Bitbucket = The Crown Jewels of your environment
Bitbucket, like other Git repositories, is fundamental to your software development. But in fact, it is much more than that. For many organizations, Bitbucket is the source of their IP and of all the configurations critical to running their infrastructure. Here are some core use cases:
- Version Control: They provide a robust version control system, allowing teams to track changes, collaborate efficiently, and roll back to previous versions if needed.
- Collaboration: They enable multiple developers to work on the same project simultaneously, merging changes and resolving conflicts.
- Code Review: Features like pull requests facilitate code review processes, improving code quality and knowledge sharing.
- CI/CD Integration: They integrate seamlessly with CI/CD pipelines, automating build, test, and deployment processes.
Threats to your IP, Source Code, and Configurations
The data and configurations stored in Bitbucket power your organization. Beyond your source code, Bitbucket stores and manages most of your DevOps and infrastructure configurations. For example, where do you think the YAML files for your Lambda functions are stored? Or your Terraform templates? Losing or corrupting your data in Bitbucket can:
- Compromise your IP and source code.
- Require your organization to rebuild configurations across your entire infrastructure and application lifecycle.
- Impact customer experiences.
- Destroy developer productivity.
Common scenarios that lead to data loss in Bitbucket
You can categorize these scenarios as accidental data loss, misconfigurations, and, as always, Murphy's Law.
Accidental data loss. This is the most common scenario by far and one you can pretty much guarantee will happen in your organization. Whether it’s an admin or a user, people make mistakes. Here are some examples:
- Accidental deletions (you can always count on this one)
- Overwrites
- Misconfigurations
Cyber-attacks or insider threats. Your Git repos, whether Bitbucket or GitHub, are your organization's crown jewels. This makes them a lucrative target for cybercriminals to hold for ransom, leak, or use for espionage. Here are some recent examples:
- Injecting malicious code directly into exposed libraries
- Attacking Git Repositories for credential theft of your API keys, passwords, and cryptographic keys.
- Malicious contributions/commits. In July 2023, the team at Checkmarx Zero reported detecting suspicious commits in several repos.
- Submitting fraudulent pull requests
Recommendations: Ensuring tenant-level security, compliance, and business continuity of Bitbucket
Since most organizations use Bitbucket in Atlassian Cloud, it can be confusing to understand the scope of your responsibility. In another article, we summarize the division of responsibility between the vendor (Atlassian Cloud) and the tenant (your organization). Here is a checklist of the fundamental actions your organization should take when using Bitbucket or any other cloud repository.
- Enable Multi-Factor Authentication (MFA) for all users and use Single Sign-On (SSO).
- Implement least privilege policies for access rights.
- Limit and monitor access/permissions, especially if your organization uses contractors or third-party development agencies. Learn about how Atlassian Guard plans to support organizations with this.
- Enable branch protection rules and set up branch restrictions.
- Avoid storing API keys, passwords, and tokens in Bitbucket.
- Review merge process and contributions.
- Regularly search for cloned repositories.
- Automate backups with a daily backup frequency (at minimum).
- Keep offsite copies of your repository, via your backups, in immutable storage (e.g., an Amazon S3 bucket with Object Lock enabled).
- Regularly test recoveries of repositories to simulate a cyber event.
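The checklist item about not storing API keys, passwords, and tokens in Bitbucket is easiest to enforce before a commit exists. The pre-commit check below is an added example written for this article, not HYCU's or Atlassian's code. It parses the unified diff that `git diff --cached` produces, applies a few detection rules to added lines only (private key headers, AWS access key IDs, credential-style assignments, and high-entropy hex or base64 tokens), and exits non-zero so the commit is refused. The sample diff, the rule names, and the entropy thresholds are constructed for this example; the AWS key values are Amazon's published documentation placeholders, not live credentials.

```python
#!/usr/bin/env python3
"""Pre-commit secret check for Git repositories (added example, not HYCU or Atlassian code).

Reads a unified diff of staged changes (e.g. `git diff --cached`) and flags
added lines that look like credentials, so the commit never reaches Bitbucket.
"""
import math
import re
import sys
from collections import Counter
from typing import List, NamedTuple, Optional

# Constructed sample diff standing in for `git diff --cached` output.
# The AWS values are Amazon's documented placeholder keys, not live credentials.
SAMPLE_DIFF = """\
diff --git a/config/settings.yaml b/config/settings.yaml
--- a/config/settings.yaml
+++ b/config/settings.yaml
@@ -1,2 +1,6 @@
 region: us-east-1
+aws_access_key_id: AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+db_password: "hunter2"
+x_signing_material: 9f8b3c2d1e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c
+log_level: debug
-legacy_flag: true
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+(key material omitted from this constructed sample)
"""

# Detection rules, checked in order; the first match names the finding.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")      # long-term / temporary key IDs
CREDENTIAL_RE = re.compile(
    r"(?i)\b[\w.-]*(?:password|passwd|secret|token|api[_-]?key)[\w.-]*\s*[:=]\s*['\"]?([^\s'\"]{6,})"
)
HEX_TOKEN_RE = re.compile(r"[0-9a-fA-F]{20,}")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_ENTROPY_MIN = 3.0   # hex alphabet caps entropy at 4.0 bits/char (assumed threshold)
B64_ENTROPY_MIN = 4.5   # base64 alphabet caps at 6.0 bits/char (assumed threshold)
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


class Finding(NamedTuple):
    path: str
    line: int      # line number in the new version of the file
    rule: str
    excerpt: str   # key name only; the value is never echoed


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify(content: str) -> Optional[str]:
    """Return the name of the first rule that flags an added line, or None."""
    if PRIVATE_KEY_RE.search(content):
        return "private-key-block"
    if AWS_KEY_ID_RE.search(content):
        return "aws-access-key-id"
    if CREDENTIAL_RE.search(content):
        return "credential-assignment"
    if any(shannon_entropy(t) > HEX_ENTROPY_MIN for t in HEX_TOKEN_RE.findall(content)):
        return "high-entropy-token"
    if any(shannon_entropy(t) > B64_ENTROPY_MIN for t in B64_TOKEN_RE.findall(content)):
        return "high-entropy-token"
    return None


def redact(content: str) -> str:
    """Keep the key name so the developer can find the line, drop the value."""
    m = re.match(r"\s*([^:=]{1,40})[:=]", content)
    return (m.group(1).strip() + ": [redacted]") if m else "[redacted]"


def scan_diff(diff_text: str) -> List[Finding]:
    """Walk a unified diff, tracking file path and new-file line numbers."""
    findings: List[Finding] = []
    path, new_line = "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):                 # added line: the only kind we inspect
            rule = classify(raw[1:])
            if rule:
                findings.append(Finding(path, new_line, rule, redact(raw[1:])))
            new_line += 1
        elif raw.startswith(" ") or raw == "":  # context line advances numbering
            new_line += 1
        # removed ("-") lines and "diff --git" headers do not advance new-file numbering
    return findings


def main() -> int:
    diff_text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.excerpt}")
    if findings:
        print(f"{len(findings)} possible secret(s) staged; commit blocked.", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To wire it in, a `.git/hooks/pre-commit` script can run `git diff --cached | python3 secret_check.py` and propagate the exit status; run without piped input it scans the built-in sample. The rules deliberately look only at added lines, so deleting a previously committed secret is not blocked, and the credential rule requires a value of at least six characters to avoid flagging settings such as timeouts. A hook is a developer-side convenience, not a control: server-side scanning, branch restrictions, and the other items in the checklist still apply.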
To learn more about how to secure and protect your Git repositories, watch this on-demand discussion between HYCU product leaders: GitHub Security: Merging Data Protection with your DevOps Workflow.
Interested in learning more?
- For more details, sign up for a Demo
- Elevate your capabilities with R-Cloud
- Unlock the potential of R-Graph with a comprehensive test