Should I use GitHub's new private repositories?
Is GitHub's new private repositories service robust enough to serve the needs of enterprises? Nick Lewis examines what works -- and what doesn't.
Microsoft recently announced that GitHub will now offer unlimited private code repositories for free. Will more private repositories help improve security for enterprises and limit things like accidental credential exposures on GitHub?
Nothing on the internet, or really anywhere in life, is free. There's always a cost somewhere or some sort of limitation.
Some supposedly free services are actually paid for via advertising or by selling user data, which can have a significant impact on privacy. Some software may be open source and free, but there could be an implementation cost. Other companies offer software and services free of charge to prospective customers, but, in many cases, these versions are limited in functionality.
After acquiring GitHub in 2018, Microsoft recently launched a new GitHub Free service that includes unlimited private code repositories and other features, as well as free public usage of the site. But it includes some restrictions, too.
Although these new capabilities are offered free of charge, GitHub Free repositories are limited to three developers. Despite this constraint, the new offering might be attractive enough to induce a small team or an individual to consider using GitHub Free.
For some companies, the private repositories service represents a significant improvement, enabling them to test out the functionality without having to use public repositories. For others, however, this restriction might be significant enough to keep them from using the service.
Private repositories are intriguing because they offer security protections that public repositories don't, such as ensuring that sensitive data like passwords, SSH keys, API keys and other information isn't accidentally exposed. This sensitive information is best stored in a private repository with a publishing process in place to make the appropriate data public as needed.
Given the limitations of GitHub Free, it's unlikely most enterprises will be able to take advantage of the private repositories service. While it may be possible to share GitHub accounts to overcome the three-developer restriction, this tactic could lead to many different problems and, more importantly, it could violate good security practices.