A deep dive into GitHub's security strategies
GitHub counts more than 100 million developers. More than 400 million open-source contributions have been written in about 500 languages (JavaScript is the most popular). It brings in tens of millions of visitors every month from all over the globe. Far from being a hangout joint for independent developers, over 90 percent of the Fortune 100 use it, and it generates recurring revenue of $1 billion. No wonder Microsoft paid more than $7 billion to acquire it.
In the 15 years since its inception, GitHub has become the place where open-source developers go to share code. It has earned a reputation as a convenient place to store, track and collaborate on software projects while also providing networking opportunities.
Popularity breeds contempt
As the old saying goes, popularity breeds contempt. In the case of IT, it should be rephrased: popularity breeds attempts (to hack). In the heyday of Windows 95/98/2000 desktop OS popularity, Microsoft systems were subjected to viruses in unprecedented volume. Yes, there were abundant security issues to fix. But its overwhelming dominance in PCs and servers painted a cyber-target on its back.
GitHub now shares a similar fate. By attracting so many users who develop software that is incorporated into systems worldwide, breaching GitHub has become a high-value target for cybercriminals. Examples of security issues unearthed in recent years include developers unknowingly sharing SSH keys in public repositories, trojans placed inside downloads and malicious code getting injected into legitimate code.
That said, GitHub has gone to great lengths to combat breaches. It has assembled a large team focused on building machine learning models and creating tools to detect and combat abuse in near real time, to handle the scale of the threat actors out there. It also provides developers with tools such as Dependabot and secret scanning that have security features baked in. They are part of GitHub Advanced Security subscriptions.
“One of the biggest threats we see on a regular basis is a threat actor getting access to source code that had secrets stored in it and taking those secrets to access infrastructure or other SaaS tools and causing more damage from there,” said Jacob DePriest, Vice President and Deputy Chief Security Officer at GitHub. “Secret hygiene is an important aspect of keeping threat actors out of code.”
It should be understood that many developers using GitHub are not security experts. But they are protected by constant scanning of repositories for secrets and by the platform’s security tools being turned on by default. Additionally, there is a bug bounty program as well as detailed guides offering security hardening tips for developers.
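As an added illustration of the secret hygiene point above (example code written for this article, not GitHub's own secret scanning implementation), a minimal scanner that checks constructed sample lines for known credential prefixes and for high-entropy string literals; the patterns, the entropy threshold and the sample values are assumptions:

```python
import math
import re

# Fixed-format credential patterns (constructed to match the public prefix formats
# of AWS access key IDs and GitHub personal access tokens).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
QUOTED = re.compile(r"""["']([^"']{20,})["']""")
ENTROPY_THRESHOLD = 4.0  # bits per character; a tuning knob, random tokens score well above it


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_lines(lines):
    """Return (line_number, rule_name) for every line that looks like it carries a secret.
    Known prefix patterns are checked first; otherwise any quoted string of 20+ chars
    with high entropy is flagged, which catches random API keys that have no known prefix."""
    findings = []
    for no, line in enumerate(lines, start=1):
        matched = next((name for name, rx in KNOWN_PATTERNS.items() if rx.search(line)), None)
        if matched is None:
            for literal in QUOTED.findall(line):
                if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                    matched = "high_entropy_string"
                    break
        if matched:
            findings.append((no, matched))
    return findings


# Constructed sample lines standing in for a file about to be committed; none are real credentials.
SAMPLE_LINES = [
    'DB_HOST = "db.internal.example"',
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"',
    'GITHUB_TOKEN = "ghp_' + "A" * 29 + 'EXAMPLE"',
    'token = os.environ["API_TOKEN"]',  # read from the environment at runtime: fine
    'api_key = "xK9v2bQ7mLp4ZwT1nR8sYd3HcJ6fVe0G"',
]

if __name__ == "__main__":
    for no, rule in scan_lines(SAMPLE_LINES):
        print(f"line {no}: possible secret ({rule}) -> move it to an env var or secret store")
```

Run as a pre-commit hook, a check like this catches the hard-coded key before it reaches a repository; the entropy rule needs tuning per code base to keep false positives down.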
Codespaces is another handy security feature. Think of Codespaces as a hosted, secure clean room in which to do development work. It eliminates the need for developers to build a secure environment on a workstation or in the cloud. A new tier of Codespaces was recently released that provides 60 hours a month for free.
When people are using an open-source tool and find something they think might be a security issue, they have several choices. They can post it publicly, but that has not proven to be the best disclosure method, as bad actors can also see the posting and act on it – often before patches are issued or misconfigurations are addressed. Private Vulnerability Reporting is the latest security upgrade within GitHub. It allows the many open-source maintainers on GitHub to accept private vulnerability reports from researchers, developers and users so the reports can be triaged by maintainers.
Implementing security fundamentals
Security fundamentals apply both to the developers creating software in GitHub and to the customers licensing its various tools. This includes multi-factor authentication (MFA), single sign-on (SSO), vulnerability scanning and other basics. If users take the time to ensure things are secure at their end, they will enjoy a much more secure GitHub experience.
The application of fundamentals also applies on the career front. Yes, there are positions where a very specific background and experience is a necessity. But many roles in security benefit from a broader view. A varied technical experience translates everywhere. Free classes in Azure, free training in GitHub, Linux programming, networking, and in many other non-traditional disciplines mean you have people on the team who think differently and who've experienced different things from a variety of professions. They bring new ideas to the table.
By all means, learn about tools such as ChatGPT as well as the latest technologies. Security people, these days, need to understand container and software-defined architectures, after all. But it is an impossible proposition to keep up with the breakneck pace of cloud technology evolution. Therefore, a thorough knowledge of underlying fundamentals and security best practices is just as important.
“Chasing the latest JavaScript framework or new cool tool can be fun,” said DePriest. “But the core principles of both software development and security stay the same.”
Security and development in unison
The actions being taken within GitHub to provide a more secure environment for developers and users of open-source software are part of a broader initiative to bake security into the development process. Instead of adding security safeguards after the fact, platforms like GitHub seek to incorporate cybersecurity into the software development process at the earliest possible point along the development pipeline.
Watch our full interview with Jacob DePriest of GitHub on Infosec's "Cyber Work Podcast" website.