GitHub requires all code contributors to use two-factor authentication

GitHub, the code hosting platform used by tens of millions of software developers around the world, announced today that all users who upload code to the site must enable one or more forms of two-factor authentication (2FA) by the end of 2023 to continue using the platform.

The new policy was announced Wednesday in a blog post by Mike Hanley, Chief Security Officer (CSO) of GitHub, highlighting the role of the Microsoft-owned platform in protecting the integrity of the software development process against threats posed by malicious actors who take over developers' accounts.

“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”

While multi-factor authentication provides significant additional protection for online accounts, internal GitHub research shows that only about 16.5 percent of active users (about one in six) have currently enabled the enhanced security measures for their accounts, a surprisingly low figure given that the platform's user base should be aware of the risks of relying on a password alone.

By driving these users to a higher minimum standard of account protection, GitHub hopes to increase the overall security of the software development community as a whole, Hanley told The Verge.

“GitHub is in a unique position here, thanks to the vast majority of open source and creator communities living on GitHub.com alone, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a hygiene perspective,” said Hanley. “We feel it is truly one of the best ecosystem-wide benefits we can provide, and we are committed to ensuring that we overcome any challenges or obstacles to ensure a successful adoption.”

GitHub has already set a precedent for mandatory use of 2FA with a smaller subset of platform users, after trialling it with contributors to popular JavaScript libraries distributed through the package management software NPM. Because commonly used NPM packages can be downloaded millions of times a week, they are a very attractive target for malware gangs. In some cases, hackers have compromised NPM contributor accounts and used them to publish software updates that installed password stealers and cryptominers.

In response, GitHub has mandated two-factor authentication for administrators of the top 100 NPM packages starting February 2022. The company plans to extend the same requirements to contributors to the top 500 packages by the end of May.

Insights from this smaller trial will be used to facilitate the process of rolling out 2FA across the platform, Hanley said. “I think we have a great advantage of having already done this on NPM now,” he said. “We learned a lot from that experience, in terms of feedback we’ve gotten from developers and creator communities we’ve talked to, and we had a very active dialogue about what good [practice] looks like with them.”

In general, this means setting a long lead time before making the use of 2FA mandatory site-wide, and designing a series of onboarding flows to encourage users to adopt it well before the 2024 deadline, Hanley said.

Securing open source software is still a pressing concern for the software industry, especially after last year’s log4j vulnerability. But while GitHub’s new policies will mitigate some threats, systemic challenges remain: many open source software projects are still maintained by unpaid volunteers, and closing the funding gap is seen as a major problem for the tech industry as a whole.
