Are Code Repositories Safe for Your Source Code?

You must have heard about source code repositories at least once in your lifetime. These repos are simply shared storage locations among developers who update them with the latest code and fixes. Organizations tend to prefer these repositories for better management and collaboration when working on software projects, which reduces the risk of losing code or using outdated versions, so it is preferred to go for version control systems like – Git.

You might be wondering why you would trust another platform to securely store your code files, whether these repos are actually safe, and what to keep in mind when dealing with code repositories.

Using code repositories is an industry practice, but there have been a few cases that have made organizations more cautious when dealing with source code repository platforms. These repos have become an easy source of cyber frauds as sometimes attackers can find some sensitive information in codebases like passwords, API tokens, and much more. These code repositories can also lead to supply chain attacks, causing significant financial losses, reputation damage, and business operation disruption.

However, this exposure of code repositories to cyber frauds and threats can be avoided easily using code signing procedures and some industry-trusted practices. Read on to learn about the benefits and threats these repositories possess. You will know about several cases where the big players in this industry were compromised, what the consequences were, how code signing can help, and what the best practices are that you should follow when pushing your code to a source code repository. 

Introduction 

A code repository, or a version control repository, is a space where developers can store and manage their source code files. It allows multiple people to work on the project and tracks each developer’s changes. Code repositories benefit organizations working on projects, especially with large teams, as they act as a centralized hub to manage and review the codebase changes. However, without proper policies and security measures, these repos can become the target locations for a potential cyber-attack. 

You may think that your code doesn’t contain any personal information that could lead to an attack and is of less importance. However, this data, when combined with active scrutiny techniques, can be leveraged to target the user for something much bigger than imagined. These include credential theft, social engineering, infrastructural attacks, and many more. Then you might be thinking. Do you really need code repositories? Simply put, yes.

Code repositories are the best way to handle project files. They just require a safe, secure, and industry-followed approach. But before we discuss the best practices for using code repositories, let’s examine a few vulnerabilities that have occurred in the past when working with source code repos. 

Why shouldn’t you blindly trust a code repository? 

There are many code repo platforms available, each offering diverse features and capabilities, but your codebase’s security and safety depend on the choice you make for your repository platform. Developers across the world prefer these well-known and trusted platforms, such as GitHub, Bitbucket, GitLab, and many others. Still, even some of these reliable online hosts couldn’t prevent cyber-attacks in the past. For instance, in 2023, GitHub reported that an unauthorized user gained access to their system and stole three code signing certificates.

GitHub was quick on their part and revoked all the stolen certificates. Now, let’s think of what would happen if GitHub didn’t find the theft of these certificates. There could be numerous scenarios that would have affected customers worldwide, such as attackers could have misused the certificate to sign malicious software, or they could have created fraudulent certificates, and much more.

Another common practice followed by developers is installing packages from open-source code repositories. When a developer’s application requires a dependency, he can utilize the packages already created by others and use them in his application. But sometimes, attackers publish these code packages to infiltrate the user’s application. In a recent incident, trojanized jQuery packages were pushed on npm (Node Package Manager), GitHub, and jsDelivr code repos. These trojanized packages lead to dependency confusion attacks.

It is a type of software supply chain attack where attackers deploy infected code instead of legitimate software dependency. These modified dependency packages would then be installed and used by the developers, giving the attacker the freedom to do whatever he wants. Around 68 infected packages were published from May 26 to June 23, 2024. 

You should know every detail of the code or package when using it from a third-party platform. These repositories are a very easy point of target for an attack, and even though these code repository platforms provide the utmost security service to you, generally, it is the software developer’s mistake of using unknown codes available online that leads to devastating cyber incidents.

Methods of affecting a code repository 

These attacks can take place in several ways but can also be avoided if the user pays more attention to minor details and questions the authenticity of each repo. Every time a developer wants to access some code available on the internet, he should ask himself whether other developers are using the repo, when the last update was, and whether this repo was deleted before by the developer and then reinstated by some other programmer. 

Such basic questions can help you reduce the chances of using a vulnerable code in your project. Here are a few techniques through which the attackers disguise their code and gain access to your personal information.

1. Typosquatting Technique

   It is one of the most popular strategies for infiltrating a system. Here, the attacker registers a package or code repository name that is very similar to the famously used repos, only slightly altering the name. This technique has also worked on domain names. For example, attackers will just tweak the domain to “www.g00gle.com” instead of “www.google.com.”

   In a research conducted by JFrog’s security team on the PyPI (Python Package Index), which is a repo for software for Python language, the revival hijack technique can be used to hijack 22K current PyPI packages. How this works is that once a popular project repo is deleted from the PyPI platform, attackers can easily take that repo name and publish a new code for that package, and if the user doesn’t notice the change in the repo, he will be using an infected code for his software application.

