Final week Okta introduced a safety breach that concerned an attacker getting access to its supply code hosted in GitHub. That is simply the newest instance in an extended string of assaults getting access to firm supply code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts focused earlier than.
With 90 million energetic customers, GitHub is the most well-liked supply code administration device for each open supply and personal enterprise code repositories. It is a main piece of elementary infrastructure and the keeper of a few of the most delicate belongings and knowledge on the earth.
It is no marvel that attackers are more and more going after supply code. In some instances, reminiscent of Okta, they is likely to be attempting to realize entry to the supply code. Extra typically, the attackers are on the lookout for delicate data to make use of in a subsequent assault.
An attacker who can achieve entry to non-public supply code can study it for vulnerabilities after which exploit these vulnerabilities in subsequent assaults. Attackers may harvest hardcoded keys, passwords, and different credentials that is likely to be saved in GitHub to realize entry to cloud providers and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield mental property, legitimate credentials, and a pleasant listing of vulnerabilities in manufacturing software program which can be able to be exploited.
Shiny Hunters, an assault group recognized to particularly goal personal GitHub repositories, has breached tens of firms utilizing this method, and offered their knowledge throughout varied Darkish Net marketplaces.
Securing the Group’s GitHub Surroundings
There is no such thing as a query that GitHub is a crucial a part of the group’s infrastructure, however locking it down is a fancy and difficult id safety drawback. The fantastic thing about the GitHub mannequin is that it permits for unfettered collaboration, however that additionally creates one of many greatest complications in fashionable IT safety.
Simply give it some thought: Anybody remotely technical in 2022 has a GitHub account. And you need to use your GitHub account for the whole lot. We are able to use these accounts for private aspect tasks, open supply contributions, and our work in private and non-private code repositories which can be in the end owned by our employers. That’s numerous heavy lifting for a single id!
You can even use the “Sign up with GitHub” characteristic to make use of your GitHub id in different web sites and providers outdoors of simply GitHub itself. And there is extra: GitHub is exclusive in that you do not simply register to their web site, you additionally pull, push, and clone code from GitHub’s servers right down to your native machine by way of git operations over HTTPS and SSH, which themselves require your GitHub id.
Clearly GitHub picked up on these safety implications when it introduced the deprecation of usernames and passwords for git operations final 12 months — a step in the suitable path.
7 Suggestions for Securing Your GitHub
Whereas GitHub supplies instruments to lock down the setting, organizations must know the best way to use them. Sadly, a few of the most essential safety capabilities require GitHub Enterprise. Nonetheless, listed here are seven ideas for higher GitHub safety.
- Do not permit private accounts for work. We get it, your organization has a number of public repositories and you may construct your credibility by exhibiting off some public contributions in your subsequent job interview. Your private GitHub account is a part of your model. Sadly, that is additionally one of many greatest holes in organizations utilizing GitHub right this moment: They don’t strictly govern the usage of private accounts for work functions. As tempting because it is likely to be, private accounts shouldn’t be used for work. There’s simply no option to management who has entry to that non-public Gmail deal with that you simply used to create your private GitHub account.
- Require authentication by way of firm SSO. Sadly, GitHub reveals up prominently on the SSO Wall of Disgrace. That is proper — it’s essential to pay additional for SSO integration. After you have GitHub Enterprise, you’ll be able to join GitHub to your organization SSO, reminiscent of Okta or Azure AD or Google Workspace, and you may lock down your group to solely permit authentication by way of SSO.
- Require 2FA on all accounts. Even when you implement two-factor authentication (2FA, aka MFA) by way of your SSO and likewise require SSO authentication, the most secure possibility is to nonetheless implement 2FA for all GitHub customers in your group. Exemption teams and coverage exceptions in your SSO supplier could make SSO MFA straightforward to bypass.
- Use SSH Keys for git operations. Whereas GitHub has launched fine-grained permissions management with private entry tokens (PATs), they continue to be inclined to phishing as these tokens are sometimes copied round in plaintext. Through the use of SSH keys for authentication for git operations, your group can use considerate PKI to control how SSH keys are provisioned, and may tie this to your organization’s gadget administration and your personal certificates authority (CA).
- Prohibit repository member privileges utilizing roles. GitHub gives a number of totally different repository roles that may be assigned primarily based on the precept of least privilege. Base permissions may be managed on the group degree. All the time take care to assign the least privileged position {that a} member must be productive. Do not make everybody an admin.
- Do not permit outdoors collaborators. Working with contractors is a standard a part of managing giant software program tasks. Nevertheless, the governance surrounding outdoors collaborators in GitHub is inadequate to maintain your group safe. As an alternative, power outdoors collaborators to authenticate by way of your organization SSO, and don’t permit repository admins to ask them on to your group’s repositories.
- Audit, analyze, and audit once more. No group is ideal; even with the perfect insurance policies in place, accounts fall by way of the cracks and errors are made. Even earlier than locking down your GitHub group, take the time to implement an everyday audit course of to search for dormant accounts that aren’t utilizing their entry and to restrict the variety of privileged roles in your repositories. As soon as your setting is locked down, preserve a watch out for coverage violations, reminiscent of a consumer who’s by some means nonetheless authenticating outdoors of your SSO or not utilizing 2FA.
The breach of Okta’s GitHub repository is a strong instance of simply how laborious it’s to guard identities inside enterprises, but it surely is not a novel one. Day by day we see what occurs when staff and contractors expertise account takeover. We see the results of weak authentication, lax insurance policies for private e mail accounts, and the ever-expanding dimension of the id assault floor.
Sadly, this newest incident is only one a part of a rising development of identity-related breaches to look at for in 2023.
