Collaboration is part of the foundation of developing code in a DevOps environment. The ability to share code or leverage snippets from open-source projects enables developers to be more productive and efficient—creating better software, faster. Sharing code with others doesn’t necessarily mean you want it exposed to the public, though, which is why Atlassian recently introduced some new security controls for Bitbucket.
A platform like Bitbucket has a number of advantages in terms of collaboration and efficiency, but many organizations are reluctant (if not adamantly opposed) to putting potentially sensitive code out in the cloud. Atlassian added IP whitelisting and two-step verification to help organizations limit access to code. The IP whitelisting allows customers to restrict access to code to only designated IPs, while the two-step verification ensures it will take more than a simple password compromise for an unauthorized user to gain access to code.
Security policies vary from company to company and industry to industry, but some organizations prohibit working from home outright, or require users to come through specific security controls or a VPN before they can reach internal resources. The IP whitelisting feature of the Bitbucket Premium plan lets a company designate which IP addresses may connect to its code and rejects connections from anywhere else. Because the control keys on the source address, in practice that means listing the organization's office egress or VPN exit addresses, so remote users are funneled through the same path.
“For Limpid Logic customers, remote access and IP whitelisting are sometimes a legal requirement, especially for clients in highly regulated industries such as finance and health care. Our work often deals with sensitive intellectual property that requires limited geographic access to repos from a few specific IPs,” said Bachir El Khoury, managing director at Limpid Logic. “IP whitelisting is exactly what we need within our business and we’re thrilled to see this security feature in Bitbucket.”
The second new security feature is two-step verification. The problem with the traditional access control of a username and password is that it is easily compromised. Usernames often follow a simple and predictable pattern, and passwords have been shown in data breach after data breach to be a poor security control. They are often far too easy to guess or crack, and even "strong" passwords are not invulnerable to phishing or reuse across sites. That is where a second factor helps: something the attacker does not obtain simply by learning the password.
Atlassian introduced the option for administrators to require two-step verification in Bitbucket. A Bitbucket blog post explains, “When you enable this option for your team, users will need to have two-step verification enabled in order to interact (view, push, clone, etc.) with your account’s private content: repositories, team settings, issue trackers, wikis, and snippets. If a user doesn’t have two-step verification enabled at the time of access, they’ll see instructions on how to enable two-step verification in the UI and continue.”
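As an added example (not Atlassian's code, and not a description of how Bitbucket implements either control), here is a small Python model of the two controls discussed above: the IP allowlist from the earlier paragraph and the required two-step verification from this one. It assumes a TOTP-based second factor (RFC 6238, the kind an authenticator app produces) and a hypothetical `POLICY` dictionary; the user records, allowlist networks and password salt are constructed for the example, and the TOTP secret is the RFC 6238 reference secret so its output can be checked against the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample policy for a hypothetical workspace (not Bitbucket's configuration format).
# Addresses come from the TEST-NET documentation ranges.
POLICY = {
    "ip_allowlist": ["203.0.113.0/24", "198.51.100.7/32"],
    "require_2sv": True,
}

# RFC 6238 reference secret ("12345678901234567890" in base32), so the TOTP
# values produced here can be checked against the RFC's test vectors.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SALT = b"constructed-static-salt"  # constructed; real systems use a random per-user salt


def ip_allowed(client_ip, allowlist):
    """True if client_ip lies inside any allowlisted network; malformed input never matches."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the 30-second time counter."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(secret_b32, submitted, at, step=30, window=1):
    """Accept the current step or one step either side (clock drift), comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + drift * step, step), submitted)
        for drift in range(-window, window + 1)
    )


def make_user(name, password, totp_secret_b32=None):
    """Constructed user record: PBKDF2 password hash plus an optional 2SV secret."""
    return {
        "name": name,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000),
        "totp_secret": totp_secret_b32,
    }


def authenticate(user, password, code, at):
    """A leaked password alone is not enough once the account has 2SV enabled."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    if user["totp_secret"] is None:
        return True  # the weak, password-only case the article warns about
    return code is not None and totp_valid(user["totp_secret"], code, at)


def private_content_access(user, client_ip, policy):
    """Decide whether an authenticated user may touch private content (repos, wikis, snippets)."""
    if policy["ip_allowlist"] and not ip_allowed(client_ip, policy["ip_allowlist"]):
        return "deny: source address not in IP allowlist"
    if policy["require_2sv"] and user["totp_secret"] is None:
        return "deny: enable two-step verification to continue"
    return "allow"


if __name__ == "__main__":
    alice = make_user("alice", "correct horse", RFC_SECRET_B32)
    bob = make_user("bob", "hunter2")  # no second factor enrolled
    print(authenticate(alice, "correct horse", None, 59))                        # False: password alone
    print(authenticate(alice, "correct horse", totp(RFC_SECRET_B32, 59), 59))    # True
    print(private_content_access(alice, "203.0.113.45", POLICY))                 # allow
    print(private_content_access(bob, "203.0.113.45", POLICY))                   # deny: enable two-step ...
    print(private_content_access(alice, "192.0.2.10", POLICY))                   # deny: source address ...
```

Two points a practitioner would check. The allowlist must be evaluated against the connection's real source address (or a forwarded-for header set by a proxy you control), never a client-supplied header, or it is bypassed by anyone who can set a request header. And the login check and the content check are deliberately separate here, matching the Bitbucket description quoted above: an account without a second factor can still sign in, but is turned away from private content until two-step verification is enabled.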
Both of the new security features are part of the Bitbucket Premium plan. The features are available as a free trial pending upcoming price changes. Once the changes are implemented, the cost for Bitbucket Premium will be $5 per user per month. You can sign up for Bitbucket here, and learn more about how to configure and use IP whitelisting and two-step verification here.