DoControl Integration for GitHub: Defense-in-Depth for Software Code

DoControl’s approach to securing SaaS has always been to prioritize the applications that are critical to the business. Today, the acceleration of software delivery through DevOps processes is a core requirement to remain competitive in any market. GitHub is for developers by developers. It provides everything a developer needs from task management to version control, quality assurance to continuous integration, bug tracking, governance, security and so much more. DevOps and SecOps need to be married. Security matters.

Here’s why. 

Consider the valuable intellectual property that exists within the over 200+ million repositories – that's an attractive target for nefarious characters when you also realize that over 90% of the Fortune 100 are leveraging this platform. Earlier this week, Toyota publicly disclosed a data leak after access keys were exposed, warning their customers of potential personal information exposure. Some of Toyota’s source code was inadvertently published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers. Blame was pointed to a development subcontractor who made a pretty significant mistake in allowing that public key to be accessible for almost 5 years. Yikes!

Of course GitHub provides a number of useful security features natively such as Secret Scanning, Code Scanning, Supply Chain Security, and Dependabot. That said, the same shared responsibility model with cloud technologies applies here as well. With all the threat models that are present in today’s landscape (i.e. insider risk, unauthorized access, compromised identities, stolen credentials, etc) there’s a case to be made for implementing multiple layers of security to better protect sensitive software code.

We here at DoControl are thrilled to advance our integrated technology program to include an integration with GitHub. GitHub is the world’s leading software development platform, bringing together the world's largest community of developers to discover, share, and build better software. We are very excited to be able to integrate The DoControl SaaS Security Platform with one of the most critical software development tools for the modern business. 

Here’s the value the partnership brings:

1. Visibility: Once GitHub becomes onboarded into the platform, DoControl will expose a full inventory of users, assets, repositories, and 3rd party SaaS apps within the environment. The solution provides proactive monitoring to mitigate the risk of insider threats. User behaviors such as accessing a significantly high number of repositories or adding certain users to repositories could be indicative of risky insider activity. Being able to identify malicious insider or compromised identity behaviors such as this are critical to protect source code. DoControl can enable security teams to closely monitor developer behavior, and manually intervene through self-service tooling.

‍DoControl provides a full inventory of users, assets, repos, and more within GitHub.‍

2. Prevent Unauthorized Access: Contrary to what some might believe, developers are human beings too. They make mistakes just like everyone else. A public repo that should've been set to private happens way more often than it should. If repositories contain source code that should be kept in a private repo, security teams can automatically identify that and remediate the risk with DoControl. Undesired publicized repos can be reverted and unpublicized to prevent exposure of highly sensitive IP information, preventing the loss or leakage of source code. Another challenge is the fact that a lot of developer accounts are linked to private email accounts. After they leave the business, access should be revoked, and DoControl integrates with IDP to ensure access is provided and revoked as necessary with employee onboarding and offboarding.

‍A Security Workflow reverts publicized repo and automatically notifies SecOps.‍

3. Security Workflows: SecOps teams can create Security Workflows that will integrate with GitHub’s Dependabot alerts. Once an alert is triggered, DoControl will automatically initiate a notification for security teams to investigate CVEs that are disclosed within Dependabot. Teams can view alerts about dependencies that are known to contain security vulnerabilities and choose whether to have pull requests generated automatically to update these dependencies. These workflows automatically remediate the risk of an organization’s insecure code, and reduce the risk of a supply chain-based attack. 

‍

‍

‍A Security Workflow notifying SecOps team of disclosed CVE for investigation.‍

4. OAuth App Governance: DoControl provides governance and remediation across every user – both human and machine within the DoControl platform. The solution gains insight into all sanctioned and unsanctioned applications within GitHub and other business-critical apps. We provide strong visibility into the environment as well as real-time actionability. We’ve created a ‘synthetic’ event for application installations, which can trigger a Workflow that automatically notifies the SecOps team of potentially risk events such as a new application being installed that has ‘Write’ permissions and can access every single repo in the instance. This is unique to DoControl and cannot be achieved natively within GitHub’s APIs. Breaches that stem from OAuth token exploitation is a very popular attack vector. DoControl provides the means to monitor installations of Git Apps, which is essential to reduce and mitigate the associated risk with OAuth applications.

‍

‍

‍DoControl provides governance and remediation to 3rd party OAuth SaaS apps.‍

Software development security continues to be a top priority for organizations of any size and type, across every industry vertical. Creating a secure software development life cycle is no easy feat. However, when it's done effectively, it unlocks real business value. Design flaws can be removed prior to being embodied in the code, security flaws are detected and eliminated quicker providing stronger business continuity, and you can ultimately go to market faster. 

Please visit our partner listing in the GitHub Marketplace to learn more.

‍