Your version control system holds your organization’s most valuable assets: Source code, designs, artwork, media, business documents, and more. A multi-tiered approach to security is crucial to protect this intellectual property (IP).
| 1 | Require User Authentication | The first level of any IP security strategy is to verify that users are who they say they are. Integrate authentication with enterprise AD/LDAP services. Use multi-factor authentication, if possible. |
| 2 | Manage User Authentication | Control who is allowed to do what, where, and when. Don’t give everyone full access to all files — this creates risks and too much noise. Use groups to simplify management. |
| 3 | Establish File-Level Protection | Manage who is allowed to change specific file types — e.g., developers can update source code but not released executables. Some tools (e.g., Git) provide access to the entire repo. In such cases, carefully split up repos but beware of the problems this may cause. |
| 4 | Protect Branches and Streams | Manage who is allowed to change what in development versus release branches or streams — just as you would to protect file types. Production, operations, and development streams usually need different access rights. |
| 5 | Assess Encryption | Consider the need to encrypt files at rest (i.e., while in the repository) and in transit (i.e., when moving files between the user’s desktop and the master repo). |
| 6 | Record Activity | Ensure that your version control tool keeps an immutable history of changes. Such records enable developers to see what happened in the past and help you meet regulatory requirements. |
| 7 | Detect Insider Threats | Use your audit trails to spot risky behavior. Audit logs tend to be big, so use a tool that includes behavioral analytics to weed out the noise and flag only real risks. |
| 8 | Keep Everything Together | The more stores or repositories are in use, the harder it is to manage security. Aim to put all assets — source code, documents and built executables — in a single repository. |
