To help developers and organizations defend against software supply chain attacks, GitHub plans to require that anyone contributing code on the platform use some form of multi-factor authentication by the end of next year.

The move is a follow-up to the company’s recent initiative to encourage developers and package maintainers to protect their accounts with 2FA. Currently, only about 16.5 percent of GitHub users have some form of 2FA enabled, but GitHub officials have been working to increase 2FA adoption across the ecosystem over the past several years. In February, the company announced that all maintainers of the 100 most popular npm packages had been enrolled in mandatory 2FA, and the following month all npm maintainers were enrolled in extended login verification. GitHub will extend mandatory 2FA to the maintainers of the top 500 npm packages by the end of May.

Last summer, GitHub started requiring some form of strong authentication for every Git operation on the platform and no longer accepts passwords for those operations. Now the company is laying the groundwork to transition the more than 80 million developers who contribute code to projects on the platform to 2FA. The change is intended as a strong line of defense against account takeovers that could lead to attackers injecting malicious code into projects and cascading downstream effects.

“Most security breaches are not the result of exotic zero-day attacks, but instead involve lower-cost attacks such as social engineering, credential theft or leaks, and other ways that allow attackers broad access to victim accounts and the resources they have access to. Compromised accounts can be used to steal private code or make malicious changes to that code,” said Mike Hanley, CSO of GitHub.

“This not only puts the individuals and organizations associated with the compromised accounts at risk, but also all users of the affected code. The potential for downstream impacts on the broader software ecosystem and supply chain is therefore significant.”

Attacks targeting the software supply chain have become a serious concern for enterprises, developers, and vendors, and a common tactic for threat actors looking to gain access to a variety of targets. The most prominent recent examples are the attack by APT29 on SolarWinds in December 2020 and the intrusion into Kaseya by REvil ransomware actors in July 2021. Both incidents had far-reaching downstream impacts on the affected companies’ customers and partners and required significant time and resources to remedy. Last month, npm, a subsidiary of GitHub, was the target of an attack in which actors used stolen OAuth tokens issued to two third-party integrators, along with a stolen API key, to access npm infrastructure and download some private packages.

GitHub doesn’t dictate to developers what form of 2FA to use, but it has encouraged the use of hardware security keys and has already distributed them to maintainers of critical open source packages.

“Although we are investing heavily in our platform and the industry as a whole to improve the overall security of the software supply chain, the value of that investment is inherently limited unless we address the ongoing risk of account compromise. Our response to this challenge continues today with our commitment to improve supply chain security through secure practices for individual developers,” said Hanley.
