New integration allows security and identity teams to secure access to sensitive data on GitHub and meet compliance requirements

Veza, the authorization platform for identity-first security, today announced an integration with GitHub, the software collaboration platform that is home to over 100 million developers and 330 million repositories worldwide. With this integration, Veza customers who use GitHub can now keep company IP out of the hands of threat actors by managing access permissions to the organization’s codebase.

Identity-related attacks continue to be the top culprit behind data breaches. Once a threat actor gains unauthorized access to source code, they can inject malicious code into a project, unchecked by engineers and security teams. With just one-time access, a threat actor can download code for offline viewing, giving them ample time to look for exploits, find customer data, and harvest credentials and API keys. An incident at Okta, reported in December, showed how hackers could retrieve source code by gaining unauthorized access to GitHub repositories.

Source code is valuable IP and an attractive target for theft. However, it can be challenging to maintain appropriate access permissions across all the organization members, outside collaborators, teams working in GitHub. It’s common for internal employees to collaborate with external contributors, so there is no single identity provider to track all users and ensure MFA (multi-factor authentication) is being used. Moreover, developers often use their personal GitHub identity across multiple jobs, making it difficult to distinguish internal from external contributors. While GitHub’s out-of-the-box permissions management system offers fine-grained access control, organizations struggle to understand those permissions. The challenge grows with the number of contributors.

“For many of our customers, GitHub repositories contain the crown jewels of the company, so we’re giving them the power to find and fix inappropriate access,” said Tarun Thakur, co-founder and CEO at Veza. “When threat actors are working everyday to find vulnerabilities, it’s no longer an option to rely on quarterly access reviews. Veza makes it easy to achieve continuous compliance.”

“To secure our customers’ data and stay compliant with global regulations, it’s critical to maintain the integrity and confidentiality of our source code,” said Frank Dellé, Head of Global Compliance, Nozomi Networks. “Veza enables us to monitor and enforce our access policies across GitHub and other data systems, allowing us to manage role-based access control at scale. With Veza, we can understand the combined effect of our access control layers to maintain least privilege.”

With Veza’s integration for GitHub, identity and security teams go beyond role-based access control to understand what actions users can take (read, write, delete). Veza customers can automatically find excessive permissions and take steps to remediate. For teams that work on IAM, security assurance, and compliance, Veza accelerates access reviews and certifications with automated workflows.

Key features of the integration with GitHub:

• Perform access reviews and remediation for any GitHub repository
• Visualize access across internal and external collaborators
• Architect least privilege access controls
• Audit orphaned or inactive local GitHub accounts to eliminate unnecessary access
• Configure alerts for changes in permissions to highly sensitive code, such as Infrastructure as Code repositories

The GitHub integration is available to all Veza customers now. This is one of many enterprise integrations available to help organizations secure data across the enterprise. To learn more, please visit our integrations page.

About Veza

Veza is the authorization platform for identity-first security. Identity and security professionals use Veza to modernize access governance for the new data landscape. By automating the work of finding and fixing excessive permissions on a continuous basis, Veza helps organizations achieve Least Privilege. Veza’s unique approach ingests metadata from any app or data system, organizes it as an authorization graph, and makes it searchable in real-time. Global enterprises like Blackstone, Wynn Resorts, and Expedia trust Veza to protect sensitive data and automate access reviews. Founded in 2020, Veza is headquartered in Los Gatos, California, and is funded by Accel, Bain Capital, Ballistic Ventures, GV, Norwest Venture Partners, and True Ventures. Visit us at veza.com.