GitHub, a leading software development and version control platform, is a business-critical application for many organizations today, as digital transformation turns companies across many sectors into software and technology companies. GitHub users can connect GitHub Apps and OAuth apps to increase their productivity and collaboration, configure Personal Access Tokens (PATs) to integrate with external services, generate SSH keys to authenticate without a username and password, and automate CI/CD and other workflows with GitHub Actions, reducing manual work.
GitHub Apps can be published in the GitHub Marketplace, but this is not mandatory, particularly for internal custom apps (apps that an organization creates for its own use). In addition, only admins can authorize GitHub Apps on an organization account, whereas non-admin users can authorize GitHub Apps on their personal accounts.
While GitHub is inherently secure, third-party vendors that have access to it through these methods can be a weak link. Over-privileged or otherwise risky OAuth tokens and similar credentials can be exploited to gain the keys to the kingdom, placing GitHub customers at risk of data breaches and account exposure.
Supply chain access attacks against GitHub are not properly covered by existing security approaches such as identity providers (IdPs), Cloud Access Security Brokers (CASBs) and SaaS Security Posture Management (SSPM) solutions, which focus on human-to-SaaS access controls and neglect the critical and growing non-human SaaS-to-SaaS third-party integration layer.
The rapid adoption of GitHub, the increasing number of integrations and GitHub Apps, and the importance and sensitivity of the source code stored in private repositories have made GitHub a prime target for attackers. That said, attackers do not necessarily need to breach GitHub or your organization directly to gain access to your organization's private repositories. Instead, they can target a third-party vendor that is integrated with your GitHub instance. The recent high-profile breach illustrates how attackers were able to steal and abuse OAuth tokens issued to well-known vendors such as Travis CI and Heroku. In this case, the attackers leveraged the trust and high level of access granted to highly reputed vendors to steal data from dozens of GitHub customers and private repositories. This is not the first case of stolen GitHub tokens: in the past, hackers stole GitHub and GitLab OAuth tokens from the Git analytics firm Waydev and used them to gain access to the source code projects of victim organizations.
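As an added, defender-side check for the over-privileged third-party access described above, the following script audits an organization's GitHub App installations for broad write permissions. It is example code, not code from this page, Valence or GitHub; it covers GitHub App installations only, the sample response is constructed, and which permission scopes count as sensitive is an assumption of the example.

```python
# Audit an org's GitHub App installations for broad write access.
# Hypothetical helper, not code from this page, Valence, or GitHub. It works on
# the JSON returned by GET /orgs/{org}/installations (needs an org-admin token).
import json
import urllib.request

# Which permission scopes count as sensitive is this audit's assumption.
SENSITIVE = ("administration", "actions", "contents", "secrets", "workflows")

def assess_installation(inst: dict) -> list[str]:
    """Return reasons an installation looks over-privileged (empty = fine)."""
    if inst.get("suspended_at"):  # a suspended installation cannot act
        return []
    perms = inst.get("permissions", {})
    writes = [p for p in SENSITIVE if perms.get(p) in ("write", "admin")]
    if not writes:
        return []
    broad = inst.get("repository_selection") == "all"
    scope = "all repositories" if broad else "selected repositories"
    return ["write access (%s) on %s" % (", ".join(writes), scope)]

def audit(payload: dict) -> dict[str, list[str]]:
    """Map app_slug -> reasons for every installation that raised one."""
    findings = {}
    for inst in payload.get("installations", []):
        reasons = assess_installation(inst)
        if reasons:
            findings[inst["app_slug"]] = reasons
    return findings

def fetch_installations(org: str, token: str) -> dict:
    """Live call to the endpoint; pass its result to audit(). Not run here."""
    req = urllib.request.Request(
        "https://api.github.com/orgs/%s/installations" % org,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample response mirroring the endpoint's shape (not real data).
SAMPLE = {"total_count": 3, "installations": [
    {"id": 1, "app_slug": "ci-runner", "repository_selection": "all",
     "suspended_at": None,
     "permissions": {"contents": "write", "checks": "write", "metadata": "read"}},
    {"id": 2, "app_slug": "issue-triager", "repository_selection": "selected",
     "suspended_at": None, "permissions": {"issues": "write", "metadata": "read"}},
    {"id": 3, "app_slug": "deploy-bot", "repository_selection": "selected",
     "suspended_at": None,
     "permissions": {"contents": "write", "secrets": "write", "metadata": "read"}},
]}
```

Running `audit(SAMPLE)` flags `ci-runner` (contents write across all repositories) and `deploy-bot` (contents and secrets write on selected repositories) while leaving the read-mostly triage app alone.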
Valence seamlessly integrates with your GitHub environment and helps you discover your SaaS mesh attack surface and manage the risks associated with it: