The fundamentals of GitHub

Jacob DePriest, GitHub’s VP, deputy chief security officer, talks about what GitHub is, how it works and what to do with it once you start to understand it.

0:00 - GitHub fundamentals

1:30 - What is GitHub?

2:11 - How did GitHub get so popular?

3:15 - Where to start at GitHub

4:15 - How to search GitHub

5:52 - Evaluating GitHub materials

7:47 - GitHub shortcuts for security professionals

9:03 - Outro

About Infosec

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

[00:00:00] Chris Sienko: For today's Cyber Work hack, we're going to take you by the hand and lead you through the magical land of Oz. Nope. GitHub. Jacob DePriest, the VP Deputy Chief Security Officer at GitHub, will walk you right through the front door of this massive open source tool and code sharing site with over 100 million developers and tell you how and where to get started.

If you've previously put off getting to know GitHub, now is your chance to explore with a newfound sense of purpose, one that could have only come from a Cyber Work hack.

[00:00:37] CS: Welcome to a new episode of Cyber Work Hacks. The purpose of the spinoff of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution.

Today's guest is GitHub’s VP Deputy Chief Security Officer, Jacob DePriest. Jacob and I had an excellent conversation over on the Cyber Work podcast. And if you haven't seen it yet, I definitely suggest you check it out next.

Jacob has been part of GitHub’s initiative to make security a top priority for its site and its users alike. But if you're just getting into the field, or you're technically challenged, like me, you might have probably heard of GitHub or maybe even visited GitHub a little bit. But you might not really know what GitHub is, or how it works, or what to do with it, once you start to understand it. So, if that's you, stick around, and let's learn together. Thanks for joining me, Jacob.

[00:01:26] Jacob DePriest: Thanks for having me, Chris. It's great to be here.

[00:01:30] CS: So, let's start with the simplest of simple questions. What is GitHub? How long has it been around? And why did it become such a massively important tool for developers?

[00:01:40] JDP: Yes. So, GitHub is a software collaboration platform where developers all over the world develop their code, test their code, manage it, do continuous integration, build, and security, and a variety of other things. We have over 100 million developers on the platform now, 90% of the Fortune top 100, and 3.5 billion total contributions. In many ways, it is one of the central pillars of the software development ecosystem in the world.

[00:02:11] CS: Yes. There's a feeling of like, if GitHub didn't exist, GitHub would invent it, or something like that. It just seems so integral to the process. Now, I'm curious if you have a sense of how that happened? How it became like, like you said, it's just like, like the spine of the entire thing.

[00:02:29] JDP: Yes. I mean, open source has been around, GitHub has been around for 15 years. Open source has been around for longer, but I think, in many ways, GitHub provided this central, both catalyst and rallying point for the world's open source developers to come together. And then, in addition, we have some really great enterprise tools that companies need to build. It's great, because so many developers do open source early on in their careers, whether it's in school, or as a hobby, and then they go work for companies, and they're like, “Hey, I want to use the same tools that I'm using on the weekend to build these things.” So, it's really kind of this, it's turned into both professional and open source way to just do software development for the world.

[00:03:12] CS: Love it. If you were talking to an absolute rank beginner, what would be your advice about where to start when checking out GitHub? Are there any search tools that you think don't get enough use? Or any sort of like tips for like – you've walked in the front door, and now what do you look at?

[00:03:29] JDP: Yes. I always point, especially kind of folks who were not super familiar with GitHub, or Git, even who joined the company, to skills.github.com. We have a great training program that is interactive. You can kind of walk through it and do a bunch of projects and tutorials, right on the platform itself. We have a ton of free capabilities, free open source hosting, free Codespaces, for like a developer platform, free tier of almost everything we do. So, it's just a great way to kind of walk a new developer through that.

The other thing I would point out, too, is free Azure training. So, a lot of folks are interested in cloud development, as well as sort of general development, and there's a lot of – I mean, just hundreds and hundreds of hours of free Azure training that's available as well.

[00:04:14] CS: Oh, cool. Okay. So, that's a great starting place. Let's move one level up the newbie food chain. Let's say it's your first day on the job, you're a new developer, you've done a bit of hands on work in your studies, maybe you've done some stuff on the weekends, but you have a very fast and steep learning curve, once you start your first real job in the field. Your supervisor maybe gives you a project and some vague requests to find some materials on GitHub or figure them out for yourself. Do you have a basic search routine personally, in your mind when you need to find something on GitHub?

[00:04:47] JDP: Sure. I think, kind of two things come to mind. One is, any search engine out there, feels like is almost inextricably linked to GitHub code at this point. I think a lot of people just will go to their favorite search engine and start to find kind of what they need and how to do. We have search built into the platform as well, which is really compelling if you have a more specific thing you're looking for.

