Regardless of the project’s size, it is strongly recommended to use a source code version control system to track the code’s different versions over time.
A version control system is a program that allows you to save all your source code and related files, while preserving the timeline of all changes. A simple FTP server is not a version control system.
Configure your environment correctly by using the features your version control system offers. It is recommended to implement strong authentication and/or authentication with SSH keys from the beginning of your project.
Additionally, assign access levels to users of your version control system, and define for each level the corresponding rights (for example, a “guest” level with limited read rights, a “developer” level with write permissions, etc.).
Make regular backups of your version control system. Remember especially to back up your main server where all changes are saved.
Implement development procedures so the team can work effectively even when multiple people are developing simultaneously. You can for example choose not to work directly on the primary branch (master), but instead create feature-based branches that are merged into the main branch as development progresses. Such strategies are well-documented, e.g., Git Flow. Additionally, some version control systems offer the option to set up protected branches that prevent unauthorized changes to files on these branches.
Implement code quality measurement tools that scan your code as soon as it is committed, to ensure it meets quality requirements. You can also add scripts that check these metrics to your version control system’s configuration, so that a commit is automatically rejected if the source code does not meet the quality requirements.
Keep secret keys and passwords out of your source code repository.
If you still need to include such data in your repository, you should consider automatic encryption/decryption of files using a plugin for your version control system (e.g., git-crypt).
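As an added illustration of the two points above (a script wired into the version control system that rejects a commit automatically, and keeping keys and passwords out of the repository), the following POSIX shell pre-commit hook is example code written for this page, not part of the original guide or of any named tool. The regular expressions and the sample diffs are constructed for the example and assume nothing beyond a standard `git` installation; the `scan_diff_for_secrets` function name is hypothetical.

```shell
#!/bin/sh
# Hypothetical pre-commit hook (added example). Install as .git/hooks/pre-commit
# (executable) to reject a commit whose staged changes add credential-like lines.

# Constructed patterns for common secret shapes: private-key headers, an AWS
# access key id, and "name = '<long value>'" style assignments. Tune for your code.
P_PRIVKEY='-----BEGIN( RSA| EC| DSA| OPENSSH)? PRIVATE KEY-----'
P_AWSKEY='AKIA[0-9A-Z]{16}'
P_ASSIGN="(password|passwd|secret|api[_-]?key|auth[_-]?token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# Read a unified diff on stdin, keep only added lines (dropping the "+++" file
# header and removed lines, which are not being committed), and print any line
# that matches a secret pattern. Returns 0 if clean, 1 if something was found.
scan_diff_for_secrets() {
    hits=$(grep -E '^\+' | grep -E -v '^\+\+\+' | sed 's/^+//' \
           | grep -E -i -e "$P_PRIVKEY" -e "$P_AWSKEY" -e "$P_ASSIGN" || true)
    if [ -n "$hits" ]; then
        printf 'Refusing to commit: possible secret in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Scan exactly what is staged for this commit (context lines excluded with -U0).
run_pre_commit() {
    git diff --cached --no-color -U0 | scan_diff_for_secrets
}

# Constructed sample diffs used to exercise the scanner stand-alone.
# A reference to an environment variable is fine; a literal key is not.
DIFF_CLEAN='diff --git a/app.py b/app.py
+++ b/app.py
+password = os.environ["DB_PASSWORD"]
-secret = "removed-value-not-committed"'

DIFF_LEAK='diff --git a/config.py b/config.py
+++ b/config.py
+api_key = "sk_live_0123456789abcdef"'

DIFF_KEY='diff --git a/deploy.pem b/deploy.pem
+++ b/deploy.pem
+-----BEGIN RSA PRIVATE KEY-----'

# Only run the git scan when invoked by git under the hook's file name.
case "$(basename "$0")" in
    pre-commit) run_pre_commit ;;
esac
```

A rejected commit prints the offending lines to stderr; the developer then moves the value to a secrets store or environment variable and commits again.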
If a commit contains personal data or other sensitive information, remember to clean your repository completely, as the data may still be accessible in the repository’s history, even after changes.
Be careful before publishing your source code online. Review all its content, including the change history, to ensure there is no personal information, passwords, or other secrets in the code.
Unlike tools such as Subversion, which require a central server, the most popular version control systems (Git, Mercurial, etc.) are decentralized.
Most of these tools offer a web interface and related features (bug reporting, wiki for documentation, etc.). These solutions can either be publicly accessible via the internet (GitHub, Bitbucket etc.) or hosted on your own servers.