For several months now we had commented on several publications what we do about the psecurity problems that have arisen in GitHub and about the measures that they had planned to integrate into the platform to be able to counteract to a greater extent the security gaps that hackers took advantage of to access project repositories.
And now nowadays, GitHub disclosed that it will require that all users who contribute code to the platform enable one or more forms of two-factor authentication (2FA).
“GitHub is in a unique position here, simply because the vast majority of the open source communities and creators live on GitHub.com, we can make a significant positive impact on the security of the global ecosystem by raising the bar for information hygiene. security,” said Mike Hanley, GitHub's chief security officer (CSO). “We believe this is truly one of the best ecosystem-wide benefits we can offer, and we are committed to ensuring that any challenges or obstacles are overcome to ensure successful adoption. »
GitHub has announced that all users uploading code to the site will need to enable one or more forms of two-way two-factor authentication (2FA) by the end of 2023 in order to continue using the platform.
The new policy was announced in a blog post by GitHub Chief Security Officer (CSO) Mike Hanley, who highlighted the role of Microsoft's proprietary platform in protecting the integrity of the software development process from threats created by malicious actors taking control. of developer accounts.
Of course, the user experience of the developer is also taken into account, and Mike Hanley emphasizes that this requirement will not hurt you:
“GitHub is committed to ensuring that strong account security doesn't come at the expense of a great developer experience, and our end-2023 goal gives us the opportunity to optimize for that. As standards evolve, we will continue to actively explore new ways to securely authenticate users, including passwordless authentication. Developers around the world can look forward to more authentication and account recovery options, as well as
Although multi-factor authentication offers additional protection significant for online accounts, GitHub's internal research shows that only 16,5% of active users (about one in six) currently enable enhanced security measures in their accounts, a surprisingly low number given that the platform from the user base must be aware of the risks of password-only protection.
By directing these users to a higher minimum standard account protection, GitHub hopes to strengthen overall security of the software development community as a whole.
“In November 2021, GitHub committed to new investments in npm account security following the acquisition of npm packages as a result of the compromise of developer accounts without 2FA enabled. We continue to make improvements to npm account security and are also committed to protecting developer accounts through GitHub.
“Most security breaches are not the product of exotic zero-day attacks, but instead involve low-cost attacks such as social engineering, credential theft or leaks, and other avenues that give attackers a wide range of access to accounts of victims and the resources they use. have acces to. Compromised accounts can be used to steal private code or make malicious changes to that code. This exposes not only the people and organizations associated with the compromised accounts, but also all users of the affected code. As a result, the potential for downstream impact on the broader software ecosystem and supply chain is substantial.
An experiment already done with a fraction of a subset of GitHub platform users already set a precedent for requiring the use of 2FA with a smaller subset of platform users, having tested it with contributors to popular JavaScript libraries distributed with npm package management software.
Since widely used npm packages can be downloaded millions of times per week, they are a very attractive target for malware operators. In some cases, hackers compromised the accounts of npm contributors and used them to release software updates that were installed by password stealers and crypto miners.
In response, GitHub has made two-factor authentication mandatory for maintainers of the top 100 npm packages since February 2022. The company plans to extend the same requirements to contributors of the top 500 packages by the end of May.
In general terms, this means setting a long deadline to make the use of 2FA mandatory across the site and design a variety of onboarding flows to drive users toward adoption well before the 2024 deadline, Hanley said.
Securing open source software remains a pressing concern for the software industry, especially after last year's log4j vulnerability. But while GitHub's new policy will mitigate some threats, systemic challenges remain: Many open source software projects are still maintained by unpaid volunteers, and closing the funding gap is seen as a major issue for the tech industry as a whole.
Finally if you are interested in knowing more about it, you can check the details In the following link.