October 3, 2022
GIT Open Source Code Benefits And Vulnerabilities
Git is the most popular and widely used source code management system today. Some of the core features include, but are not limited to the following:
- Support for non-linear development allowing developers to work on different parts of a project concurrently,
- Support for distributed development allowing multiple people to work on the same project (even the same file) at the same time, and
- Every change recorded by Git remains part of the project history and can be retrieved at a later date, so even if a mistake is made, the developer can revert to a point prior to change.
Git improves the software development process by helping developers collaborate on code with teammates; combining powerful features like commits and branches with specific principles and strategies helps teams organize code and reduce the time needed to manage versioning. Git is most commonly seen in GitHub and GitLab. GitHub is a cloud-based hosting service to manage Git repositories. GitHub must be integrated with the Continuous Integration/Continuous Delivery (CI/CD) tools of your choice. Examples may include Jenkins, CircleCI, or TravisCI. GitLab has CI/CD and DevOps workflows built-in.
Git is not built for security but for collaboration. As such, source code and confidential data (e.g. application architecture) can be compromised if security practices and policies are not consistently enforced.
Key vulnerabilities include:
- Hardcoded Sensitive Data
- Insecure Directories
- Unsigned Commits
- Inaccurate Access Permissions
- Unpatched Software and Servers
Below we’ll cover each of these topics to better understand the potential issues and how to address them.
Hardcoded Sensitive Data – Developers may store passwords, tokens, and authentication keys within code temporarily for testing purposes or to allow software to access privileged data or services automatically. Developers may also share code with passwords embedded for ease of use. Secure coding practices should be followed to test all code for security vulnerabilities.
Insecure Directories – Hackers will use URLs containing the Git directory command to access the metadata within a Git repository. Metadata often includes user login information (such as passwords) or customer data information. Publicly accessible Git directories can allow malicious actors to clone the repository then scan for secrets in the code. Directories can be checked for vulnerabilities by going to the application’s root directory and adding /.git to the URL. If no error is received then all folder contents can be accessed and retrieved.
Unsigned Commits – When committing code to a Git repository, you can easily verify that the author is committing the code. However, unless the author used a GPG key (Gnu Privacy Guard) key to cryptographically sign the commit, you have no guarantee who made the commit. Rejecting unsigned commits all together will ensure that only verified commits are allowed and the code is from trusted sources.
Inaccurate Access Permissions – Poorly configured permissions can provide an access point to every Git repository on the server. The repositories contain application code, Infrastructure as Code (IaC) and Git configuration rules to make it easier for developers to move their code down the CI/CD development pipeline. Access roles need to be defined on a per-repository basis to ensure only developers with valid access credentials are allowed to interact with the repository and each branch needed for their job role. Other safeguards including multi factor authentication (MFA), regular review of the list of collaborators for each repository and review of security logs should be considered.
Unpatched Software and Servers – Git is often used in combination with other tools or services to automate, secure, and provide analytics throughout the CD/CI pipeline. Security vulnerabilities for these unpatched versions and/or misconfigured or unpatched Git servers can be exploited by attackers to gain unauthorized access. Git should be patched with the latest security updates as soon as they are released.
Git usage will continue to grow. Development teams must meet the demands of rapid changes in the industry combined with increasing demand for new features. With all of the benefits that Git brings to an organization, there are also security concerns that should be considered. Implementing cybersecurity best practices to address the vulnerabilities covered above can help organizations effectively deal with potential security concerns.
Johnson Lambert’s consulting practice can evaluate the overall security posture of Git at your organization. Our efforts are aimed at improving your software development process to further provide value in your company.
If you have any additional questions, please reach out to Greg Daniel, Principal.