   By leveraging typosquatting and similar strategies, attackers take advantage of the developers’ trust. This makes it so crucial and important to verify the authenticity of any code or packages retrieved from the internet, especially when these closely resemble established names or have been reintroduced after deletion.

2. Credential Theft

   One of the easiest ways to get a cyber-attack is if a developer serves the authentication data on the code repository. This might seem like a minor, obvious thing to avoid, but it can slip from the user’s mind very easily. Any type of credentials, tokens, or API keys can be used to attempt unauthorized access to the developer’s environment.

   If you think your account doesn’t have very important information that the attacker will not be able to take advantage of, you are wrong! He will use this password to know more about you and try to guess the passwords of your other, more important, accounts like bank profiles, social media profiles, and more. To prevent such attacks, GitHub has provided powerful repo-scanning tools like TruffleHog and Git-Secrets. These tools detect and prevent secrets from being uploaded to a git code repository.

3. Cloning and Modifying repositories

   While these code repositories provide centralized access to everyone, public repos also allow developers to contribute their code by creating pull requests. If the repo owner doesn’t properly check the code in the request and merges it, users can be blind-sighted and will be sitting ducks when they use that repository code or files in their applications.

   Code review policies should include thorough processes to ensure effective evaluation and approval of code changes. These should include clear guidelines on procedures like rework and resubmission, version control practices, documentation requirements, and much more.

   It was reported in early 2024 that over 100,000 GitHub repositories were infected with malicious code. You can automate code analysis on pull requests by implementing solutions like SonarQube. It is an open-source platform that will help you improve the quality of your code.

There can be many other techniques that are still undiscovered by researchers and are in play, but if you have simple, basic knowledge of the preventive measures when deploying your codebases in the code repository, these attacks can be easily avoided. 

Best Practices

Whether simply storing files in code repositories or implementing CI/CD pipelines, everything on the web requires the utmost security measures and procedures. Here are some of the best practices that a developer must follow to protect his code repository from being infected. 

1. Code repository hosts provide many security features like dependency scanning, automated vulnerability scanning, and more to protect your codebase. A developer should enable such features that will provide him with an alert or notification when sensitive information is uploaded to the repo or an untrusted dependency is being used in the code. 
2. Every organization must enable strong authentication methods like 2FA on all the repository accounts. This will provide an extra layer of protection, even if the credentials are exposed to an unauthorized user.  
3. Keep up with dependency updates and regularly check your code files to maintain code integrity. 
4. When working in a team on a project, limit access to the code repository to track the modifications made to the repo. 
5. Do not store environment or config files in a code repository. Developers should clearly understand which data is private and which can be made public. 
6. Developers should implement repository scanning tools like TruffleHog and Git-secrets to find existing secrets and prevent future commits with sensitive information. 
7. Always enforce code signing for commits to ensure the code’s authenticity. Every repo owner must look for the cryptographic signature when a developer tries to push a new code to a repo. These signatures simply tell the users that this software file is released by an authorized and credible organization that can be trusted to use. 
8. Every organization or code repository owner should have an incident response plan. Such a plan will help reduce the impact of a cyber-attack on your organization and your customers. 

These practices will help prevent attackers from gaining access to your code repositories. But what if you can check your code before publishing it in a repo? What if the developer can check and scan his code for vulnerabilities? What if he can check that his code on the repository is not already infected? Encryption Consulting’s CodeSign Secure will provide all these features that will reduce your efforts and save time verifying each aspect of your code. 

Encryption Consulting’s CodeSign secure

CodeSign Secure is a platform designed to digitally sign your files and attach an authentic stamp to your software. Its features, such as reproducible build and pre/post hash validation, will help you verify that your code in the repository has not been modified by an unknown user. CodeSign Secure seamlessly integrates with many CI/CD pipelines such as Azure DevOps, Jenkins, GitLab, TeamCity, Bamboo, and many more to automate the process of code signing, which is very useful when working on large projects with multiple developers.

CodeSign Secure also provides features like vulnerability scanning, including static code analysis (SAST) and dependency scanning (SCA), which reports all the anomalies in your codebase, scans all the dependencies used, and only allows you to sign your files when no vulnerabilities exist. These scans are preventive measures that ensure the developer that safe code is being pushed to a code repository. CodeSign Secure will enhance your organization’s software security, build trust with your users, and help you become compliant with industry practices and regulations. 

Conclusion 

Despite many security incidents with code repositories, it is still considered the best-working and industry-preferred method. Code repos are vulnerable to cyber-attacks only when the developers don’t pay attention to what is being uploaded and stored in these repositories. These attackers can only take advantage when you allow them to do so. If you follow the best security measures, perform routine code scanning, and only deploy safe, signed code, you can easily avoid thefts on your source code repo.