← Back to Blog
5 min read

Investigating unauthorized access to GitHub-owned repositories

As a SaaS developer, your codebase is your crown jewel. It's where your intellectual property resides, and it's where you store sensitive user data. If this data falls into the wrong hands, it can have disastrous consequences for your users and your business. In this article, we'll explore the importance of securing your SaaS product, particularly when using GitHub-backed development.

GitHub-Backed Development: A Double-Edged Sword

GitHub is an essential tool for any developer, providing a platform for version control, collaboration, and code sharing. However, when it comes to SaaS development, relying solely on GitHub can create vulnerabilities. If an attacker gains access to your GitHub repository, they can potentially compromise your codebase and user data.

Consider the following scenario: your SaaS product uses a GitHub-backed development approach, where your entire codebase is stored on GitHub. An attacker discovers a vulnerability in your code and gains access to your repository. They can then modify your code to steal user data or install malware. In this scenario, your SaaS product is at risk of being compromised, and your users' data is vulnerable to theft.

Best Practices for Securing Your SaaS Product

To mitigate these risks, follow these best practices for securing your SaaS product when using GitHub-backed development:

1. Use Two-Factor Authentication (2FA)

Enable 2FA on your GitHub account to add an extra layer of security. This will prevent unauthorized access to your repository, even if someone obtains your password.

const github = new github.GitHub({
  token: process.env.GITHUB_TOKEN,
  username: process.env.GITHUB_USERNAME,
  password: process.env.GITHUB_PASSWORD,
  twoFactor: {
    code: process.env.GITHUB_2FA_CODE,
  },
});

2. Use Encrypted Communication

Use encrypted communication protocols, such as HTTPS or SSH, to protect data in transit. This will prevent eavesdropping and interception of sensitive information.

const https = require('https');

const options = {
  hostname: 'api.github.com',
  port: 443,
  path: '/repos/:owner/:repo',
  method: 'GET',
  headers: {
    'User-Agent': 'node',
  },
};

const req = https.request(options, (res) => {
  console.log(`statusCode: ${res.statusCode}`);
});

req.on('error', (error) => {
  console.error(error);
});

req.end();

3. Monitor Your Repository for Unusual Activity

Set up alerts and notifications to monitor your repository for unusual activity, such as unexpected commits or pushes. This will help you detect potential security breaches early on.

const github = require('@octokit/github.js');

const repo = github.repos.get({
  owner: process.env.GITHUB_USERNAME,
  repo: process.env.GITHUB_REPO,
});

repo.createHook({
  name: 'push',
  active: true,
  events: ['push'],
  config: {
    secret: process.env.GITHUB_HOOK_SECRET,
  },
}).then((hook) => {
  console.log(hook.id);
}).catch((error) => {
  console.error(error);
});

4. Use a Web Application Firewall (WAF)

Implement a WAF to protect your SaaS product from common web attacks, such as SQL injection and cross-site scripting (XSS). This will help prevent unauthorized access to your application.

const express = require('express');
const app = express();

app.use(express.static('public'));
app.use(express.json());
app.use(express.urlencoded({ extended: true }));

app.use((req, res, next) => {
  const url = req.url;
  const method = req.method;

  if (method === 'GET' && url === '/secret') {
    res.status(403).send('Forbidden');
  } else {
    next();
  }
});

Conclusion

Securing your SaaS product is an ongoing process that requires attention to detail and a commitment to best practices. By following the guidelines outlined in this article, you can protect your codebase and user data from potential security breaches. Remember to stay vigilant and adapt to emerging threats and vulnerabilities in the ever-changing landscape of cybersecurity.

Next Steps

At DiggaByte, we're committed to helping you build secure and scalable SaaS products. If you're using our Next.js + Prisma stack, be sure to enable 2FA and encrypted communication protocols to ensure the security of your codebase. Additionally, consider implementing a WAF to protect your application from common web attacks.

By taking these steps, you'll be well on your way to building a secure and reliable SaaS product that meets the needs of your users.

Want production-ready code for the patterns described here? Configure your stack at DiggaByte and download it in seconds — database, auth, payments, and deployment pre-wired.