Version Control Security

Version control security - DevSecOps

This series of articles aims to identify the best practices to implement in order to secure your delivery process and your CI/CD pipelines:

0. DevSecOps & CI/CD Pipelines: understand the fundamentals.
1. Version Control System Security
2. Secure Continuous Integration (CI) Pipelines
3. Secure Continuous Delivery (CD) Pipelines

By Gologic with the collaboration of Alexandre Couëdelo.

The version control software GIT is at the heart of most software supply chain, with a key role in deployment processes. Many companies rely on SaaS platforms such as Azure DevOps, GitHub, or GitLab as their providers since they provide a whole ecosystem of tools, including CI/CD pipelines. The version control system (VCS) plays a pivotal role in saving code changes and preserving historical versions of those changes throughout the life of a project.

Moreover, version control systems are progressively employed as a configuration management system for the long-term management of applications and infrastructure components. This is primarily achieved through the GitOps approach, underscoring their expanding role in the systematic configuration and maintenance of software environments.

Certainly, in addition to version control security, Gologic offers comprehensive DevOps services. Our DevOps solutions seamlessly integrate with version control systems like GIT and ensure efficient CI/CD pipelines, enhancing your software development and deployment processes.

This article will review how you can protect your version control system. We will first look at the risk involved and how to secure individual repositories.

Evaluating the risk

As a result, most of the development process is centred around Git, making it a critical system you want to protect and adopt best security practices. When talking about security, it is essential first to have a look at what we are afraid of (aka. risk); in the case of version control systems, we have two cases to consider:

  1. Unauthorized access: when an external user is able to download or see the code source saved in the version control system. Code leaks can lead to attackers studying your system from the inside and preparing the next move, or if they are lucky, they may find hardcoded sensitive data (secrets or user data)
  2. Unauthorized write: when an external user is able to alter the code source saved in the version control system. This is a significant issue, as the attacker may inject malware directly in your production system. Ensuring the integrity of the code and the correct version control system is paramount in preventing such security breaches

In the next sections, we will discuss mitigating the two risks identified above.

Version control security representation

Repository Access

The first step is adequately setting repository access rights, defining who can access the repository and seeing the code. Then, you need to put in place contribution rules. Most development teams adopting continuous delivery need to protect their main branch (the one that is automatically deployed to production):

  • Enforcing contributions via pull requests
  • Enforcing a minimum number of human reviewer
  • Enforcing automated validation (that we will discuss in detail in a future article)

💡 Branch Protection and Policy with Azure DevOps

In the case of Azure DevOps, you should consider using the following features:

  1. Require a minimum number of reviewers: A certain number of reviewers must approve a pull request before it can be merged
  2. Build validation: Trigger a build pipeline to check if the code compiles successfully and passes tests before allowing the merge
  3. Required status checks: You can specify that certain status checks (Gates), like code analysis or security scanning, must pass before a pull request can be merged

Developer Identification

Once the permissions are correctly set, you must ensure that a cyber attacker can’t impersonate your developer. The risk of developers leaking passwords of private SSH keys is natural, and best practices must be followed.

Developer Credentials

Access to a Git repository can be achieved via HTTPS+Password or SSH. SSH is usually considered more secure, as the key is much more complex than user passwords. Common sense would recommend rotating the SSH key frequently and using passphrases.

The passphrase prevents someone from stealing and using it, as they also need to know the passphrase. You will be prompted to enter your passphrase the first time you use your key, and then it will be remembered by your SSH agent until you restart your laptop.

An alternative solution is to use a “smart” password manager that manages the SSH for you. They will save the key in your vault, provide it to the SSH Agent when needed, and never write the key to the disk, making it very hard to steal.

Developer Identity

The identity of the user (corporate email and full name) should be defined .gitconfig. This results in the commit must be associated with the correct user. However, it is easy to add anyone as the author of a commit. Therefore, commit signing with SSH or GPG key is highly recommended. This additional security is already widespread in GitHub and GitLab, and we hope to see it adopted in Azure DevOps in the future.

💡 Developer Authentication on Azure DevOps

Using the SSH key authentication method only requires two extra steps for better security. Worth, it?

  • Generate SSH Key Pair: If you don’t already have an SSH key pair, generate one on your local machine using the ssh-keygen utility
  • Add the Public Key to Your Azure DevOps Account: Go to your Azure DevOps account. Click on your profile picture in the top-right corner and select “Security.” Under “SSH public keys,” click “Add” and paste the public key

Conclusion

Protecting your version control system is critical to the security of your software supply chain. After all, it is the starting point and the source of truth for most of your continuous delivery system.

To safeguard your code source, it’s crucial to implement measures against unauthorized access or tampering. Ensuring developers adhere to the best practices for accessing repositories is the key, along with properly configuring protection for contributions, like mandated reviewers and automated validation for all pull requests. These steps not only enhance security but also promote efficient collaboration among team members.

However, securing your version control system is just one aspect of securing your overall software development process. For a comprehensive approach to software security and to learn more about how Gologic can assist you in fortifying your software supply chain, please don’t hesitate to get in touch with our expert team. Our next article will discuss the best practices regarding security and continuous integration systems.

By Gologic with the collaboration of Alexandre Couëdelo.

Suivez-nous et partagez

Leave a Reply