In honor of Security Awareness month...which, in our opinion, should be a year-round thing, we’ve pulled together some of our GitLab security team members' best security advice to keep us all a little safer online. You might just see a pattern…
Advice: Look at security holistically.
It’s not just about securing the infrastructure, or the code, but also the people within the company. Security is everyone’s responsibility and effective security enablement and training go a long way.
Human error is the most significant cause of security problems. So many of the security breaches that have come to pass in recent years inevitably have an element where a person with good intentions has made a decision with dire consequences. So when thinking about Security, don’t just think about the cool hack or the clever technology. Most likely, the vulnerability will be a person who will make the mistake that causes a breach, so everything you can do to educate, inform and remove the potential for the human side of a system to fail will make the greatest difference. – Rob Mitchell, manager, Strategic Security
Read more of Robert’s viewpoints in this blog post:"The difference transparency makes in security".
The saying “if something seems too good to be true” still rings true today, as much as it ever has. Be alert for things that are unexpected or seem odd. Malicious intent can hide in emails, websites, links, and even in your social media feed. Arming yourself with education and tools makes you much less susceptible to scammers.
Everyday your attention is spread out over a multitude of things you need to accomplish, and in many cases that means you try and complete things like reading your email or social feeds quickly, and perhaps you multitask. This is a common situation, but malicious things can sneak past us most easily when our attention is divided. On a daily basis you could be exposed to phishing scams, malicious links, articles written specifically to spark Fear Uncertainty and Doubt (FUD) to drive an emotional response, or plain old hoaxes. A lot of these scams are designed by people using social engineering, to target individuals. They use a bit of technology and a bit of acquired information to manipulate an individual into providing account credentials or access information. Luckily there are many tools out there that you can use to double check things that feel a little off. You can learn about phishing scams and how to spot them, verify stories on Snopes or data points on Wikipedia that don’t check out, and for link checking, you can expand links or scan urls to confirm that where you’re headed online is safe. And, if you want to be extra sure you’re directed to your bank or other account’s actual website, don’t click the link in the email, just type in the url directly or search to find it find from your favorite, trusted browser. – Nicole Schwartz, product manager, Secure
Another great resource? Your company’s security team. A good security team would rather check that email you suspect might be a phishing attack rather than having someone fall for an attack. We map out how to identify a phishing attack in our handbook and guide our employees on next steps if they suspect they’ve received one.
Advice: Make strong, unique passwords, use a password manager and consider adding two-factor authentication (2FA).
This one is so important, we’re going to tell you twice.
Please, please, please, please use a password manager like 1Password, or LastPass, or Bitwarden (examples, not endorsements, YMMV and pick what fits your workflow best!) and start using it to generate and save unique and difficult passwords for each of your sites or services. You won’t need to remember them and so you don’t need to use a memorable one. Then, while you’re at it, turn on 2FA, and not that SMS/text message-based one. Use an app like Google Authenticator or Microsoft Authenticator, which will give you the six-digit number (aka Time-Based, One-Time Password) on your mobile device, or better. Having strong, unique passwords and 2FA enabled will significantly decrease the chance of your accounts being compromised. – Paul Harrison, security manager, security operations
Read more of Paul’s viewpoints in this "Ask GitLab Security" blog post.
Use a different password, preferably a completely random one, and two-factor authentication, for every website you visit. Use whatever form of password manager to keep them all straight. I have used 1Password for years. Websites are hacked daily and there is a high chance that one of the websites you have an account at was hacked within the last year. If your passwords are all the same, you are likely compromised as you read this sentence. – Alex Groleau, senior security engineer, Automation
Read more of Alex’s viewpoints in this blog post, How we use automation to scale up security at GitLab.
Basically, you’re going to want to use a strong, unique password on every site and service you use online. And, if you don’t already have 2FA, or the method of logging in with both information you know (username and password) and something you have (yubikey, authenticator app) and/or something you are (biometrics), enabled, you may want to do that. See Two Factor Auth for a list of sites where 2FA is an option. Lastly, you may want to check out haveibeenpwned.com, where you can see if your email address(s) or usernames have already been compromised.
Advice: Keep your systems updated and patch, patch, patch.
Use a password manager and generate unique passwords for everything. That way one website losing your data will not put all your other accounts at risk. Keep your systems updated, so you don’t get bitten by security holes that are years old. Ok, that was two pieces of advice. – Alexander Dietrich, senior security engineer, Automation
Read more of Alexander’s viewpoints in this "Ask GitLab Security" blog post.
Yes, okay, we slipped another recommendation for password management in there...but when something is so important (and simple to implement), it bears repeating.
Patch. Attackers will take advantage of security flaws to gain access to systems and devices, so make sure you install the latest patches. Most operating systems allow you to set them up to download and install patches and updates automatically, so you should do this. The same should apply to various applications - for example many web browsers can be set to download and install updates and upgrades. Software vendors frequently release patches and various upgrades, and these often contain security fixes. While less common, some vendors in the past have released “silent” security patches where it seems like a regular update but a security patch is slipped in without public notification. It is possible that a fix for a crash or some other flaw might have some security ramifications that the vendor is unaware they’ve actually corrected. So always patch. – Mark Loveless, senior security engineer, Security Research
See Mark’s ongoing Zero Trust blog series.
Advice: Avoid the FUD and adopt simple, secure practices into your everyday life.
Do not live and die by the headlines surrounding some evil hackers performing weird and mysterious digital sleight-of-hand and bringing destruction to all of humanity. The headlines are intended to not only get you to read the article but go to the online news site and generate revenue via ad impressions for the news site’s advertising, so they are often rather sensational. Yes you should patch and use strong unique passwords and multi-factor authentication. This fixes most problems. – Mark Loveless
You don’t have to be an industry-trained security expert to operate more safely and securely online. It comes down to some basic principles and incorporating more secure practices into your everyday life. Is everything you need to know included in the list above? No way. But, you can learn more about our [security best practices in our handbook](/handbook/security/).
Have a suggestion or tip that we missed? Please share so our community can benefit, and together we can grow more secure.