Last week, GitHub made a series of announcements at GitHub Satellite, including some great news around code scanning and increased security for their platform. We love to see this because the more companies that use GitHub (and GitLab and Bitbucket), the better for the industry, and the more value BluBracket can provide on top of these platforms. And while GitHub has many useful security features, especially around open source projects, GitHub security is not enough for most large companies that value their code. Why?
GitHub’s Open Source Roots
Customers who rely on GitHub for code security, even the enterprise level version of GitHub, are exposed to numerous vulnerabilities—not by any fault of GitHub, but rather because GitHub was built and rolled out for open source projects, only later adding features for the enterprise. That means the protocol and product are designed for code proliferation and sharing by default. It’s not instrumented to give security teams insight into developer actions and security vulnerabilities.
Here is a summary of why GitHub security isn’t enough:
- GitHub doesn’t track or expose code on developer endpoints (workstations, VMs, etc.). The number one code exfiltration vector is the developer endpoint, not the repository. Git providers such as GitHub, Bitbucket and GitLab are doing nothing about clones and copies of code on developer machines. We are.
- Since Git is a distributed source control system, users download all code in the repository to their end machine. This equals code proliferation. Security teams have no visibility or control over where their valuable code has been downloaded. And as we have seen, unprotected machines can be easily hacked or simply lost track of.
- GitHub’s DNA is in open source, so its tooling and focus are on developers in public projects. It wasn’t built for security teams or DevSecOps teams; it was built for open source developers, whom it serves very well.
- GitHub covers GitHub, which means if your company uses multiple Git providers (most large companies do), you are out of luck. BluBracket takes a holistic approach to enterprise security, which means it lets you view all of your code actions, vulnerabilities and alerts from all Git providers in a single pane of glass.
- GitHub doesn’t focus on or alert on developer actions. For instance, you may want to be alerted if a core developer is pushing code from a private repository to open source, or changing the repo’s designation to public.
- GitHub has no way to fingerprint your important code and then discover it in public repositories, wherever that may be, or tell you which secrets detected in your private enterprise have also been leaked into open source. Many companies have been surprised to learn how much of their proprietary source code has made its way to the public domain. Developers frequently re-use and push code developed for the company to open source or other public repositories. This can give hackers a way to access your protected infrastructure.
- GitHub doesn’t have code classification. To do security effectively, you have to determine the signal vs noise. Enterprises need a tool to classify code by importance to the business, and have all permissions, alerts and security policies follow that classification.
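The "developer actions" bullet above (a private repository switched to public, or code from a private repository pushed to open source) can be turned into concrete detection rules. The following is an added example and is not BluBracket's or GitHub's code; it uses the documented GitHub webhook payload fields (`repository` event with action `publicized`, and the `push` event's `repository.private` and `commits[].id`), and assumes an index of commit SHAs known from the company's private repositories. That index and all webhook payloads below are constructed sample data.

```python
"""Added example, not BluBracket's or GitHub's code: alert on the developer
actions named above, using GitHub's documented webhook payloads (the
'repository' event with action 'publicized', and the 'push' event).
The private-commit index and all payloads are constructed sample data."""

# Constructed: SHAs of commits that exist in the company's private repos.
# A real deployment would build this index from the private Git history.
PRIVATE_COMMITS = {
    "9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b",
    "1111222233334444555566667777888899990000",
}


def triage_event(event_name, payload, private_commits=PRIVATE_COMMITS):
    """Return a list of alert dicts for one webhook delivery.

    event_name is the X-GitHub-Event header value; payload is the parsed
    JSON body. Each alert carries a rule id, the repo and the actor so a
    SIEM can route it according to the repository's classification.
    """
    alerts = []
    repo = payload.get("repository") or {}
    full_name = repo.get("full_name", "<unknown>")

    # Rule 1: a repository's visibility changed from private to public.
    if event_name == "repository" and payload.get("action") == "publicized":
        alerts.append({
            "rule": "repo_publicized",
            "repo": full_name,
            "actor": (payload.get("sender") or {}).get("login"),
            "detail": "repository visibility changed to public",
        })

    # Rule 2: a push to a *public* repository carries commits that are
    # already known from private repositories, i.e. company code moving out.
    if event_name == "push" and repo.get("private") is False:
        leaked = [c.get("id") for c in payload.get("commits", [])
                  if c.get("id") in private_commits]
        if leaked:
            alerts.append({
                "rule": "private_commits_pushed_public",
                "repo": full_name,
                "actor": (payload.get("pusher") or {}).get("name"),
                "detail": f"{len(leaked)} commit(s) also present in private repos",
                "commits": leaked,
            })
    return alerts


# Constructed sample deliveries (shape follows the GitHub webhook docs).
PUBLICIZED_EVENT = {
    "action": "publicized",
    "repository": {"full_name": "acme/billing-core", "private": False},
    "sender": {"login": "jdoe"},
}
LEAKY_PUSH = {
    "ref": "refs/heads/main",
    "repository": {"full_name": "jdoe/side-project", "private": False},
    "pusher": {"name": "jdoe"},
    "commits": [
        {"id": "9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b"},
        {"id": "abababababababababababababababababababab"},
    ],
}
INTERNAL_PUSH = {
    "ref": "refs/heads/main",
    "repository": {"full_name": "acme/billing-core", "private": True},
    "pusher": {"name": "jdoe"},
    "commits": [{"id": "9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b"}],
}

if __name__ == "__main__":
    for name, body in (("repository", PUBLICIZED_EVENT),
                       ("push", LEAKY_PUSH), ("push", INTERNAL_PUSH)):
        for alert in triage_event(name, body):
            print(alert["rule"], alert["repo"], alert["actor"], alert["detail"])
```

The push rule keys on commit SHAs rather than file contents, so it fires even when the developer pushes to a personal public repository the company does not own; that is exactly the case where the Git provider's own repository-scoped controls have nothing to see.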
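The fingerprinting bullet above (find your proprietary code in public repositories, and tell which secrets known from private repositories have also leaked) can be illustrated with a small winnowing-style fingerprint. This is an added example, not BluBracket's code or its actual algorithm: it tokenizes source, hashes every k-token window so formatting changes do not matter, and keeps the minimum hash of each sliding window of w hashes, so a candidate public file can be scored for how much of a proprietary file it contains. The secret check compares hashes only, so the inventory never stores plaintext secrets. All source texts and the secret inventory are constructed.

```python
"""Added example, not BluBracket's code: a winnowing-style fingerprint of
proprietary source that is checked against a file found in a public repo,
plus a check of whether secrets known from private repos reappear there.
All source texts and the secret inventory below are constructed."""
import hashlib
import re

# Identifiers, numbers, or single punctuation characters.
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")


def fingerprints(source, k=5, w=4):
    """Return a set of fingerprints for one source text.

    Hash every k-token window (whitespace and layout are ignored), then keep
    the minimum hash of each w-sized sliding window of hashes. That is the
    winnowing selection: any shared run of k+w-1 tokens guarantees at least
    one shared fingerprint, while the set stays much smaller than all grams.
    """
    tokens = TOKEN_RE.findall(source)
    if len(tokens) < k:
        return set()
    grams = [hashlib.sha256(" ".join(tokens[i:i + k]).encode()).hexdigest()[:16]
             for i in range(len(tokens) - k + 1)]
    if len(grams) <= w:
        return set(grams)
    return {min(grams[i:i + w]) for i in range(len(grams) - w + 1)}


def leaked_fraction(proprietary_source, candidate_source):
    """Share of the proprietary file's fingerprints found in the candidate.
    1.0 means the candidate contains the proprietary code in full."""
    ours = fingerprints(proprietary_source)
    if not ours:
        return 0.0
    return len(ours & fingerprints(candidate_source)) / len(ours)


# Secret correlation. The private inventory holds only SHA-256 hashes of
# secrets already found in private repos, never the plaintext.
SECRET_RE = re.compile(
    r"(?:api[_-]?key|token|secret)\s*=\s*['\"]([^'\"]{8,})['\"]", re.I)


def secret_hash(value):
    return hashlib.sha256(value.encode()).hexdigest()


def leaked_secrets(private_inventory, candidate_source):
    """Return inventory hashes whose plaintext appears in the candidate."""
    found = {secret_hash(m.group(1)) for m in SECRET_RE.finditer(candidate_source)}
    return sorted(found & private_inventory)


# Constructed samples: a proprietary helper, a public file that embeds it
# (with different layout, an import and a leaked key), and unrelated code.
PROPRIETARY = '''
def rotate_key(vault, name):
    old = vault.get(name)
    new = vault.generate(len(old))
    vault.put(name, new)
    return old
'''
PUBLIC_COPY = '''
import vaultlib

API_KEY = "CONSTRUCTED-EXAMPLE-KEY-0001"

def rotate_key(vault,name):
  old=vault.get(name)
  new=vault.generate(len(old))
  vault.put(name,new)
  return old

if __name__ == "__main__":
    print(rotate_key(vaultlib.Vault(API_KEY), "db"))
'''
UNRELATED = '''
class Counter:
    def __init__(self):
        self.total = 0

    def add(self, n):
        self.total += n
        return self.total
'''
PRIVATE_SECRETS = {secret_hash("CONSTRUCTED-EXAMPLE-KEY-0001")}

if __name__ == "__main__":
    for label, text in (("public copy", PUBLIC_COPY), ("unrelated", UNRELATED)):
        print(label, "code overlap:", leaked_fraction(PROPRIETARY, text),
              "leaked secrets:", len(leaked_secrets(PRIVATE_SECRETS, text)))
```

Because the proprietary function appears as one contiguous token run inside the public file, every fingerprint selected for the proprietary file is also selected for the public file, so the score is exactly 1.0 regardless of the reformatting; the unrelated file shares no five-token window and scores 0.0. In practice the proprietary side would be indexed once (per repository, by classification) and candidate public files compared against that index.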
Comprehensive Code Security
BluBracket is the industry’s only comprehensive security solution for code, securing every major Git-based solution including GitHub, Bitbucket and GitLab. Unlike GitHub, BluBracket analyzes developer behavior and Docker containers for vulnerabilities. It allows you to set and then enforce your security policies across all Git repos, regardless of which cloud or on-premises solution you choose.
We believe Git and GitHub in particular are industry-changing services that have driven massive gains in innovation and collaboration. We are thrilled to offer advanced security solutions on top of these platforms for companies who understand the risk now inherent in code sharing sites.