<a href="https://colab.research.google.com/github/wjtopp3/CSIT-2033/blob/main/CSIT_2033_Week_2.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# Multi-Factor Authentication
- GitHub supports Multi-Factor Authentication (MFA) to enhance account security by requiring users to provide an additional verification factor beyond their password (Settings > Password and authentication)
- MFA can be enabled via:
  - Time-based one-time passwords (TOTP) generated by authenticator apps like Google Authenticator, Authy, or the GitHub mobile app
  - Security keys that support FIDO2/WebAuthn
  - SMS-based authentication (less recommended due to security concerns).
- Once enabled, MFA is required during login and when performing sensitive actions, such as modifying account settings or accessing repositories with heightened security policies.
- Additionally, GitHub allows organizations to enforce MFA for members, ensuring stronger protection for repositories and codebases.

# Role-Based Access Control (RBAC)
- RBAC is a security model that restricts system access based on predefined roles assigned to users, ensuring they have only the necessary permissions to perform their tasks.
- Instead of granting individual permissions directly, RBAC assigns permissions to roles, which are then assigned to users, simplifying access management and reducing security risks.
- Originally formalized by NIST, RBAC is widely used in enterprise environments, databases, operating systems, and cloud platforms to enforce least privilege and improve compliance with security policies.
- It helps organizations efficiently manage user access, streamline administrative tasks, and minimize the risk of unauthorized actions
- GitHub uses RBAC by assigning predefined roles (like Read, Write, Admin) at the repository, organization, and enterprise levels to control user access, enabling least-privilege permissions and scalable access management.

# Student Repositories
- Access control must be balanced with collaborative learning when using GitHub in a classroom environment.
- The goal is to promote collaboration while maintaining the integrity of the repository and preventing accidental or unauthorized modifications.
- Instructors can assign Read access to students who only need to view a repository, Write access for those contributing code without merging, and Maintain or Admin roles for team leads or advanced students managing repository settings.
- Branch protection rules allows instructors to ensure students follow proper version control workflows, such as requiring pull requests and code reviews before merging.
- GitHub Classroom allows use of private (template) repositories to generate private forkable repos for students to support academic integrity.

# Branch Protection Rules
- Branch protection rules in GitHub help enforce version control best practices by restricting direct changes to important branches. To set them up:
  - In the repository on GitHub, click on the "Settings" tab.
  - In the left sidebar, under "Code and automation", click "Branches".
  - In the "Branch protection rules" section, click "Add rule".
  - In the "Branch name pattern" field, enter the branch name you want to protect (e.g., main, develop, or use wildcards like feature/*).
  - Select Protection Options. GitHub provides several protection rules you can enable:
    - Require pull request reviews before merging: set a required number of approvals (e.g., at least one review).Block self-reviews to enforce team feedback.
    - Require status checks to pass before merging: ensure automated tests (CI/CD) pass before merging.Select specific checks (e.g., Linting, Unit Tests, Build).
    - Require commit signatures: enforce cryptographic signatures to verify commit authenticity.
    - Restrict who can push to the branch: allow only instructors or specific team members to push directly.
    - Require branches to be up to date before merging: prevent merging outdated branches to avoid conflicts
    - Prevent branch deletion: stop accidental or malicious deletion of protected branches.
  - Save the Rule
    - Review the settings.
    - Click "Create" to apply the protection rule.

### Branch Protection Rules for GitHub Projects

---

#### 1. Require Pull Request Reviews Before Merging  
*Prevents direct commits to the main branch and enforces a code review process.*

**Example Rule:**
- Require at least one approved review before merging.  
- Prevent self-approval (someone else must review the changes).  
- Dismiss stale approvals if new commits are added.

---

#### 2. Require Status Checks to Pass Before Merging  
*Prevents merging unless automated tests (CI/CD pipelines) pass.*

**Example Rule:**
- Require GitHub Actions tests to pass before merging.  
- Block merging if tests fail.

---

#### 3. Restrict Who Can Push to a Branch (intro courses)
 *Limits who can make direct changes to critical branches.*

**Example Rule:**
- Only instructors can push directly to main.  
- Students must use feature branches and open pull requests.

