Nearly every developer uses Git at some point or another. It’s the default at most universities. It’s open source and widely available for anyone to use. And there’s a lot that Git is great for, especially if you’re working on a small project.
But, Git has its drawbacks. Especially when it comes to security.
Is GitHub Secure?
Native Git is not secure. By secure, we mean free from danger or threats, whether it’s:
An outside attack (e.g., a hack).
An internal threat (e.g., developer carelessness).
Here are the main reasons why Git is not secure:
There are no built-in authentication or verification measures. Access to a repository is controlled only by access to the server that hosts it. Developers can easily rewrite your change history. And because Git is distributed, everyone ends up with a full copy of the repository on their laptop, and they can do whatever they want with it.
Is There Git Access Control?
There are Git security tools that you can add on. Some of these give you Git access control options. For instance, using a Git code hosting tool adds layers of security. Popular Git code hosting tools include GitHub, GitLab, Bitbucket, and Helix TeamHub. Safeguards within these tools — such as user authentication — help protect your repositories and manage access.
Other tools give you encryption features — such as git-secret, which encrypts files in a Git repository.
Recent GitHub Security Breaches
Security breaches always make headlines. And GitHub security breaches are no exception. In the last few months alone, several GitHub security breaches have been reported.
(Although, it should be noted that “Awesome Hacking” is a public repository owned by an individual. It is not affiliated with GitHub staff or management. There are some major problems with having public repositories — access control being at the top of the list. In some ways, public repositories are like the wild west. Anyone can post anything.)
Why Do Hackers Target GitHub?
Hackers target GitHub (and other popular Git hosting tools) for many reasons. But the biggest is the potential they see in hacking into repositories on GitHub and stealing (and potentially selling) intellectual property.
Hardworking developers from companies all over the world use GitHub for personal and business needs, often on an ad hoc basis. And developers in the heat of battle can often overlook security concerns. Hackers know this — and exploit it.
Other Common Git Security Issues
Native Git lacks security features. Git hosting solutions can only do so much. And as a result, there are many Git security issues that you need to be prepared for. Here are a few of the most common ones.
Insecure Directories (.git/config)
Hackers request URLs that expose the Git directory (e.g., [company].git/config) to read the metadata within a Git repository. That metadata often includes user login information (such as passwords) or customer data. Hackers can then use that information to plan an attack.
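Two defender-side checks for the exposure described above, as an added example that is not from the original article or from any tool it names: the first audits a `.git/config` for remote URLs that embed a credential (the kind of login information such metadata can leak), the second flags requests for `.git/` paths in web-server access logs so an exposed directory is noticed. Both inputs are constructed samples; the hostnames, the `deploy` user and `EXAMPLE_TOKEN` are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .git/config (not from any real repository); the token is a placeholder.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy:EXAMPLE_TOKEN@git.example.com/acme/app.git
[remote "mirror"]
\turl = git@backup.example.com:acme/app.git
"""

# Constructed access-log lines (Common Log Format, RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 200 281
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 162
"""

REMOTE_RE = re.compile(r'^\s*\[remote\s+"(?P<remote>[^"]+)"\]')
KV_RE = re.compile(r'^\s*(?P<key>[\w-]+)\s*=\s*(?P<value>.*?)\s*$')
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
GIT_PATH_RE = re.compile(r'\.git(?:/|$)')

def find_embedded_credentials(config_text):
    """(remote, redacted_url) for remotes whose URL carries a password; scp-style git@host:path is an SSH user, not a secret."""
    findings, remote = [], None
    for line in config_text.splitlines():
        if line.lstrip().startswith("["):            # new section: remember it only if it is a remote
            m = REMOTE_RE.match(line)
            remote = m["remote"] if m else None
            continue
        kv = KV_RE.match(line)
        if remote and kv and kv["key"] == "url":
            parts = urlsplit(kv["value"])
            if parts.password:                         # credential embedded in the URL userinfo
                host = parts.hostname + (f":{parts.port}" if parts.port else "")
                redacted = parts._replace(netloc=f"{parts.username}:***@{host}").geturl()
                findings.append((remote, redacted))
    return findings

def find_git_probe_hits(log_text):
    """(ip, path, status) for requests reaching into a .git directory; a 200 means metadata was actually served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and GIT_PATH_RE.search(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits
```

Run the first function over every `.git/config` on a build host and the second over the web server's access log; a `.git/config` hit with status 200 means the directory is reachable and should be blocked at the web server.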
Many security breaches are the result of hackers stealing passwords. These breaches can be avoided by strengthening security measures, such as using two-factor authentication (2FA).
Git vulnerabilities can also leave repositories exposed to hackers. For instance, CVE-2018-11235 is a well-documented Git vulnerability. It allows arbitrary code execution when a user works with a malicious repository. (And this is just 1 of 9 currently documented Git vulnerabilities, too.)