Git Security Pitfalls and How to Avoid Them
January 12, 2023

Dotan Nahum
Check Point Software Technologies

Ask any developer and most will agree that Git it is the most popular software version control (SVC) standard today. Just because it's the most popular, however, doesn't mean it's the most secure. Regardless of whether you're using GitLab, GitHub, or a locally hosted Git server each has its own security issues that can sneak up on you and start a wave of additional issues.

Keep in mind, Git is not built for security but for collaboration. It can be made secure through certain tools and best practices, but still requires caution. Self-hosting a Git server, for example, is a security issue, particularly if you lack experience in Git server configuration as there are simply too many opportunities to exploit a misconfigured or unpatched Git server by experienced hackers.

Even hosted Git services such as GitHub or GitLab offer limited security. Such services offer an easy-to-use interface with enhanced access controls. But convenience and ease-of-use can prove to be a hindrance and lead to complacency and human error. This especially true when code-commits are not properly screened by secret detection tools.

Not surprisingly, with so many companies relying on Git for code management, it has become a popular attack vector for hackers. History is littered with cautionary tales of poorly configured or insecure Git management.

What can you do to avoid repeating the Git security mistakes of others? Here are a few common Git security pitfalls and pointers to help you navigate them.

Hardcoded Sensitive Data

Developers understand the convenience of storing passwords, tokens, and authentication keys directly in the code where such credentials are used. It's difficult for them, however, to resist the temptation of saving them where they are easily accessible when issue pop up.

Hardcoded secrets are a terrible security practice that unfortunately plagues software development. Like most people, developers can be forgetful on occasion and share code that contains stored passwords. In such cases, long-forgotten secrets, still embedded in code, can leak and even get indexed on online search engines. Yes, it happens.

There is simply no good technical reason to use hardcoded authentication credentials. To avoid this, train developers to use secure coding practices. Simultaneously, ensure that security tools are integrated into the development process for the start that can monitor the development workflow.

Unsigned Commits

When committing code to a Git repository, you should be able to see the author who's committing the code. Unless the author used a GPG key to cryptographically sign the commit, it's impossible to trust what's there.
It may sound trifling for a developer with access to a repository to assign a code-commit they themselves performed to another developer on the project. But a disgruntled employee can do this to inject a backdoor into the code, thereby covering their tracks by assigning ownership of the code to another developer.

A similar exploit would be to assign a code commit to a manager of the project's development, hoping the new code would be integrated with less oversight.

When code commits are signed, a "verified" icon appears next to the commit log entry. This ensures every member of the project knows the code was committed by the true code author and was not tampered with in any way.

Unsecured Pipeline Configurations

A CD/CI pipeline that is not secure can lead to data leaks or secrets being put at risk by pull requests coming from forks of your repository, CD/CI VMs left operating unattended, or other processes.

Securing the pipeline requires holding secrets with very limited exposure. Beyond training developers to use proper security practices when storing secrets, it's a recommended best-practice to integrate tools or online services into the CD/CI pipeline to provide an extra layer of protection. This step is even more important when protecting extremely sensitive materials such as code-signing certificates.

Unpatched Software

Generally speaking, Git is used in combination with other applications to automate, secure, and provide analytics throughout the CD/CI pipeline. Hackers have evolved today are not limited to attacking a target directly. Instead, they have found it easier and worth more to execute a supply-chain attack on tools or services to upend multiple entities that use them.

To minimize exposure to supply chain attacks, it's critical to apply tool-chain software security patches as soon as they are released. And while you're at it, limit online service access to the minimum required for reliable operations and — it goes without saying but we'll say it anyway - perform regular backups.

Inaccurate Access Permissions

Poorly configured permissions can provide an access point to every Git repository on the server. In the case of one well-known automaker, the server automatically granted full access to anyone who just signed up for a developer account. More inconspicuous access permissions configuration errors may result in persons accessing data they are not authorized to in other cases.

When establishing access permissions, it's important to define access roles on a per-repository basis to ensure only developers with exact access credentials are allowed to interact with the repository.

Git security is not to be taken lightly. Losing source code or compromising intellectual data can prove disastrous and effectively level an organization. By applying some of the lessons here — along with the enforcement of security practices and policies — you can better assure that code will be more secure using Git in a production environment.

Dotan Nahum is Head of Developer-First Security at Check Point Software Technologies
Share this

Industry News

December 06, 2023

ngrok unveiled its JavaScript and Python SDKs, enabling developers to programmatically serve their applications and manage traffic by embedding ingress with a single line of code.

December 06, 2023

Data Theorem introduced API Attack Path Visualization capabilities for the protection of APIs and the software supply chain.

December 05, 2023

Security Journey announced support for WCAG, SCIM and continued compliance with SOC2 Type 2, which are leading industry standards.

December 05, 2023

Vercel announced a new suite of features for its Developer Experience (DX) Platform, made for enterprise teams with large codebases.

December 04, 2023

Atlassian Corporation has completed the acquisition of Loom, a video messaging platform that helps users communicate through instantly shareable videos.

December 04, 2023

Orca Security announced that the Orca Cloud Security Platform has achieved the Amazon Web Services (AWS) Built-in Competency.

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023 achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.