I have a question: suppose a company decides one day to store all of its project code on GitHub. Even in a private repository, don't you risk sharing sensitive information that could compromise the entire project? (I am still referring to a free account, without any upgrades or such things.)
If this is your perception of GitHub or any other provider, you will have to deploy locally in your own infrastructure. That means extra effort for maintenance and updates, and you lose all the benefits that GitHub provides.
In any case, standard practice is to keep sensitive information such as credentials out of git entirely.
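As a minimal sketch of that practice (the file name `secrets.env` is just an example), you can tell git to ignore a credentials file and then verify that it is actually excluded:

```shell
# Inside an existing git repository: ignore a local credentials file.
echo "secrets.env" >> .gitignore
git add .gitignore

# git check-ignore prints the path and exits 0 if the file is ignored.
git check-ignore secrets.env
```

The `.gitignore` itself is committed and shared, while the credentials file stays only on each developer's machine.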
I would like to ask a question about disaster recovery. We used to run our own source code repository and build server, so our disaster recovery plan was to restore from a backup if something failed. Since we moved to Azure DevOps, everything, including repos and build pipelines, is managed by Microsoft. What is the recommended disaster recovery strategy in that case?
The standard answer, that most deletion operations in Azure DevOps are recoverable, is not valid in our case.
Backrightup also doesn't suit our situation.
When talking about DR, the fundamental question is what kinds of disasters you have in mind. Microsoft has its own DR, and likely higher reliability than we could achieve on a local system.
A more likely issue is a network outage that leaves you unable to reach the repository. Against that, the best option is keeping checkouts on local systems.
There is a less probable issue of being locked out of your DevOps account, but I imagine you would be able to rectify that quickly.
In a DR discussion about our repos a while back, we considered it less of a concern because of the way Git works: Git maintains a full local repository on every computer that clones the code, so you can recover most of the code if worst comes to worst.
But these situations are very subjective, so you will have to think about your case.
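One concrete option for the "hosted repo is unreachable" scenario is a periodically refreshed local mirror. A sketch, where `$REPO_URL` is a placeholder for your Azure DevOps or GitHub remote:

```shell
# First run: create a bare mirror containing every ref (branches, tags, notes).
git clone --mirror "$REPO_URL" backup.git

# Subsequent runs (e.g. from cron): refresh all refs in place.
git --git-dir=backup.git remote update
```

Unlike a developer's working clone, a mirror also captures branches nobody happens to have checked out locally.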
I load sensitive details (e.g., an AWS secret) into my Node project with dotenv and an .env file, which I include in my .gitignore, as I've read that's best practice.
If I want to add others to the project, or even clone the repo on another system, what's the most efficient and safe way to transmit these sensitive details? I assume email and Google Drive are out, but I'm not sure what's 'in.'
My repo is private; does that mean the 'don't check in API keys' advice is less absolute? As I see it, anyone with permission to see the repo will likely need the relevant API keys anyway, so it doesn't seem too unreasonable to simply check them in.
Security is always a trade-off with convenience; there are no real absolutes. Are you fine with anyone who accesses the repository, and the (potential) git host, having access to the keys? Are all developers' computers secured and using disk encryption? What do the keys give access to? Everything on AWS? Do you trust everyone with access to the repo to stay secure and not accidentally share things further? The point is that you need to fully understand the ways in which the secrets might leak.
Personally, I would rather keep them outside of git and distribute keys to developers via USB sticks or encrypted email, and only to the people who need them. Only a subset of our developers actually do.
Just make sure you rotate all your secrets if you decide it's too risky; don't just delete them from the repository. Once they are in the history, they are there forever.
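If you're unsure whether a secret ever landed in history, git can search every revision, not just the current tree. A sketch, using `AKIA` (the prefix of AWS access key IDs) as an example pattern:

```shell
# List every commit that ever added or removed the string, anywhere in history.
git log --all --oneline -S "AKIA"

# Or grep the full contents of every reachable revision.
git grep "AKIA" $(git rev-list --all)
```

If either command turns anything up, deleting the file in a new commit is not enough; the key has to be rotated.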
Is it considered good practice to store passwords in a Github private repository?
[Related to, but very different from, this question]
I'd like to break this question into two parts:
Is it a good practice to store passwords in source control? No. Credentials are not versioned in the same way. For example, you should be able to change your password without releasing a new build of your software.
Is it a good practice to store passwords in the cloud? That's really up to your tolerance for security and reliability. In this case, you're outsourcing both to GitHub. If GitHub loses your data, do you have a backup elsewhere? If GitHub gets hacked (e.g. your private repo briefly becomes public) or if they don't securely destroy old drives, what's the impact if an unauthorized person has your credentials?
Also, when you store credentials, encrypt them and store the key elsewhere.
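A minimal sketch of that advice using OpenSSL, assuming the passphrase is shared out-of-band and never committed (file names are hypothetical):

```shell
# Encrypt the credentials file; only the ciphertext could ever be committed.
openssl enc -aes-256-cbc -pbkdf2 -salt \
    -in credentials.env -out credentials.env.enc -pass pass:"$SHARED_KEY"

# Decrypt on the other side with the same out-of-band passphrase.
openssl enc -d -aes-256-cbc -pbkdf2 \
    -in credentials.env.enc -pass pass:"$SHARED_KEY"
```

Tools such as git-crypt and SOPS automate this pattern if you decide encrypted secrets belong in the repository at all.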
It's certainly not 'good practice'.
Whether it's tolerable depends on your security requirements. For SCI-clearance-type work, that won't fly.
For a private fun project it's probably OK. But putting sensitive passwords anywhere in the cloud is probably not a good idea.
Projects that are serious about security usually don't keep plaintext passwords even in their configuration files.
I don't believe it's ever good practice to store passwords anywhere other than where absolutely necessary, and GitHub doesn't strike me as meeting that condition.
As my company begins to further explore moving from centralized version control tools (CVS, SVN, Perforce, and a host of others) to offering teams distributed version control tools (Mercurial, in our case), I've run into a problem:
The Problem
A manager has raised the concern that distributed version control may not be as secure as our CVCS options because the repo history is stored locally on the developer's machine.
It's been difficult to nail down his exact security concern, but I've gathered that it centers on the fact that a malicious employee could steal not only the latest intellectual property but our whole history of changes, just by copying a single folder.
The Question(s)
Do distributed version control systems really introduce new security concerns for projects?
Is it easier to maliciously steal code?
Does the complete history represent an additional threat that the latest version of the code does not?
My Thoughts
My take is that this may be a mistaken belief that the centralized model is more secure because the history seems safer sitting off on its own box. Given that users with even read access to a centralized repo can selectively extract snapshots of the project at any key revision, I'm not sure the DVCS model makes it all that much easier. Also, most CVCS tools allow you to extract the whole repo's history with a single command, so that you can import it into other tools.
I think the other issue is how important the history is compared to the latest version. Granted, someone could have checked in a top-secret file and then deleted it, in which case the history quickly becomes significant. But even in that scenario, a CVCS user could check out that top-secret revision with a single command.
I'm sure I could be missing something or downplaying risks, as I'm eager to see DVCS become a fully supported tool option. Please contribute any ideas you have on security concerns.
If you have read access to a CVCS, you have enough permissions to convert the repo to a DVCS, which people do all the time. No software tool is going to protect you from a disgruntled employee stealing your code, but a DVCS has many more options for dealing with untrusted contributors, such as a gatekeeper workflow. Hence its widespread use in open source projects.
You are right that distributed version control does not really introduce any new security concerns, since the developer already has access to the code in both cases. I can only think that since it is easier to work offline and offsite with Git, developers might be more tempted to do so than with a centralized system. I would push to enforce encryption on all corporate laptops holding code.
Not really easier, just the same. If you enable logging, you will have the same information about when the code is accessed.
I personally do not think so. The history might reveal the thought process leading to certain decisions, but not much more.
It comes down to knowing how to implement security measures in both cases. If you have more experience in one system than another, you are more likely to implement more safeguards against such loss, but at the end of the day you are trusting your developers with the code the minute you allow them access to it. There is no way around that.
DVCS provides various protections against unauthorized writes, which is why it is popular with opensource teams. It has several frustrating limitations for controlling reads, which opensource teams do not care about.
The first problem is that most DVCS encourage many copies of the full source. The typical granularity is the full repo. This can include many unneeded branches and even entire other projects, besides the concern of history (along with searchable commit comments that can make the code even more useful to the attacker). CVCS encourages developers to copy as little as possible to their desktop, since the less they copy, the faster it works. The less you put on mobile devices, the easier it is to secure.
When DVCS is implemented with many devices acting as servers, it is much more difficult to implement effective network security. Attacking a local CVCS workspace requires the attacker to gain access to the filesystem. Attacking a DVCS node generally requires attacking the DVCS itself on any device hosting the information (and remember: the folks who maintain most DVCS's are opensource guys; they don't care nearly as much about read controls). The more devices that host repositories, the more likely that users will set up anonymous read access (which again, DVCS encourages because of its opensource roots). This greatly simplifies the job of an attacker who is doing random sweeps.
CVCS that are based on URLs (like subversion) open the opportunity for quite fine-grain access control, such as per-branch access. DVCS tends to fight this kind of access control.
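For illustration, Subversion implements this through path-based authorization in its authz file; a rule set like the following (repo, group, and branch names are hypothetical) can hide an entire branch from most readers:

```ini
[groups]
devs = alice, bob
release-team = carol

[repo:/trunk]
@devs = rw
* = r

# Nobody outside the release team can even read this branch.
[repo:/branches/release]
@release-team = rw
* =
```

There is no direct equivalent in git: once someone can clone the repository, they have every branch and the full history.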
I know developers like DVCS, but there's no way it can be secured as effectively as CVCS. Most environments do a terrible job of securing their CVCS, and if that's the case then it doesn't matter which you use. But if you take access control seriously, you can have much greater control with CVCS as part of a broader least-privilege infrastructure.
Many may argue that there's no reason to protect source code. That's fine and people can argue about it. But if you are going to protect your source code, the best implementation is to not copy the source to random laptops (which are very hard to secure well), and rather have developers mount it from a central server. CVCS works well this way. DVCS makes no sense if you are going to keep it on a single server this way. If you are going to copy files to mobile devices, make sure you copy as little as possible. That's the opposite of DVCS.
There are a bunch of "security" issues; whether they are an issue depends on your setup:
There's more data floating around, which means the notional "attack surface" might be bigger (it depends on how you count).
But how much data does the "typical" developer check out? You might want to use a sparse checkout in svn, but lazy people and some GUI tools don't support that, so they'll have all your code checked out anyway. Git users might be more likely to use multiple repos. This depends on you.
Authentication/access control might be better (and it might be worse!). This is largely a function of the VCS, not whether it is "D" or "C". svn:// is plaintext.
Is deleting files a priority, and how easy is it to do? An accidental commit of a confidential file is more painful to undo in git if it happened in the distant past (but people might also be more likely to notice).
Are you really going to notice a malicious user pulling the entire history instead of merely doing a checkout? It depends on how big your repository is and what your branches are like. It's easy for a full SVN checkout to take up more space than the repository itself due to branches.
Change history is generally not something you want to give away for free (even to people with a source code license), but how valuable is it? Maybe you have top-secret design methodologies or confidential information in your commit messages, but this seems unlikely.
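On the "accidental commit of a confidential file" point above: deleting the file in a new commit leaves it recoverable from every older revision, so the history itself has to be rewritten. A sketch using the built-in `git filter-branch` (deprecated in favor of the separate `git filter-repo` tool, noted in the comment; the file name is hypothetical):

```shell
# Rewrite every commit on every branch, dropping secrets.env from each tree.
# Modern equivalent: git filter-repo --invert-paths --path secrets.env
git filter-branch --force --index-filter \
    'git rm --cached --ignore-unmatch secrets.env' \
    --prune-empty -- --all
```

Even after rewriting and force-pushing, rotate the secret anyway: existing clones and forks still hold the old history.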
And finally, security economics:
How much is the extra security worth?
How much is increased productivity worth?
How much is caring about the concerns about your developers worth?
(IIRC, it turns out that users are often right to ignore security advice, because the expected cost exceeds the expected benefit; this is especially true for things like certificates that expired yesterday. How much does it cost you to check the address bar every time you type in a password? How often do you catch a phishing attempt? What is the cost to you per thwarted phishing attempt? What is the cost per successful phish?)
How safe is it to use an online SVN repository?
I want to develop collaboratively with some friends. I know you can create non-public accounts with some of those services, but I can't feel comfortable handing all of our intellectual product over to another company to manage. After all, if your idea works, those companies could easily find your source code!
Do you think this care is important? If so, what is the best solution?
My question isn't "how good is it" or "which is better"; I just want to know whether you trust them, and why (or why not).
Here are some examples of hosted SVN providers:
XP-Dev
Unfuddle
Assembla
Thank you all!
If you have something valuable enough to be stolen, it's time to get a lawyer anyway. Get him involved from the start, have him review whatever agreements the various hosting sites have to offer, and make sure they can be held accountable for breaches of security, including the value of your source code in the hands of competitors.
It is definitely important to be concerned about your source code in the cloud. At the end of the day you have to weigh the cost of installing, securing, maintaining, and backing up everything yourself against a $10/month plan with a hosted SVN service. There will always be a certain sector that will never upload code to a hosted repo (banks, military, etc.), but for the majority of us the risk is low compared to the benefits of not doing it yourself. Make sure the provider you choose:
enforces SSL and a password policy;
takes regular backups (at least hourly granularity);
uses a SAS 70-audited datacenter;
lets you download a full SVN repo dump if you choose to leave or go elsewhere;
has been in business for a while, with a good track record.