---

#### 4. Prevent Deletion of Protected Branches  
*Stops accidental or malicious deletion of important branches.*

**Example Rule:**
- Prevent deletion of the main and develop branches.


# 🛠️ Hands-On: Explore Branch Protection Rule in a GitHub repo

In this exercise, we will explore branch protection rules for our previous GitHub repository.

---

- Modifying these rules is a common practice in professional workflows.

1. Go to your repository on GitHub.
2. Click the Settings tab (you must have admin access to see this option).
3. In the left sidebar, select Branches.
4. Under Branch protection rules, click **Add classic branch protection rule**
5. In Branch name pattern, type **main**
6. Verify **Allow deletions** is unchecked — this prevents the branch from being deleted.
7. Other rules you can set:
  - Require pull request reviews before merging
  - Require status checks (e.g. automation tool checks) to pass before merging
8. Click Create or Save changes at the bottom.

# Managing Sensitive Data (Secrets)
## Never Commit Secrets!
- API keys, credentials, and other sensitive data should never be committed to version control systems like Git because they can easily be exposed to unauthorized users, especially if the repository is public or shared across teams.
- [Don't be like Dropbox!](https://blog.gitguardian.com/dropbox-breach-hack-github-circleci/)
- Once exposed, these  values can be used by attackers to gain access to protected systems, steal data, abuse services (e.g., triggering rate limits or incurring unexpected costs), or compromise application security.
- Even in private repositories, accidental leaks are possible through forks, backups, or misconfigured access controls.
- Best practices dictate storing secrets in environment variables or secure vaults, and using .gitignore to exclude local configuration files that contain sensitive information.

# Tools for Protecting Secrets
- Tools like [git-secrets](https://github.com/awslabs/git-secrets) and [truffleHog](https://trufflesecurity.com/trufflehog) are designed to detect and prevent the accidental leakage of secrets—such as API keys, passwords, and tokens—into Git repositories.
- These tools scan commit messages, staged files, and repository history for patterns that resemble sensitive information, helping developers catch issues before they are pushed to remote servers.
-- **git-secrets** can be integrated as a pre-commit hook to block commits containing known secret patterns using regular expressions for detection.
  - A common example of a known secret pattern is an AWS Access Key ID, e.g.,

```
          AKIAIOSFODNN7EXAMPLE
```

  - detected by the regex

```
          AKIA[0-9A-Z]{16}
```

- **truffleHog** performs deep scans for high-entropy (highly random) strings that may indicate keys or credentials.


# Static Analysis and Dependency Scanning of Code "at Rest"
- Static analysis and dependency scanning in Python are essential practices for identifying code issues and securing third-party packages early in the development cycle.
- **Static analysis** analyzes code without executing it in order to detect potential errors, code smells (signs of poor design or maintainability issues), security vulnerabilities, and other issues.
- Static analysis tools like [pylint](https://pypi.org/project/pylint/), [flake8](https://flake8.pycqa.org/en/latest/), and [bandit](https://bandit.readthedocs.io/) examine Python code without executing it, flagging syntax errors, code style violations, and potential security flaws such as use of unsafe functions or insecure imports.
- **Dependency scanning** automatically identifies and evaluates third-party libraries used in a project to detect known security vulnerabilities, outdated packages, and other issues.
- Dependency scanning tools like [pip-audit](https://pypi.org/project/pip-audit/), [safety](https://www.getsafety.com/cli), or GitHub's built-in [Dependabot](https://docs.github.com/en/code-security/dependabot) check packages configured packages for known security vulnerabilities.

# Jupyter Notebooks and Google Colab
- Jupyter Notebooks and Google Colab provide flexible, interactive environments for secure coding practices, enabling developers to test and refine security-focused scripts in isolated, controlled settings.
  - Support for Python and various security-related libraries, making them useful for tasks like penetration testing, secure coding education, and cryptographic implementations.
  - Built-in execution controls, users can safely run code in segmented cells, reducing the risk of unintended operations.
- Colab’s cloud-based execution adds an extra layer of security by sandboxing processes away from local machines, preventing potential malware execution.
- Both platforms facilitate reproducibility and collaboration, allowing security teams to document vulnerabilities and share insights while maintaining strict access controls.