Uncategorized
GitHub Actions & Security: Best practices 
Rob Bos 06 Feb, 2021
Share 
Supply chain security describes the need to protect your company from hackers trying to compromise software as early as the production stage.
Until recently, software being compromised during production did not pose a risk of note — hackers were still focused on other ways to break into systems. Now they’re becoming more imaginative and finding new ways to attack.
Imagine you’re building a website in WordPress. You start selecting plug-ins, assuming they are safe to use. But what if they aren’t? Software is in a constant state of decay — I refer to this as . So, if the last time the developer checked on the software was a year ago, it’ll most likely be unusable now. You have to perform updates every day,” says Marcel de Vries, CEO of Xpirit. “Do you remember when we used to say, ‘if it ain’t broken, don’t fix it?’ Well, you can’t get away with that anymore.
Supply Chain Security in Practice
The reason why supply chain security is on the rise is twofold: we’re all becoming increasingly dependent on software, and at the same time, hackers are becoming more creative (and skilled). As we improve our security, they look for new ways to penetrate.
For example, let’s say you’re about to build a website or an application and start by selecting a package of software components that includes 1500 dependencies. A quick scan will reveal that this set of features will expose you to 23 vulnerabilities. If this is something you’re not aware of and you don’t take the right action, that number will easily double in a week.
So, this is a message to all software developers: 2023 is the year to change your modus operandi! Instead of thinking that it’s okay to update once a year, you should put a constant improvement loop in place. And if you ask us, DevOps is the perfect first step in that direction.
Microsoft Dev Box and GitHub
Hackers will continue to look for new ways in. If it’s not the application itself, it’s the development environment. We’ve seen companies respond to that by restricting developers’ permissions — often resulting in them being unable to do their job. So, as a last resort, they’ll start to work from personal laptops, which is even riskier.
So, why not try Microsoft Dev Box or GitHub CodeSpaces? In short, these brand-new developer workstations in Azure and GitHub will make the life of your developers a lot easier and their products a lot safer. Another possibility to boost your software security is by scanning software for vulnerabilities in GitHub Actions or Azure DevOps pipelines.
What Could Happen if You Ignore This Advice?
If you think your website being down is the worst thing that can happen to your business, think again! If we sit back now, bad things will happen. It’s just a matter of time, especially now that most of the items we use are connected to the internet. Just imagine your car’s software being hacked! Security is no longer a benefit or a USP, it’s a hygiene factor. If you don’t have all your ducks in a row here, that’s a serious dissatisfier.
In a nutshell, we advise every software developer to check their software, map known vulnerabilities, and automate updating and testing wherever they can.
For all end users who want to get an idea of their level of exposure, ask yourself these two questions: How was your software created? And to what extent is it subject to internet connectivity? If you or your business didn’t develop the application, and it’s connected to the internet, we recommend you (at least) perform frequent security checks.
