SOFTWARE SUPPLY CHAIN

A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub

Nir Valtman
CEO & Co-Founder
October 17, 2023
Nir is an experienced information & application security leader, most recently as VP security at Finastra and CISO at Kabbage. Nir is a frequent public speaker at leading conferences globally, including Black Hat, Defcon, BSides, and RSA.

TL;DR

This article explores the trade-offs between managing GitHub users as individual users or enterprise managed users. Individual users provide flexibility, code attribution, and open-source engagement; however, they lack centralized control by the enterprises and, therefore, may pose security risks. On the other hand, managed users offer enhanced security, access management, and privacy controls; however, they may be perceived as developer-unfriendly in some cases. Striking a balance between developer-friendly practices and robust security is crucial, and organizations should carefully evaluate their specific needs and priorities when deciding on a user management strategy for GitHub.

{{arnica-top-signup-banner="/template-pages/try-arnica-banner"}}

Secure User Management on GitHub: A Balance Between Security and Developer Experience?

In modern software development, GitHub has emerged as one of the most popular platforms for hosting and managing code repositories and open-source projects. The git hosting platform fosters amazing collaboration among its users, and GitHub profiles have become the de facto portfolio and resumé for many software engineers

However, there is a consequential decision to make for engineering leaders when it comes to managing users in GitHub. Organizations are presented with two distinct options for user access management: enterprise managed users or individual GitHub users. Each approach has its own set of advantages and drawbacks that companies must consider carefully. 

This article will explore the pros and cons of enterprise managed users versus individual GitHub users to help organizations make informed decisions about their user management strategy.

The Stakes: Application Security vs. Developer Autonomy

When considering a user management strategy, the core issue at play is the tension between an organization being seen as “developer-friendly” versus maintaining a strong security posture with solid access control and user management. 

Using individual GitHub users is often perceived as more developer-friendly, allowing contributors to showcase their work and gain visibility through attributed code contributions and visualizations. Conversely, managed enterprise users offer enhanced security measures and centralized control, facilitating access management and reducing risks in scenarios such as employee attrition.

Choosing between these approaches is a complex decision that requires a balancing act between providing a developer-friendly environment and ensuring robust security. While individual GitHub users offer flexibility and autonomy, the lack of centralized control or access management guardrails can pose security risks. Conversely, managed enterprise users provide better security and access control but may restrict developers and limit their autonomy. For example, enterprise users cannot create or comment on gists, and they are also prevented from following public GitHub users, which may be needed to keep the developers up to date on their area of expertise and interest. 

Taking the developer-friendly approach to user management: individual users 

Code attribution & reputation

Developers value code attribution on their public profiles, as it enables them to showcase their work, connect with other developers, and participate publicly in open-source projects. This ability to present their work and contributions on their public profiles helps build their reputation within the developer community.

Figure 1: GitHub contribution visualization. (Source: GitHub.com)

GitHub provides powerful visualization tools that allow developers to gain insights into their coding activity, even within the enterprise code repositories, which is anonymized from the public view The contribution graph above, for instance, visually represents a developer's daily code commits, demonstrating their engagement and productivity. These visualizations not only provide a sense of accomplishment but also act as a tangible record of a developer's activity over time. 

Open-source engagement 

Public profiles on GitHub facilitate seamless involvement in open-source communities, enabling developers to access repositories, submit pull requests, report issues, and engage in meaningful discussions. These contributions help build credibility within the community.

In contrast, enterprise managed users aren’t able to take advantage of these benefits since their user identities are managed by an upstream identity platform and are thus not expressed as public user profiles on GitHub. The only alternative for these code contributors is to maintain a separate user profile, which will not provide a complete picture of the developer’s daily coding activities and achievements.

What does it all mean? 

While it could be argued that providing interesting projects and a healthy work culture are also developer-friendly benefits, it’s as important as ever to focus on developer experience and relations, especially as it relates to hiring and retaining top software engineering talent. Many of the most talented developers are highly active in the technology and open-source communities, and they will ultimately view an organization that supports that participation as an ideal place to work.

