A mouthful of a title but in this blog, I’ll try to answer this question based on my own understanding and experiences deploying WebAuthn.
Firstly, if you don’t know what Web Authentication is (commonly referred to as WebAuthn), it might be worth having a quick read of my previous blog post as the WebAuthn standard is the foundational building block for passkeys.
In this post, I will be going through some of the essential Branch Protection Rules you should have on all* of your GitHub repositories. GitHub is constantly releasing new updates all the time but my recommendations stand as of January 2022.
I’ve also added some gotchas I’ve tripped over discovered whilst deploying such rules across nearly a thousand repositories.
*Assuming we’re talking about corporate GitHub organisations… and by all, I mean ALL. Branch protection Rules should be the rule, not the exception. Have exceptions if you need them (you will!) but otherwise apply it everywhere.
Web Authentication, or WebAuthn is a standard for strong user authentication and is a core part of the FIDO2 specification. I’m not going to go into too much technical detail about the spec in this blog because there already exists a plethora of awesome documents and demonstrations which explain WebAuthn better than I ever could; I’ll include those in the Additional Reading section below.
I want to start by saying that this article is not only for security professionals. If you have the power to influence positive change at your organisation then this article is for you. With that said, let’s begin…
Take a minute to visit your corporate website and look for a “security” or “responsible disclosure” page or link. Go on, do it now and continue reading after you’ve had a look.
…
Don’t see one? Maybe you have one but it’s obscured and requires a little bit of clicking and button pressing. If so, keep reading…
I wrote this blog to help organisations better prepare for and run successful bug bounty programs. The blog touches on my personal experiences as a program owner of both good and badly run programs as well as being on the other side of the fence as a bug bounty hunter.
This blog ended up being a lot longer than I thought it would be. I hope it’s a worth-while read especially to those of you who are considering running or already run a bug bounty program. At the very worst it might help you get to sleep at night 🙂