In 1998, Christine Peterson coined the term “open-source software”. She explained that “it was a deliberate attempt to make this field of endeavor more understandable to new people and business”. It was also the year of the first “Open Source Summit” hosted by O’Reilly.
Open-source software refers to source code that anyone can inspect, modify, and enhance. Also the difference between “proprietary” or “closed source” software is that authors make their source code available to others who want to view it, copy it, learn from it, change it or use it. share.
Many people prefer to use open-source software for a variety of reasons. They have more control because they can examine the code. It is considered stable for long term projects because the projects follow open standards and will not disappear if their maintainers stop working on them. The community of users and developers is also important.
Open source is considered more secure than proprietary software because anyone can view and modify it. A contributor can see an error and make a pull request to propose some changes. Still, it comes with its own set of security challenges.
What is Supply Chain Attack?
A supply chain attack occurs when someone uses an external provider or a third party who has access to your organization’s data and systems to infiltrate your digital infrastructure. Supply chain attacks are varied, but we will focus on open-source supply chains.
With the open-source initiative anyone can contribute to the development of the project. Using this entry point, malicious actors program vulnerabilities into open-source solutions, making it easy to introduce new threats to companies that use the produced software, often through traversal or indirect dependencies. without going through.
Importance of Web Application Security
Web application security is a concept that covers a range of security controls embedded in web applications to protect their assets from potentially malicious actors. This includes leveraging secure development practices to detect security vulnerabilities in the project and its configuration, and implementing security measures throughout the software development lifecycle (SDLC).
The good news is that you can implement security within GitHub using a variety of applications and functions, whether it’s for a pet project you want to showcase during a job interview or if you’re the maintainer of an open-source project. This way you can provide your project with the same security as a proprietary project.
Section 1: GitHub Marketplace and GitGuardian App
What is GitHub Marketplace?
The GitHub Marketplace was first introduced in 2016 during the GitHub Universe. It is a place where developers can find integrations and apply them to their workflow.
How can you take advantage of safety tools to build basic plumbing and implement railings?
You can take advantage of the security applications and functions available on the GitHub Marketplace to secure your pipeline at each stage of your development.
A basic pipeline would include:
- One software architecture analysis Tools to focus on identifying open source in a codebase so that maintainers and contributors can manage their exposure to security and license compliance issues.
- One Tools to prevent the spread of secrets Which is the unwanted distribution of secrets such as API keys and credentials through multiple systems.
- One Tools to cover status code analysis Which is a method of debugging by examining the source code before running the program where it analyzes a set of code against a set of coding rules.
How to select relevant applications for your projects? What do you need to consider?
Choosing a tool, application or action will depend on your project or your team’s workflow. What kind of tech stack are you using? Are you deploying in Docker or using Kubernetes? How many stages are in your pipeline? Can you put a railing on every step?
You will find many tools and applications that can meet your needs. And the good news for OSS maintainers is that these applications are usually free for public repositories or OSS projects.
You can apply two tools to cover one step – for example, Snyk and Mend to scan your dependencies. Both tools will have their advantages and disadvantages in terms of coverage and will help you get a better view of your dependency on your project. If you think one device is better than another, you can still remove the one you don’t need.
Experiment and keep what’s best for your project!
Let’s take a look at the OWASP Zap Baseline Scan GitHub Action. This action scans a target URL for vulnerabilities and will feed it back to your project when you make a pull request.
When you consider implementing an action or application within your project, you will see a variety of information available on the project page. Has GitHub verified this action? In that case yes, it has a little blue tick next to a verified manufacturer. How many contributors are working on this project? How many stars did the project get? How many issues and pull requests?
Navigate to the GitHub repository and see how actively maintainers and contributors are working on the project. How well is it documented? Do they provide basic example usage like a simple YAML file to get started? Is it easy to implement? Would it fit your needs for your project in terms of programming languages?
Now let’s take a look at an example of an application git guardian, You can find it by typing it on the search bar of the Marketplace.
Navigating to the product page will give you more information. As a project maintainer, you will investigate the same requirements we described earlier with the OWASP action. We can see if GitHub has verified more information about the application, the number of installs, and the organization.
