GitHub, the code hosting platform used by tens of millions of developers around the world, announced today that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform.
The new policy was announced on Wednesday in a blog post by GitHub chief security officer (CSO) Mike Hanley, who highlighted the role of the Microsoft-owned platform in protecting the integrity of the software process from threats posed by malicious actors taking over developers’ accounts.
“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are common targets for social engineering and account takeover, and protecting programmers from these types of attacks is the first and most critical step in securing the supply chain.”
Although multi-factor authentication provides important additional protection for online accounts, GitHub’s internal research shows that only about 16.5 percent of active users (about one in six) currently enable the enhanced security measure on their accounts – a surprisingly low figure, since the platform’s user base should be aware of the risks of password-only protection.
By directing these users to a higher minimum standard of account protection, GitHub hopes to strengthen the overall security of the software community as a whole, Hanley told The Verge.
“GitHub is in a unique position here, just because of the vast majority of open source and creative communities living on GitHub.com, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective,” said Hanley. “We feel it is truly one of the best ecosystem-wide benefits we can provide, and we are committed to ensuring that we address some of the challenges or obstacles to ensuring that adoption is successful.”
GitHub has already set a precedent for mandatory 2FA with a smaller subset of platform users, testing it with contributors to popular JavaScript libraries distributed through the NPM package manager. Because widely used NPM packages can be downloaded millions of times a week, they make a very attractive target for malware gangs. In some cases, hackers have compromised NPM contributors’ accounts and used them to release software updates that installed password stealers and crypto miners.
In response, GitHub has required two-factor authentication for the maintainers of the 100 most popular NPM packages since February 2022. The company plans to extend the same requirement to contributors to the top 500 packages by the end of May.
Insights from this smaller rollout will be used to smooth out the 2FA rollout across the whole platform, Hanley said. “I think we have a big advantage from the fact that we’ve already done that now at NPM,” he said. “We learned a lot from that experience, based on feedback we received from developers and creators we talked to, and we had a very active dialogue about what good [practice] looks like to them.”
Overall, this means setting a long lead time before 2FA becomes mandatory across the site, and designing a range of prompts to nudge users toward adoption well before the 2024 deadline, Hanley said.
Securing open source software continues to be an urgent concern for the software industry, especially after last year’s Log4j vulnerability. But while GitHub’s new policy will mitigate some threats, challenges remain: many open source projects are still maintained by unpaid volunteers, and closing that funding gap is widely seen as a major problem for the technology industry as a whole.