Git is distributed, meaning that people can maintain a copy of the source code. While Git’s distributed nature is what makes it so popular amongst developers, it is also what makes it a security concern to enterprises. The concern is that your source code is only as secure as the machine it’s been copied. Each of these devices could be a point of exposure. We understand how important it is to maintain the integrity of your source code.
With the release of GitLab 8.9 we announced that we partnered with Yubico to help customers strengthen their authentication process with YubiKeys. YubiKeys are a single key providing universal 2nd factor authentication into an unlimited number of applications. After our announcement, we asked Yubico to join us on a webcast. In this webcast, we talked about common security threats and how you can use GitLab and Yubico to protect your private data and maintain a secure Git repo as a single source of truth.
If you don’t have time to watch the full video, here are the highlights.
Definition of a YubiKey
A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button.
Reasons YubiKeys are preferred over 2FA via SMS
From a security standpoint, push notifications and SMS codes (a form of One-time Passwords) are all vulnerable to phishing attacks and replay attacks. Getting a bit technical here, if you are using the U2F protocol with the YubiKey, a properly implemented U2F registration flow contains Origin (phishing protection!) information as well as TLS Channel Identification information (Man in the Middle attack protection). Finally, the challenge-response piece of the U2F protocol provides complete replay attack protection.
GitLab + YubiKey
Our goal is to secure our customer’s work with proven, seamless solutions. The YubiKey provides one-touch authentication, reducing the number of steps users have to take to access their accounts. Remembering and entering passwords or pins can be a cumbersome process. Hopefully, YubiKeys can reduce some of that friction and encourage more teams to secure their GitLab instance.
GitLab's additional security capabilities beyond authentication
Nine security best practices
Of course there are many more than just nine. These were the ones that stuck out to us but for more resources take a look at InfoSec’s article on security best practices for Git users and you can also check out the security section of our employee handbook.
.gitignorefiles by providing a proper
.gitignorefile content to all current and future projects.
As always, if you have any questions feel free to comment on this post or tweet at us.