Bitbucket security – best practices

For some businesses, especially those for which code is the most critical resource, the security of the code hosting and version control service might be a key decision factor. There are three main such services on the market – GitHub, Bitbucket, GitLab. In this article, we will take a closer look at Bitbucket security.

Bitbucket security – failures and breaches

Nowadays, applications and software fuel the digital world. Every company generates, stores, or processes data – nearly every business is a technology company now. With that in mind, and with the volume of information growing every day, more and more businesses, software, and code become perfect targets for malicious attacks, which can result in devastating data breaches.

So what are the means Bitbucket uses to secure business data? Bitbucket is a service of Atlassian, and Atlassian as a company is quite transparent about its systems and its interaction with customers and users of the service, which of course includes security issues.

Overall their security is considered reliable, but as with any internet service, outages and failures do occur, whether in Git itself or in Bitbucket. Even if the entire service is not affected, a specific company’s Bitbucket account might be attacked and compromised. Still can’t believe it? Let’s mention just a few situations.

In March of 2021 the official PHP Git repository was hacked and the code base tampered with in a software supply chain attack.

In May of 2019 IT services reported that attackers were targeting Bitbucket, GitHub and GitLab users, wiping code and commits from multiple repositories and leaving behind only a mysterious ransom note and a lot of questions.

It’s worth mentioning that the ransom itself is just a small part of the total cost of ransomware damage. What are the other components? The cost of damaged or stolen data, downtime costs, lost productivity, post-attack disruption to the normal course of business, forensic investigation, employee training, loss of reputation, and the direct response to the ransomware attack.

Just imagine what would happen if hackers gained access to your intellectual property – your company’s code.

Bitbucket security measures

Let’s now take a look at how Atlassian, and specifically Bitbucket, tries to protect the repositories hosted on their site. Below you will find some of the most important Bitbucket security measures.

Increasing login security

Creating strong login credentials for user accounts is critical in preventing malicious access to your account. Nevertheless, there are many ways hackers try to gain access to accounts, with social engineering and phishing at the top of the list.

Having a strong password is a great starting point. A strong password should contain a mix of lowercase and capital letters, special characters, and numbers. But the strength of a password does not lie only in its complexity; it lies above all in using a unique password for each and every account you have. Let’s pretend you created an unbreakable password for one website and then used it on every other one. A security breach happens at one of them, that password is now compromised, and hackers can gain access to every account on which you set it.

Single sign-on for Bitbucket security

The need to remember each and every password you create might seem challenging. That is why Bitbucket suggests using Single sign-on (SSO). This makes it possible to access network services, and all the resources associated with them, with one set of login data. The user simply logs into their SSO portal, from which they obtain access to all applications without authenticating again.

Can you rely on it? It depends. SSO is only as strong as the credentials behind it. Combined with an appropriate password administration policy, and preferably token-based authentication, it is much more secure than logging in to each service with weak passwords reused across services.

With a growing number of cloud services used in the workplace, SSO gives users just-in-time provisioning, centralized management of authentication policies, and automatic lockout when a user is deactivated at the SSO provider.

Bitbucket allows you to log in with G Suite, or, if you have a subscription to Atlassian Access, you can connect any identity provider you see fit.

Two-step verification in Bitbucket

The other good practice is to enforce two-step verification in addition to your password. It protects your account even if your password alone is compromised. To enable two-step verification in Bitbucket you need:

  • An authentication app on your mobile device or desktop (such as Authy, Duo, Google Authenticator for Android/iOS, or Microsoft Authenticator for Windows Mobile)
  • A confirmed email address and password on your Atlassian account
  • An SSH key assigned to your account

Actually, you can use any application that supports the Time-based One-time Password (TOTP) algorithm. You can also use security keys (hardware devices) as your second verification step.

To make it work you also need to enable two-step verification within your Bitbucket account (avatar -> Personal Settings -> Security -> Two-step verification) and confirm it by providing your password.

With this method in place, a user must not only enter the correct password for the account but also complete a second verification step.

Please keep in mind that if a user forgets the password and also loses access to the second factor, recovering access to the account becomes much more difficult.
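The TOTP method mentioned above is what the authenticator apps listed in this section implement. The following Python example is added here to show both sides of it; it is not Bitbucket’s or Atlassian’s code, and the service name, account name and the `new_secret`/`verify_totp` helpers are assumptions for illustration. It generates codes per RFC 4226/6238 (checked against the RFC test secret), builds the `otpauth://` enrolment URI an app reads from the QR code, and shows what the verifying side must do: tolerate only a small clock-drift window, compare codes in constant time, and refuse a code whose counter has already been used, so a captured code cannot be replayed within the same 30-second step.

```python
"""TOTP (RFC 6238) generation and verification, as used by authenticator apps.

Added example, not Bitbucket's or Atlassian's code. The verifier shows what a
service must do on its side: accept a code only inside a small clock-drift
window, compare in constant time, and never accept the same counter twice.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, (at - t0) // step, digits)


def verify_totp(key: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                window: int = 1, last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check (hypothetical helper). Returns the matched counter,
    which the caller stores as the new last_counter, or None. `window` is the
    number of steps of clock drift tolerated on each side; counters at or below
    last_counter are refused so a captured code cannot be replayed."""
    counter = at // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret (160 bits, the RFC 4226 recommended minimum)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str = "ExampleService") -> str:
    """otpauth:// URI that authenticator apps read from the enrolment QR code.
    Base32 is the encoding those apps expect; padding is stripped by convention."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); real deployments use new_secret().
    rfc_key = b"12345678901234567890"
    print("RFC vector, t=59, 8 digits:", totp(rfc_key, 59, digits=8))   # 94287082
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com"))  # constructed account name
    now = int(time.time())
    code = totp(secret, now)
    matched = verify_totp(secret, code, now)
    print("first use accepted:", matched is not None)
    print("replay refused:", verify_totp(secret, code, now, last_counter=matched) is None)
```

The `window` of one step on each side is the usual compromise between tolerating phone clock drift and keeping the number of acceptable codes small; storing the last accepted counter per user is what turns a "one-time" password into one that is actually single-use.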

Atlassian bug bounty enforcing Bitbucket security

Atlassian operates a public bug bounty program for its products via its partner, Bugcrowd. It helps the security team find vulnerabilities within their systems, making sure bugs are found first by the “good guys” before attackers can find and use them with malicious intent. Security researchers receive cash payments in exchange for a qualifying vulnerability report submitted to Atlassian. The monetary rewards vary with the severity of the bug. The average payout for a problem found in the last 3 months (at the time of writing this article) is $568.

Xopero’s way to ensure Bitbucket security

Whether or not you think Bitbucket security is sufficient, it’s a fact that your business would be in very big trouble if an attack struck your intellectual property. Accidental deletion of a branch or a ransom attack targeted at your repositories – it doesn’t matter which; you need to make sure that your data is recoverable and accessible so your employees can get back to work as soon as possible, minimizing the risk of business interruption. Having a proper backup of your repositories ensures that you will be able to recover your code at any point in time and get back to work immediately.

Protect your intellectual property with Xopero ONE Backup and Recovery for Bitbucket:

  • Backup with every push or according to schedule – just set it and forget it
  • Instant, stress-free recovery – get back to code immediately
  • Predefined backup plans or advanced customization possibilities
  • Backup servers, repositories, and metadata – both local and cloud
  • Unlimited scalability – simply add new repositories
  • Keep data on-premise or in the cloud – Amazon, Azure, etc. – choose your storage
  • Manage it all with the most user-friendly console and data-driven interface
  • Advanced retention schemes – FIFO or GFS – choose yours

and many more…
