While DevOps drives innovation and simplifies collaboration, it also comes with its own set of risks and vulnerabilities. Developers rely on Git-based platforms like GitHub, Azure DevOps, Bitbucket, or GitLab to work on code.
Repositories usually contain mission-critical data, and with growth, teams expand and their workflows get more complex — all leading to more potential risks that could affect your data.
The Shared Responsibility model
The division of duties in regards to SaaS data protection is outlined using platform-specific shared responsibility models. You, as a customer, are responsible for the data stored on your SaaS accounts. Platforms like GitHub are not obligated to help you with data recovery.
The service provider is responsible for the uptime of their service, while the users’ duty is the security of data, accounts, and devices.
That means users must implement strict access controls, protect credentials, and leverage automated backups; all to secure data against ransomware attacks, human errors like accidental deletions, and service disruptions. Moreover, SaaS platforms themselves advise their users to implement their own backups.
Security differences between platforms
The leading distributed VCS platforms, like GitLab, offer built-in security features. These can help with building a cyber defence strategy. The specific controls and tools differ in each platform and range from PATs to access controls and regular reviews.
GitHub
In GitHub, users get native controls that include secret scanning, push protection, code security features like dependency review, and Dependabot alerts.
Push protection is on by default for new public repos, and it is blocking known secrets at push. Secret scanning is also enabled for all public repos and can be extended to private ones.
It is advised to enforce MFA and branch protection across all projects.
Bitbucket
Bitbucket has hierarchical access, with team/group controls. Also, project-level permissions apply to all repos in that project unless they are tightened.
Security largely depends on admins regularly reviewing group scopes and repo privacy. Bitbucket Secret Scanning feature helps with monitoring commits and pushes for exposed credentials.
Make sure to configure pipeline variables and avoid exposing sensitive data. It’s worth noting that Bitbucket integrates with the suite of Atlassian tools and services, such as Jira.
GitLab
GitLab comes as a comprehensive DevSecOps platform, covering source code management, CI/CD, and security testing.
Risks mainly come up in self-managed deployments where admins are responsible for hardening, patching, and backups.
GitLab’s guidance in their documentation assigns patching and host security to self-managed customers. Be sure to implement strict role segregation and keep runners isolated.
Azure DevOps
Microsoft’s Azure DevOps integrates with identity management via Microsoft Entra ID (SSO, MFA, Conditional Access).
A strong security posture for Azure DevOps data requires correctly configuring service connections and layered project/organization permissions.
Microsoft emphasizes customer responsibility for Azure DevOps configuration according to the Shared Responsibility Model.
Common DevOps security gaps & challenges
The data, along with configurations, stored in platforms like Bitbucket, are essential for modern software development. Therefore, your source code is a great target for cyber attacks or insider threats. These bad actors demand ransom as they gain access to your data that business continuity and security rely on.
It’s important to shift security to the left and address the industry-known vulnerabilities.
Common vulnerabilities include:
Weak access control
Improper repository permissions and configurations
No multi-factor authentication (MFA) or single sign-on (SSO)
Outdated systems & workflows
No automated backup (or treating GitHub, GitLab, Azure DevOps, or Bitbucket as backup)
Lack of tested disaster recovery strategies
Non-compliance with industry regulations
For example, there was a supply-chain attack targeting a popular GitHub Action called ‘tj-actions/changed-files’. The attackers published a malicious update under the same package name that was used across thousands of repositories, potentially exposing repository data and CI/CD secrets.
Attacks vectors
There are different ways attackers can exploit vulnerabilities to access your data. They range from phishing and credential theft to ransomware attacks. Ransomware encrypts or erases your data — but how it is done depends on the platform:
Platform
How it is abused
Why it enables ransomware
Preventive measures
GitHub
Stolen PATs/OAuth tokens, malicious GitHub Actions, compromised CI runners
Tokens & malicious Actions can write/delete repos, push malicious commits, poison dependencies, or encrypt artifacts
Fine-grained PATs, SSO & MFA, allowlist Actions, ephemeral runners, secret scanning, off-platform immutable backups
GitLab
Compromised self-managed runners or admin accounts, insecure runners execute arbitrary jobs
These compromised runners/admins allow attackers to delete or alter repos, alter CI, or remove local backups stored on the same nodes
Ephemeral/isolation for runners, restrict who can register runners, strict role separation, timely patching, external immutable backups (including config & metadata)
Bitbucket
Excessive project permissions, leaked pipeline variables, abused integrations/service hooks
Cloud credentials or pipeline secrets let attackers access artifact stores, mirrors, or cloud backups to encrypt/delete
Tighten project/repo permissions, rotate keys, use variables properly, restrict third-party apps, external immutable backups
Azure DevOps
Compromised Entra (Azure AD) accounts, over-privileged service connections, misconfigured pipelines
Service connections & Azure resource access enable encryption of artifacts, deletion of backups, and destructive pipeline jobs at scale
Enforce conditional access & MFA, least-privilege service connections, restrict pipeline identities, segregate backup storage outside tenancy
Accidental deletion
Another risk is the potential for accidental deletions and malicious insiders doing damage from within the organization. This can be as simple as a mistyped command or excessive privileges leading to project deletion, but it can be devastating in the long run without backup or flexible recovery options.
Malicious insiders can intentionally disrupt operations or disable logging. Both cases can result in lost repo history, costly recovery, erased & lost data, as well as paused business operations.
Service outages
Software development teams face service outages of critical platforms they rely on. Downtime means no access to important repositories and CI/CD pipelines, which could completely stop business operations. The consequences range from missed deadlines and a lack of customer trust to wasted resources.
How to improve the security of your DevOps data
To address all of the abovementioned risks and secure data on git-hosting platforms, organizations must shift security left, and adhere to compliance requirements of industry regulations. It is important to remember that secrets should never be stored in repositories.
Access management
Strict access control means implementing RBAC (Role-based access control) and following the principle of the least privilege.
This way, permissions are adjusted specifically to each role and assigned accordingly, with no excessive access given to any user. All permissions should be verified regularly and inactive accounts revoked.
Backup and disaster recovery
A third-party backup and disaster recovery solution such as GitProtect is like a safety net. When choosing a solution, seek full coverage for your DevOps stack (project data, repositories, and all the metadata). Ideally, backups should be automated, encrypted, geo-redundant, and stored in WORM-compliant, immutable format.
This should be completed by a flexible recovery arsenal: granular restore, cross-over recovery, point-in-time restore, and full data recovery.
When backup and disaster recovery solutions check those boxes, you guarantee ransomware protection, compliance with industry standards, and adherence to the 3-2-1 backup rule. Other critical aspects include monitoring and audit preparedness, an intuitive user interface, along with alerts, notifications, and clear logs.
Ensure compliant DevOps backup and recovery with a 14-day trial of GitProtect. No credit card required!
Sponsored and written by GitProtect.
