Coffee break #35. How to comply with GitHub security rules. Useful tips for quickly debugging Java code

How to stay secure on GitHub

Source: DZone GitHub is deservedly considered the most popular team development platform. According to data from last fall, more than 40 million programmers used this service. And since most of them use open source to create software, security when working on Github should be your top priority. Reusing code increases the risk of spreading vulnerabilities. This means that every GitHub user should pay maximum attention to creating a secure development environment. There are 8 rules you need to follow to keep your GitHub code secure.

Provide access control

Access control is one of the best ways to improve security not only on GitHub, but in any other environment where code protection is required. GitHub offers several ways to reduce risks in your work. First, make it a practice to grant least privilege—give repository users only the permissions they need to do their job. There are other access control methods that you should follow:

• limit the creation of repositories to prevent users from disclosing information about the organization in public repositories;
• enable branch protection and state checks so users can merge commits or manage branches securely;
• Allow or disable forking of private repositories to ensure that users do not disclose or share your code with others;
• revoke access for all inactive users who are no longer members of your community or employees of the company;
• Periodically check the access rights to your projects on GitHub;
• Ensure that users do not share GitHub account access or passwords with others;
• make sure that each repository user uses two-factor authentication in their account;
• Change personal access tokens and SSH keys periodically.

Never store access data in your GitHub files

Leaking access information to your GitHub repository through code, configuration files, or commit messages can be used for attacks. To prevent sensitive data from being added to your repository, use access control tools like git-secrets or vault . These tools scan your code base and change access whenever sensitive information is found in your code or configuration files. If you find sensitive information in your GitHub repository, you should delete it immediately. But because GitHub keeps a history of all the commits in your repository, deleting data alone is not enough. You will need to delete files from your GitHub repository history. An important step to improve security will be the replacement of all passwords and tokens that were previously publicly available.

Enable alerts for vulnerable dependencies

As GitHub users work on more projects, it becomes increasingly difficult to control the growing number of dependent objects. Luckily, GitHub provides automatic alerts for vulnerable dependencies found in the repository. These alerts are based on the National Vulnerability Database (NVD), GitHub Security Advisories , and the WhiteSource vulnerability database, which supports more than 200 programming languages. GitHub alerts make it easier and safer to use open source libraries.

Check apps added from GitHub

The GitHub Marketplace contains hundreds of applications written by third-party developers and companies. Therefore, it is important to carefully review each application you add to your repository. When installing applications from the GitHub Marketplace, follow these guidelines:

• Enforce the principle of least privilege. Never give applications more access rights than they require;
• Always question access rights or permissions requested by an application. Think about the damage this could cause with this level of access;
• Verify that the company or app developer actually exists before granting them access to your GitHub repository;
• Check the functionality and security of the application. If it contains vulnerabilities, you may become a victim of hacking;

The security of an application is judged by its weakest part. This also applies to GitHub repositories. So before you give an app access to your storage, make sure you trust it and that it matches the level of access it requests.

Check all code imported from GitHub

Developers often use other people's code. Every time you copy part of someone else's code into your project, conduct a full review of it. This may seem like a waste of time, especially for small projects, but there is a chance that by neglecting this rule you will introduce a vulnerability into your repository. Another risk associated with imported code is that it may contain sensitive information such as access data. If they are stored in GitHub files, this creates another security risk. Auditing the code before copying it helps to identify such loopholes. Don't assume that someone else's code is safe because it was in a private repository. It could very well harm your codebase.

Use automatic static source code analysis for your repositories

There are several third-party tools you can use to analyze your repository for vulnerabilities. One of them is WhiteSource Bolt , a free tool from the GitHub Marketplace. WhiteSource Bolt scans your repositories for vulnerabilities in all exposed code. It also provides detailed information about vulnerabilities and suggests remediation options.

Use the GitHub plan that suits your needs

Many companies have policies that prevent developers from posting code on platforms like GitHub. These restrictions are especially common in government departments and financial institutions. If you work in a highly regulated environment, use GitHub Enterprise , an enterprise plan that allows you to host repositories on a local server. This provides a higher level of security because it allows the company's developers to have access to all projects without worrying about unauthorized GitHub users.

Follow a comprehensive security policy in your projects

Safety is a collective responsibility. If you work in a team, it is important to establish safety rules that all stakeholders must follow. Ideally, you should bring the cybersecurity and development teams together during the planning phase to ensure they are working in sync. This will make it easier to ensure protection during the development process. If one of your team members is careless about storing passwords or other sensitive information, it could put the entire repository at risk. To avoid this, clearly document the safety procedure that all your colleagues must follow.

