Blog Insights Security Webcast with Yubico
Published on: August 31, 2016
4 min read

Security Webcast with Yubico

GitLab and Yubico discuss security best practices for Git users.


Git is distributed, meaning that people can maintain a copy of the source code. While Git’s distributed nature is what makes it so popular amongst developers, it is also what makes it a security concern to enterprises. The concern is that your source code is only as secure as the machine it’s been copied. Each of these devices could be a point of exposure. We understand how important it is to maintain the integrity of your source code.

With the release of GitLab 8.9 we announced that we partnered with Yubico to help customers strengthen their authentication process with YubiKeys. YubiKeys are a single key providing universal 2nd factor authentication into an unlimited number of applications. After our announcement, we asked Yubico to join us on a webcast. In this webcast, we talked about common security threats and how you can use GitLab and Yubico to protect your private data and maintain a secure Git repo as a single source of truth.

In this Webcast

  • Top security threats
  • Inside look at how YubiKeys work
  • Demo of setting up and using a YubiKey with GitLab
  • Demo GitLab’s additional security capabilities beyond authentication
  • Industry best practices for securing your Git repository

Recording & Slides

Key Takeaways

If you don’t have time to watch the full video, here are the highlights.

Definition of a YubiKey

A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button.

Reasons YubiKeys are preferred over 2FA via SMS

From a security standpoint, push notifications and SMS codes (a form of One-time Passwords) are all vulnerable to phishing attacks and replay attacks. Getting a bit technical here, if you are using the U2F protocol with the YubiKey, a properly implemented U2F registration flow contains Origin (phishing protection!) information as well as TLS Channel Identification information (Man in the Middle attack protection). Finally, the challenge-response piece of the U2F protocol provides complete replay attack protection.

GitLab + YubiKey

Our goal is to secure our customer’s work with proven, seamless solutions. The YubiKey provides one-touch authentication, reducing the number of steps users have to take to access their accounts. Remembering and entering passwords or pins can be a cumbersome process. Hopefully, YubiKeys can reduce some of that friction and encourage more teams to secure their GitLab instance.

GitLab's additional security capabilities beyond authentication

  • Access and permissions: control who has access to your repositories
  • Workflow management: control what changes are being made to your repositories
  • Audit trail: keep a record of what happened within you GitLab instance

Nine security best practices

Of course there are many more than just nine. These were the ones that stuck out to us but for more resources take a look at InfoSec’s article on security best practices for Git users and you can also check out the security section of our employee handbook.

  1. Assign strong passwords and store in an encrypted vault (e.g., 1Password).
  2. Never reuse your passwords across accounts.
  3. Ensure proper user identity by restricting the use of shared or system accounts.
  4. Enforce two-factor authentication.
  5. Assign and review the proper access and permissions levels to projects.
  6. Only use HTTPS or SSH to access git repositories, git repository management software, CI systems and ticketing / bug tracking systems.
  7. Enforce integrity checks on all incoming objects by setting transfer.fsckObjects, fetch.fsckObjects and receive.fscObjects to true.
  8. Enforce usage of .gitignore files by providing a proper .gitignore file content to all current and future projects.

As always, if you have any questions feel free to comment on this post or tweet at us.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

New to GitLab and not sure where to start?

Get started guide

Learn about what GitLab can do for your team

Talk to an expert