. Review what this application could access or damage given its level of access to your repository.
Rotate authentication keys
Access to your repository can be secured through personal access tokens or SSH keys. But this is all in vain if those tokens are stolen. So consider changing out your security keys from time to time to prevent stolen keys from being used for unauthorized access.
Other policies such as enforcing company devices for GitHub access can also help prevent keys from being stolen. However, even with rigid policies in place, it is still best practice to refresh these keys every few months.
Use the right GitHub solutions
GitHub has several different product offerings that can be used to fit other organizational and security needs. This is common for projects that must adhere to compliance regulations or governmental policies.
If security is the main priority, GitHub Enterprise offers teams the ability to run GitHub entirely on-premises. This gives your more control over your infrastructure and doesn’t place your code in the crosshairs or attackers looking to compromise GitHub,
GitHub also now offers unlimited free private repositories with up to three collaborators per repository. Private repositories detach public forks and give you more control over your project’s visibility.
Collect GitHub logs
GitHub logs are a trove of security information that can telegraph malicious activity is taking place. If your logging isn’t enabled, consider turning it on and implementing a plan to monitor its contents.
Larger organizations can implement a SIEM solution such as SolarWinds Security Event Manager to scan and identify indications of compromise automatically. These tools can also be configured to fire off automated alerts and remediation steps when a threat is discovered, making it a highly scalable security solution.
Includes a SECURITY.md file in your repository
A SECURITY.md file is like readme documents, but for outlining security procedures. This file is great for small and large projects and helps users understand how they should proceed with updates and general security practices.
Information about security disclosures is often included in the documentation, giving clear and concise information about how vulnerabilities and bugs can be disclosed and who they should contact. This helps make sure the right project maintainers get the correct information regarding their roles.
Configuration-related security information is also included to help others tailor your project to their unique environment. Default and suggested settings are often outlined in this section of the file and best security practices for the application.
Security update policies within the file help users understand how you disseminate information to them if a vulnerability is discovered. This is important, especially for popular projects where a bug could impact thousands of users that rely on your application. It’s best practice to update users as soon as you have known a bug has been discovered and outline precisely how they can receive the latest patches from you.
Audit your Git/GitHub configurations
Misconfigurations can be either accidental or intentional, depending on the nature of the threat. Consider auditing your GitHub configurations to ensure shared assets and user accounts all have the proper permissions. In addition, automated configuration monitoring tools can be used to monitor your Git environment. Many of these tools leverage SNMP integrations to collect data and monitor different environments.
Leverage real-time code scanning
You don’t have to wait until your code is finished to scan it for vulnerabilities or data leaks. Tools like CodeQL can collect information as the code is entered into the repository and review before every push.
The CodeQL engine works by analyzing data flows through an application to find vulnerabilities. This helps uncover bugs like SQL injections, remote code executions, and cross-site scripting attacks.
Scan for secrets
Secret scanning is a part of GitHub Advanced Security and works to detect well-known secrets automatically. It works by automatically scanning repositories that get pushed for credentials or other sensitive information. If secrets are found, the provider of the mystery is notified. This allows them to validate the unknown and then revoke or renew access.
Enable security alerts for critical assets
For dependencies and other areas of your GitHub account, you can enable security alerts for your repository. This is beneficial for all repositories but is especially useful for larger projects where a dependency vulnerability or outage could cause significant downtime.
The security alerts also tap into the National Vulnerability Database (NVD), which provides a constant source of up-to-date vulnerability information that compares your project to the latest known vulnerabilities and threats.
Perform regular code/security audits
Before importing any projects or large pieces of code into GitHub, consider thoroughly auditing the code. While this might not be necessary for smaller projects, larger repositories should audit new code imports before adding them.
It can be tough to secure such a collaborative environment as GitHub, but it can come as second nature with the correct procedures and mindset. So, above anything else, take the time to incorporate these best practices into policies and procedures your team must follow.
This will create a culture of security over time, and bake GitHub best security practices right into the core of your application development process.