Why GitHub Security Isn’t Enough.

Last week, GitHub made a series of announcements at GitHub Satellite, including some great news around code scanning and increased security for their platform. We love to see this: the more companies that use GitHub (and GitLab and Bitbucket), the better for the industry, and the more value BluBracket can provide on top of these platforms. But while GitHub has many useful security features, especially for open source projects, GitHub security alone is not enough for most large companies that value their code. Why?

GitHub’s Open Source Roots

Customers who rely on GitHub alone for code security, even GitHub Enterprise, are exposed to numerous risks. That is not a fault of GitHub: it was built and rolled out for open source projects, and enterprise features were added only later. The protocol and the product are therefore designed for code proliferation and sharing by default. They are not instrumented to give security teams insight into developer actions and security vulnerabilities.

Here is a summary of why GitHub security isn’t enough:

  • GitHub doesn’t track or expose code on developer endpoints (workstations, VMs, etc.). The number one code exfiltration vector is the developer endpoint, not the repository. Git providers such as GitHub, Bitbucket and GitLab are doing nothing about clones and copies of code on developer machines. We are.
  • Since Git is a distributed version control system, every clone copies the entire repository, history included, onto the developer’s machine. This is code proliferation by design. Security teams have no visibility into or control over where their valuable code has been downloaded, and as we have seen, unprotected machines are easily compromised or simply lost track of.
  • GitHub’s DNA is in open source, so its tooling and focus are on developers in public projects. It wasn’t built for security teams or DevSecOps teams; it was built for open source developers, whom it serves very well.
  • GitHub covers GitHub, which means that if your company uses multiple Git providers (most large companies do) you are out of luck. BluBracket takes a holistic approach to enterprise security: you can view all of your code actions, vulnerabilities and alerts from every Git provider in a single pane of glass.
  • GitHub doesn’t focus on alerting on developer actions. For instance, you may want to be alerted when a core developer pushes code from a private repository to a public one, or changes a repository’s visibility from private to public.
  • GitHub has no way to fingerprint your important code and then discover it in public repositories, wherever they may be, or to tell you which secrets detected in your private enterprise code have also leaked into open source. Many companies have been surprised to learn how much of their proprietary source code has made its way into the public domain. Developers frequently reuse code developed for the company and push it to open source or other public repositories. When that code carries credentials or details of internal systems, it can give attackers a way into your protected infrastructure.
  • GitHub doesn’t have code classification. To do security effectively, you have to separate signal from noise. Enterprises need a tool that classifies code by its importance to the business and makes all permissions, alerts and security policies follow that classification.
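The developer-action alerts described above (a repository flipped from private to public, a new public repository, a push to a public repository) can be built from GitHub’s webhook deliveries. The following is an added example for this post, not BluBracket or GitHub code. It uses GitHub’s real webhook event names (the `repository` event with its `publicized` and `created` actions, and the `push` event) and real payload fields (`repository.private`, `repository.full_name`, `sender.login`, `commits`); the sample deliveries are constructed for the demo, and `CORE_DEVELOPERS` is an assumed list of people whose pushes warrant a higher severity.

```python
"""Detection over GitHub webhook deliveries for risky developer actions:
a repository switched from private to public, a new public repository,
and a push to a public repository.

Added example, not BluBracket or GitHub code. Event names and payload
fields are GitHub's real ones; the sample deliveries are constructed and
CORE_DEVELOPERS is an assumption.
"""
import json
from dataclasses import dataclass

# Assumption: developers with broad access to proprietary code.
CORE_DEVELOPERS = {"alice"}


@dataclass
class Alert:
    severity: str   # "high" or "medium"
    rule: str       # which detection fired
    repo: str       # owner/name of the repository
    actor: str      # GitHub login that performed the action
    detail: str


def evaluate_event(event_name: str, payload: dict) -> list[Alert]:
    """Return the alerts one webhook delivery should raise.

    event_name is the X-GitHub-Event header value; payload is the decoded
    JSON body of the delivery.
    """
    repo = payload.get("repository") or {}
    full_name = repo.get("full_name", "<unknown>")
    actor = (payload.get("sender") or {}).get("login", "<unknown>")
    is_public = repo.get("private") is False
    alerts: list[Alert] = []

    if event_name == "repository":
        action = payload.get("action")
        if action == "publicized":
            alerts.append(Alert("high", "repo_publicized", full_name, actor,
                                "repository visibility changed from private to public"))
        elif action == "created" and is_public:
            alerts.append(Alert("medium", "public_repo_created", full_name, actor,
                                "new repository created with public visibility"))

    elif event_name == "push" and is_public:
        commits = payload.get("commits") or []
        severity = "high" if actor in CORE_DEVELOPERS else "medium"
        alerts.append(Alert(severity, "push_to_public_repo", full_name, actor,
                            f"{len(commits)} commit(s) pushed to a public repository"))

    return alerts


def evaluate_deliveries(deliveries: list[tuple[str, str]]) -> list[Alert]:
    """Evaluate (event_name, raw_json_body) pairs as they arrive from GitHub."""
    alerts: list[Alert] = []
    for event_name, body in deliveries:
        alerts.extend(evaluate_event(event_name, json.loads(body)))
    return alerts


# Constructed sample deliveries, trimmed to the fields the rules read.
SAMPLE_DELIVERIES = [
    ("repository", json.dumps({
        "action": "publicized",
        "repository": {"full_name": "acme/billing-service", "private": False},
        "sender": {"login": "alice"},
    })),
    ("push", json.dumps({
        "ref": "refs/heads/main",
        "repository": {"full_name": "acme/public-sdk", "private": False},
        "sender": {"login": "alice"},
        "commits": [{"id": "0" * 40, "message": "add deploy helper"}],
    })),
    ("push", json.dumps({  # push to a private repo: no alert
        "ref": "refs/heads/main",
        "repository": {"full_name": "acme/billing-service", "private": True},
        "sender": {"login": "bob"},
        "commits": [{"id": "1" * 40, "message": "fix typo"}],
    })),
    ("repository", json.dumps({
        "action": "created",
        "repository": {"full_name": "acme/scratch", "private": False},
        "sender": {"login": "carol"},
    })),
]

if __name__ == "__main__":
    for a in evaluate_deliveries(SAMPLE_DELIVERIES):
        print(f"[{a.severity}] {a.rule}: {a.repo} by {a.actor}: {a.detail}")
```

One caveat that matches the post’s point: an organization webhook only sees repositories owned by that organization. A developer pushing company code to a repository under their personal account never produces a delivery here, which is exactly the endpoint-side gap the bullets above describe.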
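The fingerprinting bullet above, telling you which secrets found in private code have also turned up in public code, is also something that can be shown concretely. The following is an added example for this post and not BluBracket’s code: it detects a small, illustrative set of secret patterns, stores only a keyed hash (HMAC-SHA256) of each private secret, and then matches public scan results against that store. The sample files, repository names and HMAC key are constructed for the demo; the AWS key value is the placeholder AWS uses in its own documentation.

```python
"""Fingerprint secrets found in private code, then report which of them
appear in public code, without the comparison store holding the secrets.

Added example, not BluBracket's code. The patterns are an illustrative
subset; sample files, paths and DEMO_KEY are constructed for the demo.
"""
import hashlib
import hmac
import re

# Illustrative detectors. Real scanners use many more patterns plus entropy checks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)password\s*=\s*['\"]([^'\"]{8,})['\"]"),
}


def find_secrets(source: str) -> list[tuple[str, str, int]]:
    """Return (kind, secret_value, line_number) for every pattern hit in source."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group report the group, others the whole match.
                hits.append((kind, m.group(m.lastindex or 0), line_no))
    return hits


def fingerprint(secret: str, key: bytes) -> str:
    """Keyed hash of the secret. Only this is stored, so a leaked fingerprint
    store cannot be used to guess secrets offline without the key."""
    return hmac.new(key, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def build_private_index(files: dict[str, str], key: bytes) -> dict[str, list[tuple[str, str, int]]]:
    """Map fingerprint -> [(kind, path, line)] for every secret in private code."""
    index: dict[str, list[tuple[str, str, int]]] = {}
    for path, source in files.items():
        for kind, value, line_no in find_secrets(source):
            index.setdefault(fingerprint(value, key), []).append((kind, path, line_no))
    return index


def find_leaks(public_files: dict[str, str], index: dict, key: bytes) -> list[dict]:
    """Scan public code and report secrets whose fingerprint is in the private index."""
    leaks = []
    for path, source in public_files.items():
        for kind, value, line_no in find_secrets(source):
            for _priv_kind, priv_path, priv_line in index.get(fingerprint(value, key), []):
                leaks.append({
                    "kind": kind,
                    "private_location": f"{priv_path}:{priv_line}",
                    "public_location": f"{path}:{line_no}",
                })
    return leaks


# Constructed demo data. The real key belongs in a vault, never in code.
DEMO_KEY = b"demo-only-key"

PRIVATE_FILES = {
    "internal/deploy.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n'
    ),
    "internal/db.py": 'db_password = "Tr0ub4dor&3-internal"\n',
}

PUBLIC_FILES = {
    "github.com/someone/helper-scripts/config.py": (
        "# copied from our deploy tooling\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'password = "changeme-public"\n'   # a different secret: not a leak of ours
    ),
    "github.com/someone/notes/README.md": "Nothing sensitive here.\n",
}


def run_demo() -> list[dict]:
    index = build_private_index(PRIVATE_FILES, DEMO_KEY)
    return find_leaks(PUBLIC_FILES, index, DEMO_KEY)


if __name__ == "__main__":
    for leak in run_demo():
        print(f"{leak['kind']}: {leak['private_location']} -> {leak['public_location']}")
```

The keyed hash is the design choice worth noting: a plain SHA-256 of a low-entropy password could be brute-forced from the fingerprint store alone, whereas with HMAC an attacker also needs the key. Keep the key out of the repositories you are scanning, and treat a match as a live credential to rotate, not just a finding to file.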

Comprehensive Code Security

BluBracket is the industry’s only comprehensive security solution for code, securing every major Git-based platform including GitHub, Bitbucket and GitLab. Unlike GitHub, BluBracket analyzes developer behavior and Docker containers for vulnerabilities. It allows you to set and then enforce your security policies across all Git repositories, regardless of which cloud or on-premises solution you choose.

We believe Git and GitHub in particular are industry-changing services that have driven massive gains in innovation and collaboration. We are thrilled to offer advanced security solutions on top of these platforms for companies who understand the risk now inherent in code sharing sites. 

Learn more about BluBracket’s Code Security Products or contact us for a free Code Security Audit Report


BluBracket named to Top 10 Start-Up List

CRN magazine chose BluBracket as a top 10 start-up.


Hacker gains access to Microsoft’s private GitHub repos

“A hacker has gained access to a Microsoft employee’s GitHub account and has downloaded some of the company’s private GitHub repositories.

The intrusion is believed to have taken place in March, and came to light this week when the hacker announced plans to publish some of the stolen projects on a hacking forum.”

Read the full article.


BluBracket Founders’ Story

Curious about how BluBracket came into existence? Our founders have started three companies together, and BluBracket was born from customers asking about code security. Read the classic Silicon Valley story in this founders spotlight from Unusual Ventures.


BluBracket featured in Silicon Valley Business Journal

The venerable Silicon Valley Business Journal profiled BluBracket and our Git security solution. And they grabbed an impressive picture of our CEO in our Palo Alto office.


Code security in action at the RSA Innovation Sandbox

BluBracket was named a finalist in the prestigious RSA Innovation Sandbox. This week we presented our story and why the time is now to get serious about code security. You can view founder Ajay Arora in action and hear the questions directly from the judges. View Now

It’s time to get serious about code security.

In a digital economy, is there any more valuable asset than code? More and more critical information lives in source code, and with machine learning models and AI that share only grows, making code even harder to replace.

Yet incredibly, if you ask a CIO, CTO or CISO simple questions such as

  • Where is their code?
  • Who has access to it?
  • Where did it come from? 

they can’t tell you. They can quickly report how many printers they have and who prints at which location, but code gets little visibility, access control or monitoring. It’s like putting a world-class alarm system around your shed and leaving your mansion’s doors wide open.

Just this month we saw code-related problems all over the news, from the Iowa caucus app to malware hosted on Bitbucket.

Starbucks, Amazon, Uber, Capital One and many more have had high-profile security incidents involving code or credentials on GitHub.

Software drives everything from elections to nuclear submarines, but we don’t know where code is, where it came from, what secrets live in it and who has access to it. And it can be shared publicly with one click. 

This puts us all at risk. And that’s why we founded BluBracket.

Read more from our CEO Prakash Linga in his op-ed on LinkedIn.