Raj Sarkar, Atlassian’s product marketing leader for BitBucket, said the company’s goal with BitBucket is to unleash the productivity of teams — whether they are software development, business or IT operations teams. The technology is broadly used, as Sarkar noted that there are more than six million developers using BitBucket and over a million teams using the product that features more than 300 integrations to support best-of-breed tools.
However, security has become a growing concern and a constantly evolving problem for BitBucket customers, said Rahul Chhabria, product leader for BitBucket.
According to Chhabria, the challenge for many developer teams is that leaders can tell their developers to protect their accounts and change to two-factor authentication, but many are going to see it as a nuisance and not do it.
“No matter how much focus is put on data security, it’s the end user that is ultimately the weakest link and can be vulnerable to password hacks,” said Alastair Wilkes, a product manager at Atlassian, in a blog post. “To avoid this, it’s more important than ever that you aren’t just securing your account with a password, but also taking measures like two-step verification to keep your private content on BitBucket, well… private.”
Two-step verification or two-factor authentication — also known as 2FA — ensures your data will continue to be protected even if someone else gets your password, Wilkes said.
With the feature Atlassian is now offering in BitBucket Cloud, a team admin can enforce two-factor authentication across the team: anybody who wants to write to the team's repositories must enable 2FA and log in with not only a password, but also a six-digit one-time code that expires every 30 seconds.
“This is great because now I can have a large distributed team and reduce the overhead of management by checking a single box and also know that my content is protected all the way down to the wikis that are private and issues that we’re using to track our progress are also private,” Chhabria said.
However, the 2FA feature requires a smartphone to receive that six-digit code. Not every developer uses a smartphone for work or has a company phone, and many would rather keep their personal devices out of it. So Atlassian also introduced IP whitelisting for customers with distributed workforces that need to restrict repository access to pre-screened IP addresses.
“With IP whitelisting enabled, users will only be able to interact (view, push, clone, etc.) with your account’s private content if they are accessing BitBucket from an IP address you have selected and know is safe,” said Wilkes. “If a user tries to access any of your team’s repositories, issue trackers, wikis, snippets or team settings from an un-whitelisted IP, they’ll receive an error.”
The new security features let administrators ensure that security controls are in place on a user's device before the user can even get network access to private content. Companies can also route remote employees through a locked-down VPN server, so that private content is reachable only after authenticating from that device. And for organizations with strict no-work-from-home policies, whitelisting only office IP addresses prevents users from reaching repositories from home.
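The two controls described above, as an added example that is not Atlassian's code: a minimal RFC 6238 TOTP check with the article's six-digit, 30-second parameters, combined with an IP allowlist check. The secret, allowlist ranges and client addresses are constructed sample values.

```python
import hmac
import hashlib
import struct
import ipaddress

STEP_SECONDS = 30   # code lifetime named in the article
DIGITS = 6          # six-digit code named in the article


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the counter is floor(time / 30s)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current 30s step plus/minus `skew_steps` for clock drift.
    Anything older has expired and is rejected, which is the property the article relies on."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):   # constant-time compare
            return True
    return False


def ip_allowed(client_ip: str, allowlist: list[str]) -> bool:
    """True if the client address falls inside any allowlisted CIDR range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def authorize(client_ip: str, code: str, secret: bytes, allowlist: list[str], unix_time: int) -> str:
    """Network allowlist first, then the second factor; both must pass."""
    if not ip_allowed(client_ip, allowlist):
        return "denied: ip not allowlisted"
    if not verify_totp(secret, code, unix_time):
        return "denied: bad or expired code"
    return "granted"


if __name__ == "__main__":
    # Constructed sample values (RFC 6238 test seed; documentation IP ranges).
    secret = b"12345678901234567890"
    office = ["203.0.113.0/24"]
    print(authorize("203.0.113.7", totp(secret, 59), secret, office, 59))
    print(authorize("198.51.100.9", totp(secret, 59), secret, office, 59))
```

The expected values in the test come from the RFC 6238 Appendix B SHA-1 vectors truncated to six digits.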
“We’ve heard from several teams that using IP whitelisting with BitBucket will allow them to move off on-prem version control systems and enjoy the savings and convenience of hosting their code in the cloud,” Wilkes said.
Protect Your IP
Sydney, Australia-based specialty software development shop Limpid Logic is one such customer. Bachir El Khoury, founder and managing director at Limpid Logic, said IP whitelisting for BitBucket could not have come at a better time.
The company specializes in building custom software, and most of its projects are research and development because it works with leading-edge technologies such as Internet of Things devices, wearables, the Microsoft HoloLens and other virtual reality systems.
Many large corporate customers hire Limpid Logic as a development shop to build prototypes or specialized systems for them. With some companies, particularly in health care, banking and finance, Limpid Logic often handles proprietary intellectual property and sensitive data.
“So, we have to set up our systems to address this sensitivity,” El Khoury told The New Stack. “For instance, whitelisting IP is a legal requirement in some cases. They need to control who accesses what and where.”
In a statement, El Khoury noted that “Our work often deals with sensitive intellectual property that requires limited geographic access to repos from a few specific IPs.”
Before the new IP whitelisting capability in BitBucket, Limpid Logic had to set up custom or hosted Git servers for clients with sensitive data and requirements. But the complexity became too much, he said.
“We set up multiple remote repositories, but we took on a lot of complexity — especially now where every company is a software company,” El Khoury said. “So, before this we were managing a lot of small, self-hosted repositories, which was very difficult to maintain because we couldn’t access their servers easily. There were a lot of barriers that created friction and it became really tedious and expensive to just get approved to get their IT guy to do something.”
Now, with IP whitelisting in BitBucket, El Khoury said he expects a lot of the friction to be reduced, if not go away altogether. His company will be able to provide access to its internal repositories to their clients directly without having to deploy or push to the clients’ servers.
“And internally for our staff we’ll be able to provide the ability and transparency to the client, showing them that firstly we use BitBucket, which is already respected,” he said. “It’s not like a self-hosted dodgy server in someone’s bedroom somewhere. And two, we’ll be able to show them who is logged in and where they can access things from. They can have that control and knowledge that their IP is in a safe place.”
Both the 2FA feature and IP whitelisting are available in BitBucket’s Premium plan, which also includes merge checks, smart mirroring, 1,000 build minutes per month for BitBucket Pipelines and 10 GB/month of Git Large File Storage (LFS).
“This plan specifically aims to improve the experience for administrators of teams with lots of users and repos, complex business requirements (as a result of industry standards, etc.) or both, which we’ve found become more prevalent as a team grows,” Wilkes said.
All features in this plan are available as a free trial until the pricing changes take effect, after which the plan will cost $5 per user per month.
Feature image via Pixabay.