Git, a version control system, is one of the most commonly found tools in a developer’s arsenal. With 100 million active users on GitHub alone, the system’s popularity is undeniable. Despite these numbers, many users aren’t aware of the optional security measures it provides. Because they’re not implemented as standard, they’re easily missed – but often crucial for your organization’s integrity.

Immersive Labs is the first platform to interactively teach you all you need to know about these security measures, with our new Git Security collection.

The True Cost of Bad Git Security

There are tens of millions of public Git repositories on the internet. Now consider this: personal repositories are public by default. This can prove especially troublesome if an employee accidentally sets themselves as the repository owner instead of their organization. How many of those public repositories should have been private? How many contain proprietary code, credentials, or other secrets?

There is a recent upward trend of ransomware operators and threat groups stealing source code for blackmail and ransom. Meanwhile, stolen and compromised credentials stand out in IBM’s 2022 Cost of a Data Breach report. According to the report, they’re the most common initial attack vector in data breaches. At 327 days, they also result in the longest mean time to identify and contain a breach. As far as cost to the target organization goes, they’ve been among the top five for years. Leaked secrets and credentials are not uncommon in Git repositories. To make matters worse, they’re not always dealt with correctly, even when they’re detected.

A Real-World Example

Back in 2020, a hospital employee in Brazil committed a spreadsheet containing credentials to a public repository. This mistake made two government databases public, which held the personal information of 16 million patients and prominent figures, including the president of Brazil at the time. The labs in our new collection include more interesting anecdotes and cautionary tales proving that Git security is essential in daily operations.

Beyond the initial attack, compromised accounts can be used to inject malicious code into repositories. The first step to mitigate this is to shift left with more secure authentication methods. But you should also take a defense-in-depth approach and prepare for the worst. This requires checking the authenticity of commits made to a repository.
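One way to make that authenticity check concrete is to audit signature status across a repository's history rather than trusting whatever a hosting service shows. The script below is an added example, not Immersive Labs' code and not part of its labs. It assumes the input was produced by a command such as `git log --format='%H%x09%G?%x09%GS%x09%s'` (tab-separated hash, signature status, signer, subject); the sample log lines, hashes and identities embedded in it are constructed for illustration.

```python
"""Audit commit signature status from `git log` output (added example).

Reads lines produced by a command such as
    git log --format='%H%x09%G?%x09%GS%x09%s'
and reports every commit whose signature does not verify against a signer
on an allowlist. The sample input below is constructed, not captured from
a real repository.
"""
from dataclasses import dataclass

# Meaning of the %G? placeholder, per git-log(1):
#   G good signature, B bad signature, U good but key of unknown validity,
#   X good but expired, Y good but key expired, R good but key revoked,
#   E signature could not be checked (e.g. missing key), N no signature.
STATUS_TEXT = {
    "G": "good signature",
    "B": "BAD signature",
    "U": "good signature, key of unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature could not be checked",
    "N": "no signature",
}


@dataclass(frozen=True)
class Finding:
    commit: str
    status: str
    signer: str
    subject: str
    reason: str


def parse_log(text: str):
    """Yield (commit, status, signer, subject) from tab-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split at most three times: the subject may itself contain tabs.
        parts = line.split("\t", 3)
        if len(parts) != 4:
            raise ValueError(f"malformed log line: {line!r}")
        yield tuple(parts)


def audit_commits(text: str, trusted_signers: set[str],
                  accept_untrusted_key: bool = False) -> list[Finding]:
    """Return a Finding for every commit that should not be accepted as authentic.

    A commit passes only if %G? is G (or U when accept_untrusted_key is set)
    AND the signer string is on the allowlist. Everything else is reported,
    including unsigned commits and signatures that could not be checked.
    """
    ok_statuses = {"G"} | ({"U"} if accept_untrusted_key else set())
    findings = []
    for commit, status, signer, subject in parse_log(text):
        if status not in ok_statuses:
            reason = STATUS_TEXT.get(status, f"unknown status {status!r}")
        elif signer not in trusted_signers:
            reason = f"signer {signer!r} not in allowlist"
        else:
            continue
        findings.append(Finding(commit, status, signer, subject, reason))
    return findings


# Constructed sample output (hashes and identities are made up).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\tAlice Dev <alice@example.com>\tAdd input validation
2222222222222222222222222222222222222222\tN\t\tFix typo in README
3333333333333333333333333333333333333333\tB\tAlice Dev <alice@example.com>\tUpdate build script
4444444444444444444444444444444444444444\tE\t\tBump version
5555555555555555555555555555555555555555\tG\tEve Contractor <eve@example.net>\tTweak CI config
6666666666666666666666666666666666666666\tU\tBob Dev <bob@example.com>\tRefactor auth module
"""

# Hypothetical allowlist of signers the organization has vetted.
TRUSTED = {"Alice Dev <alice@example.com>", "Bob Dev <bob@example.com>"}

if __name__ == "__main__":
    for f in audit_commits(SAMPLE_LOG, TRUSTED):
        print(f"{f.commit[:12]}  {f.status}  {f.reason}: {f.subject}")
```

Run against the constructed sample, the audit flags five of six commits: the unsigned one, the one with a bad signature, the one whose key could not be checked, the one signed by a party outside the allowlist, and the one whose key has unknown validity. Passing `accept_untrusted_key=True` relaxes only the last case; the allowlist check stays in force because a valid signature from an unknown key says nothing about who the author is.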

Our New Series

The new Git Security labs cover the vulnerabilities and security measures discussed above, and more. The series starts you off with the basics and sets you on your way to becoming a Git guru with the following labs:

These labs contain our very own Git hosting service called Metrolio, which is akin to popular services like GitHub. To complete them all, you’ll have to use both the web interface and the command line interface. Your reward at the end will be a Git Security badge and a security-first mindset in how you use Git day to day.


Published

February 8, 2023

Topics

Git Security

WRITTEN BY

Sabrina Aytac

Application Security Engineer