CISOs, Come Enjoy Drinks & Hors D'oeuvres With Us At RSA 2022!
Valence security- SaaS-to-SaaS-supply-chain-security-Github

How Do I Secure GitHub Against SaaS Supply Chain Attacks?

SaaS-to-SaaS Third-party Integrations in GitHub

GitHub, a leading software development and version control platform, is a business critical application for many organizations today, since digital transformation is turning many companies across multiple sectors into software and technology companies. GitHub users can connect GitHub Apps and  OAuth apps, to increase their productivity and collaboration, configure Personal Access Tokens (PAT) in order to integrate with external services, generate SSH keys to identify themselves without a username and password, and even automate their CI/CD and other workflows reducing manual work using GitHub Actions.

GitHub Apps could be published in the GitHub Marketplace, though it’s not mandatory, especially if the app is an internal custom app (i.e., an app that the org created for its personal usage). In addition, the authorization of GitHub apps on an organizational account is limited to admins, though non-admin users can authorize GitHub apps on personal accounts.

Securing Non-human GitHub Third-party Integrations

While GitHub is inherently secure, third-party vendors who have access to it through these methods can be a weak link. Inherently risky or over-privileged OAuth tokens, etc. can be exploited to gain the keys to the kingdom, placing GitHub customers at risk of data breaches and account exposure.

Supply chain access attacks against GitHub are not properly covered by existing security approaches such as IdP (Identity Providers), CASB (Cloud Access Security Broker) and SSPM (SaaS Security Posture Management) solutions that focus on human-to-SaaS access controls and neglect the critical growing non-human SaaS-to-SaaS third-party integration layer.

GitHub Supply Chain Risks

The rapid adoption of GitHub, the increasing number of integrations and GitHub apps, and the importance and sensitivity of source code files stored in private repositories, made GitHub a prime target for attackers. That said, attackers don’t necessarily need to try to breach GitHub directly or your organization directly, in order to gain access to your organization’s private repositories. Instead, they can target a third-party vendor that is integrated with your GitHub instance. The recent high profile breach illustrates how attackers were able to steal and abuse OAuth tokens issued to well known vendors like Travis CI and Heroku. In this case, the attackers were able to leverage the trust and high access granted to highly-reputed vendors to steal data from dozens of GitHub customers and private repositories. This is not the first case of stolen GitHub tokens, in the past hackers were able to steal GitHub and GitLab OAuth tokens from Git analytics firm Waydev and leverage it to gain access to their source code projects of victim organizations.

How Can Valence Help Secure Your GitHub?

Valence seamlessly integrates with your GitHub environment and helps you discover your SaaS mesh attack surface and manage the risks associated with it:

  • Discover all your third-party integrations that connect to GItHub such as Personal Access Tokens, OAuth Apps, GitHub Apps, and SSH keys
  • Analyze the scope of access and actual usage of SaaS-to-SaaS connections to remove over-privileged and inactive integrations
  • Uncover the third-party vendors that were granted access tokens to ensure alignment with vendor risk management and TPRM programs
  • Monitor API calls made by 3rd party apps to detect potential abuse, compromise or API takeover attacks against your critical data
  • Automat workflows to ensure effective remediation and communication with end users and business owners in the modern distributed IT environment

Request A Free SaaS-to-SaaS Third-Party Integration Risk Assessment for Github

Free Assessment