How secure would github hosting be for private repositories? [closed]

git security version-control github

Solution 1:

We tried out github recently.

Compared with our previous git hosting (which was on our own linux virtual server), I'm not overly impressed with the security. We did decide to use it, but only for projects where keeping the code private wasn't a huge concern.

Namely:

  1. There's no company control at all over the user accounts. We control which users have access to our repository, but there's no password policies, the users pick their own email addresses, etc.
  2. There's no way to limit access by IP address
  3. Passwords can only be reset by the user
  4. Compromising the users email account (which we're unable to see what account they've set it to) also results in a compromise of their github account, as they use an email challenge to reset forgotten passwords.
  5. There's no access logs (there is an audit trail for most or possibly all changes, but no logging at all for access)
  6. Access to the web front end is only password protected, so is vulnerable to password reuse from other sites and to some extent to brute forcing (github's statement about what they do for failed logins is pretty unclear).

One or two of these we could live, but in combination they basically make github completely unsuitable.

They have added 2 factor authentication recently, and there is an API so that organisations can at least check if users with access to their repositories have two factor authentication enabled. Whilst I don't feel this is really the best solution, it probably just about moves github into being secure enough that it can be considered for private repos.

As mt3 notes, you can run an enterprise install instead, which presumably significantly improves security - but the cost difference between that and a standard github company account is staggering, and it would probably mean you miss out on all the third party tools that integrate with github.

On a non-security note, they do at least now support annual billing properly, which helps reduce the paperwork overhead.

GitHub have recently announced new business plans with extra features - this could solve '1'/'4'/'5'. (Though the 'uptime guarantee' that's part of it is pretty laughable - not even "four 9s", and excludes scheduled maintenance and anything they deem 'outside their reasonable control' - and it's not an actual guarantee, it's just a small credit against your next bill which is capped to be no more than a third of your bill. Basically very carefully worded marketing weasel words instead of any kind of commitment from them.)

Solution 2:

They've had major security incidents in the past: http://www.h-online.com/security/news/item/GitHub-security-incident-highlights-Ruby-on-Rails-problem-1463207.html

Frankly, I wouldn't entrust code I want to keep private (or any other sensitive data) to the cloud unless it is encrypted and only I hold the key.

Related

Razor: No overload for method 'Write' takes 0 arguments
What's the "dot" for when registering an Activity
How to globally replace strings in lines NOT starting with a certain pattern
What does header('P3P: CP="CAO PSA OUR"'); do?
How to select multiple elements that are children of given element?
"Cannot GET /" with Connect on Node.js
python bindings, how does it work?
How to randomize Excel rows
Android App Restarts upon Crash/force close
Python curve_fit with multiple independent variables
Why doesn't JavaScript ES6 support multi-constructor classes?
Why do most asyncio examples use loop.run_until_complete()?