Identity-related attacks continue to be the top culprit behind data breaches. Once a threat actor gains unauthorized access to source code, they can inject malicious code into a project, unchecked by engineers and security teams.
With just one-time access, a threat actor can download code for offline viewing, giving them ample time to look for exploits, find customer data, and harvest credentials and API keys. An incident at Okta, reported in December, showed how hackers could retrieve source code by gaining unauthorized access to GitHub repositories.
Source code is valuable IP and an attractive target for theft. However, it can be challenging to maintain appropriate access permissions across all the organization members, outside collaborators, and teams working in GitHub.
It’s common for internal employees to collaborate with external contributors, so there is no single identity provider to track all users and ensure MFA (multi-factor authentication) is being used.
Moreover, developers often use their personal GitHub identity across multiple jobs, making it difficult to distinguish internal from external contributors. While GitHub’s out-of-the-box permissions management system offers fine-grained access control, organizations struggle to understand those permissions. The challenge grows with the number of contributors.
“For many of our customers, GitHub repositories contain the crown jewels of the company, so we’re giving them the power to find and fix inappropriate access,” said Tarun Thakur, CEO at Veza.
“When threat actors are working every day to find vulnerabilities, it’s no longer an option to rely on quarterly access reviews. Veza makes it easy to achieve continuous compliance,” Thakur added.
“To secure our customers’ data and stay compliant with global regulations, it’s critical to maintain the integrity and confidentiality of our source code,” said Frank Dellé, Head of Global Compliance, Nozomi Networks.
“Veza enables us to monitor and enforce our access policies across GitHub and other data systems, allowing us to manage role-based access control at scale. With Veza, we can understand the combined effect of our access control layers to maintain least privilege,” Dellé continued.
With Veza’s integration for GitHub, identity and security teams go beyond role-based access control to understand what actions users can take (read, write, delete).
Veza customers can automatically find excessive permissions and take steps to remediate. For teams that work on IAM, security assurance, and compliance, Veza accelerates access reviews and certifications with automated workflows.
Key features of the integration with GitHub:
- Perform access reviews and remediation for any GitHub repository
- Visualize access across internal and external collaborators
- Architect least privilege access controls
- Audit orphaned or inactive local GitHub accounts to eliminate unnecessary access
- Configure alerts for changes in permissions to highly sensitive code, such as Infrastructure as Code repositories