Setting up Github to Make SOC 2 & ISO 27001 Suck Less

September 24, 2021
If you're a developer, or just a sane person, audits suck. We integrated Control and Github to make them better.

Unfortunately for devops teams everywhere, auditors are starting to catch on to how applications are built and deployed rapidly in the cloud. If you're like me, you can remember the first time you fully grasped how overwhelming an audit was about to be. I was handed a 250-row spreadsheet of controls and asked by our compliance team, "do we do these things and could you send screenshots for them?" To make things worse, our legal team preemptively hired a consultant to provide pointless commentary every step of the way. This event drove us to create Control. We want to automate the auditors out of the way, so you can get back to the cool stuff.

Seven Github Practices to Pass an Audit

Below you'll find the seven Github security practices that matter to auditors. Before you implement them, you should integrate your GitHub account with Control because we monitor these settings and pull the evidence for you.

1. Turn on Dependabot and Send Alerts Somewhere

Dependabot is a recent addition to GitHub. Long story short, it's a free scanner that looks for known vulnerabilities in the dependencies your app relies on. Is it good? Debatable. Is it better than nothing? Yes. More importantly, does it pass an audit? Yes. As you grow as a company, you'll definitely want to consider integrating a more robust security scanner into your CI/CD. A couple of good options are WhiteSource, Snyk, and SonarCloud (I'll throw in Kiuwan to be a security hipster). They'll do a better job, but definitely check the box by turning on Dependabot to get started.

2. Set Up Different Access Levels for Your Repos

Go through your members list and make sure your permission levels are right. You usually want just one or two admins, your biggest-brained developers as maintainers, your lesser-brained devs as write, product guys as triage, and customer support with read only. The goal here is logic-based access. Ask yourself, do you trust this person with the level of access they have? If not, downgrade it.

3. Turn on Protected Branches

Protected branches make pushing code slightly more painful, but vastly more secure and stable. Protected branches are not only good for security, but for uptime. These are the things you should do with them:

  • Require Status Checks to Pass Before Merging
  • Require Pull Request Reviews before Merging
  • Require Review from Code Owners
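Control pulls this evidence for you, but here is what such a check looks like in practice. The following is an added example (not VGS Control's code and not GitHub's) that reviews the two things just discussed: the collaborator list from practice 2, and the branch protection settings from practice 3. It assumes the JSON shapes returned by the GitHub REST API for a repository's collaborators and for a branch's protection (field names such as `role_name`, `required_status_checks`, `required_pull_request_reviews` and `enforce_admins`); the sample data is constructed. It goes one step beyond the list above by also checking that the rules apply to administrators, which is a separate toggle on the same settings page.

```python
"""Review collaborator permissions and branch protection against the
practices above. Added example; API field names are assumptions and
the sample data below is constructed, not pulled from a real repo."""

from typing import Dict, List, Tuple

# Constructed sample in the shape of GET /repos/{owner}/{repo}/collaborators
SAMPLE_COLLABORATORS: List[Dict] = [
    {"login": "alice", "role_name": "admin"},
    {"login": "bob", "role_name": "admin"},
    {"login": "carol", "role_name": "admin"},
    {"login": "dave", "role_name": "maintain"},
    {"login": "erin", "role_name": "write"},
    {"login": "frank", "role_name": "triage"},
    {"login": "support-bot", "role_name": "read"},
]

# Constructed sample in the shape of GET /repos/{owner}/{repo}/branches/main/protection
SAMPLE_PROTECTION: Dict = {
    "required_status_checks": {"strict": True, "contexts": ["ci/unit", "ci/integration"]},
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "require_code_owner_reviews": False,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": False},
}

MAX_ADMINS = 2  # the post's "one or two admins" guideline


def review_permissions(collaborators: List[Dict], max_admins: int = MAX_ADMINS) -> Tuple[List[str], Dict[str, List[str]]]:
    """Group logins by role and flag an admin count above the guideline."""
    by_role: Dict[str, List[str]] = {}
    for collab in collaborators:
        by_role.setdefault(collab["role_name"], []).append(collab["login"])
    findings: List[str] = []
    admins = by_role.get("admin", [])
    if len(admins) > max_admins:
        findings.append(
            f"{len(admins)} admins ({', '.join(admins)}); expected at most {max_admins}"
        )
    return findings, by_role


def review_branch_protection(protection: Dict) -> List[str]:
    """Return the required settings that are not enabled on the branch."""
    missing: List[str] = []
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        missing.append("Require status checks to pass before merging")
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        missing.append("Require pull request reviews before merging")
    if not reviews.get("require_code_owner_reviews"):
        missing.append("Require review from code owners")
    # Beyond the three bullets above: without this, admins can bypass all of them.
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        missing.append("Include administrators in the protection rules")
    return missing


if __name__ == "__main__":
    findings, roles = review_permissions(SAMPLE_COLLABORATORS)
    for role, logins in roles.items():
        print(f"{role:9s} {', '.join(logins)}")
    for finding in findings:
        print("FINDING:", finding)
    for item in review_branch_protection(SAMPLE_PROTECTION):
        print("MISSING:", item)
```

Feed it the real API responses and the output is exactly the kind of screenshot-replacement an auditor will accept: who holds which role, and which protection rules are still off.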

4. Run Integration, Unit, Security, and QA Testing with Every Merge to Master

CircleCI is a great additional tool to run your test phases on, but you can also use GitHub Actions for this. There are a ton of ways to run these tests; do what makes sense for your organization. Here are some things I've seen: hosting your own EKS runners, using CircleCI, or using GitLab. I didn't say Jenkins for a reason. Shots fired. Please just don't use Azure Pipelines.

5. Deploy Infrastructure as Code for all Kinds of Cool Security Benefits

One of the coolest things DevOps teams are doing is deploying infrastructure as code. There are actually a ton of security benefits here: backups matter less (the environment can be rebuilt from the code), you can security scan your infrastructure the same way you scan application code, and you can handle uptime easily. Control still pulls all this in and checks off the relevant controls for doing so. We've even had auditors skip reviewing the actual infrastructure because they audit the Terraform instead. This is dope stuff that our competitors aren't doing.

6. Think About Your Access Keys & Secrets

Encrypted secrets are super important for preventing major data breaches. Manage your secrets in the settings page, not in plain text in your repo. If you use GitHub Actions, pull the encrypted secret in as a variable from the settings page. When you deploy, make sure you're injecting secrets through something like AWS Secrets Manager or HashiCorp Vault, not just loading the variable in plain text from your repo. Also, remember that your devs' access is only as good as the handling of their secret keys: make sure you're clearly communicating how to store and rotate them.
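The cheapest way to enforce "not in plain text in your repo" is a check that runs before a commit lands or in CI. The following is an added example, not VGS Control's scanner: it walks a set of files and flags lines that look like committed credentials, while leaving alone the patterns the paragraph recommends (an Actions `secrets.*` reference, an environment lookup, a secrets-manager or Vault reference). The regexes are my own and deliberately simple; the sample repository contents are constructed, and the AWS key shown is the placeholder value AWS uses in its own documentation.

```python
"""Flag credentials committed in plain text. Added example; the patterns
and the sample files are constructed for illustration."""

import re
from typing import Dict, List, Tuple

# Patterns for common plaintext secrets (constructed, intentionally simple).
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # AWS access key IDs carry a fixed AKIA prefix followed by 16 characters.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "literal" / name: "literal" where the name looks credential-ish
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Lines that pull the value from somewhere safe are acceptable and skipped.
ALLOWED = re.compile(r"\$\{\{\s*secrets\.|os\.environ|getenv\(|secretsmanager|vault")

# Constructed sample repository: path -> file contents
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": 'DB_PASSWORD = "hunter2hunter2"\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    ".github/workflows/deploy.yml": "      env:\n        DB_PASSWORD: ${{ secrets.DB_PASSWORD }}\n",
    "app/db.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',
}

Finding = Tuple[str, int, str]  # (path, line number, pattern name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit in a single file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWED.search(line):
            continue  # value comes from the environment or a secrets store
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in the mapping and concatenate the findings."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, name in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {name}")
```

Wire `scan_repo` into a pre-commit hook or a CI step that fails the build on any finding, and pair it with key rotation for anything it catches: a secret that has been committed once should be treated as exposed even after the line is removed, because it stays in history.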

7. Turn on MFA!

Go to your org settings and require two-factor authentication to access your repos. MFA is the easiest one-click security measure that drastically increases your real security. MFA was the secret behind Gabe Newell giving his password away in 2011 without anyone being able to hack his account, and this same secret can be yours today. No, as FireEye just learned, MFA does not make you unhackable, but it sure does help.

8. Nerdy stuff for enterprise security

Here are just some cool things you should look into doing if you have a dedicated security team and are really trying to push the frontier on git security:

  • Host your own git so you can pipe the logs into a SIEM and write content for it.
  • Use multiple security tools to scan during the CI/CD process and make it so if an error code pops, the build gets blocked.
  • Use security scanners on your K8s nodes that are container aware so they're actually doing something meaningful (i.e., not AWS Inspector). Prisma Cloud is cool, but Palo Alto Networks bought this product so it's expensive now.
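"Write content for it" means detection rules, and the first bullet is only worth the hosting effort if someone actually writes them. The following is an added example of such content, not VGS Control's code and not a GitHub product: it runs over audit-log events and alerts on actions that undo the practices in this post (branch protection removed, the MFA requirement switched off, a repository made public or deleted), plus a burst rule for one actor doing several of those in a short window. The event format and action names follow GitHub's audit log as I know it (`@timestamp` in epoch milliseconds, an `action` string, an `actor`), but treat them as assumptions and map them to your own git server's log; the events below are constructed.

```python
"""Detection content for git audit-log events shipped to a SIEM.
Added example; event field and action names are assumptions and the
sample events are constructed."""

import json
from typing import Dict, List, Tuple

# Actions that weaken the controls in this post; the reasons are my own labels.
HIGH_RISK_ACTIONS: Dict[str, str] = {
    "protected_branch.destroy": "branch protection removed",
    "org.disable_two_factor_requirement": "MFA requirement disabled",
    "repo.access": "repository visibility changed",
    "repo.destroy": "repository deleted",
}

# Constructed NDJSON sample: one JSON event per line, timestamps in epoch ms.
SAMPLE_EVENTS: List[str] = [
    '{"@timestamp": 1632470400000, "action": "git.push", "actor": "erin", "repo": "acme/api"}',
    '{"@timestamp": 1632470460000, "action": "protected_branch.destroy", "actor": "bob", "repo": "acme/api", "name": "main"}',
    '{"@timestamp": 1632470520000, "action": "repo.access", "actor": "bob", "repo": "acme/api", "visibility": "public"}',
    '{"@timestamp": 1632470580000, "action": "org.disable_two_factor_requirement", "actor": "bob", "org": "acme"}',
    '{"@timestamp": 1632470640000, "action": "repo.create", "actor": "alice", "repo": "acme/new-service"}',
]


def evaluate_event(event: Dict) -> Dict:
    """Return an alert dict for a high-risk action, or an empty dict."""
    action = event.get("action", "")
    if action not in HIGH_RISK_ACTIONS:
        return {}
    return {
        "timestamp": event.get("@timestamp"),
        "actor": event.get("actor"),
        "action": action,
        "target": event.get("repo") or event.get("org"),
        "reason": HIGH_RISK_ACTIONS[action],
    }


def detect(lines: List[str], burst_threshold: int = 3, window_ms: int = 3_600_000) -> Tuple[List[Dict], List[str]]:
    """Evaluate each event; also name actors with >= burst_threshold alerts in one window."""
    alerts: List[Dict] = []
    stamps_by_actor: Dict[str, List[int]] = {}
    for line in lines:
        event = json.loads(line)
        alert = evaluate_event(event)
        if alert:
            alerts.append(alert)
            stamps_by_actor.setdefault(alert["actor"], []).append(int(alert["timestamp"]))

    bursts: List[str] = []
    for actor, stamps in stamps_by_actor.items():
        stamps.sort()
        # Sliding window: count alerts within window_ms of each starting alert.
        for i, start in enumerate(stamps):
            j = i
            while j < len(stamps) and stamps[j] - start <= window_ms:
                j += 1
            if j - i >= burst_threshold:
                bursts.append(actor)
                break
    return alerts, bursts


if __name__ == "__main__":
    found, burst_actors = detect(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert['actor']} {alert['action']} on {alert['target']}: {alert['reason']}")
    for actor in burst_actors:
        print(f"BURST: {actor} performed several high-risk actions within an hour")
```

The single-event rules are what you want paged on; the burst rule is there because a legitimate admin occasionally removes a protection rule, but one account tearing down protection, flipping visibility and disabling MFA within minutes is either a compromised admin or someone who needs a conversation.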

How Does VGS Control Help?

Here are some takeaways: This stuff is hard, and we have teams of engineers focused on it full time, so you should use us for guidance. Configuring all of this is one thing, but monitoring for it and collecting evidence for it is an ongoing nightmare, so let us do that for you. We're here to help you get through the audit, and provide real security, not just security theater.

“We want to automate the auditors out of the way, so you can get back to the cool stuff.” - Jonathan Cordeau, Head of Product

Start with Security Foundations for free and automate everything you've read in this article, plus:

  • Prescriptive Tasks so you know where to start.
  • Cloud infrastructure and SaaS security scanning.
  • Automated security policy creation.
  • Automated evidence collection for future audits.

Ready to Get Started?

Subscribe to one of our SOC 2, ISO 27001 or PCI subscriptions and instantly get access to the tools you need to achieve fast compliance and data protection in less than 10 minutes. Schedule your personalized SOC 2 or ISO 27001 demo today!

Jonathan Cordeau, Control Head of Product
