0

This is about pure-and-simple Git; NOT the security concerns of using third party services like Github or Gitlab.

While working on a closed source security project, during a meeting, one of the senior developers on a sister team implied that Git makes code less secure, especially with security-related products. This was pretty shocking for me to hear, and quite frankly, I don't believe it. (And yet this strange viewpoint from the senior developer was not met by clear and immediate incredulity by others present.) This senior developer did not comment further, and does not work in the same location as me; and is generally pretty unreachable. (I also don't want him to think I'm trying to discredit him, but rather seek to understand.)

And so I now question my understanding of the security of Git, however baseless it may be.

Is there one or more valid security concern(s), however obscure, about using Git?

schroeder
  • 129,372
  • 55
  • 299
  • 340
NonCreature0714
  • 117
  • 3
  • 4
    Git by itself does not make the code less secure. And the statement does not compare it to anything else, i.e. it is unclear if it was meant to be less secure compared to no source control at all or to a specific other source control. Ask for explanations. I propose to close the question as too broad since there is not really a usable statement to actually discuss here. – Steffen Ullrich May 29 '18 at 05:35
  • 1
    Thanks for clarifying, but it is now on the broad side of the equation. There are all kinds of security concerns with using git, and some of those concerns are shared by any version management system (storing passwords, keys, exposing your development process, highlighting where bugs are, etc.) or by open source, in general. – schroeder May 29 '18 at 15:21
  • 1
    "highlighting where bugs are" People reverse-engineer security fixes all the time in order to develop exploits, so that's by no means unique to having the source code available. – user May 29 '18 at 15:28

3 Answers3

5

Aside from the fact that git is a program, and any program can have bugs, the only issue I can think of is the fact that git uses SHA-1, which has been recently shown to be vulnerable to a collision attack, which has some impact on git. The transition away from SHA-1 to a more secure and modern algorithm is being discussed. However, collision attacks against SHA-1 are still incredibly difficult to achieve. Furthermore, existing collisions can be detected, as GitHub currently does.

Overall, I would say that the senior developer either does not know what he is talking about, or is of the opinion that git makes programmers "lazy" (a somewhat common but misled opinion). Or it's possible that he is under the incorrect impression that SHA-1 is vulnerable to preimage attacks.

Glorfindel
  • 2,265
  • 6
  • 20
  • 30
forest
  • 66,706
  • 20
  • 212
  • 270
  • 2
    Maybe the dev was arguing that (public) version control makes security patches more obvious. Some open source projects have difficulties hiding the fact that a particular commit is an important security fix until they officially release a patched version. – Arminius May 29 '18 at 06:20
  • 1
    @Arminius That's also certainly possible, though you can just not publish the revision history and still keep it open source. OP should really ask this guy for clarification. – forest May 29 '18 at 06:21
3

The only thing I can think of that can back up this statement is: boneheaded mistakes are more costly with git. For example, if someone commits a password or a private key to a git repository, the only way to remove these commits is by editing git history. Since git history is fully replicated with every clone, this means anyone who'd already cloned the repository previously would notice that the commit history has been edited the next time they do "git pull" -- and the curious ones can then easily figure out what was being removed.

This is not a very strong argument in any case, because such leaked credentials would need to be revoked immediately anyway.

mricon
  • 6,508
  • 25
  • 27
  • Worse still when those developers pull git will attempt to merge the edited history with the unedited history. This can easilly lead to a horrible mess. – Peter Green May 29 '18 at 15:23
0

This is all purely opinion but I would argue that git has an overall net security benefit. While in one sense it does add another threat vector and means for bad guys to access the code, it's far greater than the alternative (excluding competitors such as SVN which are likely to have their own security issues). Imagine the nightmare, both security and workflow, of trying to manage source code manually. Not to mention the added benefit of being able to track all changes within the code, and track down bugs.

I would be interested to hear his alternative.

Mik Lik
  • 31
  • 4