Git is distributed, meaning that people can maintain a copy of the source code. While Git’s distributed nature is what makes it so popular amongst developers, it is also what makes it a security concern to enterprises. The concern is that your source code is only as secure as the machine it’s been copied. Each of these devices could be a point of exposure. We understand how important it is to maintain the integrity of your source code.
With the release of GitLab 8.9 we announced that we partnered with Yubico to help customers strengthen their authentication process with YubiKeys. YubiKeys are a single key providing universal 2nd factor authentication into an unlimited number of applications. After our announcement, we asked Yubico to join us on a webcast. In this webcast, we talked about common security threats and how you can use GitLab and Yubico to protect your private data and maintain a secure Git repo as a single source of truth.
In this Webcast
- Top security threats
- Inside look at how YubiKeys work
- Demo of setting up and using a YubiKey with GitLab
- Demo GitLab’s additional security capabilities beyond authentication
- Industry best practices for securing your Git repository
Recording & Slides
Key Takeaways
If you don’t have time to watch the full video, here are the highlights.
Definition of a YubiKey
A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button.
Reasons YubiKeys are preferred over 2FA via SMS
From a security standpoint, push notifications and SMS codes (a form of One-time Passwords) are all vulnerable to phishing attacks and replay attacks. Getting a bit technical here, if you are using the U2F protocol with the YubiKey, a properly implemented U2F registration flow contains Origin (phishing protection!) information as well as TLS Channel Identification information (Man in the Middle attack protection). Finally, the challenge-response piece of the U2F protocol provides complete replay attack protection.
GitLab + YubiKey
GitLab's additional security capabilities beyond authentication
- Access and permissions: control who has access to your repositories
- Workflow management: control what changes are being made to your repositories
- Audit trail: keep a record of what happened within you GitLab instance
Nine security best practices
Of course there are many more than just nine. These were the ones that stuck out to us but for more resources take a look at InfoSec’s article on security best practices for Git users and you can also check out the security section of our employee handbook.
- Assign strong passwords and store in an encrypted vault (e.g., 1Password).
- Never reuse your passwords across accounts.
- Ensure proper user identity by restricting the use of shared or system accounts.
- Enforce two-factor authentication.
- Assign and review the proper access and permissions levels to projects.
- Only use HTTPS or SSH to access git repositories, git repository management software, CI systems and ticketing / bug tracking systems.
- Enforce integrity checks on all incoming objects by setting
transfer.fsckObjects,fetch.fsckObjectsandreceive.fscObjectstotrue. - Enforce usage of
.gitignorefiles by providing a proper.gitignorefile content to all current and future projects.
As always, if you have any questions feel free to comment on this post or tweet at us.
