As the leading open source community, GitHub prides itself as a place where developers work together to shape the future of software. While the motivation behind the platform is admirable, is GitHub safe? In essence, the platform is as secure as the user makes it.
By implementing best practices and instituting appropriate protocols within repositories and projects, there is no reason to fret over this platform’s security. There are a minimum of 10 security precautions and protections developers should implement to ensure a project’s security.
1. Do Not Store Credentials in Repositories
Performing a simple GitHub search for the phrase “removed password” returns over 440,000 commit results; that shows the storage of passwords is a problem in repositories. Whenever uploading projects or code, programmers should eliminate sensitive data to ensure maintained security.
Thankfully, there are many tools, such as git-secrets, for analyzing commits to limit or eliminate the risks of accidentally storing sensitive information and credentials in a repository. While using such analytic tools can slow pushes into GitHub, the added security is worth it.
2. Check and Remove Sensitive Information
Along with everything developers can do to secure their secrets before putting a project on the platform, what should they do if they find sensitive information after pushing a project through? When sensitive information ends up in a GitHub repository, the first thing to do is invalidate any public passwords and tokens. Second, remove the data set from the repository. Finally, developers need to clear their history on the platform. Essentially, they want to purge files from the repository history, including changelogs.
3. Practice Secure Password Use
Developing software is challenging, and most developers want to make their jobs as streamlined as possible. Unfortunately, many programmers take extreme measures to protect their projects, only to leave valuable passwords in plain sight, written on sticky notes and taped to their desk or monitor. While the topic here is GitHub security, it is also necessary to realize that security on the platform starts with best practices off the platform. To ensure a project is as secure as possible, institute the following practices for all team members:
- 2-factor authentication should be implemented for every contributor.
- Laptops or devices with source code access need adequate security.
- Users cannot share accounts or passwords.
- Repository administrators must limit data access based on individual needs.
- Inactive team members must have access revoked.
4. Create SECURITY.md Files
The addition of
SECURITY.md files is growing in popularity and usefulness. The file provides vital security information and disclosures to users and forces maintainers to consider security practices and protocols. The files should cover a variety of areas, including:
- Disclosure policy
- Security update policy
- Security configurations
- Security needs and improvements
There is some risk in providing a
SECURITY.md file to users, including vulnerabilities to hacking. It is best for programmers to always consider how any provided information could be used by both parties.
5. Be Careful Adding Applications To a Repository
The use of GitHub applications is convenient and can save time on large scale projects. However, applications are written by third parties, so users need to consider their reputation, security measures, and the level of trust to afford them. When opting to use a third-party application, make the following considerations:
- How much access does the application need?
- Why does the application require the specific access it requests?
- What type of damage can the application cause with the specified access?
- Who is the developer or organization, and are they credible and legitimate contributors?
Validating the application and its creator is essential to maintaining security. If the application has weak security but developers still implement it into their repository, they potentially open the whole project up to that application’s vulnerabilities.
6. Include Security Testing With Pull Requests
The pull-request event is among the most advantageous events on the GitHub platform, especially for testing incremental code changes. Using a Git Hooks-supported static code analyzer, developers can test updates with a PR to ensure all config and code changes align with security protocols and expectations.
7. Understand a Project’s Security Needs Before Selecting a GitHub Offering
Many people and organizations assume GitHub is off-limits if they want their repositories only accessible through internal access with no internet connection. However, GitHub Enterprise is an offering that permits companies to host their repositories entirely on-prem, even with no internet connection, and eliminates GitHub access.
Before opting out of or selecting a GitHub offering, consider the project and organizational requirements. The platform is capable of meeting various needs and requirements. GitHub is continuously evolving to ensure individual and corporate security needs are met and surpassed.
8. Refresh Keys and Tokens To Maintain Security
Because a project requires 2FA, users access GitHub with user tokens or SSH keys. Unfortunately, as with passwords, tokens and keys can be stolen. Therefore, to avoid the risk of damage to a project from leaked or stolen keys, it is best to refresh all tokens and keys periodically.
9. Do Not Allow Complacency
Complacency is the biggest threat to security. Developers often use shortcuts or hacks to get a project off the ground, but sensitive information may be put at risk in the process. Sometimes, developers store passwords in local files or hard-code them into the project.
The key is to build every project like it’s open-sourced, knowing that the entire project is put at risk without rigorous programming and security. Sometimes, having a bit of a paranoid mindset is ideal for developers and their teams.
10. Audit Before Importing
Anything a developer or team member imports into GitHub requires an audit. The goal is to ensure that the code works as expected. It is not uncommon for closed source code to become invalid when transferred. Doing an audit at every step can save significant time as the project approaches completion.
While GitHub is relatively safe when best practices are followed, developers may need more help on the backend. SOOS creates cybersecurity software for software engineers that can scan open-source software for vulnerabilities, helping organizations and teams develop policies and governance around their software projects. Check out SOOS’s competitive pricing and bring peace of mind to your team.