Bitbucket Security Best Practices for 2021

It’s challenging to keep up with the best cybersecurity practices, as recommended security measures change quickly and often. Thankfully, Bitbucket offers simple ways to maintain safe code. Although the specifics vary, the following best practices apply to almost any git or repository.

1. Change Keys, Tokens and Passwords Often

Security begins at login, so information such as keys, tokens and passwords are easy targets for hackers and security leaks. Two-factor authentication reduces the chance of information theft, but switching up secure keys and tokens adds an extra layer of protection for vital credentials. Communicate this expectation with all your team members to ensure regular updates.

2. Never Save Sensitive Information as Code

Software teams should agree on specific standards and regulations for storing credentials. Still, the best practice is to scan each commit for secure data before it is pushed to the repository of choice. Special git hooks automatically reject commits that contain sensitive information. Many teams prefer a more conservative approach since rejecting commits slows workflow by pausing push requests. However, failure to automate rejections increases the likelihood that secure data will inevitably sneak its way into source code.

In addition to rejecting vulnerable patterns, user management tools can help developers avoid security trouble. Routine security audits are another valuable way to catch remaining vulnerabilities that slip through the cracks.

3. Consider Better Server Hosting Options

Bitbucket allows users to choose from several different server locations: the Cloud, the user’s business premises and Bitbucket’s Data Center. Many development teams or projects require that servers remain local. Others may not determine host locations but instead regulate where code can be stored and who can access it. Strict regulation is prevalent in business environments that contain sensitive personal data, such as financial records or classified government documents.

These restrictions, however, do not prevent teams from using Bitbucket. It simply means teams or businesses should reevaluate where to host the servers. Unlike less secure cloud or data center options, an on-site server keeps everything local without limiting server capabilities.

4. Limit Access to Sensitive Data

With more tech-facing ways to reduce the chance of a security breach, software teams often forget the basics of cyber safety. Writing down keys or passwords, for example, opens the opportunity for that slip of paper to fall into the wrong hands. Whether paper or digital, sensitive information always needs to be well protected and difficult to access.

Other basic protective measures include:

  • Not sharing Bitbucket credentials with others
  • Limiting repository access to administrators only, instead of including contributors
  • Removing Bitbucket access for former employees, team members and users
  • Requiring two-factor authentication
  • Enabling Bitbucket branch permissions, which limits who has the rights to push commits, as well as where commits can go
  • Deactivating accounts, manually or via ScriptRunner, that have reached a certain age or passed a specific expiration date

Limiting access is one of the simplest ways to mitigate security risks.

5. Eliminate Sensitive Credentials in Bitbucket’s Files and History

Go through repositories periodically to extract sensitive data from Bitbucket files and history. If you find vulnerabilities, you can remedy the situation by:

  • Invalidating keys, tokens and passwords that are or have been public
  • Deleting vulnerabilities from their respective repositories
  • Clearing changelogs and other Bitbucket history items
  • Considering a ScriptRunner that automates the process of scanning files and history

It’s easy to forget to review files and history manually, as it’s generally not a security priority. For this reason, most experts suggest using automation instead, which is more reliable and consistent than manual checks.

6. Choose Applications and Extensions Wisely

Extensions can make excellent supplements to nearly any software. They are, however, created by third-party developers who are usually unaffiliated with the original software.

Failing to vet applications and extensions before installing them can lead to security concerns, as app creators may not prioritize safety or may even have bad intentions.

If you deem an extension safe to use, continue to take general safety measures to limit the chance of a cyber attack. Ask applications that request additional permissions to specify why they require high-level access, and deny them if the reason or application itself seems unconvincing. Before approving any application, it’s critical to think through how outside access to certain information could backfire. Security experts say it’s best to treat new apps like onboarding committers: Vet them with strict standards until you feel you can trust them with more confidential data.

Since applications don’t remain static over time, it’s wise to review them periodically. Delete unnecessary apps and extensions, and remove any add-ons with unclear sources since apps sometimes get approved hastily and without proper vetting.

7. Use Code Insights To Identify Important Pull Request Information

Code Insights is a handy Bitbucket feature that allows you to make better decisions regarding pull requests. Code Insights makes sure team members can see all information related to pull requests, scanning each one for vulnerabilities and sending an alert if something is found. The report permits Code Insights to automatically reject any pull requests that contain new sensitive data.

What sets Code Insights apart is its ability to let team members “fix” a pull request. Within a few clicks, users can view recommendations for repairing vulnerabilities.

8. Test Pull Requests for Security

Code Insights may simplify the process of identifying and fixing pull requests, but testing is still vital to the total elimination of security risks. Fortunately, Bitbucket makes testing pull requests as easy as analyzing them.

Vulnerabilities sometimes get added unintentionally while pull requests are fixed, but testing ensures that commits don’t introduce new risks. It also confirms that, in addition to not introducing new vulnerabilities, pull requests do not overlook existing vulnerable elements either.

9. Test Bitbucket Pipes for Security

Since Bitbucket provides several automated scanning and fixing tools for vulnerabilities, security experts stress that pipelines, which continuously check for sensitive data, can add a layer of protection to the process. Integrating pipelines requires users to write and implement code manually, which can’t be done without adequate research and debugging measures. As such, few software teams attempt to implement pipelines, despite their usefulness.

Bitbucket Pipes eliminates much of the guesswork that goes into integrating pipelines and reduces the chances that pipelines will introduce new problems. The app automates continuous integration and deployment and allows users to replicate and customize additional pipelines as needed.

10. Create Files That Detail Security Information

The practice of creating a SECURITY.md file, which contains all the necessary security information for a given project, is as crucial as the tried-and-true practice of maintaining a README.md file. SECURITY.md files allow users to view all security data in one location, which helps developers make safer coding decisions. These crucial records also urge users to consider their security policies and processes. While each SECURITY.md file varies by project, each one should contain, at the least, some variation of a:

  • Security update policy
  • Security disclosure policy
  • Report of security weak spots and possible fixes
  • Record of suggested security settings

If you find a vulnerability, alert all team members, as some could be including this sensitive data in other code. Since vulnerabilities are common, having a defined process for dealing with security updates prevents the changes from slowing workflow. It’s also essential to present this information to project members quickly and efficiently. If you can point to a set security update policy within the SECURITY.md file, entire teams can easily refer back to the best practices for updates.

Discrepancies in disclosure policies can mean team members never get notified about security changes. Studies show that having a clear disclosure policy raises the chances of alerting team members from 21% to 73%. Reasons for delaying notification include lack of knowledge about what can be shared, how to contact team members and who should be told. On the other hand, providing too much information poses a security risk, so detailing guidelines in one set location prevents overshare.

Keep clear records of security weak spots, solutions and settings. It isn’t feasible to instantly identify and fix all security issues, so it helps to let project members know when you’ve discovered a problem, even if you haven’t solved it yet. Just be mindful of how much you tell users since you want to limit the spread of credentials. A model SECURITY.md file should also detail suggested security settings — such as changing default login credentials, enabling HTTPS and requiring two-factor authentication — since many project members may be unfamiliar with security protections.

Technology evolves so rapidly that tracking and implementing best practices for optimal security is a continuous process. Fortunately, following some of these basic suggestions for using Bitbucket security in 2021 can reduce opportunities for a vulnerable element to become a significant security problem for you and your software team. Check out SOOS’ tips for using Bitbucket, or contact one of our team members for more information on how Bitbucket can make security a built-in part of your code development.