GitHub Advanced Security: Helping Developers Secure the World’s Software • Karl Krukow • GOTO 2023

"Learn how GitHub's Advanced Security features, including Dependabot and CodeQL, empower developers to understand, remediate, and prevent security vulnerabilities in open-source software, reducing noise and improving the development workflow."

Key takeaways
  • Dependabot helps developers identify and fix vulnerable dependencies at the earliest stage, reducing the cost of remediation.
  • Open-source software is a big target for attacks, and new vulnerabilities in open-source dependencies should be expected to surface regularly.
  • 98% of dependencies are indirect (transitive), making it crucial to analyze and inspect the full dependency tree, not just the packages a project declares directly.
  • The Octoverse report highlights that 90% of repos on GitHub.com use open-source dependencies, emphasizing the importance of securing them.
  • CodeQL query language allows developers to write custom queries for finding vulnerabilities and can be used to find patterns in code.
  • Simplified experience for developers means less noise and more effective remediation, allowing them to prioritize and address vulnerabilities quickly.
  • Multi-repository variant analysis runs the same query across many repositories at once, so a vulnerability pattern found in one place can be identified everywhere it recurs, making CodeQL more powerful for secure development.
  • GitHub’s secret scanning helps detect and prevent secrets like API tokens and private keys from being accidentally committed to public repositories.
  • A supply chain attack provides a clear example of how vulnerabilities can propagate through dependencies, making it essential to inspect and analyze dependencies thoroughly.
  • event-stream, a popular open-source JavaScript library, was used in a malware attack, highlighting the importance of security.
  • Code scanning is integrated into the developer workflow, making it easier to identify and remediate vulnerabilities.
  • GitHub’s advanced security features aim to empower developers to understand, remediate, and prevent security vulnerabilities, making software security more collaborative.
  • The goal is to create a low false-positive rate, reducing noise and improving the developer experience.
  • GitHub’s mission is to secure the world’s software, leveraging their expertise and experience to make developers more productive and secure.
  • Dependabot’s approach to managing dependencies helps developers focus on their priorities, making it more likely that they will adopt a secure development practice.