Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.
Ask any developer and most will agree that Git it is the most popular software version control (SVC) standard today. Just because it's the most popular, however, doesn't mean it's the most secure. Regardless of whether you're using GitLab, GitHub, or a locally hosted Git server each has its own security issues that can sneak up on you and start a wave of additional issues.
Keep in mind, Git is not built for security but for collaboration. It can be made secure through certain tools and best practices, but still requires caution. Self-hosting a Git server, for example, is a security issue, particularly if you lack experience in Git server configuration as there are simply too many opportunities to exploit a misconfigured or unpatched Git server by experienced hackers.
Even hosted Git services such as GitHub or GitLab offer limited security. Such services offer an easy-to-use interface with enhanced access controls. But convenience and ease-of-use can prove to be a hindrance and lead to complacency and human error. This especially true when code-commits are not properly screened by secret detection tools.
Not surprisingly, with so many companies relying on Git for code management, it has become a popular attack vector for hackers. History is littered with cautionary tales of poorly configured or insecure Git management.
What can you do to avoid repeating the Git security mistakes of others? Here are a few common Git security pitfalls and pointers to help you navigate them.
Hardcoded Sensitive Data
Developers understand the convenience of storing passwords, tokens, and authentication keys directly in the code where such credentials are used. It's difficult for them, however, to resist the temptation of saving them where they are easily accessible when issue pop up.
Hardcoded secrets are a terrible security practice that unfortunately plagues software development. Like most people, developers can be forgetful on occasion and share code that contains stored passwords. In such cases, long-forgotten secrets, still embedded in code, can leak and even get indexed on online search engines. Yes, it happens.
There is simply no good technical reason to use hardcoded authentication credentials. To avoid this, train developers to use secure coding practices. Simultaneously, ensure that security tools are integrated into the development process for the start that can monitor the development workflow.
Unsigned Commits
When committing code to a Git repository, you should be able to see the author who's committing the code. Unless the author used a GPG key to cryptographically sign the commit, it's impossible to trust what's there.
It may sound trifling for a developer with access to a repository to assign a code-commit they themselves performed to another developer on the project. But a disgruntled employee can do this to inject a backdoor into the code, thereby covering their tracks by assigning ownership of the code to another developer.
A similar exploit would be to assign a code commit to a manager of the project's development, hoping the new code would be integrated with less oversight.
When code commits are signed, a "verified" icon appears next to the commit log entry. This ensures every member of the project knows the code was committed by the true code author and was not tampered with in any way.
Unsecured Pipeline Configurations
A CD/CI pipeline that is not secure can lead to data leaks or secrets being put at risk by pull requests coming from forks of your repository, CD/CI VMs left operating unattended, or other processes.
Securing the pipeline requires holding secrets with very limited exposure. Beyond training developers to use proper security practices when storing secrets, it's a recommended best-practice to integrate tools or online services into the CD/CI pipeline to provide an extra layer of protection. This step is even more important when protecting extremely sensitive materials such as code-signing certificates.
Unpatched Software
Generally speaking, Git is used in combination with other applications to automate, secure, and provide analytics throughout the CD/CI pipeline. Hackers have evolved today are not limited to attacking a target directly. Instead, they have found it easier and worth more to execute a supply-chain attack on tools or services to upend multiple entities that use them.
To minimize exposure to supply chain attacks, it's critical to apply tool-chain software security patches as soon as they are released. And while you're at it, limit online service access to the minimum required for reliable operations and — it goes without saying but we'll say it anyway - perform regular backups.
Inaccurate Access Permissions
Poorly configured permissions can provide an access point to every Git repository on the server. In the case of one well-known automaker, the server automatically granted full access to anyone who just signed up for a developer account. More inconspicuous access permissions configuration errors may result in persons accessing data they are not authorized to in other cases.
When establishing access permissions, it's important to define access roles on a per-repository basis to ensure only developers with exact access credentials are allowed to interact with the repository.
Git security is not to be taken lightly. Losing source code or compromising intellectual data can prove disastrous and effectively level an organization. By applying some of the lessons here — along with the enforcement of security practices and policies — you can better assure that code will be more secure using Git in a production environment.
Industry News
Red Hat announced the general availability of Red Hat Enterprise Linux 9.5, the latest version of the enterprise Linux platform.
Securiti announced a new solution - Security for AI Copilots in SaaS apps.
Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:
Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.
Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.
OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.
Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.
Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.
Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.
Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.
Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.
Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.
MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.