Why Attackers Target GitHub, and How You Can Secure It

Last week Okta introduced a safety breach that concerned an attacker having access to its supply code hosted in GitHub. That’s simply the newest instance in a protracted string of assaults having access to firm supply code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts focused earlier than.

With 90 million energetic customers, GitHub is the preferred supply code administration device for each open supply and personal enterprise code repositories. It’s a serious piece of elementary infrastructure and the keeper of among the most delicate property and information on the earth.

It’s no marvel that attackers are more and more going after supply code. In some instances, similar to Okta, they is perhaps making an attempt to realize entry to the supply code. More usually, the attackers are in search of delicate info to make use of in a subsequent assault.

An attacker who can achieve entry to non-public supply code can study it for vulnerabilities after which exploit these vulnerabilities in subsequent assaults. Attackers can even harvest hardcoded keys, passwords, and different credentials that is perhaps saved in GitHub to realize entry to cloud providers and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield mental property, legitimate credentials, and a pleasant record of vulnerabilities in manufacturing software program which might be able to be exploited.

Shiny Hunters, an assault group identified to particularly goal non-public GitHub repositories, has breached tens of corporations utilizing this system, and offered their information throughout varied Dark Web marketplaces.

Securing the Organization’s GitHub Environment

There is not any query that GitHub is a crucial a part of the group’s infrastructure, however locking it down is a posh and difficult identification safety drawback. The fantastic thing about the GitHub mannequin is that it permits for unfettered collaboration, however that additionally creates one of many largest complications in fashionable IT safety.

Just give it some thought: Anyone remotely technical in 2022 has a GitHub account. And you should utilize your GitHub account for every part. We can use these accounts for private facet tasks, open supply contributions, and our work in private and non-private code repositories which might be finally owned by our employers. That is numerous heavy lifting for a single identification!

You can even use the “Sign in with GitHub” characteristic to make use of your GitHub identification in different web sites and providers exterior of simply GitHub itself. And there’s extra: GitHub is exclusive in that you do not simply check in to their web site, you additionally pull, push, and clone code from GitHub’s servers all the way down to your native machine by way of git operations over HTTPS and SSH, which themselves require your GitHub identification.

Clearly GitHub picked up on these safety implications when it introduced the deprecation of usernames and passwords for git operations final yr — a step in the appropriate course.

7 Tips for Securing Your GitHub

While GitHub offers instruments to lock down the setting, organizations have to know the best way to use them. Unfortunately, among the most necessary safety capabilities require GitHub Enterprise. Nonetheless, listed here are seven ideas for higher GitHub safety.

1. Don’t permit private accounts for work. We get it, your organization has a number of public repositories and you may construct your credibility by displaying off some public contributions in your subsequent job interview. Your private GitHub account is a part of your model. Unfortunately, that is additionally one of many largest holes in organizations utilizing GitHub as we speak: They don’t strictly govern using private accounts for work functions. As tempting because it is perhaps, private accounts shouldn’t be used for work. There’s simply no technique to management who has entry to that non-public Gmail handle that you simply used to create your private GitHub account.
2. Require authentication by way of firm SSO. Unfortunately, GitHub reveals up prominently on the SSO Wall of Shame. That’s proper — it’s good to pay additional for SSO integration. Once you might have GitHub Enterprise, you possibly can join GitHub to your organization SSO, similar to Okta or Azure AD or Google Workspace, and you may lock down your group to solely permit authentication by way of SSO.
3. Require 2FA on all accounts. Even when you implement two-factor authentication (2FA, aka MFA) by way of your SSO and likewise require SSO authentication, the most secure possibility is to nonetheless implement 2FA for all GitHub customers in your group. Exemption teams and coverage exceptions in your SSO supplier could make SSO MFA simple to bypass.
4. Use SSH Keys for git operations. While GitHub has launched fine-grained permissions management with private entry tokens (PATs), they continue to be vulnerable to phishing as these tokens are sometimes copied round in plaintext. By utilizing SSH keys for authentication for git operations, your group can use considerate PKI to control how SSH keys are provisioned, and can even tie this to your organization’s system administration and your personal certificates authority (CA).
5. Restrict repository member privileges utilizing roles. GitHub provides a number of totally different repository roles that may be assigned based mostly on the precept of least privilege. Base permissions may be managed on the group stage. Always take care to assign the least privileged function {that a} member must be productive. Don’t make everybody an admin.
6. Don’t permit exterior collaborators. Working with contractors is a standard a part of managing massive software program tasks. However, the governance surrounding exterior collaborators in GitHub is inadequate to maintain your group safe. Instead, pressure exterior collaborators to authenticate by way of your organization SSO, and don’t permit repository admins to ask them on to your group’s repositories.
7. Audit, analyze, and audit once more. No group is ideal; even with the perfect insurance policies in place, accounts fall by the cracks and errors are made. Even earlier than locking down your GitHub group, take the time to implement an everyday audit course of to search for dormant accounts that aren’t utilizing their entry and to restrict the variety of privileged roles in your repositories. Once your setting is locked down, preserve an eye fixed out for coverage violations, similar to a consumer who’s by some means nonetheless authenticating exterior of your SSO or not utilizing 2FA.

The breach of Okta’s GitHub repository is a robust instance of simply how arduous it’s to guard identities inside enterprises, nevertheless it is not a novel one. Every day we see what occurs when workers and contractors expertise account takeover. We see the results of weak authentication, lax insurance policies for private e mail accounts, and the ever-expanding measurement of the identification assault floor.

Unfortunately, this newest incident is only one a part of a rising pattern of identity-related breaches to look at for in 2023.