
Improve your GitHub security with these steps


GitHub has become an essential platform for developers to collaborate, share, and manage code. With millions of users and repositories, it's critical to ensure the security of the platform. Unfortunately, over the years, there have been several high-profile breaches and attacks on GitHub users which have highlighted the importance of security.

In 2019, a hacker gained access to a GitHub account belonging to Canonical, the company behind the popular Ubuntu operating system. The threat actor created several repositories and planted backdoors in them, which could have compromised millions of users. Another notable attack on GitHub was the 2018 incident when a threat actor infiltrated the GitHub account of Gentoo Linux and planted malicious code.

Such breaches and attacks have far-reaching consequences: they can expose sensitive information and cost you your customers' trust.

So here are 12 steps you can take to enhance your security posture:

  1. Enable two-factor authentication: Two-factor authentication (2FA) provides an extra layer of security by requiring a second factor in addition to a password to access your GitHub account. To enable 2FA, go to your GitHub account settings, click on "Security," and then "Two-factor authentication."

  2. Use a personal access token (PAT) instead of your password: When you need to authenticate with the GitHub API or CLI, use a PAT instead of your password. PATs work like passwords, but each one can be revoked or regenerated individually, limiting the damage if one is compromised.

  3. Limit repository access: To limit who has access to your repository, ensure that you only grant access to users who need it. You can do this by setting up teams and adding specific users to those teams.

  4. Enable branch protection: Branch protection allows you to restrict who can merge changes into specific branches. This helps prevent accidental or malicious changes to your repository. To enable branch protection, go to your repository settings, click on "Branches," and then select the branch you want to protect.

  5. Enable automatic security alerts: GitHub can automatically send you alerts when it detects a potential security vulnerability in your repository. To enable this feature, go to your repository settings, click on "Security & analysis," and then turn on "Automated security fixes."

  6. Monitor access logs: You can monitor access logs to see who has accessed your repository and when. To view access logs, go to your repository settings, click on "Audit log," and then filter by the event type you want to view.

  7. Regularly review and update dependencies: Keeping your dependencies up-to-date is crucial to maintaining the security of your repository. You can use GitHub's Dependabot to automatically check for updates to your dependencies and open pull requests to update them.

  8. Enable IP Whitelisting: With IP whitelisting enabled, only the specified IP addresses will be allowed to access your GitHub account. Any other IP addresses attempting to access your account will be blocked. This can be done by clicking on the "Settings" tab at the top of the repository page. Scroll down to the "Danger Zone" section and click on "Enable whitelisted IPs".

  9. Incident response: An incident response plan should be in place that outlines the steps to take in the event of a security incident on GitHub. NIST provides detailed guidance on incident response planning in its Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide."

  10. Use code scanning tools: GitHub offers code scanning tools that can help identify potential security vulnerabilities in your code. You can enable code scanning in your repository settings, and then view the results in the "Security" tab.

  11. Use Canary Tokens to create a honeypot: Consider creating a "GitHub Repository Access" token. Create a realistic-looking dummy GitHub repository and add the canary token as a secret within it; you will then be alerted if anyone accesses the repository without permission, which helps protect your real sensitive data.

  12. Use a SIEM tool: Consider ingesting your GitHub logs into a SIEM tool such as Splunk. This allows you to set up rules and generate alerts. Here are some SIEM rules and alert ideas that can be used for monitoring activities on GitHub:

    • Abnormal login activity: Create a rule that detects abnormal login activity, such as multiple failed login attempts, logins from unusual geolocations, or unusual login times. You can create alerts for these events, which can help you identify potential unauthorized access attempts to your GitHub account.

    • Unusual Repository Activity: Monitor for any unexpected changes in a repository, such as commits to a repository that doesn't normally receive many changes, or changes made by users who don't typically work on that repository.

    • Malicious Code Execution: Monitor for unauthorized code execution and for code injection attempts.

    • High-Risk Repositories: Monitor for activities on repositories containing sensitive information, such as financial data, credentials, and personally identifiable information (PII).

    • Large File Uploads: Monitor for large file uploads that exceed a defined threshold, which may indicate the exfiltration of sensitive data.

    • Suspicious User Activity: Monitor for any unusual activity by users, such as performing actions outside of their normal scope or accessing repositories they don't typically work on.

    • Unauthorized Access: Alert when unauthorized users attempt to access sensitive repositories or confidential information.

    • New Branches: Monitor for the creation of new branches and ensure that only authorized personnel can create them.

    • GitHub Token Abuse: Monitor for abuse of personal access tokens and OAuth tokens, such as attempts to use them for unauthorized activities.

    • New Collaborators: You can create a rule that detects when a new collaborator is added to a repository. This is useful for monitoring who has access to your codebase and ensuring that only authorized individuals have access.
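To make the rule ideas above concrete, here is an added example (not code from the original article or from GitHub) of how several of them translate into detection logic run over audit-log events. The log lines are constructed for illustration; their action names follow the GitHub audit log naming convention (for example `repo.add_member`), but the events, the user and repository names, the failed-login threshold, the push baselines and the high-risk repository list are all assumptions you would replace with your own.

```python
"""Toy SIEM-style rule evaluation over GitHub audit-log events.

Added example. The events, names, thresholds and baselines below are
constructed for illustration and are not real data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (newline-delimited JSON), not real data.
SAMPLE_LOG = """
{"@timestamp":"2024-01-10T08:00:00Z","action":"user.failed_login","actor":"mallory","actor_ip":"203.0.113.9"}
{"@timestamp":"2024-01-10T08:00:20Z","action":"user.failed_login","actor":"mallory","actor_ip":"203.0.113.9"}
{"@timestamp":"2024-01-10T08:00:40Z","action":"user.failed_login","actor":"mallory","actor_ip":"203.0.113.9"}
{"@timestamp":"2024-01-10T08:01:00Z","action":"user.failed_login","actor":"mallory","actor_ip":"203.0.113.9"}
{"@timestamp":"2024-01-10T08:01:20Z","action":"user.failed_login","actor":"mallory","actor_ip":"203.0.113.9"}
{"@timestamp":"2024-01-10T09:15:00Z","action":"git.push","actor":"alice","repo":"acme/payments"}
{"@timestamp":"2024-01-10T09:20:00Z","action":"git.push","actor":"bob","repo":"acme/payments"}
{"@timestamp":"2024-01-10T10:00:00Z","action":"repo.add_member","actor":"alice","repo":"acme/payments","user":"contractor-1"}
{"@timestamp":"2024-01-10T11:30:00Z","action":"protected_branch.destroy","actor":"bob","repo":"acme/payments"}
{"@timestamp":"2024-01-11T02:00:00Z","action":"git.push","actor":"carol","repo":"acme/internal-docs"}
"""

# Assumed tuning values: adjust to your environment.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Assumed baseline of who normally pushes to each repository
# (in practice, derived from historical activity).
PUSH_BASELINE = {
    "acme/payments": {"alice", "carol"},
    "acme/internal-docs": {"carol", "dave"},
}

# Assumed list of repositories holding sensitive data.
HIGH_RISK_REPOS = {"acme/payments"}


def parse_events(raw):
    """Parse newline-delimited JSON into event dicts, sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def evaluate(events):
    """Return a list of (rule, actor, detail) alerts for the given events."""
    alerts = []
    failures = defaultdict(list)  # actor -> timestamps of recent failed logins

    for ev in events:
        action, actor, repo = ev["action"], ev["actor"], ev.get("repo")

        if action == "user.failed_login":
            # Abnormal login activity: sliding window of failures per actor.
            recent = [t for t in failures[actor] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(ev["ts"])
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", actor,
                               f"{len(recent)} failures from {ev.get('actor_ip')}"))
                recent = []  # reset so one burst produces one alert
            failures[actor] = recent

        elif action == "git.push":
            # Unusual repository activity: push by someone outside the baseline.
            expected = PUSH_BASELINE.get(repo)
            if expected is not None and actor not in expected:
                alerts.append(("unusual_repo_activity", actor,
                               f"push to {repo} outside baseline"))

        elif action == "repo.add_member":
            # New collaborator; escalate severity for high-risk repositories.
            severity = "high" if repo in HIGH_RISK_REPOS else "medium"
            alerts.append(("new_collaborator", actor,
                           f"{ev['user']} added to {repo} (severity {severity})"))

        elif action == "protected_branch.destroy":
            # Branch protection removed: a weakening of the controls in step 4.
            alerts.append(("branch_protection_removed", actor,
                           f"protection removed on {repo}"))

    return alerts


if __name__ == "__main__":
    for rule, actor, detail in evaluate(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] actor={actor}: {detail}")
```

Run against the constructed log, the script raises four alerts: a failed-login burst for `mallory`, an out-of-baseline push and a branch-protection removal by `bob` on the high-risk repository, and the addition of `contractor-1` as a collaborator. Real deployments would feed the same logic from the SIEM's stored events rather than an inline string, and would tune the window, threshold and baselines to the organization's normal activity.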

These are just a few examples of SIEM rules and alert ideas that can be used for monitoring activities on GitHub. You can customize them to meet the specific needs of your organization or use them as a starting point for developing your own rules and alerts. If you have an MSSP, they may even have out-of-the-box SIEM rules that they can set up for you free of charge.