While using a paid account on github, we currently have a private repository which is forked only by contributors that work within the same network.
What is the best way to ensure that the code remains private? In other words, how can the organization restrict reading/cloning/downloading of the repository (or its forks) by a computer off network?
Thank you in advance for your help!
If you're using a version hosted on github.com, then there's no technical way to restrict access to that private repository based on the network from which the connection comes. If you need that functionality, you'll need to self-host with GitHub Enterprise Server, which is the on-premises version. You can then limit access to that server to only people on your network.
You could also enable SAML single sign-on and only allow access to GitHub if the SAML authentication comes from your network. However, do be aware that once a user has logged in, the SAML session is cached, so a user could log in while on your network and then take their laptop somewhere else and still access things. That also wouldn't prevent actually cloning a repository with a token or a key, however.
If your goal is solely to ensure that the code remains private and you generally trust your employees, you could try techniques like requiring 2FA for all employees, which makes it harder for people to compromise accounts.
Related
I'm planning to make the Tomcat (8.5) Manager accessible through a subdomain like this: https://tomcat.mydomain.com.
As you can see the connection is over HTTPS, but still, does this pose a security risk and is considered as 'bad practice'?
One think I did notice is that, by looking at the certificate for mydomain.com, you can see that https://tomcat.mydomain.com does exists. Which means there is not much security by obscurity.
Of course, it's important to have the tomcat accounts setup right and protected by a password, which I have.
Having the endpoint publicly accessible is not, in itself, a security risk. There are other considerations, though, that you might want to take into account when deciding whether or not to expose an administrative interface publicly:
How many people have credentials for the service?
Can all those people be trusted to have good passwords?
Can all those people be trusted not to re-use passwords across multiple sites?
Do you have lock-outs enabled (on by default if using Tomcat's authentication with the Manager app)?
Can the lock-outs be overwhelmed? (consider the lock-out implementation)
Do admins actually need public access to the Manager?
Are there additional layers of security you could add between the public and the management interface?
In general, I usually choose not to expose administrative interfaces to the public. I almost always require an administrative user to go through some other gate such as an ssh tunnel (with public-key-only access) before they can access any management interface, and then they most also authenticate a second time through that interface (i.e. you aren't automatically trusted just because you have the tunnel established).
If I were going to expose an administrative interface to the public, I think I would want something in addition to password-based authentication in the mix. Some other factor should be involved, whether that is something like a common 2FA solution like TOTP or similar, or TLS client certificates ("mutual authentication").
There is a presentation on the Tomcat web site about upgrading your credential security. There is sample code and configuration in there for how to set up TOTP within Tomcat's existing authentication system. You might want to read that presentation and consider whether you want to add protection like that to your administrative interfaces.
Context:
We have a VSTS account https://blahblahblah.visualtudio.com
We have configured it to block outside access by using Azure Premium conditional access and specifying the public IPs of our work network. So interactive access is blocked from clients outside the internal network.
But this does not block Personal Access Tokens (PATs). Nor do I see a setting to disable or block use of PATs. PATs can allow access to most of the data in our VSTS account via the REST API. Without a mechanism like the Azure AD Premium conditional access (whitelist), anyone in the world could access or modify our data by merely stealing a PAT. This seems like a huge security hole to me. Am I missing a control for that vulnerability?
Ideally, we would have a whitelist in VSTS instead of having to rely on Azure AD Premium. then the VSTS service would block both interactive and API calls that did not originate in our designated safe locations. But that does not exist so far as I know.
So, how can we protect our data from users out in the world who might access our account data via the API path and a stolen PAT?
You can disable Basic Authentication and Alternate Credentials, but that will also disable a few features on VSTS (like SSH Git and Git access from some tools that don't support the OAuth workflow).
Personal Access Token cannot be disabled this way unfortunately. Though you could have people limit the scope to their tokens and have them only create limited time tokens.
It's likely that in the future the integration with AAD will be tighter and will be able to check AAD Conditional Access.
Another important note: Once the user has logged on using AAD, they can take their laptop/device with them to another location. As long as the AAD authentication is still valid, they will not be blocked access from the other location. Conditional Access is checked upon login and renewal of the token in the case of VSTS as far as I know.
Right now only due diligence on the side of your users can prevent unauthorized access to your account. Have them treat their PAT the same way as they treat other important secret information. Use short duration PAT's, limit their scope to only what is needed and store them securely, in a Password vault like Lastpass or Keepass.
PS: in a cloud world where machines regularly get new IP addresses assigned and where IPv6 will make it harder to single out groups of machines, pure IP restrictions are not the way to keep your data safe. IP is also one of the things that is relatively easily spoofed or hidden.
Thinking about a situation where multiple developers cooperate on a project.
A project that is tested on a development server and then moved on a webserver when ready.
This project talks with paypal API so in dev-mode uses the Sandbox credentials, and when online uses LIVE api credentials.
Problem is security, since I want that only the team leader have access to the file that contains the live API data.
the only solution i've reach until now is to limit the FTP access to the webserver to one person, and this person is the only one who can access the credentials file. But this could be not very practical. Since there will be no synch with the dev server....
I guess this is a common pattern, where sensitive data has to be placed in a secured place, and just accessed from the ProjectLeader, and from the Live web-application.
I need an idea... any suggestion?
Hi and thanks in advance,
I am looking for industry best practice or a ready made app to store and share passwords for for network resources.
My current situation is that I have a number of people that need to access applications as a specific superuser in order to access some features of these applications. The applications are third party build and cannot be changes to grant access to the required features for anyone but the superuser account. Normal admin accounts have elevated rights but things like creating accounts have to be done via the superuser account.
For security reasons I would like to periodically change the superuser accounts' password. Because of the number of people that need to be able to log in as superuser changing the password would be problematic and a logistical nightmare.
I'm looking to purchase or create an application that would:
Track who is looking up the password and to what resource
Allow me to specify what passwords a user can retrieve
The data should be stored and transmitted ultra securely
Preferable this would be an on-line application (I have Mac and Windows clients)
Keypass is great for this kind of thing. It provides a strong encrypted database of passwords and secure information. This can be accessed share via svn/dropbox/fileshare implementations using a master password.
This is more for a master database of secure data you can set up additional databases, maybe per user, but it starts to get a little away from what it's deigned for.
I would do a C# app that checks with a web service if the user can run the app and with what permissions, it would then be sent the encrypted credentials for a 1 time run, the service would log the request. This would all have to be done securely, so the service would use SSL and preferably certs between the systems. You have a good bit of research here to figure this all out, and you might have to use Java if you want mac... but I dont know how well that can launch apps as other users.
Solution #2 would be to use KeePass. You will have to be creative.
I have used OAuth multiple times before for web applications.
However I am now looking into desktop applications and security issues involved.
Obviously public and private keys have to be stored somewhere, so how can I overcome the potential issue that someone will take the desktop application I create and steal the keys from it?
Cheers,
Thomas.
You can't. As long as you're planning on authenticating without going to a server, then the machine and private keys can be compromized.
You can reduce your vulnerability by encrypting your keys until the moment you need them, but at some point in time, your key will be in memory and viewable by a skilled and focused computer savvy thief.
i think i came up with some sort of a solution.
you could make a server for your desktop application that will interact with OAuth provider,
just like you do with a web application.
then you make an additional username and password for your webserver for each user.
so the user has to login to your desktop application (here is a desktop-server interaction to validate the user)
then enable user to connect to your server and make the heavy work.