When you scroll to the bottom of the page, you will see the Pricing and Setup section. GitGuardian provides free monitoring of public repositories. Select the account you want to install it on and click “Install it for free”.
You can choose to install GitGuardian on all repositories or select certain repositories. We would recommend installing it on all repositories. This will give you visibility on all the projects you have done and if any credentials are publicly available.
Once this is done, repeat this process for each stage of your plumbing where you believe a safety railing can be applied.
Section 2: Managing Your Open Source Project
How does it work on GitHub?
When a contributor makes a pull request, it will trigger all the applications and actions you have implemented in your pipeline. Ideally, in the case of GitGuardian, you want the credentials not to be pushed to the source code and stopped before the pull request is raised on the contributor’s machine. You can implement GitGuardian Shield (ggshield) on your CLI with pre-commit git hook integration to add this extra railing and make sure no credentials are put in your source code.
When they don’t have ggshield set up, contributors pushing a secret on the repository will be alerted when a pull request is raised. On this dummy pull request, you can see some of the tools that are triggered during the process at the bottom of the PR. Depending on the application and functions, you may implement a widget within your PR.
You can require some of these tools on your main branch. To do this go to your projects settings and in Code & Automation, click on Branches. This is where you can add branch security rules by checking the required condition to pass before merging PRs.
How to get value from ChatOps
ChatOps is a collaboration model that combines people, tools, processes and automation into a transparent workflow. Using a free Slack account where you can discuss with your team of contributors, and having dedicated channels for specific tools will help you gain visibility into what’s going on in your projects. Monitoring and setting up alerts is an important part where developers can help get the information right.
Github Project: How You Can Leverage Boards to Follow Up on Security Actions
When working on an OSS project, you can take advantage of GitHub Projects to list all the tasks you need to work on for a specific feature. You can create labels and epics (milestones) to track progress or raise issues. Create a security label to track vulnerabilities in your project.
You can use automated projects or boards where cards will move according to the status of the pull request. It’s also a good way to show what features you’re working on and where you might need some help and contributors.
Display your project’s health with a label on the README file
If you want to attract more contributors to your project, don’t forget to display the health of your project using small labels or tags provided by these applications and action workflows, and put them in your README at the top of your project. add to file. You can learn more about badges in the GitHub documentation.
Section 3: Hardening your open source project
Adding a safety railing to every stage of your pipeline is great, but you can also harden your open-source project by implementing the following best practices.
- Enforce Least Privileges: Set the base permissions on the Member Privileges section to Unallowable so that they can only clone and pull public repositories. To give contributors additional access, the maintainer must add them to teams or make them collaborators in different repositories. Create teams, add users and assign them to specific repositories with specific permissions.
- Make 2FA mandatory for all maintainers and contributors. By the end of 2023, GitHub will require all users who contribute code to enable one or more forms of two-factor authentication.
- Protect your main branch: As mentioned above, make sure to protect your main branch to avoid accidental deletion by an maintainer.
- Enable Notifications and Alerts: Update the email address to be sure to receive notifications from your project.
- Add the Right License: An OSS license protects contributors and users. This is a good starting point if you’re not sure of the right license to use, and make sure you have LICENSE.md or LICENSE.txt in your archive.
- Review the list of applications, tools, and webhooks: If you are using multiple applications, tools, or webhooks for a stage in your pipeline, review whether it is still in place and remove any old or unused ones. Give.
- If you rely on GitHub Actions to build, test, and deploy your project, be sure to check your workflow configuration (you can use this GitHub Actions Security Best Practices cheat sheet).
Open-source components can be a vector for large-scale cyber attacks. We’ve seen this last year with a vulnerability in Apache Log4j, an open-source Java package used to support activity logging in many Java applications. While not all software written in Java is vulnerable, the affected package is widely used by developers and there are many applications and services that use this library. Big tech firms like Microsoft, VMWare, Amazon, IBM and others were affected.
Having visibility into your entire pipeline using different tools and railings is key to reducing your attack surface and we’ve seen that leveraging applications and functions from the GitHub Marketplace can help.
As maintainers and contributors, don’t hesitate to build a small pipeline for starters and experiment with some of these tools and harden your GitHub project for everyone who contributes.
Experiment but most importantly don’t push your keys on GitHub! ,