Teri Radichel


Set up a GitHub Organization or Enterprise

ACM.477 Add additional security to your account with an upgraded GitHub account

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Application Security | Secure Code | Github Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In my last post in this series I was trying to remember where I left off after dealing with a whole myriad of issues.

One of the things I did as a result of potential system compromise was to completely reset one of my laptops. That led to wanting to deploy my startup script on it which led me to the fact that I really want to get that script into GitHub.

And so I’m back logging into the new GitHub account I set up and I need to configure some things on that as well to increase security. I also had some clients asking me about this recently so as always, I write about whatever I happen to be working on at the moment.

One of the first things you should do if you’re setting up a new GitHub repository that you don’t want to lose control of or that has sensitive data in it is to set up an organization and probably an Enterprise within GitHub. But how do you do that?

To understand what you get when you create an organization go through the steps to set one up and you’ll see the different features available to you.

Click the icon at the top right of the screen once you are logged in.

Click on your organizations.

Choose to turn your account into an organization.

You will see various warnings:

Note here that you can somehow keep your user account and create a separate organization account which is something I’ve got on my other account. But for this account, I’m going to turn the account itself into an organization. We’ll see how that works out.

With my other account, I can log into my personal account and then switch to my organization, which at times can be confusing. In this case, I’ll have an organization account and add users to it instead.

Fill out the information on the next screen and click Create organization.

If I create a business account, then I have to select the owner and I can choose my personal account as shown.

Well, I set up this account I’m turning into an organization with a different email address. What if I don’t want to associate my existing personal account with this organization?

Back up to the prior screen. Click on New organization instead.

With this option you keep your personal user account and then separately you have an organization account for which you are the owner.

This is all a bit convoluted to me but that’s how it works.

On the next screen you’ll see the options for creating an organization, features, and costs.

Scroll down to compare features:

There are a whole bunch of features here that are not applicable to my use case. I don’t use actions for reasons explained in other posts. I mainly care about security features. Scroll down for those.

One of the main things I care about is the IP Allow List since, if I don’t run my own GitHub server, I have no way to control the IP addresses that can access my account. That option is only available with the Enterprise version:

I also might explore Okta integration and I was using SAML, which is only available with the Enterprise version.

Repository rules is an interesting feature I might write about more later which also requires the Enterprise version.

The top three features are very useful but they include something called Advanced Security. Classic Microsoft — everything must have a complicated license structure and add-ons. What is Advanced Security?

Here are the add-ons you can pay for on top of the above features, with Advanced Security coming in at $49 per month per user — ouch.

What are all those other options?

Copilot is supposed to help you write code but the chat features and so on don’t appeal to me. I’ve never had luck with code generators and I doubt they apply to a lot of the things I’m doing right now, but it may be helpful for newer developers using specific languages.

Codespaces is essentially a container in which you can write your code per my understanding and a place to store your code. I don’t need that since I host everything on AWS and find this option more expensive than the way I operate. Ironically the name of this service is the name of a company that I like to say got deleted in the cloud. They were hosting everything on AWS and someone got ahold of their administrative credentials and all their customers lost their work that was stored in that system. I personally wouldn’t have selected that name. 😆

Large File Storage sounds pretty self-explanatory.

GitHub Advanced Security looks pretty cool. Of all the add-ons this is the one that appeals to me the most. This service claims to remediate vulnerabilities 7x faster than without it. 2.4x more precise. How do you even measure these things? I don’t know. It’s supposed to help keep vulnerabilities out of your code.

Now, I suppose you’re wondering if it really works. Well, I’m going to give this one a try and see if it is useful. Mind you, the vulnerabilities will be specific to the languages and software programs I use, so you should really test it in your own environment. But I’ll sign up at least for a bit, test it out, and report back on this blog if it proves to be useful.

Just a reminder I don’t get paid by any company explicitly to write good things about their products. Even if a company does provide me some kind of compensation, that doesn’t mean I write glowing fake reviews. I don’t — even when I am paid. I write about things that I actually want to use in my own work as a security researcher, developer, and penetration tester and I write about them here on my blog just because I happen to be using them.

Back to the comparison page, I click on Start Enterprise trial.

Fill out the form to sign up:

This screen is interesting because it’s asking me to create an organization or sign up without an organization:

So what I just did was create an enterprise without an organization and I could add an organization to it.

As I mentioned in a prior post, you should be aware that the organization and the Enterprise can have different settings. Something enforced at the organization level may not be enforced at the enterprise level, such as IP address restrictions.

To try out GitHub Advanced Security, click on:

Settings > Enterprise licensing > GitHub Advanced Security > Start free trial

Now, in order to use this feature I need an organization.

Click on Organizations on the left and Add Organization.

Click Create an Organization.

Once again we have to invite an owner:

Because I did not convert my personal account to an organization, now I can select that user as an owner of my new organization, right? Nope.

That’s because my user is automatically an owner of the organization by default.

I don’t invite anyone else and click Finish. (Though you really should have more than one owner of any critical account!)

Next I click the icon at the bottom to peruse security features. There are a lot of interesting features here we can take a look at to see how they can help our organization.

At the very bottom there’s a link to the rulesets feature which any organization should probably take a look at to add governance to their GitHub repositories.

A ruleset is a named list of rules that applies to a repository, or to multiple repositories in an organization. You can create rulesets to control how people can interact with selected branches and tags in a repository. You can control things like who can push commits to a certain branch and how the commits must be formatted, or who can delete or rename a tag. For example, you could set up a ruleset for your repository’s feature branch that requires signed commits and blocks force pushes for all users except repository administrators.
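As an added example (not code from the post or from GitHub), here is how the ruleset described above can be expressed as the JSON payload GitHub’s REST API accepts for organization rulesets, plus an offline audit that walks a list of exported rulesets and reports whether a given branch is actually protected. The rule type names `required_signatures` and `non_fast_forward`, the `~ALL` / `~DEFAULT_BRANCH` condition keywords, and the `RepositoryRole` actor id 5 for repository administrators are my assumptions about the API and should be checked against the current GitHub documentation; the sample rulesets are constructed for the example.

```python
"""Build and audit GitHub repository rulesets offline (added example).

Assumptions (verify against GitHub's docs): payload shape of
POST /orgs/{org}/rulesets, rule types "required_signatures" and
"non_fast_forward", and RepositoryRole id 5 meaning "admin".
"""
from __future__ import annotations

import fnmatch
import json
from typing import Any

ADMIN_ROLE_ID = 5  # assumption: GitHub's RepositoryRole id for "admin"
REQUIRED_RULES = {"required_signatures", "non_fast_forward"}


def feature_branch_ruleset(branch: str = "feature") -> dict[str, Any]:
    """The case from the post: signed commits required and force pushes
    blocked on one branch, with repository admins allowed to bypass."""
    return {
        "name": f"protect-{branch}",
        "target": "branch",
        "enforcement": "active",
        "bypass_actors": [
            {"actor_id": ADMIN_ROLE_ID, "actor_type": "RepositoryRole", "bypass_mode": "always"}
        ],
        "conditions": {
            "ref_name": {"include": [f"refs/heads/{branch}"], "exclude": []},
            "repository_name": {"include": ["~ALL"], "exclude": []},
        },
        "rules": [{"type": "required_signatures"}, {"type": "non_fast_forward"}],
    }


def _ref_matches(ref: str, cond: dict[str, Any], default_branch: str) -> bool:
    """Approximate GitHub's ref matching: keywords plus fnmatch globs."""
    def match(pattern: str) -> bool:
        if pattern == "~ALL":
            return True
        if pattern == "~DEFAULT_BRANCH":
            return ref == f"refs/heads/{default_branch}"
        return fnmatch.fnmatchcase(ref, pattern)

    if any(match(p) for p in cond.get("exclude", [])):
        return False
    return any(match(p) for p in cond.get("include", []))


def audit_ref(rulesets: list[dict[str, Any]], ref: str, default_branch: str = "main") -> dict[str, Any]:
    """Report which required rules actively cover `ref` and whether any
    covering ruleset lets a non-admin actor bypass it."""
    active: set[str] = set()
    non_admin_bypass: list[tuple[str, str, int]] = []
    for rs in rulesets:
        # "evaluate" mode only logs; it protects nothing, so it does not count.
        if rs.get("target") != "branch" or rs.get("enforcement") != "active":
            continue
        if not _ref_matches(ref, rs.get("conditions", {}).get("ref_name", {}), default_branch):
            continue
        for rule in rs.get("rules", []):
            if rule.get("type") in REQUIRED_RULES:
                active.add(rule["type"])
        for actor in rs.get("bypass_actors", []):
            is_admin_role = actor.get("actor_type") == "RepositoryRole" and actor.get("actor_id") == ADMIN_ROLE_ID
            if not is_admin_role:
                non_admin_bypass.append((rs["name"], actor.get("actor_type"), actor.get("actor_id")))
    missing = sorted(REQUIRED_RULES - active)
    return {
        "ref": ref,
        "missing": missing,
        "non_admin_bypass": non_admin_bypass,
        "compliant": not missing and not non_admin_bypass,
    }


# Constructed sample of what an organization's ruleset export might look like.
SAMPLE_RULESETS: list[dict[str, Any]] = [
    feature_branch_ruleset("feature"),
    {  # still in dry-run mode, so main is not really protected yet
        "name": "protect-main", "target": "branch", "enforcement": "evaluate",
        "bypass_actors": [],
        "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
        "rules": [{"type": "required_signatures"}, {"type": "non_fast_forward"}],
    },
    {  # active, but a whole team can bypass it
        "name": "protect-release", "target": "branch", "enforcement": "active",
        "bypass_actors": [{"actor_id": 1234, "actor_type": "Team", "bypass_mode": "always"}],
        "conditions": {"ref_name": {"include": ["refs/heads/release/**"], "exclude": []}},
        "rules": [{"type": "required_signatures"}, {"type": "non_fast_forward"}],
    },
]


if __name__ == "__main__":
    print(json.dumps(feature_branch_ruleset(), indent=2))
    for ref in ("refs/heads/feature", "refs/heads/main", "refs/heads/release/1.0"):
        print(audit_ref(SAMPLE_RULESETS, ref))
```

Writing the payload to a file and submitting it with `gh api --method POST /orgs/ORG/rulesets --input ruleset.json` is the assumed way to create it from the command line; for the audit, the rulesets would come from the API export (the list endpoint returns summaries, so each ruleset has to be fetched individually to get its rules). The two failure modes the sample shows are the ones worth checking in practice: a ruleset left in evaluate mode, and a bypass actor broader than the admin role.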

You can check out the available rules for rulesets here:

Successful management of a GitHub repository is really a full time job in a large organization, along with the related DevOps tools you can use to ensure your deployments are secure and compliant with internal and external rules your organization wishes to or must follow.

The security features are some of the reasons I would still use GitHub, even though I like the ability to enforce MFA on commit and keep repositories on private networks better when using AWS CodeCommit.

I personally choose not to use GitHub Actions with the cloud version of GitHub due to the risks of external access.

Note that now I have a personal account (2nd Sight Lab Research) and if I want to get to my organization account I have to click on my user icon and choose Your organizations from the menu. For some reason this totally confused me at first.

All the repositories I started to create are in my personal account associated with my email. Separately, you can create organization repositories which belong to the organization.

The rules you create for your organization do not apply to personal repositories.

You can read about different types of GitHub accounts here:

Now that I have a GitHub organization and enterprise GitHub setup, I can add IP restrictions to who can see and commit to private repositories. I can try out the enterprise and security features and will report back on how those work out, presuming I have time to use them!

You can find the related GitHub posts I mentioned above here:

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab