GitHub and GitLab – two of the most popular source code management (SCM) platforms – are a modern marvel for developers, giving them a collaborative solution to centrally store, manage, and track changes to source code. Despite their advantages for development, it’s important to acknowledge that SCM solutions present significant security risks if not properly configured. 

While many organizations have embraced ‘shift left security,’ they often focus solely on source code risks, overlooking significant threats related to the setup and configuration of their SCM platforms at both the organizational and repository levels.

For instance, disabled branch protections can allow threat actors to make unauthorized changes, compromising the integrity of the codebase. Unmaintained repositories increase the risk of known vulnerabilities and one-day attacks. Additionally, the default GitHub Actions configuration may allow workflows to approve pull requests, enabling attackers to bypass code reviews and inject malicious code into the software supply chain and ultimately into production. These examples highlight how inadequate configuration of source code management platforms can significantly elevate the risk of software supply chain attacks and other threats.
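To show what checking for the three misconfigurations named above looks like in practice, here is an added example (not part of the original post and not Orca's code). It runs over constructed GitHub REST API responses so it works offline; the endpoint paths and field names are GitHub's documented ones, while the sample values, repository names and the one-year staleness threshold are assumptions.

```python
"""Posture checks for the three risks described in the text: missing branch
protection, unmaintained repositories, and GitHub Actions workflows that may
approve pull requests. Added example, not Orca's code.

Response shapes mirror these documented GitHub REST endpoints (real field
names, constructed values):
  GET /repos/{owner}/{repo}                               -> default_branch, pushed_at
  GET /repos/{owner}/{repo}/branches/{branch}/protection  -> 404 when the branch is unprotected
  GET /repos/{owner}/{repo}/actions/permissions/workflow  -> default_workflow_permissions,
                                                             can_approve_pull_request_reviews
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    repo: str
    check: str
    severity: str
    detail: str


# Constructed sample data. A "protection" value of None stands for the API's
# 404 "Branch not protected" response.
SAMPLE_REPOS = {
    "acme/payments": {
        "repo": {"default_branch": "main", "pushed_at": "2024-05-10T12:00:00Z"},
        "protection": None,
        "workflow_permissions": {"default_workflow_permissions": "write",
                                 "can_approve_pull_request_reviews": True},
    },
    "acme/docs-site": {
        "repo": {"default_branch": "main", "pushed_at": "2024-04-01T09:00:00Z"},
        # Protected, but no approving review is required (key absent / null).
        "protection": {"required_pull_request_reviews": None,
                       "enforce_admins": {"enabled": True}},
        "workflow_permissions": {"default_workflow_permissions": "read",
                                 "can_approve_pull_request_reviews": False},
    },
    "acme/legacy-reports": {
        "repo": {"default_branch": "master", "pushed_at": "2022-01-15T08:30:00Z"},
        "protection": {"required_pull_request_reviews": {"required_approving_review_count": 1},
                       "enforce_admins": {"enabled": True}},
        "workflow_permissions": {"default_workflow_permissions": "read",
                                 "can_approve_pull_request_reviews": False},
    },
}

# Assumption: a year without a push counts as unmaintained.
STALE_AFTER = timedelta(days=365)
# Fixed "now" so the sample audit is reproducible (assumed date).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_ts(ts: str) -> datetime:
    """GitHub timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_repo(name: str, data: dict, now: datetime) -> list[Finding]:
    """Evaluate one repository's API responses and return its findings."""
    findings = []
    default_branch = data["repo"]["default_branch"]

    protection = data["protection"]
    if protection is None:
        findings.append(Finding(name, "branch_protection", "high",
                                f"default branch '{default_branch}' has no protection rule"))
    else:
        # The key is omitted or null when no review requirement is configured.
        reviews = protection.get("required_pull_request_reviews") or {}
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append(Finding(name, "branch_protection", "medium",
                                    f"'{default_branch}' is protected but requires no approving review"))

    workflow = data["workflow_permissions"]
    if workflow.get("can_approve_pull_request_reviews"):
        findings.append(Finding(name, "actions_can_approve_prs", "high",
                                "GitHub Actions workflows may approve pull requests"))
    if workflow.get("default_workflow_permissions") == "write":
        findings.append(Finding(name, "actions_default_write_token", "medium",
                                "GITHUB_TOKEN defaults to write access for workflows"))

    pushed = _parse_ts(data["repo"]["pushed_at"])
    if now - pushed > STALE_AFTER:
        findings.append(Finding(name, "unmaintained", "medium",
                                f"no push since {pushed.date()}"))
    return findings


def audit(repos: dict, now: datetime) -> dict[str, list[Finding]]:
    return {name: check_repo(name, data, now) for name, data in repos.items()}


def audit_samples() -> dict[str, list[Finding]]:
    return audit(SAMPLE_REPOS, AS_OF)


if __name__ == "__main__":
    for repo, findings in audit_samples().items():
        print(repo, "OK" if not findings else "")
        for f in findings:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

Against a live account the same `check_repo` function would be fed the three responses per repository, with a 404 from the protection endpoint mapped to `None`; the `docs-site` sample shows why the check must look inside the protection rule rather than only at its presence.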

Today, Orca is pleased to announce that the Orca Cloud Security Platform now offers Source Code Management Posture Management (SCM-PM) capabilities. This new feature enables Orca customers to detect and remediate misconfigurations and security risks across their GitHub and GitLab accounts and repositories. The release expands on Orca’s Shift Left Security capabilities, providing a comprehensive solution for SCM-PM without the need for additional tools.

Why is Orca adding SCM-PM?

Both GitHub and GitLab offer relatively robust security features – which are especially valuable, considering 62% of organizations have severe vulnerabilities in their source code repositories, while 70% have unencrypted secrets, according to Orca’s 2024 State of the Cloud Security Report. Yet, most security teams are unaware of these native security features and lack visibility into or control over development environments, allowing vulnerabilities and security risks to grow unabated. This often leaves organizations unable to protect the infrastructure they depend on to deliver new applications to the cloud. 

We’ve extended the Orca platform to secure GitHub and GitLab, enabling organizations to effectively address an important blind spot in their security posture.

What are Orca’s SCM-PM capabilities?

Orca seamlessly integrates with both GitHub and GitLab, empowering security teams to centrally manage and enhance the security posture of their SCM platforms. This complements Orca’s existing capabilities, such as secret detection, Infrastructure as Code (IaC) security, and vulnerability scanning (SCA). Organizations can manage repository enumeration, policy customization, and issue oversight through Orca’s comprehensive solution.

#1: Repository inventory 

Challenge: GitHub’s and GitLab’s self-service and ephemeral nature allows developers to create repositories on demand, increasing an organization’s attack surface and the likelihood that some repositories become unmaintained and vulnerable, especially when they are not well configured.

Orca Solution: Orca’s GitHub App and GitLab App seamlessly integrate with your source code management platform(s) to automatically discover all repositories, including new additions. Through a unified dashboard, Orca offers your security teams complete visibility into your SCM platforms by presenting a detailed inventory of your repository instances.

#2: Going beyond code security

Challenge: Organizations often focus solely on source code risks while neglecting potential risks specific to account and repository configurations. This oversight can lead to neglected policies, configurations, and best practices, increasing risks and exposures over time.

Orca Solution: Orca leverages best practices from reputable sources like the Open Source Security Foundation (OpenSSF) and Legitify, alongside other industry standards. Using these recommendations, Orca scans all GitHub and GitLab assets, identifying misconfigurations, security risks, and deviations from best practices. The Orca Platform integrates this analysis to contextualize detected risks, facilitating comprehensive risk management.

#3: Dynamic and context-aware alerts 

Challenge: Orca’s Cloud Security Alert Fatigue Report reveals that nearly 60% of security practitioners receive more than 500 alerts daily, with 55% admitting their organizations miss critical alerts due to alert fatigue. This highlights a primary challenge – effectively prioritizing remediation efforts amid a flood of alerts.

Without contextual and prioritized alerts, security teams spend valuable time determining which risks require immediate attention. This results in overlooked critical alerts, slower remediation, and increased risk of burnout.

Orca Solution: Unlike other solutions, Orca dynamically assesses risk, prioritizing alerts based on risk severity, exploitability, business impact, and interconnected risks that may endanger high-value assets or lead to significant security incidents. 

For example, Orca triggers alerts for changes in repository visibility from private to public. The alert severity is determined by factors such as repository age and the existence of sensitive data or secrets. A transition from private to public for a long-standing repository, which has always been set as private, implies anomalous activity and thus raises the alert’s severity, particularly if it contains sensitive information or secrets.
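To make the prioritization described here concrete, the following added example (not Orca's code) scores a private-to-public visibility change from the two factors the paragraph names: how long the repository has been private, and whether secrets were found in it. The event fields, the six-month "long-standing" threshold and the four-step severity ladder are assumptions for illustration, not GitHub's or GitLab's audit-log schema.

```python
"""Severity scoring for repository visibility changes. Added example, not
Orca's code; the event format and thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

# Assumption: six months of private history makes a repository "long-standing".
LONG_STANDING = timedelta(days=180)
LEVELS = ["low", "medium", "high", "critical"]
# Fixed evaluation time so the sample scores are reproducible (assumed date).
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed visibility-change events (hypothetical schema).
SAMPLE_EVENTS = {
    "e1": {"repo": "acme/billing-core", "old_visibility": "private", "new_visibility": "public",
           "created_at": "2021-03-01T10:00:00Z", "always_private": True, "secrets_found": 3},
    "e2": {"repo": "acme/hackday-demo", "old_visibility": "private", "new_visibility": "public",
           "created_at": "2024-05-22T15:00:00Z", "always_private": True, "secrets_found": 0},
    "e3": {"repo": "acme/website", "old_visibility": "public", "new_visibility": "private",
           "created_at": "2020-06-01T00:00:00Z", "always_private": False, "secrets_found": 0},
    "e4": {"repo": "acme/infra-scripts", "old_visibility": "private", "new_visibility": "public",
           "created_at": "2023-01-10T08:00:00Z", "always_private": True, "secrets_found": 0},
    "e5": {"repo": "acme/sdk-examples", "old_visibility": "private", "new_visibility": "public",
           "created_at": "2022-02-01T08:00:00Z", "always_private": False, "secrets_found": 1},
}


def score_visibility_change(event: dict, now: datetime) -> dict:
    """Return {"alert": bool, "severity": str | None, "reasons": [...]} for one event."""
    if not (event["old_visibility"] == "private" and event["new_visibility"] == "public"):
        # Tightening visibility is not an exposure; no alert.
        return {"alert": False, "severity": None, "reasons": ["not a private-to-public change"]}

    level = 1  # medium: exposing a previously private repository always warrants review
    reasons = ["repository changed from private to public"]

    created = datetime.fromisoformat(event["created_at"].replace("Z", "+00:00"))
    age = now - created
    # A long history of being private makes the change anomalous; a repository
    # that has been public before does not get this bump.
    if event.get("always_private", False) and age >= LONG_STANDING:
        level += 1
        reasons.append(f"repository was private for {age.days} days before the change")

    if event.get("secrets_found", 0) > 0:
        level += 1
        reasons.append(f"{event['secrets_found']} secret(s) detected in repository contents")

    return {"alert": True, "severity": LEVELS[min(level, len(LEVELS) - 1)], "reasons": reasons}


def score_samples() -> dict:
    return {eid: score_visibility_change(ev, AS_OF) for eid, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for eid, result in score_samples().items():
        print(eid, SAMPLE_EVENTS[eid]["repo"], result["severity"] if result["alert"] else "no alert")
        for reason in result["reasons"]:
            print("   -", reason)
```

The ordering this produces (the old, secret-bearing repository first, the ten-day-old demo repository last) is the kind of triage the paragraph describes: the same event type lands at different severities depending on the repository's history and contents.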

Orca’s risk prioritization gives security teams reliable and clear guidance to jumpstart remediation efforts, ensuring they can quickly focus on the 1% of risks that matter most. 

#4: Extended repository insight

Challenge: Many security teams struggle with repository visibility and face challenges in quickly understanding the purpose and contents of multiple repositories across R&D. 

Orca Solution: Orca enriches the understanding of repositories’ significance and purpose by gathering metadata from GitHub and GitLab, including details like creation date, description, topics, code languages, and more. This information is integrated into our Unified Data Model, providing a central location contextualizing all data sources to facilitate comprehensive security insights.

#5: Remediation and workflow integration

Challenge: DevSecOps emphasizes close collaboration between security and development teams, yet this remains a pain point for many organizations, leading to uncertainty about task ownership. The inefficiency in delegating remediation tasks to developers prolongs issue resolution, negatively impacting the overall security posture. 

Orca Solution: Orca provides comprehensive remediation instructions for every alert, accelerating response times for both security and development teams. Additionally, Orca offers bidirectional integrations with ticketing systems like Jira and ServiceNow (among various integrations for notifications, SIEM, and SOAR systems). Such integrations streamline workflows by eliminating the need for developers to deviate from existing tools while enabling security teams to create and monitor tickets directly from the Orca Platform.

About the Orca Cloud Security Platform

Orca offers a unified and comprehensive cloud security platform that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Oracle Cloud, Alibaba Cloud, and Kubernetes. Using its patented SideScanning™ technology, Orca detects vulnerabilities, misconfigurations, malware, lateral movement, data risks, API risks, overly permissive identities, and much more. 

Learn More

Curious about Orca’s SCM-PM capabilities? Schedule a personalized 1:1 demo, and we’ll demonstrate how your organization can effectively implement shift left security and harness the complete potential of SCM-PM.