Security Posture Management for GitHub: spotting and fixing risks in your GitHub organization just got a lot easier

Wiz SPM for version control systems helps you find and fix risks in your GitHub instance.


A few months ago, Wiz introduced Wiz Code, a leap forward in enabling developers and security teams to shift security left — enabling positive security outcomes from the first lines of code through to production and bolstering cloud detection and response. That was just the beginning.

Today, Wiz is extending its approach to secure the very components that make up the software development lifecycle (SDLC) — and we're starting with the version control system (VCS). Customers can enhance the security of their development environments and reduce their attack surface by identifying and mitigating risks from misconfigured GitHub organizations, repositories, or branches.

As part of this release, customers can also proactively measure their posture against the Source Code Management Best Practices Guide by the Open Source Security Foundation (OpenSSF). Wiz's security for VCS goes beyond traditional compliance assessment: it evaluates multiple risk factors (misconfigurations, identity, and secrets) together with cloud context to prioritize the most critical attack paths affecting your VCS and the cloud environment where your code is deployed.

From backdoors to data leaks: why version control system security matters  

A version control system is like a second home to developers. It’s where distributed engineering teams contribute to code, perform reviews, automate testing, deploy workflows, and more.  

Traditionally, the security team's focus has been on the code itself, which means security risks arising from misconfigurations in the VCS are easily overlooked. Attackers, however, are increasingly shifting their attention to developers (often overprivileged users inside an organization) and the tools they use.

For example, a compromised developer account on GitHub creates opportunities for an attacker, such as exfiltrating source code. Attackers can then use that code to steal intellectual property or to identify security flaws that help them plan subsequent steps of the attack. Furthermore, attackers who find hardcoded secrets in the repositories that account can read can use those secrets to move from the VCS into cloud accounts.

In the absence of branch protection rules on the default branch, or if a repository is configured to allow GitHub Actions workflows to create and approve Pull Requests (PRs), attackers can also inject malicious code, driving a supply chain attack that may reach all downstream users of an application. Note that an approval granted by a workflow counts toward a required-reviewer rule, so a branch that requires only one approval can be merged to without any human review when that setting is enabled.

Given the crucial and sensitive role of the VCS in modern software development, the impact of a compromise is severe in almost every scenario. Recent high-profile attacks have further highlighted the need for secure posture management for source code systems.

Security posture management for GitHub  

Wiz takes a comprehensive approach to securing your GitHub instance by combining multiple risk factors — such as public exposure, lateral movement, and cloud context — to prioritize the most critical attack paths affecting your GitHub instances. It also takes account of who made changes and when, which team owns the project, and the cloud environment where the code is deployed.

For example, when Wiz identifies secrets in your repositories, it determines whether the repository is publicly exposed and what impact the leaking of that secret could have on your cloud environment. Then Wiz illustrates the potential attack path created by the leaked secret. 
 
An example of this is shown below, where Wiz provides a visualization of a public version control system repository with cleartext cloud keys granting high privileges. 

Additionally, customers can gauge their alignment with the OpenSSF’s Source Code Management Best Practices. These guidelines are designed to enhance the security and integrity of software development processes; they provide a framework for managing source code, ensuring secure coding practices, and safeguarding against potential misconfigurations. The framework covers various aspects of software development, including source code management posture, access controls, and audit trails. Wiz checks the individual settings of your GitHub organizations, repositories, and branches against 30+ configuration rules to help you assess and improve your development environment’s security posture.
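The kind of per-repository posture check described above (branch protection, workflow approval rights, and cleartext cloud keys weighted by public exposure, as discussed in the earlier sections on supply chain risk and leaked secrets), written out as an added example. This is not Wiz's or GitHub's code; it evaluates dictionaries shaped like GitHub REST API responses (the repository object, the branch protection object, and the `/actions/permissions/workflow` object). The field names are an assumption to verify against the GitHub docs, and all sample data is constructed.

```python
"""Posture checks for a GitHub repository: branch protection, workflow
permissions, and cleartext AWS keys, prioritized by repository visibility.

Added example, not Wiz's or GitHub's code. Input dictionaries mimic GitHub
REST API response shapes (assumed field names); sample data is constructed.
"""
import re

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase
# alphanumerics. Real scanners use many more patterns; this is one of them.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def check_branch_protection(protection):
    """Findings for a branch protection object; None means no rules at all."""
    if not protection:
        return ["default branch has no protection rules"]
    findings = []
    # GitHub omits this key when reviews are not required, hence the default.
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("pull requests can be merged without an approving review")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("approvals survive new commits (stale reviews not dismissed)")
    if not reviews.get("require_code_owner_reviews", False):
        findings.append("code owner review not required")
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("administrators can bypass branch protection")
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes allowed on the default branch")
    if not (protection.get("required_signatures") or {}).get("enabled", False):
        findings.append("signed commits not required")
    return findings


def check_workflow_permissions(perms):
    """Findings for the repository's GitHub Actions workflow permissions."""
    findings = []
    if perms.get("default_workflow_permissions") == "write":
        findings.append("GITHUB_TOKEN defaults to write permissions")
    if perms.get("can_approve_pull_request_reviews", False):
        findings.append("workflows may create and approve pull requests")
    return findings


def find_cloud_keys(files):
    """files: {path: content}. Returns [(path, key_id), ...] for AWS key IDs."""
    return [(path, m.group(0))
            for path, content in files.items()
            for m in AWS_ACCESS_KEY_RE.finditer(content)]


def assess_repository(repo, protection, perms, files):
    """Combine the checks into (severity, message) findings for one repository."""
    findings = [("high", f) for f in check_branch_protection(protection)]
    findings += [("medium", f) for f in check_workflow_permissions(perms)]
    # Attack path: a workflow approval satisfies a one-approval rule by itself,
    # so anyone who can get a workflow to run can self-approve and merge.
    reviews = (protection or {}).get("required_pull_request_reviews") or {}
    if (perms.get("can_approve_pull_request_reviews", False)
            and reviews.get("required_approving_review_count", 0) <= 1):
        findings.append(("critical",
                         "a workflow approval alone satisfies the review requirement"))
    # A leaked key in a public repository is reachable by anyone; private is
    # still bad (any collaborator or compromised account), but less exposed.
    public = not repo.get("private", True)
    for path, key in find_cloud_keys(files):
        findings.append(("critical" if public else "high",
                         f"AWS access key {key[:8]}... committed in {path} "
                         f"({'public' if public else 'private'} repository)"))
    return findings


# Constructed sample data: a public repo with partial protection, permissive
# workflow settings, and AWS's documented example key in a config file.
SAMPLE_REPO = {"full_name": "example-org/payments-api", "private": False}
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
    "required_signatures": {"enabled": True},
}
SAMPLE_WORKFLOW_PERMS = {
    "default_workflow_permissions": "write",
    "can_approve_pull_request_reviews": True,
}
SAMPLE_FILES = {
    "README.md": "Run `make test` before opening a PR.",
    "deploy/config.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=eu-west-1\n",
}

if __name__ == "__main__":
    for severity, message in assess_repository(
            SAMPLE_REPO, SAMPLE_PROTECTION, SAMPLE_WORKFLOW_PERMS, SAMPLE_FILES):
        print(f"[{severity.upper():8}] {message}")
```

The severity logic is the point: the individual settings are each only medium or high, but the combination of "workflows may approve PRs" with "one approval required" is a complete, unattended merge path, and the same committed key is rated differently depending on whether the repository is public. Feeding real data means calling the three GitHub endpoints with a token scoped to read repository administration settings.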

Next steps

Securing the software development lifecycle (SDLC) is a multifaceted effort, and Wiz is just getting started. Wiz is extending its posture management capabilities beyond cloud apps to the infrastructure used to build cloud apps. Wiz is planning to expand coverage to other VCS platforms to ensure ongoing support for developer tools. 

These new capabilities will help Developers, DevOps, and Security teams detect and reduce the risk of misconfigured GitHub instances and remain compliant. To get started, understand how this feature works, and much more, read the latest Wiz docs and release notes. Questions? We’d love to hear from you. Reach out, and our team will be glad to assist.
