Security Webcast with Yubico

Aug 31, 2016

Git is distributed, meaning that people can maintain a copy of the source code. While Git’s distributed nature is what makes it so popular amongst developers, it is also what makes it a security concern to enterprises. The concern is that your source code is only as secure as the machine it’s been copied. Each of these devices could be a point of exposure. We understand how important it is to maintain the integrity of your source code.

With the release of GitLab 8.9 we announced that we partnered with Yubico to help customers strengthen their authentication process with YubiKeys. YubiKeys are a single key providing universal 2nd factor authentication into an unlimited number of applications. After our announcement, we asked Yubico to join us on a webcast. In this webcast, we talked about common security threats and how you can use GitLab and Yubico to protect your private data and maintain a secure Git repo as a single source of truth.

In this Webcast

Recording & Slides

Key Takeaways

If you don’t have time to watch the full video, here are the highlights.

Definition of a YubiKey

A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button.

Reasons YubiKeys are preferred over 2FA via SMS

From a security standpoint, push notifications and SMS codes (a form of One-time Passwords) are all vulnerable to phishing attacks and replay attacks. Getting a bit technical here, if you are using the U2F protocol with the YubiKey, a properly implemented U2F registration flow contains Origin (phishing protection!) information as well as TLS Channel Identification information (Man in the Middle attack protection). Finally, the challenge-response piece of the U2F protocol provides complete replay attack protection.

GitLab + YubiKey

Our goal is to secure our customer’s work with proven, seamless solutions. The YubiKey provides one-touch authentication, reducing the number of steps users have to take to access their accounts. Remembering and entering passwords or pins can be a cumbersome process. Hopefully, YubiKeys can reduce some of that friction and encourage more teams to secure their GitLab instance.

GitLab's additional security capabilities beyond authentication

  • Access and permissions: control who has access to your repositories
  • Workflow management: control what changes are being made to your repositories
  • Audit trail: keep a record of what happened within you GitLab instance

Nine security best practices

Of course there are many more than just nine. These were the ones that stuck out to us but for more resources take a look at InfoSec’s article on security best practices for Git users and you can also check out the security section of our employee handbook.

  1. Assign strong passwords and store in an encrypted vault (e.g., 1Password).
  2. Never reuse your passwords across accounts.
  3. Ensure proper user identity by restricting the use of shared or system accounts.
  4. Enforce two-factor authentication.
  5. Maintain a single secure repository.
  6. Assign and review the proper access and permissions levels to projects.
  7. Only use HTTPS or SSH to access git repositories, git repository management software, CI systems and ticketing / bug tracking systems.
  8. Enforce integrity checks on all incoming objects by setting transfer.fsckObjects, fetch.fsckObjects and receive.fscObjects to true.
  9. Enforce usage of .gitignore files by providing a proper .gitignore file content to all current and future projects.

As always, if you have any questions feel free to comment on this post or tweet at us.

Install GitLab on your own server in 2 minutes

Browse all posts

For the latest and most detailed news follow @gitlab on Twitter. Future blog posts suggestions.