A deep dive into GitHub's security strategies
Github counts more than 100 million developers. More than 400 million open-source contributions have been written in about 500 languages (JavaScript is the most popular). It brings in tens of millions of visitors every month from all over the globe. Far from being a hangout joint for independent developers, over 90 percent of the Fortune 100 use it, and it generates recurring revenue of $1 billion. No wonder Microsoft paid more than $7 billion to acquire it.
In the 15 years since its inception, GitHub has become the place where open-source developers go to share code. It has earned a reputation as a convenient place to store, track and collaborate on software projects while also providing networking opportunities.
Phishing simulations & training
Popularity breeds contempt
As the old saying goes, popularity breeds contempt. In the case of IT, it should be rephrased: popularity breeds attempts (to hack). In the heyday of Windows 95/98/2000 desktop OS popularity, Microsoft systems were subjected to viruses in unprecedented volume. Yes, there were abundant security issues to fix. But its overwhelming dominance in PCs and servers painted a cyber-target on its back.
Github now shares a similar fate. By attracting so many users who develop software that is incorporated into systems worldwide, breaching Github has become a high-value asset for cybercriminals. Examples of security issues unearthed in recent years include developers unknowingly sharing SSH keys in public repositories, trojans placed inside downloads and malicious code getting injected into legitimate code.
That said, Github has gone to great lengths to combat breaches. It has assembled a large team focused on building machine learning models and creating tools to detect and combat abuse in near real time to handle the scale of the threat actors out there. It also provides tools to developers such as Dependabot and secret scanning that have security features baked in. They are part of GitHub advanced security subscriptions.
“One of the biggest threats we see on a regular basis is a threat actor getting access to source code that had secrets stored in it and taking those secrets to access infrastructure or other SaaS tools and causing more damage from there,” said Jacob DePriest, Vice President and Deputy Chief Security Officer at GitHub. “Secret hygiene is an important aspect of keeping threat actors out of code.”
It should be understood that many developers using Github are not security experts. But they are protected by constant scanning of repositories for secrets and the platform’s security tools being turned on by default. Additionally, there is a bug bounty program as well as detailed guides offering security hardening tips for developers.
Phishing simulations & training
Code Spaces is another handy security feature. Think of Code Spaces as a hosted and secure clean room in which to do compute. It eliminates the need for developers to build a secure environment on a workstation or in the cloud. A new tier of Code Spaces was recently released that provides 60 hours a month for free.
When people are using an open-source tool and find something they think might be a security issue, they have several choices. They can post it publicly, but that has not proven to be the best disclosure method as bad actors can also see the posting and act on it – often before patches are issued or misconfigurations are addressed. Private Vulnerability Reporting is the latest security upgrade within Github. It allows the many open-source maintainers on GitHub to accept private vulnerability reports from researchers, developers and users so they can be triaged by maintainers.
Implementing security fundamentals
Security fundamentals apply to both the developers creating software in Github as well as the customers licensing its various tools. This includes multi-factor authentication (MFA), single sign-on (SSO), vulnerability scanning and other basics. If users take the time to ensure things are secure at their end, they will enjoy a much more secure Github experience.
The application of fundamentals also applies on the career front. Yes, there are positions where a very specific background and experience is a necessity. But many roles in security benefit from a broader view. A varied technical experience translates everywhere. Free classes in Azure, free training in GitHub, Linux programming, networking, and in many other non-traditional disciplines mean you have people on the team who think differently and who've experienced different things from a variety of professions. They bring new ideas to the table.
By all means, learn about tools such as ChatGPT as well as the latest technologies. Security people, these days, need to understand container and software-defined architectures, after all. But it is an impossible proposition to keep up with the breakneck pace of cloud technology evolution. Therefore, a thorough knowledge of underlying fundamentals and security best practices are just as important.
“Chasing the latest JavaScript framework or new cool tool can be fun,” said DePriest. “But the core principles of both software development and security stay the same.”
ChatGPT training built for everyone
Security and development in unison
The actions being taken within Github to provide a more secure environment for developers and users of open-source software are part of a broader initiative to bake security into the development process. Instead of adding security safeguards after the fact, platforms like Github seek to incorporate cybersecurity into the software development process at the earliest possible point along the development pipeline.
Watch our full interview with Jacob DePriest of GitHub on Infosec's "Cyber Work Podcast" website.
ChatGPT training
In this Series
- A deep dive into GitHub's security strategies
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization