GitHub is one of the most widely used software development platforms. You’d be hard-pressed to find a developer or a business that has never used or heard of GitHub. GitHub’s open-source nature makes it easy for communities of developers to collaborate, but also makes it easy for bad actors to exploit vulnerabilities in the code or the platform. Managing GitHub security risks is critically important for effective application security, and this article will discuss why in more detail, while also providing recommendations for how to do so effectively.
Why Securing your GitHub Operation Is a Must for Everyone
If you’re a GitHub user, then you are dealing with GitHub security risks whether you recognize them or not. And unfortunately, performing a periodic GitHub security audit or having an escalation/crisis response plan for GitHub security breaches isn’t nearly enough.
For example, in community-driven projects, new code is constantly being pushed and merged. Each commit may leak potentially sensitive company data, expose vulnerable sections of code that can be exploited in the wild, or even create (whether accidentally or on purpose) new vulnerabilities in the code. Even a small change to to a pull request can create major issues. Trying to catch these incidents using an offline process will often result in failure to catch them in time.
Dealing with these security breaches after exposure isn’t ideal either. A publicly disclosed vulnerability affecting your code, like Log4Shell, can cause massive damage to your customers, business operations, and brand. And by the time you’ve realized that your SSH keys have been leaked for example, an attack on your company’s broader infrastructure could be well underway. Every delay in containing a breach leads to greater loss of data, loss of reputation, and exposure to costly fines and other financial consequences.
Instead, you need to take preventative measures to ensure you’re not creating or overlooking potential vulnerabilities lurking in your code. That means deploying adequate measures like SCA scanning, making sure that you are using a code repository scanner, and checking for things like privilege escalation (which can also lead to vulnerabilities) Identifying and dealing with these vulnerabilities early in the development phase by utilizing specialized security tools and correctly enforcing their usage can save you time and money and protect your reputation so your business can thrive.
Use These Essential Security Tools to Secure Your GitHub Operation
There are many types of security tools and code scanning tools in the market that you can use to accomplish this. Not all of these tools were created equal, and each caters to different areas of vulnerability in your development process and targets a different technology or programming language. Some tools, such as SAST scanners, seek to find vulnerabilities in the code you write by statically analyzing it to find vulnerable patterns. Other tools, such as SCA scanning tools, seek to map out other software dependencies within your software, such as pointing out vulnerabilities in upstream libraries that are used by your code. Regardless of the specific need, there are a large number of options available that can help you secure your code and pipelines.
A large portion of these tools could be called “point solutions”, because they focus on specific (although important) types of vulnerabilities in your codebase. Some vendors acquire a portfolio of these point solutions, aiming to be a one-stop shop for securing your development operation with the option to cover many functionalities and risk categories. Picking the right set of security tools is important to help protect you from all the security risks that developing on GitHub exposes you to. Because GitHub has a large attack surface area and keeps growing, this isn’t a trivial decision. However, the first step in making progress on securing your GitHub deployment is know ing where to start.
In this article, we’ll cover two solutions for securing your GitHub operation – GitHub Advanced Security, and the Legit Security platform.
GitHub Code Security and GitHub Advanced Security (GHAS)
GitHub Code Security is a collection of scanners, configurations, and features used by GitHub to aid the process of securing your development process in GitHub.
Some of these are included in all GitHub licensing plans, while other security features require a GitHub Advanced Security license to run on private and internal repositories. In addition, all GitHub Advanced Security features are included for public repositories.
Vulnerability Disclosure and Patching
Security policies and advisories allow you to define and publicize “rules of engagement” for reporting and patching vulnerabilities in the repository’s code, including an option to create temporary private forks of the project in order to assist with the development of patches.
Dependency Management with “Dependabot”
Dependabot utilizes open-source dependency scanning to notify you when a vulnerability has been disclosed for an upstream dependency. This is done by comparing each of the projects’ dependencies version against the GitHub Advisory Database, which documents vulnerabilities that were publicly reported for a wide range of dependencies.
Dependabot security updates generate automatic pull requests for security updates in dependencies that were reported as vulnerable. Dependabot version updates do the same, except for every version update that is released for a dependency, without checking if the current version is vulnerable first. Part of your planning process should be focused on defining which updates you'll need under what circumstances.
The Dependency graph allows you to visually see a code project’s dependencies and makes it easier to identify the usage of different packages. Working with visualizations is generally a faster process than sifting through a large amount of text and tables. Finally, Dependency review can supply data about the dependency changes between subsequent commits, and optionally allows you to block merging vulnerable versions of dependencies.
Security risks in code
Secret scanning helps you remediate and deal with leaked secrets and credentials that were found in code. This is done using a partnership between GitHub and specific vendors. After using token scanning to find potential secrets, they are handed to the relevant vendor, which determines the course of action if they are indeed found valid, whether it be automatically revoking the secret or contacting you directly. This is a critical part of securing your code, as secrets can easily be lost in a sprawling mass of side branches and forked code. Research shows that for every 100 repositories, there are 8 with embedded secrets that can be easily exploited if an attacker ever gains access.
