
Edge Articles

8/18/2020
11:15 AM
Curtis Franklin Jr.

How to Stay Secure on GitHub

GitHub, used badly, can be a source of more vulnerabilities than successful collaborations. Here are ways to keep your development team from getting burned on GitHub.

Open source software is a fact of life for enterprise software developers, and GitHub is a fact of life for many open source software projects. The development platform and code repository has become the de facto home for projects ranging from enterprise applications to malware. The question for many security teams is how to make GitHub a safe place for their organization to get -- and store -- code.

There are a variety of different suggestions for best practices on GitHub -- suggestions that include both the obvious and the subtle.

And it's important to remember that "GitHub" isn't a monolithic thing. Much like the content management system WordPress, it comes in several forms: there's the publicly accessible repository hosting used by countless individuals and open source projects, there's the hosted private repository used by thousands of organizations with distributed software development groups, and there's Git itself, the version control software underlying GitHub, which organizations that aren't looking for a SaaS solution can self-host.

The issues and solutions we found apply to all of these, but especially to organizations using the public or hosted versions of GitHub.

Just Don't
Usernames, passwords, and other credentials should never, ever be included in code or comments. This is true whether you're talking about GitHub, a local code repository, or any other place code is stored. As a matter of security, credentials just should not be hard-coded into applications. And because Git keeps history, a credential that has been committed and pushed is compromised even after it is removed from the current version of a file: it must be rotated, not merely deleted.


"Organizations that use public repositories need to be very careful about the information that gets made public," says Brian Jack, CISO at KnowBe4. "Passwords, access tokens, and other sensitive information have been found many times to be included in public source repositories."

He also points out the need for an approval process for any information posted publicly, whether the posting is to social media or a code repository.
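As an added illustration (not code from the article, KnowBe4, or any project the article names), the following Python script shows both halves of the "don't hard-code credentials" rule: a pre-commit style scan of a git diff for common credential formats, and the hardened pattern of reading the secret from the environment at runtime instead of from the source. The regular expressions, the `DB_PASSWORD` variable name, and the sample diff are assumptions constructed for the example; production secret scanners cover many more formats.

```python
"""Scan a git diff for hard-coded credentials before it is committed.

Added example. The patterns and sample diff below are constructed for
illustration; they are not taken from any real project or scanner.
"""
import os
import re
import sys
from typing import List, Mapping, Optional, Tuple

# Credential formats with recognisable shapes. AWS access key IDs and
# GitHub tokens carry fixed prefixes; the last pattern catches generic
# "password = '...'" style assignments. (Pattern set is an assumption.)
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("password_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]


def scan_diff(diff_text: str) -> List[Tuple[str, int, str]]:
    """Return (pattern_name, diff_line_no, content) for each added line that matches.

    Only lines starting with '+' (added content) are inspected, and the
    '+++ b/file' header is skipped, so a commit that *removes* a secret is
    not blocked by the secret it removes.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, line[1:]))
    return findings


def load_db_password(env: Optional[Mapping[str, str]] = None) -> str:
    """The hardened alternative: the secret comes from the environment (or a
    secrets manager) at runtime, so nothing sensitive is ever in the repo.
    Refuses to start rather than silently falling back to a default.
    """
    env = os.environ if env is None else env
    value = env.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start with a default")
    return value


# Constructed sample of what `git diff --cached` hands a pre-commit hook.
# The values are fake (the AWS key is Amazon's documented example ID).
SAMPLE_DIFF = (
    "diff --git a/settings.py b/settings.py\n"
    "--- a/settings.py\n"
    "+++ b/settings.py\n"
    "@@ -1,3 +1,5 @@\n"
    "-DB_PASSWORD = None\n"
    '+DB_PASSWORD = "hunter2-prod-2020"\n'
    '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
    "+# token comment: ghp_" + "a" * 36 + "\n"
    " DEBUG = False\n"
)

if __name__ == "__main__":
    # As a hook: `git diff --cached | python this_script.py`; a non-zero
    # exit aborts the commit. With no piped input, scan the sample diff.
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(diff)
    for name, lineno, text in hits:
        print(f"diff line {lineno}: possible {name}: {text.strip()}")
    sys.exit(1 if hits else 0)
```

Wired into a pre-commit hook this catches the three added lines of the sample diff (a password assignment, an AWS access key ID and a GitHub token) and aborts the commit, while a line that merely deletes a secret passes.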

Who's There?
With so many open source projects hosted on GitHub, many people assume that all access to projects and code should be completely open. That may be fine as a philosophy, but, according to many security experts, it's poor security practice.

"The lack of role-based access control [RBAC] enforcement is one of the most common issues organizations overlook," says Brendan O'Connor, CEO of AppOmni.

As with other critical software-as-a-service (SaaS) applications, "it's important that all access to code repositories in GitHub adhere to the principle of least privilege," O'Connor says. "Organizations and security teams must ensure that the access to repositories is properly managed by using the 'Team' construct in GitHub, and that individual users are assigned only to the Teams they support or work for. This ensures that they only have access to the code repositories they need."
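To make the least-privilege point concrete, here is an added example (not code from the article, AppOmni, or GitHub) that audits a repository's access list the way a security team might: it flags every direct collaborator, since a grant made to an individual bypasses the Team construct O'Connor describes, and every admin grant, whether held by a user or handed to a whole Team. The JSON is constructed to follow the field names of GitHub's REST API collaborator and team listings (`login`, `role_name`, `permissions`, `slug`, `permission`) as the author of this example understands them; the users, teams, the `fetch_json` helper and the `GITHUB_REPO` environment variable are assumptions for the example.

```python
"""Least-privilege audit of a GitHub repository's access list.

Added example. The sample data is constructed to mirror the response shape of
  GET /repos/{owner}/{repo}/collaborators?affiliation=direct
  GET /repos/{owner}/{repo}/teams
(field names are an assumption; users, teams and repository are fictitious).
"""
import json
import os
import sys
import urllib.request
from typing import Dict, List

# Constructed sample: three people granted access directly, not via a Team.
DIRECT_COLLABORATORS: List[Dict] = json.loads("""[
  {"login": "alice", "role_name": "admin",
   "permissions": {"admin": true, "maintain": true, "push": true, "triage": true, "pull": true}},
  {"login": "bob", "role_name": "write",
   "permissions": {"admin": false, "maintain": false, "push": true, "triage": true, "pull": true}},
  {"login": "contractor-x", "role_name": "read",
   "permissions": {"admin": false, "maintain": false, "push": false, "triage": false, "pull": true}}
]""")

# Constructed sample: Teams with access to the repository and the level granted.
REPO_TEAMS: List[Dict] = json.loads("""[
  {"slug": "payments-dev", "permission": "push"},
  {"slug": "all-engineering", "permission": "admin"}
]""")


def audit_repo_access(direct: List[Dict], teams: List[Dict]) -> List[str]:
    """Return one finding per grant that violates a Team-based, least-privilege model.

    Rules applied:
      * every direct (non-Team) collaborator is a finding, because access that
        is not routed through a Team is not reviewed when Team rosters change;
      * admin on the repository, whether held by a user or granted to a Team,
        is a finding, because admin can alter branch protection, secrets and
        the collaborator list itself.
    """
    findings: List[str] = []
    for user in direct:
        login = user["login"]
        if user["permissions"].get("admin"):
            findings.append(f"{login}: direct admin access to the repository")
        else:
            findings.append(f"{login}: direct '{user['role_name']}' access granted outside of a Team")
    for team in teams:
        if team.get("permission") == "admin":
            findings.append(f"team {team['slug']}: grants admin to every member")
    return findings


def fetch_json(url: str, token: str) -> List[Dict]:
    """Fetch one page of a GitHub REST endpoint (assumed helper; not run offline)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # With GITHUB_TOKEN and GITHUB_REPO ("org/repo") set, audit a live repository;
    # otherwise run against the constructed sample above.
    token, repo = os.environ.get("GITHUB_TOKEN"), os.environ.get("GITHUB_REPO")
    if token and repo:
        base = f"https://api.github.com/repos/{repo}"
        direct = fetch_json(f"{base}/collaborators?affiliation=direct", token)
        teams = fetch_json(f"{base}/teams", token)
    else:
        direct, teams = DIRECT_COLLABORATORS, REPO_TEAMS
    findings = audit_repo_access(direct, teams)
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

On the sample data the audit produces four findings: one direct admin, two direct non-admin grants, and a Team that hands admin to all of its members. A repository whose only grants go through Teams at write or read level produces none, which is the state the least-privilege model aims for.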

Story continues on the next page.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...