Herding the Octocats - Getting Control of GitHub

Mike Grima, Senior Cloud Security Engineer @ Netflix

06/30/2016


Background and Overview

● Netflix uses public GitHub.com for various purposes:
  ○ Open Source
  ○ Collaboration with outside partners
  ○ Developer ease and preference
  ○ GitHub Flow

● Organizations

● Public AND Private repositories


Security Challenges using GitHub.com

● Identity and User Administration

● Organization Management & Permissions Model

● 3rd Party Tools

● Sensitive Data Leakage


Serious question: How many GitHub Orgs do you have?


IDENTITY & ACCESS MANAGEMENT


Exactly ‘who’ is using your GitHub orgs?

● GitHub is a public service; it uses its own identity system
  ○ Bring your own account

● The customer of GitHub is YOU, the developer

● Name, email, workplace, etc. are optional fields


Identifying GitHub Users is…

… A challenge without some tooling...

● You will need a source of truth for your employees.
  ○ APIs FTW!
  ○ You will store GitHub IDs here

● Scripts to associate an employee with a GitHub ID
  ○ Who is an employee and who isn’t
  ○ Can automate removals
  ○ Assist with 2FA enforcement

Association Strategies

● Making guesses based on GitHub attributes
  ○ Username
  ○ Email
  ○ Workplace
  ○ Etc.
  ○ Hard to automate all cases -- some may be left behind
  ○ One time task; once it’s done, it’s done


2-Factor Authentication Enforcement

● GitHub supports 2FA -- but provides no enforcement mechanism
  ○ Users must already be org members to check 2FA

● I wrote scripts to boot employees from our orgs if they don’t enable it within 7 days
  ○ GiiitOut -- Python scripts that are CRON’d up
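An added sketch of the grace-period process this slide describes (my illustration, not the GiiitOut scripts themselves): the live call uses GitHub's real `filter=2fa_disabled` members endpoint, while the decision logic runs offline on constructed data. The state file of "first seen without 2FA" dates and the employee-mapping shape are assumptions.

```python
import json
import urllib.request
from datetime import date, timedelta

GRACE_DAYS = 7  # the talk's window: enable 2FA within 7 days or get booted

def fetch_logins_without_2fa(org, token):
    """Live call, not run offline: GET /orgs/{org}/members?filter=2fa_disabled
    lists members with 2FA off. Needs an org Owner token, which is the job the
    talk gives to a dedicated bot user rather than a human Owner."""
    url = f"https://api.github.com/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    req = urllib.request.Request(url, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github.v3+json"})
    with urllib.request.urlopen(req) as resp:
        return [member["login"] for member in json.load(resp)]

def plan_enforcement(no_2fa_logins, first_seen, employees, today):
    """Map the current no-2FA list to actions: "warn", "remove" or "review".
    first_seen: {login: date} first caught without 2FA (assumed state file kept
    between cron runs); employees: {github_login: employee_id} from the source
    of truth. "review" means the mapping cannot place the login, so a human
    decides instead of the script. Returns (actions, updated first_seen)."""
    actions, state = {}, dict(first_seen)
    for login in no_2fa_logins:
        if login not in employees:
            actions[login] = "review"
            continue
        started = state.setdefault(login, today)  # clock starts at first sighting
        if today - started >= timedelta(days=GRACE_DAYS):
            actions[login] = "remove"  # grace over: DELETE /orgs/{org}/members/{login}
        else:
            actions[login] = "warn"
    for login in list(state):  # 2FA turned on since last run: reset their clock
        if login not in no_2fa_logins:
            del state[login]
    return actions, state

# Constructed sample run (not real data): alice was first seen on the 20th,
# bob is new, mallory is not in the employee mapping, carol enabled 2FA.
SAMPLE_EMPLOYEES = {"alice": "emp-001", "bob": "emp-002", "carol": "emp-003"}
SAMPLE_STATE = {"alice": date(2016, 6, 20), "carol": date(2016, 6, 28)}
SAMPLE_ACTIONS, SAMPLE_NEW_STATE = plan_enforcement(
    ["alice", "bob", "mallory"], SAMPLE_STATE, SAMPLE_EMPLOYEES, date(2016, 6, 30))
```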


DANGER, DANGER, DANGER, 2FA LOCKOUT!

● USE SMS AS FALL-BACK!!

● Save your 2FA Recovery Codes!
  ○ 1Password or somewhere safe and secure

● If you use the App, lose your phone, and don’t have the recovery codes, you can PERMANENTLY LOSE YOUR ACCOUNT!!


ORG ENTRY AND OWNERSHIP


How are users getting added to your Orgs?

● “Owners” are powerful users that can add and remove users into the organization
  ○ They can do pretty much anything in the org
    ■ Create and delete repos
    ■ Alter permissions and teams
    ■ Change billing info
    ■ Delete the org
    ■ Rename the org
    ■ Transfer repo ownership


Limit your Owners

● Goal: Reduce the number of Owners in your organization

○ They should be employees and have 2FA enabled!

● Problem: “Owner” role is needed for lots of tasks
  ○ GitHub has made significant improvements, but you still need to be an Owner for significant tasks

● Solution: Create a “Bot” user to perform Owner and Administrative actions -- used via tooling
  ○ Write tools to manage users, teams and repos


ORGANIZATION MANAGEMENT & PERMISSIONS MODEL


Membership and Teams

● Aim for self-service

● Team management is hard without good tooling
  ○ We have a more open approach -- employees have access to all repos

● Non-employees are added as outside collaborators with specific repo access

● Our scripts automatically remove users when they leave the company


GitHub Tooling -- Nathan Explosion

● Self-service Slack bot to add users to our orgs

● Create repos

● Add outside collaborators


THIRD PARTY APPS


3rd Party Apps Security Issues

● 3rd party applications obtain access to organization resources via OAuth
  ○ Whatever the user has access to… so does the 3rd party app!

● OAuth scopes can be rather large -- many require write access to access source code
  ○ INCLUDING PRIVATE REPOS!

● Enable 3rd party app restrictions
  ○ Owners must approve apps that are allowed to access resources.


SENSITIVE DATA LEAKAGE


Passwords, Tokens, and the Like

● We regularly scan all of our GitHub repositories -- using Scumblr

● We probe for AWS keys, RDS hostnames, Slack tokens, and other sensitive data


Q&A
