Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

11:15 AM
Curtis Franklin Jr.
Curtis Franklin Jr.
Edge Articles

How to Stay Secure on GitHub

GitHub, used badly, can be a source of more vulnerabilities than successful collaborations. Here are ways to keep your development team from getting burned on GitHub.

Open source software is a fact of life for enterprise software developers, and GitHub is a fact of life for many open source software projects. The development platform and code repository has become the de facto home for projects ranging from enterprise applications to malware. The question for many security teams is how to make GitHub a safe place for their organization to get -- and store -- code.

(image by PixieMe, via Adobe Stock)
(image by PixieMe, via Adobe Stock)

There are a variety of different suggestions for best practices on GitHub -- suggestions that include both the obvious and the subtle.

And it's important to remember that "GitHub" isn't a monolithic thing. Much like content management system WordPress, there's the publicly available and accessible repository used by countless individuals and open source projects, there's the hosted private repository used by thousands of organizations with distributed software development group, and there's "Git," the code repository software that can be self-hosted by organizations that aren't looking for a SaaS solution.

The issues and solutions we found are applicable to all of these, but especially to the organizations that are using the public or hosted versions, GitHub.

Just Don't
Usernames, passwords, and other credentials should never, ever be included in code or comments. This is true whether you're talking about GitHub, a local code repository, or any other place code is stored. As a matter of security, credentials just should not be hard-coded into applications.

[Have you read: "6 Dangerous Defaults Attackers Love (And You Should Know)" yet? Default configurations can be massive vulnerabilities. Here are a half dozen to check on for your network.) 

"Organizations that use public repositories need to be very careful about the information that gets made public," says Brian Jack, CISO at KnowBe4. "Passwords, access tokens, and other sensitive information have been found many times to be included in public source repositories."

He also points out the need for an approval process for any information posted publicly, whether the posting is to social media or a code repository.

Who's There?
With so many open source projects hosted on GitHub, many people assume that all access to projects and code should be completely open. This may be fine philosophy, but, according to many security experts, it's poor security practice.

"The lack of role-based access control [RBAC] enforcement is one of the most common issues organizations overlook," says Brendan O'Connor, CEO of AppOmni.

As with other with other critical software-as-a-service (SaaS) applications, "it's important that all access to code repositories in GitHub adhere to the principle of least privilege," O'Connor says. "Organizations and security teams must ensure that the access to repositories is properly managed by using the 'Team' construct in GitHub, and that individual users are assigned only to the Teams they support or work for. This ensures that they only have access to the code repositories they need."

Story continues on the next page.

Curtis Franklin Jr. is Senior Analyst at Omdia, focusing on enterprise security management. Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications ... View Full Bio
1 of 2

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cartoon Caption Winner: Magic May