GitHub is the leading software development and version control application, and it has evolved into a complex platform with extensive capabilities designed to bolster the CI/CD process. Users can augment their productivity and functionality by connecting GitHub Apps, OAuth Apps, and other third-party tokens to interact with external services, thereby expanding the GitHub ecosystem. However, such complexity can inadvertently lead to GitHub security risks, misconfigurations, data exposure, account takeovers and SaaS supply chain attacks. Integrations, external collaborators such as contractors, publicly shared code repositories and other misconfigurations can facilitate unauthorized sharing of source code and other sensitive data.
Over the past year, GitHub found itself entangled in several breaches, starting with the Heroku and Travis CI breach. The most recent, in December, involved CircleCI, a vendor specializing in CI/CD and DevOps tools, which admitted that customer data had been compromised in a data breach. The inciting incident was a compromised GitHub OAuth token, an increasingly popular attack vector. The CircleCI investigation revealed that the attackers stole a valid session token of a CircleCI engineer, enabling them to bypass two-factor authentication and gain unauthorized access to production systems. As a result, they managed to purloin customer variables, tokens, and keys.
Valence’s automated remediation workflows offer a collaborative approach to security, allowing security teams to engage with GitHub admins and business users throughout the remediation process. This engagement provides insights into the business rationale for SaaS adoption and usage, motivates business users such as developers and DevOps to rectify risks autonomously — reducing the burden on security teams — and promotes education on GitHub security risks and best practices.
Valence enables the detection and tracking of identities not managed by your Identity Provider (IdP), overprivileged users, and weak authentication that fails to leverage MFA. These risks can then be automatically rectified to prevent account compromises and data loss breaches.
GitHub serves as a repository for your development team’s most sensitive data—source code, IP, design files, and product information. However, its data sharing capabilities are often misjudged, which can lead to adding external collaborators such as contractors, or even lead to exposing a code repository to the public. Valence provides a security buffer against careless data sharing by ensuring that sharing privileges align with company policies and that privilege creep is consistently identified and adjusted.
GitHub has transcended its initial design as a stand-alone software development and version control application to emerge as a robust CI/CD platform. It encourages business users to integrate it with third-party applications using GitHub Apps, OAuth Apps, Personal Access Tokens (PAT), SSH keys and other tokens, to connect to third-party vendors that can improve the development process, such as TravisCI, secure it, such as Snyk, and more. These integrations can escalate the risk of supply chain attacks, which leverage the fact that non-human identities can log in directly without strong authentication methods like MFA and thereby bypass existing security mechanisms. Valence empowers security teams to unearth and continuously remediate misconfigured, inactive and over-privileged integrations.
Valence's collaborative SaaS security platform provides security teams with unparalleled visibility and control to identify and remediate GitHub security risks, misconfigurations and privilege drift, as well as to provide security controls around third-party SaaS-to-SaaS integrations and unmanaged SaaS users.