Herding the Octocats - Getting Control of GitHub
-- Herding the Octocats --Getting Control of GitHub
Mike Grima, Senior Cloud Security Engineer @ Netflix
06/30/2016
Background and Overview
● Netflix uses public GitHub.com for various purposes:
○ Open Source
○ Collaboration with outside partners
○ Developer ease and preference
○ GitHub Flow
● Organizations
● Public AND Private repositories
Security Challenges using GitHub.com
● Identity and User Administration
● Organization Management & Permissions Model
● 3rd Party Tools
● Sensitive Data Leakage
Exactly ‘who’ is using your GitHub orgs?
● GitHub is a public service; uses its own identity system
○ Bring your own account
● The customer of GitHub is YOU, the developer
● Name, email, workplace, etc. are optional fields
Identifying GitHub Users is…
… A challenge without some tooling...
● You will need a source of truth for your employees.
○ API’s FTW!
○ You will store GitHub IDs here
● Scripts to associate an employee with a GitHub ID
○ Who is an employee and who isn’t
○ Can automate removals
○ Assist with 2FA enforcement
Association Strategies
● Making guesses based on GitHub attributes
○ Username
○ Email
○ Workplace
○ Etc.
○ Hard to automate all cases -- some may be left behind
○ One time task; once it’s done, it’s done
2-Factor Authentication Enforcement
● GitHub supports 2FA -- but provides no enforcement mechanism
○ Users must already be org members to check 2FA
● I wrote scripts to boot employees from our orgs if they don’t enable it within 7 days
○ GiiitOut -- Python scripts that are CRON’d up
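The grace-period logic behind that kind of enforcement, as an added example (not the GiiitOut scripts from the talk). It assumes the caller has already fetched the org's members lacking 2FA, for instance from the GitHub REST API endpoint GET /orgs/{org}/members?filter=2fa_disabled, and persists a small state map of login to the date the user was first seen without 2FA; the member list, state and exempt set below are constructed sample data.

```python
"""Plan 2FA enforcement for a GitHub org: warn new offenders, remove those past the grace period."""
from datetime import date, timedelta

GRACE_DAYS = 7

# Constructed sample: logins the API reported as lacking 2FA on this run.
SAMPLE_NO_2FA = ["alice", "bob", "release-bot"]

# Constructed sample of state persisted by earlier runs: login -> first seen without 2FA (ISO date).
SAMPLE_STATE = {"alice": "2016-06-20", "carol": "2016-06-25"}

# Accounts that must never be auto-removed, e.g. the tooling "bot" user (assumed name).
EXEMPT = {"release-bot"}


def plan_enforcement(no_2fa, state, today, grace_days=GRACE_DAYS, exempt=EXEMPT):
    """Return (to_warn, to_remove, new_state).

    to_warn:   users newly seen without 2FA; their 7-day grace period starts today
    to_remove: users whose grace period has expired (caller issues
               DELETE /orgs/{org}/members/{login} for each)
    new_state: state to persist; users who enabled 2FA since the last run,
               and users being removed, drop out of it
    """
    to_warn, to_remove, new_state = [], [], {}
    for login in sorted(no_2fa):
        if login in exempt:
            continue
        first_seen = state.get(login)
        if first_seen is None:
            new_state[login] = today.isoformat()
            to_warn.append(login)
            continue
        deadline = date.fromisoformat(first_seen) + timedelta(days=grace_days)
        if today >= deadline:
            to_remove.append(login)
        else:
            new_state[login] = first_seen
    return to_warn, to_remove, new_state


if __name__ == "__main__":
    warn, remove, state = plan_enforcement(SAMPLE_NO_2FA, SAMPLE_STATE, date(2016, 6, 30))
    print("warn:", warn, "remove:", remove, "state:", state)
```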
DANGER, DANGER, DANGER, 2FA LOCKOUT!
● USE SMS AS FALL-BACK!!
● Save your 2FA Recovery Codes!
○ 1Password or somewhere safe and secure
● If you use the App, lose your phone, and don’t have the recovery codes, you can PERMANENTLY LOSE YOUR ACCOUNT!!
How are users getting added to your Orgs?
● “Owners” are powerful users that can add and remove users in the organization
○ They can do pretty much anything in the org
■ Create and delete repos
■ Alter permissions and teams
■ Change billing info
■ Delete the org
■ Rename the org
■ Transfer repo ownership
Limit your Owners
● Goal: Reduce the number of Owners in your organization
○ They should be employees and have 2FA enabled!
● Problem: “Owner” role is needed for lots of tasks
○ GitHub has made significant improvements, but you still need to be an Owner for significant tasks
● Solution: Create a “Bot” user to perform Owner and Administrative actions -- used via tooling
○ Write tools to manage users, teams and repos
Membership and Teams
● Aim for self-service
● Team management is hard without good tooling
○ We have a more open approach -- employees have access to all repos
● Non-employees are added as outside collaborators with specific repo access
● Our scripts automatically remove users when they leave the company
GitHub Tooling -- Nathan Explosion
● Self-service Slack bot to add users to our orgs
● Create repos
● Add outside-collaborators
3rd Party Apps Security Issues
● 3rd party applications obtain access to organization resources via OAuth
○ Whatever the user has access to… so does the 3rd party app!
● OAuth scopes can be rather large -- many require write access to access source code
○ INCLUDING PRIVATE REPOS!
● Enable 3rd party app restrictions
○ Owners must approve apps that are allowed to access resources.
Passwords, Tokens, and the Like
● We regularly scan all of our GitHub repositories -- using Scumblr
● We probe for AWS keys, RDS hostnames, Slack tokens, and other sensitive data