Taking the security-focused approach: Enterprise managed users 

The security-focused benefits of the managed user model are often framed as “developer-unfriendly”:

  • The developer’s primary coding activity is not visible on public GitHub.
  • Enabling access to third-party tooling, such as marketplace actions or apps, may require additional permissions and configuration from an enterprise.

However, despite this perceived unfriendliness, there are serious security advantages in managing GitHub users internally. 

Access management controls 

When a developer leaves a company, access and authorization controls are much easier to manage. Authorization and policy controls can additionally be enforced top-down with enterprise tools, ensuring developers are automatically given appropriate access levels to the correct repositories. 

In contrast, without enterprise managed users, developer access can sometimes be maintained even after an employee leaves a company. This may be due to negligence, a broken process, or system failure. Regardless, it means a non-employee may now have access to proprietary data and intellectual property. 

It is worth mentioning that if the enterprise has SSO enabled and enforced, individual users can be removed from the enterprise by the same approach. However, not all enterprises have the mapping between the provisioned individual user account names and the corporate emails. Interestingly, Arnica observes the historical git behavior of each individual user and builds this mapping for you, regardless if there is an SSO/SCIM integration with the enterprise. 

Privacy controls & single sign-on

The ubiquitousness of the internet and social media has blurred the line for many users on what exactly separates public from private information. It is common practice to publicly display basic information, such as an email address. However, even simple pieces of data can represent a threat to an organization’s operational security, potentially providing just enough leverage for an attack vector. 

Privacy is a paramount concern for many software engineering organizations. For instance, exposed usernames or emails might allow an attacker to infer a valid regex for other company email addresses, enabling them to engage in spamming campaigns or execute targeted phishing campaigns. 

Enterprise managed users offer significant advantages in terms of privacy controls, especially in protecting the identities of users working for specific companies. With enterprise accounts, usernames associated with an organization are not exposed publicly, helping to maintain the confidentiality of employees' affiliations.

Focusing on application security doesn't necessarily mean being developer unfriendly

Achieving the proper balance between security and developer-friendly practices is crucial in modern software development. A strong security posture is a must, but building a solid software product requires employing capable engineers that often highly value being able to engage with the open-source community. 

The good news is that there are ways to achieve the best of both worlds. Organizations can implement automated least-privilege controls without burdening developers with cumbersome enterprise access controls. By automating access management, developers are not required to navigate lengthy approval processes for elevated access, ensuring a streamlined workflow while maintaining a strong security posture.

It's important to recognize that being developer-friendly can have a positive impact on morale and attract talented developers to an organization. Creating an environment that fosters developer visibility, encourages code attribution, and allows participation in open-source projects can greatly enhance the organization's reputation and appeal. This focus on developer-friendly practices is essentially an investment in the long-term success of the organization.

Conclusion

In modern software development, organizations should ultimately be able to let their developers take advantage of their public profiles while still providing the security and management features typically reserved for the enterprise.

Community-driven products will likely benefit more from developer relations, community engagement, and the use of public GitHub profiles. Still, larger organizations, or those with exposure to regulatory or compliance concerns may want to focus more on security, ensuring they remain compliant and protect critical customer data and intellectual property. 

To determine the most suitable user management strategy, organizations should assess their specific needs and priorities. The size of the organization, the nature of its projects, and the sensitivity of the data involved are just a few of the factors that should guide the decision-making process.

THE LATEST UPDATES

More from our blog

The Essential Guide to SCA and SAST
The Essential Guide to SCA and SAST
September 6, 2024
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
March 25, 2024
SBOM For Your Software Supply Chain: Added Visibility or Security Risk?
SBOM For Your Software Supply Chain: Added Visibility or Security Risk?
March 25, 2024

{{arnica-bottom-signup-banner="/template-pages/try-arnica-banner"}}