6 of the biggest GitHub application security threats

GitHub is the Megladon of source code hosts, and as such, it sports a gargantuan bulls-eye that flashes neon to hackers looking to poison the software supply chain.  

As of January 2023, the platform was the world’s biggest, with a reported 100+ million developers and 372+ repositories, including at least 28 million public repositories. That vast landscape of repositories was threatened by a recent impersonation attack, spotted in September, in which malicious pull requests and commits were disguised as Dependabot: a tool that helps to update dependencies on GitHub. 

“Users may tend to blindly trust and approve the requests, which end up stealing secrets and passwords,” warned Contrast Security Chief Information Security Officer David Lindner in his CISO Insights column of Sept. 29. “It’s just another reminder to pay close attention to any new requests to commit to your managed codebases.”

But the Dependabot attack was just one of multiple threats that have focused on GitHub. Other recent incidents:

• In November 2022, attackers stole code from Dropbox's GitHub repositories by phishing away a DropBox employee’s credentials to unlock 130 code repositories.
• In December 2022, a malicious Python package impersonated a software development kit for a popular security client.

GitHub isn’t the only code repository plastered with a bulls-eye. In July 2021, for example, a credentials-stealing code bomb using legitimate password-recovery tools in Google’s Chrome web browser was found lurking in the npm open-source code repository, waiting to be planted within the sprawling galaxy of apps that pull code from that source. 

In fact, a new report from Sonatype found that open-source software supply chain attacks tripled in a year: One in eight open-source downloads were found to have known risk, and 245,000 malicious packages were discovered — twice as much as all previous years combined. 

I spoke with Contrast CISO Dave to find out more about the GitHub code security threats that developers and organizations face, as well as the defensive measures they can implement to protect their code and data. Read on for our CISO’s advice. 

GitHub code security threats

1. Credential exposure

Analysis of logs showed that some victims of the Dependabot attack found that their accounts had been compromised with stolen PATs (personal access tokens). These tokens are stored locally on developers’ systems and can be used to log in to GitHub without the  need to go through two-factor authentication (2FA). While initial analysis didn’t reveal how those credentials were compromised, it could have been the result of a malware infection or installation of a malicious package. 

Unintentional exposure of credentials or personal information is, in fact, one of the most common security threats on GitHub. Developers sometimes inadvertently include application programming interface (API) keys, passwords and access tokens in their code repositories. Hackers actively scan GitHub repositories to find such information and exploit it to gain unauthorized access. 

“If you're not using fine-grained PATs, those tokens are usually provided with very broad access — more than what you really need,” Dave comments. “And they're easily lost. People, for whatever reason, commit them in code. Or they save them on an email. Or they put them in a document on their laptop. They save them because they need them, but PATs should be stored in password managers, or in some secrets-management tool that their owners may be using at the company they're working for.” 

Multiplying the risk of PAT loss is that their owners won’t necessarily detect that they’re gone, he explains. And the risks of PAT loss are intense: “It can result in code theft, or attackers committing code,” the CISO says. “Attackers can use all manner of code functionality: For example, they may be able to access a purchase functionality. Depending on what level of access the PAT has, an attacker may have access to everything. Some people just scope their PATs at the order level: In that case, if the PAT is compromised, it grants full-blown access to every single repo in that organization.”

Defensive measure: Fine-grained PATs 

Switching to GitHub's fine-grained PATs, which limit each user to specific permissions, can reduce risks in case of compromise. Introduced a year ago, these tokens draw from a set of over 50 granular permissions that control access to GitHub’s organization, user and repository APIs. Some of the benefits, as outlined by GitHub in October 2022: 

• Each permission can be granted on a “no access,” “read” or “read and write” basis. As an example, you can now create a PAT that can only read issues and do nothing else — not even read the contents of a repository.
• Fine-grained PATs expire. They also lack access to all the repositories a user can access. Instead, they only have access to the repositories or organizations to which they’re explicitly granted access. They can even be targeted at a single repository in an organization.

Defensive measure: Secrets management

To mitigate the threat, developers should also adopt robust secrets-management practices. Tools like GitHub Actions' Secrets and third-party solutions such as HashiCorp Vault can help store and manage sensitive data securely. At Contrast, we use an enterprise version of  TruffleHog: an open-source, secret-scanning tool that searches for credentials in code. The tool can sniff out GitHub tokens — or your precious, God-like AWS tokens, as another example — that someone may have committed to code, Dave notes. 

Defensive measure: Audits

Conduct regular audits of repositories for accidental exposure of secrets.

2. Malicious code injection

Malicious actors may attempt to inject code into repositories through pull requests or by exploiting vulnerabilities in third-party dependencies. This code injection can lead to various security issues, including data breaches, code execution and backdoor installations.

