GitHub is a hosting platform which helps developers to collaborate in building software’s. It helps the developers to manage source code management. GitHub lets the project owner and others to work on your project. As we all know, GitHub is open source and provides unlimited free private repositories. In this article, we are going to see how to avoid security loopholes and utilize GitHub in a secure way.
CONTENTS:
Never store credentials in GitHub
Validate your GitHub applications
GitHub Enterprise
SSH keys and personal access tokens
Develop projects with security in mind
Audit code on regular intervals
Best practices
Conclusion
Last but not the least
You may be interested on
Never store credentials in GitHub
Storing your credentials locally or remotely has always been a risk of losing your data. Common people and developers, sometimes store their credentials and other configuration stuffs in their Git repository, with or without their knowledge. There are some great tools to avoid these practices, and one such is Git-secret. This tool actually prevents the users from exposing their sensitive information by analyzing it statically. You can get it here https://github.com/awslabs/git-secrets. Pre-commit Git Hook is another tool which uses strong regular expression patterns to prevent the leakage of sensitive data.
Fortunately or unfortunately, if you find out that your credentials are exposed from your Git repository, first invalidate tokens and passwords, and then remove them from the Git repository. Finally, clear your history.
Validate your GitHub Applications
Application that’s present in the GitHub platform is not always trustworthy because it is written by third party developers, or by some organizations. So, always be cautious before installing an application from Git repository as it may contain a backdoor. Some best practices to follow are:
- Before installing an application, always question yourself about what level of user access should be given to the application, and what could go wrong if it is a rouge application.
- Always validate the author of the application and do some back ground checks.
- Provide only the required access to the application, not more and not less.
- Make sure you monitor or audit your applications and their contributors at regular intervals to ensure that they are legitimate and still trustworthy.
GitHub Enterprise
In some organizations like financial institutions and government departments, it is forbidden to use GitHub as some other organization may have access to the application. For this kind of tightly secured organization, Git Enterprise comes into play. It allows you to fully host GitHub repositories within your organization. This means you can be disconnected from the internet and still have internal access to your projects within your GitHub Enterprise repositories.
SSH keys and Personal Access Tokens
Some applications and services assign default passwords. Not every system can be integrated with active directory. GitHub uses SSH key for SSH connection or user tokens (User name and Password). These Access Tokens should be changed on a regular basis. Sometimes, prevention is better than cure. Change passwords according to your password management policies.
Develop Projects with Security in Mind
When a developer creates a new project, they mostly try to find shortcut or insecure way of running the application. This might lead to the disclosure of sensitive information like passwords which might be hard coded, or stored locally in config like a properties file. The developers must be aware of security issues that may arise because of poor source code knowledge techniques. In addition, if you’re planning to build an open source application, it will be much easier and safer because it would be developed with a security mindset.
Audit code on Regular intervals
Before pushing the code into GitHub, always check whether any sensitive information is present in the code. The source code that you import into GitHub may have existed for months or years, and possibly could’ve been developed in a closed source repository. This can lead to many of the reasonable assumptions made in a closed source environment, now being invalid. Always ensure you do a complete audit before you import anything into GitHub.
Best Practices:
- Implement Two-Factor-Authentication (2FA) on every contributor’s GitHub account.
- Never let users share GitHub accounts/passwords.
- Laptops/Devices with access to your source code must be properly secured.
- Repository administrators should manage team access to data. Only give contributor’s access to the data, they need to do their work.
- GitHub accounts are often personal ones, and do not naturally disappear when users leave the company. Disable the account after the employee relieves from your organization.
- Give proper knowledge to the users about security.
Conclusion:
GitHub has helped many developers and students to build their project and host. But, we all at one point of time, inadvertently forget that technology should be handled in a secured way. Proper implementation of the above best practices are the best methods to maintain GitHub security.
Last but not the least:
Have you ever heard the name Threatsploit Adversary report. If not, read it. It’s our report which contains the global collection of cyberattacks, the impacts caused, the losses faced and much more. It is way better than tiresomely searching for all these, one by one in search engines.
You may be interested on: