Changes to existing authentication rules will be introduced as part of a platform-wide effort to secure the software ecosystem through improved account security, according to GitHub, the Microsoft-owned code-hosting platform.
In April, Heroku, a cloud platform owned by Salesforce, disclosed a security breach. Following the theft of OAuth tokens, a subset of its private git repositories was compromised, potentially allowing unauthorized access to customer repositories.
The software supply chain, according to GitHub, “begins with the developer,” and the company has tightened its restrictions in response, adding that developer accounts are “common targets for social engineering and account takeover.”
The recent issue of malicious packages being uploaded to GitHub’s npm repository has also raised concerns about software supply chain security.
However, GitHub has acknowledged that security and user experience might be mutually exclusive. As a result, the 2023 deadline will give the organization time to “optimize” the GitHub domain before the guidelines are finalized.
With only 16.5 percent of active GitHub users and 6.44 percent of npm users using at least one form of 2FA, rolling out mandatory 2FA may prove a major challenge for GitHub.
Basic authentication, which relied solely on usernames and passwords, has already been phased out in favor of OAuth or access tokens. The company has also introduced email-based device verification for accounts that do not have 2FA enabled.
The current aim is to continue rolling out mandatory 2FA on npm, starting with the top 100 packages, then the top 500, and then those with more than 500 dependents or one million weekly downloads. The knowledge gained from this testbed will be applied to GitHub.
“While we are spending deeply throughout our platform and the broader industry to strengthen the overall security of the software supply chain, the value of that effort is fundamentally constrained if we do not address the persistent danger of account breach,” said Mike Hanley, GitHub’s Chief Security Officer (CSO). “Today, our commitment to create greater supply chain security through safe practices for individual developers continues our response to this challenge,” Hanley added.
GitHub introduced a new scanning feature in April to protect developers and prevent them from disclosing secrets inadvertently. The feature, available to business users, is an optional check that developers can enable to run before a git push.
By the end of 2023, according to Hanley, any developer submitting code to the platform will be required to activate at least one type of 2FA.