
GitHub will require all code contributors to use two-factor authentication

GitHub, a code-hosting site used by tens of millions of software developers worldwide, announced today that all users who contribute code on the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to keep using the site.

The new policy was announced on Wednesday in a blog post by GitHub’s chief security officer (CSO) Mike Hanley, who highlighted the role of the Microsoft-owned platform in maintaining the integrity of the software development process against the risk created by malicious actors taking over developer accounts.

“The software supply chain starts with the developer,” Hanley wrote. “Developers’ accounts are a constant target for social engineering and account acquisition, and protecting developers from these types of attacks is the first and most important step in the supply chain.”

While multi-factor authentication provides additional protection for online accounts, GitHub’s in-house research shows that only about 16.5 percent of active users (about one in six) have currently enabled this enhanced security measure on their accounts, a surprisingly low number given that the site’s users, of all people, should be aware of the risks of password-only protection.

By steering these users toward a baseline level of account protection, GitHub hopes to improve the security of the software development community as a whole, Hanley told Qarka.

“GitHub is in a unique position here, just because of the many open source and creative communities that live on GitHub.com, that we can have a positive impact on the security of the environment as a whole by improving the security of our hygiene vision,” Hanley said. “We feel it is really one of the best benefits of the whole ecosystem we can offer, and we are committed to making sure we work on any of the challenges to ensure there is a successful adoption.”

GitHub has already piloted mandatory 2FA with a small portion of platform users, testing it with maintainers of popular JavaScript libraries distributed through the NPM package registry. Since widely used NPM packages can be downloaded millions of times a week, they make a very attractive target for criminal groups. In some cases, attackers have compromised NPM maintainer accounts and published package updates that install credential stealers and cryptocurrency miners.

In response, GitHub made two-factor authentication mandatory for maintainers of the 100 most popular NPM packages starting in February 2022. The company plans to extend the same requirement to maintainers of the top 500 packages by the end of May.

The insights from this smaller rollout will be used to smooth the 2FA process across the whole site, Hanley said. “I think we have a great advantage in the fact that we have done this now with NPM,” he said. “We have learned a lot from that experience, given the feedback we have received from the developers and the creative communities we have spoken to, and we have had a very active conversation about what good [practice] looks like to them.”

In practice, this means setting a long lead time before 2FA is enforced site-wide, and designing more prompts and incentives to nudge users toward adopting it well before the deadline at the start of 2024, says Hanley.

Securing open source software remains a major concern for the software industry, especially after last year’s Log4j vulnerability. But while GitHub’s new policy will reduce some of the threats, systemic challenges remain: many open source projects are still maintained by unpaid volunteers, and closing that funding gap is widely seen as a larger problem for the technology industry as a whole.