Best security practices are the responsibility of all developers, recent surges in fraudulent login attempts are a good reminder that account security is the pillar to good organizational security practices.
As GitHub's Staff Security Analyst @sanjuanswan noted during a recent security Twitter space:
"your organization is only as secure as your least secure member"
It's our responsibility to promote good security practices, whether you are an individual contributor or team lead. Here are three steps you can take today to set an effective model of security practices.
1. 🛠 Enable MFA:
Enabling 2FA adds an extra layer of security when logging into your GitHub account. With 2FA, you have to log in with your username and password and provide another form of authentication that only you know or have access to. If you lose access to your selected authentication method, you can use the provided recovery codes to access your account. Don't forget to download and keep safe those recovery codes.
At the organizational level, owners can require that members, billing managers, and outside collaborators use two-factor authentication to secure their personal accounts. Set this standard at the organizational level.
2. 🔐 Keep your email accounts up to date and safe
GitHub protects your account by requiring you to click a link sent to your email address when you log in from a new device. If a potential attacker doesn't also have access to your email account, they can't ATO (account take over) your GitHub account.
Use a unique, and complex password for your email account; the best way to accomplish this is by using a password manager.
Don't share email addresses or login information with your team, and keep a recurring audit, or even better, add an off-boarding step so departing team members no longer has access to your repos.
3. 📱 Download the GitHub Mobile Application
You can use GitHub Mobile for 2FA when logging in to your GitHub account in a web browser. 2FA with GitHub Mobile does not rely on TOTP, and instead uses public-key cryptography to secure your account.
To get started with GitHub mobile for 2FA, if you’re not already using the mobile app, you can install it now and sign in to your account. And if you haven’t set up 2FA, set it up via your account security settings. You’ll need to set up 2FA with SMS or another time-based one-time password (TOTP) app first to start using Mobile 2FA. Once you have configured a TOTP application, or SMS, you can also use GitHub Mobile to authenticate.
Remember:
Most software vulnerabilities are mistakes, not malicious attacks. Do your part and secure the software you write today, starting with your GitHub account security.
Huge thanks to Jay Swan and Jessica Cano for participating in the security twitter space that inspired this post.
To learn more about automating security with GitHub, follow GitHub and me for more security content and future security focused event announcements.
Stay Safe!