GitHub security – key basic security measures you should consider

GitHub, Bitbucket or GitLab? What to choose? For some businesses, especially those for which code as intellectual property is the most valuable asset, the security of code hosting and version control service aspect might be a decision-maker. In this article, we take a closer look at GitHub security.

GitHub security – breaches and failures

Since applications fuel our digital world and every company generates, processes, and stores data – every business is now a technology company. At the same time, code and enterprise applications create a prime target for malicious actors – resulting in devastating data breaches.

So how is it with GitHub security? Well, it’s considered a reliable and proven development tool, but as with any service, some events of failures or outages occur to GitHub from time to time. Security breaches are always a big thing in the community, a thing that might leave you wondering whether your data is next in order to be compromised. Let’s look at a few of the more recent ones that happened to Git or GitHub on user or service-side.

In March of 2021 the official PHP Git repository was hacked and the code base tampered with due to the software supply chain attack. 

In June 2020, there was a major outage of the Github service that lasted for hours and impacted millions of developers.

In May of 2019, a series of ransomware attacks happened targeting Git repositories on GitHub, BitBucket, and GitLab. Owners of affected repositories were blackmailed to pay or their code would be released to the public. 

And ransom itself might not be the higher cost. Just imagine what hackers can do with your code and access to your intellectual property…

GitHub security measures

Now let’s take a closer look at how GitHub is trying to protect your intellectual property – below you can find some of the most important GitHub security tools and approaches. 

Empowering stronger authentication measures

Strong credentials are critical to prevent malicious access to your account. There are many common ways that hackers try to gain access to your account with phishing and social techniques on the top of the list.

A strong password is an excellent starting point – include a mix of small and big letters, special characters, abstract words. Remember to set up a strong, long, and unique password for each and every website you have an account on. The strength of the password isn’t good when it’s used on many websites, because in case of any account credential breach that password is already known and can be used in further attacks in the future.

Also, it seems challenging to remember each password on each website. That is why GitHub itself recommends using a password manager. 

You have probably heard about, a project originally invented by Troy Hunt which you can use to check for compromised passwords (if not – we recommend you to try it). Hunt made over 500 million record datasets available for download. And GitHub made use of it. Using this data it created its own, internal version of the service. It checks whether a user’s password has been found in any publicly reported and available sets of breach data. 

Two-Factor Authentication (2FA) 

The other good practice that is recommended is to set up a 2FA (Two-Factor authentication) for your account. 2FA requires you to not only enter the correct password to the account, but also to provide another means of authentication like SMS code, or in-app confirmation on your phone. That means that, even if your password has been compromised, the hacker won’t gain access to your account, because he would also need to have access to your second layer of authentication. But make sure not to lose access to your second factor, because it can dramatically increase the difficulty of recovering access to your account in case of disaster.  

GitHub bug bounty

GitHub security department has launched a community project to find breaches within its systems and make sure it discovers bugs and vulnerabilities faster than threat actors. The premise of this project is to find as many vulnerabilities as possible and to do that GitHub employed the whole internet. When someone finds a vulnerability in GitHub, it can be submitted on the site, and depending on the scale of the problem found, the rewards may vary from $617 to even over $30,000. This way GitHub security can be greatly improved, mainly due to the actions of the community. 

Xopero’s way to ensure GitHub security

Whether you think GitHub security is sufficient or not, it’s a fact that when an attack strikes your intellectual property, your company would be in very big trouble. It doesn’t matter whether one of your developers accidentally deletes a branch, or a ransom attack targets your company, you need to be sure that your data is recoverable and accessible so your employees can get back to work, and there will be no risk of business interruption. Having a proper backup of your repositories will ensure that you can recover your data at any point in time and get back to code immediately. 

Protect your intellectual property with Xopero ONE Backup and Recovery for GitHub:

  • Predefined backup plans or advanced customization possibilities
  • Backup servers, repositories and metadata – both local and cloud
  • Backup with every push or according to schedule – just set it and forget it
  • Keep data on-premise or in the cloud – AWS, Azure, etc. – choose your storage
  • Manage it all with the most user-friendly console and data-driven interface
  • Instant, stress-free recovery – get back to code immediately
  • Advanced retention schemes – FIFO or GFS – choose yours
  • Unlimited scalability – simply add new repositories

and many more…