Make your project a success
DVCS in big enterprise 
Security challenges
2 
Contestants 
FIGHT!
3 
Me (1/2) 
Daniel CHAFFIOL 
Softeam Cadextan 
(1999) 
BNP-Paribas 
Société Générale 
HSBC
4 
Me (2/2) 
VonC 
Stack Overflow 
(2008) 
Git 
Hg – SVN - ClearCase 
Eclipse - Jenkins
5 
Goal 
Installation Communication ISR 
6 
1 Installation : Git all alone 
7 
Git - Installation 
Step 1 
Step 2 git config --global user.name myUsername 
Step 3 
git config --global user.email my.user@email 
git config --global color.ui always 
git config --global alias.st status 
git config --global alias.lg "log --graph --oneline"
8 
Git - Result 
.git 
.git
9 
Git - Default
.git .git 
?
10
11 
Git - LISTENER 
.git .git
12 
Git – LISTENERS ? 
.git 
.git .git 
.git 
.git .git
13 
Git – LISTENER SERVER 
.git 
.git 
.git 
.git .git
14 
Git - RECAP
15
16 
1 Listeners: Git not-so-easy 
DVCS in Big Enterprise 2
17 
Git – MEET The LISTENERS
18 
Git – Apache 
SetEnv GIT_PROJECT_ROOT /.../...
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ git-core/git-http-backend/
<Location /git>
    Order deny,allow
    Allow from all
</Location>
19 
Git – Apache with authentication 
SetEnv GIT_PROJECT_ROOT /.../...
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ git-core/git-http-backend/
<Location /git>
    Order deny,allow
    Require valid-user
    AuthType Basic
    AuthBasicProvider ldap
</Location>
20 
Git – Apache with AUTHORIZATION 
SetEnv GIT_PROJECT_ROOT /.../...
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ .../gitolite-shell/
SetEnv GIT_HTTP_BACKEND .../git-http-backend
<Location /git>
    Order deny,allow
    Require valid-user
    AuthType Basic
    AuthBasicProvider ldap
</Location>
21 
Git – Apache with AUTHORIZATION 
SetEnv GIT_PROJECT_ROOT /.../...
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ .../gitolite-shell/
SetEnv GIT_HTTP_BACKEND .../git-http-backend
<Location /git>
    Order deny,allow
    Require valid-user
    Require ldap-group xxx
    AuthType Basic
    AuthBasicProvider ldap
</Location>
22 
Git – SSH with GITOLITE 
command="[path]/gitolite-shell user1",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA18S2t...
command="[path]/gitolite-shell user2",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArXtCT...
~/.ssh/authorized_keys
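Added example (not part of the original slides): a Python audit of an authorized_keys file like the one on this slide. It flags keys without a gitolite-shell forced command, keys lacking sshd restriction options, and a key bound to two users. The /opt/gitolite path, the key blobs, and the reading of "[more options]" as the sshd no-* restrictions (or restrict) are assumptions made for illustration.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# Assumption: the slide's "[more options]" stands for these sshd restrictions.
RESTRICTIONS = {"no-port-forwarding", "no-x11-forwarding",
                "no-agent-forwarding", "no-pty"}
FORCED = re.compile(r"(?:^|/)gitolite-shell\s+(\S+)$")

# Constructed sample, not taken from the deck.
SAMPLE = """\
# gitolite-managed keys (constructed sample)
command="/opt/gitolite/src/gitolite-shell user1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAconstructedKEY1 user1@host
command="/opt/gitolite/src/gitolite-shell user2",no-port-forwarding ssh-rsa AAAAconstructedKEY2
ssh-rsa AAAAconstructedKEY3 admin@laptop
command="/opt/gitolite/src/gitolite-shell user3",restrict ssh-rsa AAAAconstructedKEY1
"""


def split_unquoted(text, is_sep):
    """Split text wherever is_sep(char) is true outside double quotes."""
    parts, cur, in_quote, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quote and i + 1 < len(text):
            cur += text[i:i + 2]          # keep an escaped character such as \"
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if is_sep(c) and not in_quote:
            parts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    parts.append(cur)
    return [p for p in parts if p]


def parse_entry(line):
    """Return (options dict, key blob) for one authorized_keys line."""
    fields = split_unquoted(line, str.isspace)
    options = {}
    if not fields[0].startswith(KEY_TYPES):   # line starts with an options field
        for opt in split_unquoted(fields.pop(0), lambda c: c == ","):
            name, sep, value = opt.partition("=")
            options[name.lower()] = value.strip('"') if sep else None
    blob = fields[1] if len(fields) > 1 else ""
    return options, blob


def audit_authorized_keys(text):
    """Return [(line number, finding)] for entries that are not confined to Git."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, blob = parse_entry(line)
        match = FORCED.search(options.get("command") or "")
        if not match:
            findings.append((lineno, "no gitolite-shell forced command: "
                                     "key is not confined to Git"))
        elif "restrict" not in options:
            missing = RESTRICTIONS - set(options)
            if missing:
                findings.append((lineno, f"{match.group(1)}: missing "
                                         + ", ".join(sorted(missing))))
        if blob in seen:
            # sshd stops at the first matching key, so the later user never applies.
            findings.append((lineno, f"same key as line {seen[blob]}: "
                                     "sshd uses the first match"))
        else:
            seen[blob] = lineno
    return findings


if __name__ == "__main__":
    for lineno, message in audit_authorized_keys(SAMPLE):
        print(f"line {lineno}: {message}")
```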
23 
Git – Nginx with REVERSE PROXY 
ssl on;
ssl_certificate .../itsvc.world.company.crt;
ssl_certificate_key .../itsvc.world.company.key;
location /git/ {
    proxy_pass https://Srv:8080/git/;
}
location /gitweb/ {
    proxy_pass https://Srv:8081/gitweb/;
}
24 
Git - RECAP
25
26 
ISR 
ISR 
27 
ISR: Hell on Wheels 
ISR 
28 
1 ISR & Git: Hell on wheels 
DVCS in Big Enterprise 3
29
30 
ISR 
infrastructure Application 
31 
ISR 
infrastructure
32 
Git – INFRA (no cache) 
Http Cache control
Options -Indexes
CacheIgnoreHeaders Set-Cookie
SetEnv no-cache
SetEnv no-store
SetEnv must-revalidate
Header merge Cache-Control no-cache
Header add Pragma no-cache
Header merge Cache-Control no-store
Header merge Cache-Control must-revalidate
33 
Git – INFRA (no weak cipher) 
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ...
SSL Ciphers
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ...
34 
Git – INFRA (ssh banner) 
Banner /path/to/.ssh.banner
SSH Banners
Big Bank Legal Notice
This is a computer system owned by Big Bank Plc. All programs and data on this system are the property of or licensed by Big Bank Plc...
35 
Git – INFRA (no service discovery) 
ServerTokens Prod 
Service discovery 
server_tokens off;
36 
ISR 
Application 
37 
Git – Application (no XFS) 
Header always append X-Frame-Options DENY
Cross-Frame Scripting (XFS)
add_header X-Frame-Options DENY;
38
Git – Application (no XFS)
Header always append X-Frame-Options DENY
Cross-Frame Scripting (XFS)
<script>if (top != self) top.location=location</script>
</body>
add_header X-Frame-Options DENY;
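Added example (not part of the original slides): a Python check of one HTTP response's headers against the settings on slides 32, 35 and 37-38 (no cache, no service discovery, no XFS). The sample responses are constructed; the X-Frame-Options check also catches the duplicated or combined value that can result from "Header always append" when the backend already sends a different one.

```python
import re

REQUIRED_CACHE = ("no-cache", "no-store", "must-revalidate")

# Constructed samples, not captured from a real server.
HARDENED = """\
HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
Content-Type: text/html
"""

WEAK = """\
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN, DENY
Content-Type: text/html
"""


def parse_headers(raw):
    """Map lowercased header names to the list of values sent for them."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if not sep:                                # blank line: end of headers
            break
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def tokens(values):
    """Flatten repeated and comma-separated header values into one token set."""
    return {t.strip().lower() for v in values for t in v.split(",") if t.strip()}


def audit_headers(raw):
    """Return the list of deviations from the deck's header settings."""
    headers = parse_headers(raw)
    findings = []

    # Slide 32: Cache-Control must carry all three directives, plus Pragma.
    cache = tokens(headers.get("cache-control", []))
    for directive in REQUIRED_CACHE:
        if directive not in cache:
            findings.append(f"Cache-Control lacks {directive}")
    if "no-cache" not in tokens(headers.get("pragma", [])):
        findings.append("Pragma: no-cache not set")

    # Slides 37-38: the only acceptable value is DENY, with no second value.
    frame = tokens(headers.get("x-frame-options", []))
    if not frame:
        findings.append("X-Frame-Options not set")
    elif frame != {"deny"}:
        findings.append("X-Frame-Options is not exactly DENY: "
                        + ", ".join(sorted(frame)))

    # Slide 35: ServerTokens Prod / server_tokens off leave a bare product name.
    for banner in headers.get("server", []):
        if re.search(r"[/\d(]", banner):
            findings.append(f"Server header discloses version or platform: {banner}")
    return findings


if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_headers(sample) or "OK")
```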
39 
Git – Application (no auto-completion) 
Gitweb: no auto-complete
<script src="jquery.min.js"></script>
<script src="doc_ready.js"></script>
</body>
doc_ready.js:
$(document).ready(function() {
    $("input").attr("autocomplete", "off");
});
40 
Git – Application (gitweb : login page) 
Gitweb: limited login attempts
<section class="container">
  <h1>Login to App</h1>
  <form method="POST" action="">
    <input type="text" name="httpd_username" value="" />
    <input type="password" name="httpd_password" value="" />
    <input type="submit" name="login" value="Login">
  </form>
</section>
41 
Git – Application (Apache: new directives) 
Gitweb: limited login attempts
AP_INIT_TAKE1("AuthFormAttempts", set_attempts, NULL, ACCESS_CONF,
    "Maximum number of login attempts."),
AP_INIT_TAKE1("AuthFormLockout", set_lockout, NULL, ACCESS_CONF,
    "Lockout time in seconds if number of login attempts is exceeded."),
mod_auth_form.c
42 
Git – Application (apache : login attempts & lockout) 
AuthFormAttempts 4 
AuthFormLockout 180 
Gitweb: 
limited login attempts
43 
ISR: RECAP 
infrastructure Application 
44 
Let's just put Git in place... it will be easy!
45 
Let's just put Git in place... It will be easy!
46 
ISR: RECAP 
infrastructure Application 
Make your project a success
21, avenue Victor Hugo 
75016 Paris 
www.softeam.fr 
47 
http://www.iconarchive.com/show/free-large-boss-icons-by-aha-soft.html
http://www.iconarchive.com/show/delta-icons-by-aroche.html
http://www.myfonts.com/fonts/haiku/insolent/licensing.html
http://www.iconarchive.com/show/plump-icons-by-zerode.html
http://www.iconarchive.com/show/vista-hardware-devices-icons-by-icons-land.html
http://www.iconarchive.com/show/warm-toolbar-icons-by-avosoft.html
http://www.avo-soft.com/
http://www.iconarchive.com/show/nuoveXT-icons-by-saki.html
http://www.iconarchive.com/show/ios7-icons-by-icons8.html (http://icons8.com/)
http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org.html
http://www.iconarchive.com/show/despicable-me-2-icons-by-designbolts.html
Git dvcs and Information Security Review

  • 1. Faites de votre projet un succès DVCS in big enterprise Security challenges
  • 2. 2 Contestants DVCS in Big Enterprise FIGHT!
  • 3. 3 Me (1/2) Daniel CHAFFIOL Softeam Cadextan (1999) DVCS in Big Enterprise BNP-Paribas Société Générale HSBC
  • 4. 4 Me (2/2) DVCS in Big Enterprise VonC Stack Overflow (2008) Git Hg – SVN - ClearCase Eclipse - Jenkins
  • 5. 5 Goal Installation Communication ISR DVCS in Big Enterprise
  • 6. 6 1 Installation : Git all alone DVCS in Big Enterprise
  • 7. 7 Git - Installation Step 1 Step 2 git config --global user.name myUsername Step 3 git config --global user.email my.user@email git config --global color.ui always git config --global alias.st status git config --global alias.lg git log --graph --online
  • 8. 8 Git - Result .git .git
  • 9. 9 Git - DefauLt .git .git ?
  • 10. 10
  • 11. 11 Git - LISTENER .git .git
  • 12. 12 Git – LISTENERS ? .git .git .git .git .git .git
  • 13. 13 Git – LISTENER SERVER .git .git .git .git .git
  • 14. 14 Git - RECAP
  • 15. 15
  • 16. 16 1 Listeners: Git not-so-easy DVCS in Big Enterprise 2
  • 17. 17 Git – MEET The LISTENERS
  • 18. 18 Git – Apache SetEnv GIT_PROJECT_ROOT /.../... SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ git-core/git-http-backend/ <Location /git> Order deny,allow Allow from all </Location>
  • 19. 19 Git – Apache with authentication SetEnv GIT_PROJECT_ROOT /.../... SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ git-core/git-http-backend/ <Location /git> Order deny,allow Require valid-user AuthType Basic AuthBasicProvider ldap </Location>
  • 20. 20 Git – Apache with AUTHORIZATION SetEnv GIT_PROJECT_ROOT /.../... SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ .../gitolite-shell/ SetEnv GIT_HTTP_BACKEND .../git-http-backend <Location /git> Order deny,allow Require valid-user AuthType Basic AuthBasicProvider ldap </Location>
  • 21. 21 Git – Apache with AUTHORIZATION SetEnv GIT_PROJECT_ROOT /.../... SetEnv GIT_HTTP_EXPORT_ALL ScriptAlias /git/ .../gitolite-shell/ SetEnv GIT_HTTP_BACKEND .../git-http-backend <Location /git> Order deny,allow Require valid-user Require ldap-group xxx AuthType Basic AuthBasicProvider ldap </Location>
  • 22. 22 Git – SSH with GITOLITE command="[path]/gitolite-shell user1",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA 18S2t... command="[path]/gitolite-shell user2",[more options] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA rXtCT... ~/.ssh/authorized_keys
  • 23. 23 Git – Nginx with REVERSE PROXY ssl on; ssl_certificate .../itsvc.world.company.crt; ssl_certificate_key .../itsvc.world.company.key; location /git/ { proxy_pass https://Srv:8080/git/; } location /gitweb/ { proxy_pass https://Srv:8081/gitweb/; }
  • 24. 24 Git - RECAP
  • 25. 25
  • 26. 26 ISR ISR DVCS in Big Enterprise
  • 27. 27 ISR: Hell on Wheels ISR DVCS in Big Enterprise
  • 28. 28 1 ISR & Git: Hell on wheels DVCS in Big Enterprise 3
  • 29. 29
  • 30. 30 ISR infrastructure Application DVCS in Big Enterprise
  • 31. 31 ISR DVCS in Big Enterprise infrastructure
  • 32. 32 Git – INFRA (no cache) Http Cache control Options -Indexes CacheIgnoreHeaders Set- Cookie SetEnv no-cache SetEnv no-store SetEnv must-revalidate Header merge Cache-Control no-cache Header add Pragma no-cache Header merge Cache-Control no-store Header merge Cache-Control must-revalidate
  • 33. 33 Git – INFRA (no weak cipher) SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCipherSuite ... SSL Ciphers ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers ...
  • 34. 34 Git – INFRA (ssh banner) Banner /path/to/.ssh.banner SSH Banners Big Bank Legal Notice This is a computer system owned by Big Bank Plc. All programs and data on this system are the property of or licensed by Big Bank Plc...
  • 35. 35 Git – INFRA (no service discovery) ServerTokens Prod Service discovery server_tokens off;
  • 36. 36 ISR Application DVCS in Big Enterprise
  • 37. 37 Git – Application (no XFS) Header always append X-Frame-Options DENY Cross-Frame Scripting (XFS) add_header X-Frame-Options DENY;
  • 38. top.location=location 38 Git – Application (no XFS) Header always append X-Frame-Options DENY Cross-Frame Scripting (XFS) <script>if (top != self) </script> </body> add_header X-Frame-Options DENY;
  • 39. 39 Git – Application (no auto-completion) Gitweb: no auto-complete <script src="jquery.min.js" /> <script src="doc_ready.js" /> </body> doc_ready.js: $(document).ready(function() { $("input"). attr("autocomplete", "off"); });
  • 40. 40 Git – Application (gitweb : login page) Gitweb: limited login attempts <section class="container"> <h1>Login to App</h1> <form method="POST" action=""> <input type="text" name="httpd_username" value="" /> <input type="password" name="httpd_password" value="" /> <input type="submit" name="login" value="Login">
  • 41. 41 Git – Application (Apache: new directives) Gitweb: limited login attempts AP_INIT_TAKE1( "AuthFormAttempts", set_attempts, NULL, ACCESS_CONF, "Maximum number of login attempts."), AP_INIT_TAKE1( "AuthFormLockout", set_lockout, NULL, ACCESS_CONF, "Lockout time in seconds if number of login attempts is exceeded."), mod_auth_form.c
  • 42. 42 Git – Application (apache : login attempts & lockout) AuthFormAttempts 4 AuthFormLockout 180 Gitweb: limited login attempts
  • 43. 43 ISR: RECAP infrastructure Application DVCS in Big Enterprise
  • 44. 44 Let's just put Git in place... it will be easy!
  • 45. 45 Let's just put Git in place... It will be easy!
  • 46. 46 ISR: RECAP infrastructure Application DVCS in Big Enterprise
  • 47. Make your project a success 21, avenue Victor Hugo 75016 Paris www.softeam.fr 47 http://www.iconarchive.com/show/free-large-boss-icons-by-aha-soft.html http://www.iconarchive.com/show/delta-icons-by-aroche.html http://www.myfonts.com/fonts/haiku/insolent/licensing.html http://www.iconarchive.com/show/plump-icons-by-zerode.html http://www.iconarchive.com/show/vista-hardware-devices-icons-by-icons-land.html http://www.iconarchive.com/show/warm-toolbar-icons-by-avosoft.html http://www.avo-soft.com/ http://www.iconarchive.com/show/nuoveXT-icons-by-saki.html http://www.iconarchive.com/show/ios7-icons-by-icons8.html (http://icons8.com/) http://www.iconarchive.com/show/oxygen-icons-by-oxygen-icons.org.html http://www.iconarchive.com/show/despicable-me-2-icons-by-designbolts.html
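Added example (not from the slides or the author's repository): a response-header check for the ISR items on slides 32, 35 and 37 (no caching, no version disclosure, no framing). The two raw responses are constructed samples, and the function names are illustrative.

```python
"""Audit HTTP response headers against the ISR items on slides 32, 35 and 37."""

# Constructed sample responses (not captured from any real server).
COMPLIANT = """HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Cache-Control: no-store, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY

"""
DEFAULT = """HTTP/1.1 200 OK
Server: Apache/2.4.10 (Unix) OpenSSL/1.0.1j
Cache-Control: max-age=3600

"""

def parse_headers(raw):
    """Return {lowercased name: [values]} so repeated headers are all kept."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def tokens(headers, name):
    """Comma-separated tokens of a header, merged across repeats, lowercased."""
    return {t.strip().lower() for v in headers.get(name, [])
            for t in v.split(",") if t.strip()}

def audit(raw):
    """Return the list of ISR findings for one raw response (empty if compliant)."""
    h = parse_headers(raw)
    findings = []
    missing = {"no-cache", "no-store", "must-revalidate"} - tokens(h, "cache-control")
    if missing:
        findings.append("cache-control lacks: " + ", ".join(sorted(missing)))
    if "no-cache" not in tokens(h, "pragma"):
        findings.append("pragma: no-cache missing")
    if tokens(h, "x-frame-options") != {"deny"}:
        findings.append("x-frame-options is not DENY")
    # ServerTokens Prod / server_tokens off leave a bare product name, no version.
    for value in h.get("server", []):
        if "/" in value or any(c.isdigit() for c in value):
            findings.append("server header discloses version: " + value)
    return findings
```

Running `audit()` on responses fetched through the reverse proxy, rather than from the backend directly, checks what clients actually receive.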

Editor's Notes

  • #2: This is about the cognitive dissonance between: - a decentralised tool (with a light authentication scheme and little or no authorization) - a centralized environment (with strong authentication and authorization constraints)
  • #3: When a decentralised tool communicates information, and when Information Security Review has a look into said decentralised tool … Fight.
  • #4: Mainly large banking companies since 1999. Full resume: http://careers.stackoverflow.com/vonc
  • #5: On Stack Overflow since Stack Overflow exists (Sept. 2008) http://stackoverflow.com/users/6309/vonc
  • #6: Installing is easy. Communication between Git repos is harder. Being compliant with ISR (Information Security Review) is really hard.
  • #7: Installing Git on a developer's PC. Easy.
  • #8: Grab an archive (.7z) on https://github.com/msysgit/msysgit/releases/ Unzip and you are up and running in no time.
  • #9: No processes involved: Git is purely a filesystem manager. However, it is only useful if you can replicate the Git repo to another PC.
  • #10: Git daemon (non-standard port) is prohibited. And the enterprise doesn't allow shared folders (which have limited authorization anyway).
  • #11: So, with Git alone, you end up all alone. Stranded on your PC.
  • #12: What you need, for any service communication, is: Authentication (encrypted) Authorization ACL (Access Control Level) Audit Monitoring
  • #13: Obviously, you can't deploy a listener to each node. That would be a mess to maintain.
  • #14: You need one centralized server, dedicated to Git repos hosting, with a unique listener able to provide the features needed.
  • #15: And those features are: Authentication (encrypted) Authorization ACL (Access Control Level) Audit Monitoring For Git repos hosting.
  • #16: So... How do we get there? How do we implement a listener with all those features?
  • #17: Communication between clients and a dedicated server. The not-so-easy part.
  • #18: Listeners (Apache, ssh) ensure the encrypted authentication part. Gitolite does the ACL and audit part. NGiNX provides one unique URL with reverse proxy to: Git, GitWeb
  • #19: Git is made to be called by Apache: every Git distro ships with a perl script able to interpret an http query: git-http-backend. However, there is no authentication.
  • #20: Adding authentication means, in a big company, requiring validation from an LDAP database. But you still don't have authorization: all the repos are available, without restriction.
  • #21: Calling gitolite instead of git-http-backend allows you to add ACL between your listener and your data (the Git repo). That will provide fine-grained ACL, up to the branch or file level for writing. Note that reading remains at the repo level: if you can access a repo, you can access all its content.
  • #22: Even before calling ACL, the first control is an LDAP one. If you are not in a specific LDAP group, you don't have access to anything. https://github.com/VonC/compileEverything/commit/6944b7855ebf9756c300e51c000e1eda1ba1c83b
  • #23: An ssh listener must not provide an interactive secure shell: non-interactive access only. The forced command feature from ssh (nothing to do with Git or gitolite) will make that non-interactive session call gitolite (with your name and the repo you want to access). See http://stackoverflow.com/a/13320256/6309
  • #24: NGiNX provides: secure access (SSL: Secure Socket Layer), a cryptographic protocol designed to provide communication security over the Internet. http://en.wikipedia.org/wiki/Transport_Layer_Security Reverse proxy to various http services (Git, GitWeb, Gerrit), but also other services (Jenkins, Nexus, SVN, Jira, …)
  • #25: So here you have the moving parts to put in place in order to provide a listener in a big enterprise: reverse proxy SSL Apache http (web access) SSH ACL (Gitolite, with audit)
  • #26: Those are your “Guardians of the Git”
  • #27: But... that listener still needs to pass the ISR (Information Security Review)
  • #28: And that process can become “Hell on Wheels”
  • #29: Those are the challenges set by ISR for making the listeners compliant.
  • #30: It refers to the Union Pacific Railroad and its surveyors, laborers, prostitutes, mercenaries, and others who lived, worked and died in the mobile encampment called "Hell on Wheels" that followed the railhead west across the Great Plains. First transcontinental railroad in North America. ~1866
  • #31: Infrastructure: set of interconnected structural elements that provide a framework supporting an entire structure of development. Application software: set of programs providing the features allowing access to a service.
  • #32: How the structural elements need to be configured to be compliant with ISR. This isn't about Git, but about those elements themselves.
  • #33: More details with: https://github.com/VonC/compileEverything/commit/64290cc4c4b902eb3c65fb551710708b93b1fc69 http://stackoverflow.com/q/10314174/6309 Pragma is the HTTP/1.0 implementation and cache-control is the HTTP/1.1 implementation of the same concept. They both are meant to prevent the client from caching the response.
  • #34: In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption. More details with: https://github.com/VonC/compileEverything/commit/5c35daf9aabd921c70e74e95c30fbef6db816fd4 https://github.com/VonC/compileEverything/commit/bdafe2407bc3f1e5770b248735410e148fdf4323
  • #35: More details with: https://github.com/VonC/compileEverything/commit/95a9ccfc8c1cf2848e9580b4704cd0cea07ab6cf Plc: Public Limited Company. It is a limited (liability) company whose shares may be freely sold and traded to the public.
  • #36: More details with: https://github.com/VonC/compileEverything/commit/ff5bd054f2d4fc33d7df439e1a9ec47630aed900
  • #37: Application is about the features that the aforementioned pieces need to provide in order to access your service (here, the Git repos)
  • #38: Cross-Frame Scripting (XFS) is a client-side attack related to Cross-site Scripting (XSS). The attacker's page loads your vulnerable page inside an HTML frame, and JavaScript executing in the attacker's page steals the victim's data from your page. https://github.com/VonC/compileEverything/commit/4782d7b0f1d2c58c5df8a0248819694a1030ccce
  • #39: Here you start forking, managing a personal version of an application (in this instance, gitweb) https://github.com/VonC/compileEverything/commit/2d6f8924510e1390fa76fb86e4ce6cd73db646e3
  • #40: Again forking, Gitweb: https://github.com/VonC/compileEverything/commit/96f297892cf3a9d63a1fa28a45b20b87f9290706 https://github.com/VonC/compileEverything/commit/45bcb94cd5378266723ed3d28077927562a113fc
  • #41: Add login.html for gitweb: https://github.com/VonC/compileEverything/commit/445c98b9eb003e3a5dd04dd6c7eb1d6356280108
  • #42: More details with C code within Apache: https://github.com/VonC/compileEverything/commit/5c6e55a221387fb757914a516c219fb0c6b9bf45
  • #43: Those two directives in httpd.conf do not exist. They are the result of new code within mod_auth_form.c https://github.com/VonC/compileEverything/commit/6f5525005da953ab2f89f4fea7a247665beefbfb
  • #44: Infrastructure: The structural elements are not configured by default to be compliant with ISR. Application software: Basic security features are missing, especially for web applications.
  • #45: If you are not satisfied with your Version Control System of the moment, and decide to “just install Git”... It is easy for the client (developer)
  • #46: … But putting a Distributed Version Control System in a large enterprise, used to centralized processes and controls, that is no picnic.
  • #47: Infrastructure: Listeners and reverse proxy. Application software: Authentication (with login management), authorization (with ACL) and audit. That involves a lot of configuration (infra) and forking (specific development, application). Any questions?
  • #48: Here are the picture, font and icon references, for licence.
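Added example (not the author's mod_auth_form.c patch): a model of the behaviour described for AuthFormAttempts and AuthFormLockout in notes #41 to #43, using the values from slide 42 (4 attempts, 180 seconds). It assumes the lockout starts when the failure count reaches the maximum and that a correct password during the lockout is still refused; the class, function and user names are hypothetical.

```python
"""Model of a failed-login counter with a timed lockout (assumed semantics)."""

class LoginThrottle:
    def __init__(self, max_attempts=4, lockout_seconds=180):
        self.max_attempts = max_attempts        # AuthFormAttempts on slide 42
        self.lockout_seconds = lockout_seconds  # AuthFormLockout on slide 42
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time at which the lockout ends

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: start again with a clean counter.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'denied' for one login attempt at time `now`."""
        if self.is_locked(user, now):
            return "locked"   # the password is not evaluated while locked
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
        return "denied"

def replay(events, throttle=None):
    """Feed (seconds, user, password_ok) events through one throttle."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(user, ok, t) for (t, user, ok) in events]

# Constructed timeline: (seconds, user, password correct?)
EVENTS = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False), (3, "alice", False),
    (4, "alice", True),    # correct password, but inside the lockout window
    (10, "bob", True),     # other accounts are unaffected
    (182, "alice", True),  # still locked: the lockout ends at 3 + 180 = 183
    (183, "alice", True),  # lockout over
]
```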