Defensive measure: Code review and dependency scanning

Code reviews are essential for identifying and preventing code injection. Automated tools like GitHub's built-in dependency scanning can help identify vulnerable dependencies and highlight potential security risks. Developers should also keep their dependencies up to date to minimize the risk of exploitation.

3. Cross-Site Scripting (XSS)

XSS attacks occur when an attacker injects malicious scripts into web applications viewed by other users. In the context of GitHub, XSS vulnerabilities can be introduced through issues, pull request comments or even the repository's README. These vulnerabilities can compromise user accounts and lead to unauthorized access.

Defensive measure: Input validation and sanitization

Developers should validate and sanitize user input to prevent XSS attacks. GitHub also provides security features like Content Security Policy (CSP) to mitigate the risk of such attacks. Additionally, regular security audits of issues and comments can help identify and remove malicious content.

4. Supply-chain attacks

Supply-chain attacks involve compromising the software supply chain to inject malicious code into the development process. GitHub's reliance on third-party libraries and dependencies makes it susceptible to such attacks. Attackers may target these dependencies, compromising the integrity of the entire project.

Defensive measure: Dependency verification

To guard against supply-chain attacks, developers should thoroughly vet and verify their dependencies. Implementing code signing, regularly checking for known vulnerabilities and monitoring the dependency tree for unexpected changes can help ensure the integrity of the supply chain.

5. Insider threats

While external threats are a significant concern, insider threats cannot be overlooked. Developers or employees with access to GitHub repositories may intentionally or inadvertently leak sensitive information or tamper with code.

Defensive measure: Access control and monitoring

Effective access control mechanisms should be in place to restrict access to sensitive repositories. Role-based access control (RBAC), 2FA and regular access audits can help prevent insider threats. Additionally, monitoring tools and anomaly detection systems can alert organizations to suspicious activities.

6. Unused accounts

Malicious actors target highly popular libraries that haven’t been used or updated for some time. They look to take over these “dead” libraries, trying to compromise the maintainer's accounts because of those neglected libraries, Dave says: “They make an update, and if no one's paying attention, it could have malicious code in it.” 

Defensive measure: Use Single Sign-On (SSO)

SSO solutions such as Okta enable removal of access to repos when employees leave.

GitHub code security best practices

In addition to addressing specific threats, there are several best practices that organizations and developers can adopt to enhance GitHub code security:

• Enable security features. GitHub provides various security features like dependency scanning, secret scanning and automated vulnerability alerts. Ensure that these features are enabled in your repositories to receive timely notifications about potential security risks.
• Regularly update dependencies. Keeping your project's dependencies up to date is crucial for security. Vulnerabilities in outdated libraries can be exploited by attackers. Automate the process of dependency management where possible to reduce the risk of overlooking updates.
• Implement strong authentication. Enforce strong authentication mechanisms like 2FA for all GitHub accounts. This extra layer of security can thwart unauthorized access attempts, even if credentials are compromised.
• Train developers. Educate your development team about security best practices and the risks associated with code repositories. Regular training sessions and awareness programs can help developers become more security-conscious.
• Conduct regular security audits. Regularly audit your repositories for potential security issues. This includes reviewing code for vulnerabilities, checking for exposed secrets, and assessing permissions and access controls.
• Incident response plan. Develop an incident response plan that outlines how your organization will respond to security incidents on GitHub. Having a well-defined plan can minimize the impact of a breach.
• Monitor for anomalies. Implement continuous monitoring and anomaly detection to identify unusual activities on your GitHub repositories. Unusual patterns of access or changes to code can be early indicators of a security breach.

Conclusion

GitHub application security threats are a grim reality that organizations and developers can’t ignore. By understanding these threats and implementing defensive measures and best practices, you can significantly reduce the risk of security breaches and protect your code, data and reputation. In today's digital age, code security is not a luxury; it’s a necessity. Ensuring that security is maintained throughout the software development life cycle (SDLC) entails securing GitHub and other code repositories: Their role is too pivotal to be overlooked. 

Related: 

• The top 8 AWS root user account best practices
• Contrast Security expands its GitHub security coverage with new SCA GitHub Action scan
• Kudos to GitHub for (gradually) chucking optional MFA out the window
• GitHub Actions Blog Series, Part 1: Pipeline Native Code Analysis
• GitHub Actions Blog Series, Part 2: Deploying with Amazon EKS
• GitHub Actions Blog Series, Part 3: Deploying with Microsoft AKS
• Understanding Software Supply Chain Risks and How to Mitigate Them
• Securing the software supply chain starts with a Software Bill of Materials (SBOM)
• President Biden’s Executive Cybersecurity Order: Secure the Software Supply Chain