Security: GitHub will deploy two-factor authentication by 2023


GitHub is introducing new rules for developers on two-factor authentication (2FA). On Wednesday, the Microsoft-owned code repository said the changes to its existing authentication rules are part of “a platform-wide effort to secure the software ecosystem by improving account security.” According to GitHub Chief Security Officer Mike Hanley, the platform will require any developer contributing code to enable at least one form of 2FA by the end of 2023.

Open source projects have become valuable resources for individuals and businesses alike. They are not infallible, however, and when they are compromised the result can be data theft, sometimes with severe consequences. Salesforce-owned cloud platform provider Heroku revealed that it suffered a security incident in April: a subset of its private git repositories was compromised following the theft of OAuth tokens, potentially giving unauthorized access to customer repositories.

This is what led GitHub to strengthen its controls, noting that developer accounts are “frequent targets for social engineering and account takeover”. The recent wave of malicious packages uploaded to GitHub’s npm registry has also brought software supply chain security to the fore.

Strengthening still-weak security

In many cases, it is not a zero-day vulnerability that brings open source projects down or gives developers cold sweats. Rather, it is fundamental weaknesses, such as weak passwords or information theft, that attackers exploit. GitHub also acknowledged that there can be a tradeoff between security and user experience, so the 2023 deadline gives the organization time to “optimize” the GitHub experience before the rules are set in stone.

“Developers around the world can expect more options for secure authentication and account recovery, as well as enhancements that help prevent and recover compromised accounts,” GitHub said. The urgency is very real for the platform: only 16.5% of its active users use at least one form of two-factor authentication.

“While we invest deeply in our platform and in the wider industry to improve the overall security of the software supply chain, the value of that investment is fundamentally limited if we do not address the ongoing risk of compromised accounts,” says Mike Hanley. “Our response to this challenge continues today with our commitment to drive the improvement of supply chain security through safe practices for individual developers.”

Recall that in April GitHub introduced a new scanning feature to protect developers from accidentally leaking secrets. Available to Enterprise users, it is an optional check that developers can enable to run during workflows and before a git push goes through.

Source: ZDNet.com