One thing that I think is really interesting now, too, is once you've kind of narrowed down the thing you want to do as a developer, but maybe you're not as familiar with the language or the syntax or whatever, we have a new AI powered development system called Copilot, which will do essentially, AI powered auto completion for developers. If you haven't seen the tutorials, or the videos on that, I mean, it's absolutely mind blowing. I use it every day. It's really incredible. So, I think that is a bit of a game changer in getting folks up to speed as well, particularly as they land in a new area, and maybe don't have familiarity with all the tools that are involved there.

[00:05:47] CS: That's great to know. What was the name of that again?

[00:05:49] JDP: Copilot.

[00:05:49] CS: Copilot. Okay. So, we're speaking from a security standpoint, what tips do you have for evaluating the quality or feasibility or use of materials that you find on GitHub? What should people be looking for, as they're picking and grabbing open source things?

[00:06:04] JDP: That's an interesting question. First of all, I don't think there's a universal answer to this. So, I think a lot of this comes from leveraging the best practices of this, the security teams that developers are working with every day. Some of the things that may go into those decisions would be things like the number and frequency of contributions to an open source project. How active is it? Does it have multiple people contributing to it and fixing things and opening pull requests on it? Does it have star – we have a way to star a project. So, how many stars does it have? And then, you can look at the security tab of an open source project and see a little bit of insight into how they're approaching the security tools and integrations as well.

[00:06:48] CS: I have a curiosity, would there be any benefit if – I don't know if there's like something that's low rated on a star basis that you could look through, and sort of use that as like a personal exercise in your head to figure out what's going on with that? Or is it really just like, stick to the five star –

[00:07:07] JDP: Well, I think it's really complex with open source, right? Because, just because something may not have as many stars as another project, it may just mean that there's less people in the world who are interested in that particular piece of technology. Maybe the quality is really high. So, I think there is – it does take a nuanced view, depending on what's the need that developer is trying to solve, the team's trying to solve, and what are the security requirements around it. So, I think, there's also the opportunity that if it's maybe not got everything they need, or maybe doesn't have as much activity, become a contributor and start opening up pull requests, and build that open source community around that project. So, I think that's a really cool way to deal with some of these things as well.

[00:07:47] CS: Moving up to the sort of next level, I'm sure a lot of the actual experts have turned this off by now because they feel like I'm playing in the sandbox. But if you're a developer security professional, who's going to be spending a lot of time on GitHub, do you have any shortcuts or organizational tips for regular users, especially with – we mentioned in the other program about some of the shortcuts that people use to do passwords and keys and stuff, so they don't fall out of flow. But do you have any organizational tips in that regard for people who are on GitHub pretty much all the time?

[00:08:17] JDP: Sure. I mean, I can tell you what a lot of our engineering teams do every day, all day. So, they use Codespaces with built-in configuration so that whether it's a new person, or a seasoned engineer joins the team, or is on the team, they can spin up a codespace that's got a very specific, and well known, and repeatable development environment. So, that's how we develop our core GitHub platform. And then, almost everybody's using Copilot now as well. Our AI powered developer system. And then, there's a lot of kind of shortcuts that we build in for developers. A lot of developers don't like their hands to leave the keyboard. So, you can actually navigate most of GitHub just through shortcut keys, and moving around that way, as well. There's a lot of fun things there.

[00:09:02] CS: That's a pretty good overview there. So, one last question. If our listeners have any further questions about getting started on GitHub, or any other questions for you, Jacob, where should they look?

[00:09:11] JDP: On GitHub, we have great documentation. Getting started, a lot of the getting started on GitHub links for any search engine will point you to some really great tutorials on our site. For me personally, I'm @JacobDePriest on most of the social media platforms. And then, for GitHub Security, follow us on Twitter and the GitHub blog. We keep those very up to date and post regularly.

[00:09:34] CS: Beautiful. Jacob DePriest. Thank you for walking us through the basics of GitHub today. It's so much fun.

[00:09:39] JDP: Thanks for having me. I enjoyed it.

[00:09:40] CS: Thank you all for watching this episode. If this video helped you, please share it with colleagues or forums or on your social media accounts. And definitely subscribe to our podcast feed and YouTube page. Just type in Cyber Work in any of them and you're on your way. There's plenty more to come and if you have any topics that you want us to cover, drop them in the comments. Until then we will see you next time. Take care.

[00:09:40] CS: Hey, if you're worried about choosing the right cybersecurity career, click here to see the 12 most in demand cybersecurity roles. I asked experts working in the field how to get hired and how to do the work of the security roles so you can choose your study with confidence. I'll see you there.