GitHub code scanning uses GitHub’s CodeQL infrastructure, based on technology from GitHub’s acquisition of Semmle, allowing analysis of a project’s source code and running custom queries against it. This can be facilitated to detect vulnerable patterns and create security alerts if any are found. Fast detection is critical for minimizing risk to your GitHub assets.
To summarize , GitHub Code Security gives repository and organization owners a set of powerful tools that can significantly improve their security posture, albeit a large portion of them are pretty involved technically and demands a degree of expertise to operate effectively. This can be an issue for application security teams that are stretched for time and resources, and adding additional tools and capabilities doesn't help without the ability to operationalize.
In addition, many GitHub security features are still managed on a per-repository basis, lacking high-level overviews, making it difficult to manage code security in larger and more complex software organizations using GitHub from a "single pane of glass". That's why many organizations look to 3rd party platforms to help with GitHub security.
The Legit Security platform also aims to help software organizations secure their broader software supply chain environment inclusive of the CI/CD pipeline, the systems and infrastructure within those pipelines, and the code and people that operate within it. The Legit Security platform includes a feature rich integration with GitHub Cloud, GitHub Enterprise Server, as well as several other Source Code Management systems (SCM), build servers, and artifact repositories. These integrations are available out of the box and typically only require read-only access, making setup a quick and painless process.
Some features not found in GitHub Advanced Security, such as secret scanning, are included by default in Legit. Legit Security’s repository secret scanning recognizes and categorizes secrets found in code, checks their validity against the supplying vendor where applicable, and notifies you directly in order to eliminate or shorten the time of exposure. Automated secret scanning can help you quickly identify secrets in your main branches as well as side branches--something that isn't feasible for most organizations using manual processes.
Pull request checks are an additional option that enables running secret scanning automatically at the pull request level, blocking the merging of secrets with the main branch, where they are most exposed. This significantly helps cut down on the risk that attackers can steal those secrets and use them to perform a wide range of nefarious actions.
Importantly, Legit Security also aids in configuring your GitHub organizations and repositories correctly. GitHub includes many configuration options to tailor a secure development policy that is right for you. However, building and enforcing this properly can prove difficult and requires intimate knowledge of GitHub. Accordingly, Legit Security comes with a pre-baked set of optimal security policies and tracks enforcement of these policies individually, or using calculated aggregate scores to understand the overall security posture of your repository or organization immediately. Using these out-of-the-box policies accelerates time to value with a Legit deployment.
Legit Security also includes descriptions and remediation suggestions for each potential security flaw, helping you resolve incidents without the need to research additional technical material and instructions. Every piece of information that Legit delivers is a significant help in lowering your mean time to remediation (MTTR). This applies not just to GitHub, but to all of the other systems and infrastructure that Legit Security supports spanning SCMs, build servers, and artifact repos. In this regard, Legit Security is providing security coverage across the broader supply chain and not just the SCM.
Another layer of protection included with Legit Security is supply chain pipeline scanning. Legit Security scans to find code patterns that expose you to software supply chain risks, such as using mutable image tags. Safe development pipeline patterns can protect you from falling victim to major supply chain security incidents, such as the Codecov incident. Legit Security also scans for other security controls across pipelines, such as SAST and SCA tools, and reports on their placement and any associated gaps in coverage. The platform can also show you where you have redundant coverage, giving you the ability to determine where you can reduce overhead by eliminating unnecessary licenses.
Lastly, as mentioned above, one of the difficulties in managing security features in GitHub is that many of them are applied on a per-repository basis. Legit Security provides dashboards and organization-wide overviews, allowing you to quickly identify which repositories are not covered by Dependabot, for example, or to track the number of open Dependabot alerts. These dashboards give you a functional single pain of glass that isn't available with GitHub alone.
Overall, Legit Security is a broader and more complimentary solution to your usage of GitHub code security, giving you a layer of governance over the use of GitHub security features and adding a broader range of missing capabilities to assure a safe software supply chain environment. Legit security can improve your GitHub security coverage while also helping you to simplify your approach.
Don’t Wait to Secure Your Infrastructure with Legit Security’s GitHub Integration
GitHub is one of the most widely used and easily accessible development platforms that enables developers around the globe to collaborate effectively and quickly. However, this flexibility and freedom does not come for free, as many unchecked development practices will exposes you to security risks that can damage operations, open the door to embed vulnerabilities in your source code, and cost your organization valuable time, money, and brand damage. That's why it's so important to find solutions that help you minimize GitHub security risks.
Fortunately, there has been significant development of repository security tooling and code scanning tools and that can help you stay one step ahead of the bad guys.
GitHub comes pre-loaded with many valuable security controls, customizable policies and scanners, some of which are available free-of-charge, and some of which require purchasing an additional license. But without the ability to take advantage of those tools, whether or not they're free is irrelevant.
Implementing GitHub code security effectively across your organization takes time and effort but is a must for modern development. Legit Security can help make this process easier for GitHub and a range of other SCMs, build servers, and artifact repositories in your software supply chain. With Legit Security in place, you can efficiently and cost effectively secure GitHub and keep your code and pipelines safe.