Conclusion

Securing your code on GitHub is easy. You just need to ensure proper access control, taking advantage of GitHub's built-in security features. If you are interested in maximum protection, integrate additional tools that will increase code security at all stages of development. We also recommend reviewing the GitHub Security for Business and Free Users sections of the documentation . This way you can get additional information about code security and protection.

Useful tips for quickly debugging Java code

Source: Hackernoon Apart from writing efficient code, getting better at debugging is one of the most useful things you can do to make your life easier as a Java developer. This is especially important in modern software development conditions, where the software world is actively moving towards distributed architectures and asynchronous code. While software errors are inevitable, they are becoming increasingly difficult to detect and fix in complex builds. And when moving to the product release stage, the debugging process becomes an even more serious problem. Unfortunately, there is no way to avoid this - debugging is necessary. To help you, I decided to share some useful tips for debugging Java applications at different stages of development.

Use control points

Let's start with breakpoints, an obvious but very important point that underlies any debugging process. Checkpoints allow you to stop the execution of an application so you can analyze the state of the program and figure out why the code is not working correctly. Each debugger offers several breakpoint options, including conditional breakpoints, exception breakpoints, watchpoints, and tracepoints. Learning how and when to use different types of breakpoints can make the debugging process smoother. It's worth mentioning that some modern tools support checkpoints without interrupting the application. This makes it possible to set points in your code and collect debugging data without stopping program execution.

Show logical structure

The show logical structure feature is very useful when monitoring content in Java classes. If this feature is enabled, the variable list shows an array, which is much more useful in a debugging context. This is very convenient, especially if your code lacks toString() methods for objects. Variable views also allow you to directly change the values ​​of your variables while debugging. This can save a significant amount of time by not having to restart the debugging session with changed input data.

Learn to navigate the codebase

Any Java debugger can use several functions that allow you to navigate through different sections of code while debugging. Some of them include "run to line", "step over", "step into" and "step into". In addition to these, consider two more options:

1. Drop to frame - This function is used to return to a point in your stack frame. If you missed a point and need to go back, just use the Drop to frame function.
2. Step filtering - allows you to skip certain packets during debugging. You don't have to navigate through all the classes in the JDK system when you can simply filter out the types you don't need.

To improve your code navigation speed, you need to master the function key combinations:

• F5 - for “stepping into”.
• F6 - for “stepping over”.
• F7 - for "step return".
• F8 - to run to the next checkpoint.

Although the hotkeys may vary between IDEs, if you remember them, it will save you from having to use the mouse more often.

Learn to Avoid Deadlocks

A deadlock scenario occurs when two or more threads block after forming a circular dependency. Since a set of Java threads are usually waiting for another resource, this can cause the application to stop completely. Debugging jstack deadlocks can be quite difficult since they do not show problem indicators such as memory spikes, CPU load, etc. There are various approaches to troubleshoot a jstack deadlock situation. First, you can capture multiple thread dumps in your JVM cluster to infer thread patterns. In this case, analyzing a static thread dump may not be enough. Depending on the size of the JVM cluster, it may be necessary to trawl multiple files, which is often a labor-intensive and time-consuming process. It's best to use an application monitoring solution that provides the JV layer and code layer needed to isolate thread deadlocks. Fortunately, there are innovative tools that can help with this situation, including some modern debuggers as well as commercial APM tools. These tools increase the transparency of your Java code while identifying errors.

Leverage the power of production debuggers

The typical debugging process that most developers typically follow involves replicating the environment, isolating the error, and then fixing it. However, this does not apply in all cases. If this is the situation, the developer should use powerful production debuggers. Rookout is one such tool. It allows you to collect debugging data from applications without changing its state or flow control. With Rookout, you can set non-breaking breakpoints to obtain a full stack trace, capture live variables, or any other application data needed for debugging. So, instead of using high-overhead monitoring solutions for production debugging, simply use Rookout, which provides everything you need to debug applications without redeploying or writing new code. Whether you're working on server-side or containerized applications, Rookout is a great addition to your debugging arsenal.

Don't forget about remote debugging

The vast majority of IDEs, such as NetBeans, Eclipse, IntelliJ IDEA, and Visual Studio, support remote debugging, a technique that allows you to fix Java code located on another computer. This is especially important in situations where your system does not support local debugging, or when your computer does not have enough resources to run debuggers. To perform remote debugging, you must provide configuration information that the debugger will use to connect to the remote port. Remote debugging is also useful in troubleshooting situations where off-site developers need to connect to the application to fix a bug. Remember that sometimes debugging can take longer than the actual implementation. As you hone your Java debugging skills, always strive to write clean, efficient code—it pays off when it comes to fixing bugs. If you feel like things are getting out of control, it's always a good idea to take a break. A bug is a programming puzzle, and many programmers have managed to solve this problem without being anywhere near their computer. Use the strategies described above to get rid of Java debugging problems. Happy coding!