Securing GitHub Integrations

Track:DevSecOps
When:
Where:
Organizers
ParticipantsAbhinav Sejpal Abhinav Sejpal , Gabor Pek Gabor Pek
Remote ParticipantsArushit Mudgal Arushit Mudgal , Harmeet Singh Harmeet Singh , Madhu Akula Madhu Akula , Mohanish Mahajan Mohanish Mahajan , Mustaqiim Muhar Mustaqiim Muhar , Prakash Sharma Prakash Sharma , Sergio Issi Sergio Issi , Sophie Tonnoir Sophie Tonnoir , Sugumaran Uppili Sugumaran Uppili , Vandana Verma Vandana Verma

Why

This Working Session will examine the need for secure GitHub integrations.

As more and more services are integrated with GitHub, the public and private repos of different companies are being exposed to a much wider set of attackers and threats.

Currently, the GitHub security model does not allow the granularity required to control access (for example read-access to only one repo). This means that choices tend to be limited to either:

a) provide no access and no use of the 3rd party service (which ironically might provide a security service)

b) give the 3rd party service full access to public and private repos (i.e the 3rd party has full control to modify the code)

What

While we are using github as the platform for OWASP projects source code, we need to talk about the security of the code in order to provide integrity checks and other security controls needed.

Outcomes

  • Map out the various risks of the current granularity access
  • Reach out to Github with a request for comment

Who

The target audience for this Working Session is:

  • GitHub Security team and developers
  • 3rd party service providers: Travis, SNYK, Codiscope, Node Security, ….
  • GitHub corporate users with large (hundreds) numbers of GitHub repos

Note

Email exchange with GitHub on the topic of having multiple GitHub Accounts:

Since you don’t allow the control of which repos to expose to 3rd party services, the only choice we have (vs giving them full access to all public and private repos) is to create a separate account for those services.

Note that this is what is currently being recommended by those service providers, see for example https://twitter.com/snyksec/status/791922582584856577

It would be great if the GitHub Security team could work with organizations like OWASP and its community to find a way to improve the current situation (which doesn’t scale and is bound to back-fire when one of those service providers is compromised, exposing thousands of customers' private repos).

Working materials

Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the sessions)

Content

  • Github Risk
  • Github Integrations
  • Github Controls
  • Cheatsheets

Previous Summit Working Session

https://owaspsummit.org/Working-Sessions/DevSecOps/Securing-GitHub-Integrations.html

Register as participant

To register as participant add Securing GitHub Integrations to either:

  1. the sessions metadata field from your participant's page (find your participant page and look for the edit link).
  2. or the participants metadata field from this git session page


Back to list of all Working Sessions