As the attack surface of most organizations’ IT environments expands into cloud-based services and infrastructure, it’s becoming more challenging than ever to secure assets and avoid data leaks. As more businesses become software-led, hosting services like GitHub provide tangible benefits, but their use also carries cyber risks. Ever-willing to adapt their tactics, threat actors increasingly seek out security flaws in how businesses use GitHub to compromise sensitive assets. This article provides a guide to best practices for GitHub security.
GitHub Security Risks
With today’s software development projects being characterized by high levels of collaboration and developers working from disparate remote locations, Github is an invaluable code hosting platform that facilitates these workflows. GitHub makes collaboration more fun and makes version control much easier. It’s no wonder that 84% of Fortune 100 companies use GitHub.
To borrow a phrase from Microsoft’s CEO, “all companies are software companies”. Modern businesses code software for internal uses and for discerning customers whose smartphone use created a huge demand for mobile apps.
In GitHub, there are public repositories that anyone on the Internet can access; developers often use these to show off their skills, while companies can use public repos to host code for open-source projects. There are also private repositories that should only be accessed by select individuals because they contain code for internal projects.
GitHub security risks can stem from private repositories being accessed by threat actors seeking to find valuable, confidential data. Another risk is private information ending up in publicly accessible repositories. As GitHub became more popular, cybercriminals began taking advantage of this popularity and actively targeting security weaknesses.
To take a recent example of the security risks involved, a threat actor used stolen OAuth app tokens to access private repositories at dozens of organizations in April 2022. Just over a year earlier, a report found that two million corporate secrets were detected and publicly accessible on GitHub. These corporate secrets included API keys, private keys, certificates, usernames, and passwords.
GitHub Security Best Practices
Implement Strong Access Controls
Strengthening access controls makes a huge difference in lowering the risk of GitHub account compromise. In particular, multi-factor authentication provides widely documented benefits in securing accounts by requiring two or more distinct categories of evidence to prove a user’s identity before they get access to their account.
How you implement multi-factor authentication also makes a difference in the strength of account access controls. Threat actors have deployed various methods to bypass SMS-based implementations, where account holders receive a one-time code to their mobile phone numbers to gain access. Better options include physical security tokens in a user’s possession or virtual tokens hard-coded into a registered device.
Another tip to harden access is to regularly audit accounts with access to your repositories and revoke access for former employees or contractors. Often, people use their personal GitHub accounts for professional purposes so look out for personal emails during audits and revoke them if they don’t belong to a current employee.
Encourage Users to Regularly Inspect Security Logs
GitHub accounts come with a useful security log feature that’s accessible by going to Settings -> Archive -> Security log. This log contains details of all actions performed on an account during the previous 90 days. A variety of operators enable developers to inspect security logs for specific actions, such as authentication events, or resources being modified.
It’s worth encouraging developers to inspect this log regularly in the repositories used within your organization. Events indicating malicious activity can become evident when searching through these logs.
Never Hardcode Secrets
Reports into GitHub security practices find with startling regularity that developers hardcode secrets into GitHub repositories. These secrets include API keys, credentials for databases, and various private keys. Since developers can make mistakes from time to time, it’s worth using a tool like git-secrets to programmatically scan code commits and associated commit messages for secrets. If a secret is detected, git-secrets rejects the commit from your repository.
Be Careful of GitHub Marketplace Application Risks
Many development teams quickly realize the value of using GitHub marketplace to find third-party applications and tools that refine their workflows. These apps could include code review tools or project management software. Since GitHub marketplace apps are coded by third-party developers outside your organization, it’s worth taking extra caution and recognizing their potential security risks.
When adding any marketplace application to your workflow, exercise the principle of least privilege. Least privilege access means that the app only gets the minimum permissions necessary for performing its relevant tasks or functionality on your codebase or workflow. It’s also worth performing some due diligence on the application’s author to ensure they have established a level of trustworthiness and security within the GitHub community.
Understand Dependencies and Fix Vulnerabilities
The security risks from dependencies can quickly spiral out of control because of the sheer number of them in most projects. Even a codebase with few direct dependencies can introduce transitive dependencies as a result of a directly referenced component relying on another library or framework. Furthermore, as open source accelerates, private repositories increasingly leverage readily available functionality from third-party components.
To understand dependencies, GitHub includes tools like dependency graph and review to map things out and let developers easily see what they’re introducing to codebases, including vulnerabilities and license information. When paired with a tool like Dependabot, you can not only understand dependencies but also fix vulnerabilities by getting the latest, most secure releases of components.
Get Data Leak Monitoring in Place
A best practice often recommended for strengthening Github security is to use the Enterprise edition. The Enterprise edition allows your business to self-host GitHub in your private, on-premise network environment. However, what’s often ignored in this recommendation is that it comes with additional security considerations, such as firewalls, network policies, IAM, monitoring, and VPNs.
For companies that may not be able to securely implement GitHub on-premise or that simply prefer the cloud-hosted offering, data leak monitoring solutions can monitor your repositories for accidentally leaked information. Being able to monitor GitHub for data leaks gives you proactive cybersecurity so that you can remediate the problem before you get breached.
Flare’s Data Leak Monitoring Platform
Flare provides 24/7 data leakage detection for GitHub repositories, employee credentials on the dark, deep, and clear web, and code or other secrets posted to anonymous sharing sites (e.g. Pastebin).
Get your demo here.