GitHub Advanced Security: Helping Developers Secure the World’s Software • Karl Krukow • GOTO 2023
"Learn how GitHub's Advanced Security features, including Dependabot and CodeQL, empower developers to understand, remediate, and prevent security vulnerabilities in open-source software, reducing noise and improving the development workflow."
- Dependabot helps developers identify and fix vulnerable dependencies at the earliest stage, reducing the cost of remediation.
- Open-source software is a big target for attacks, and new vulnerabilities in open-source dependencies will keep being discovered, so teams should plan for them rather than be surprised by them.
- 98% of dependencies are indirect (transitive), so dependency analysis has to cover the full resolved dependency graph, not just what is declared in the project's manifest.
- The Octoverse report highlights that 90% of repos on GitHub.com use open-source dependencies, emphasizing the importance of securing them.
- CodeQL query language allows developers to write custom queries for finding vulnerabilities and can be used to find patterns in code.
- Simplified experience for developers means less noise and more effective remediation, allowing them to prioritize and address vulnerabilities quickly.
- Multi-repository variant analysis runs a CodeQL query across many repositories at once, so a vulnerability pattern found in one codebase can be checked for variants everywhere else, which makes custom queries far more powerful for secure development.
- GitHub’s secret scanning helps detect and prevent secrets like API tokens and private keys from being accidentally committed to public repositories.
- The event-stream incident is a clear example of how a supply-chain attack propagates through dependencies: event-stream, a popular open-source JavaScript library, had malicious code introduced through a dependency added by a new maintainer, and every project that pulled it in transitively shipped the malware. This is why dependencies must be inspected and analyzed thoroughly.
- Code scanning is integrated into the developer workflow, making it easier to identify and remediate vulnerabilities.
- GitHub’s advanced security features aim to empower developers to understand, remediate, and prevent security vulnerabilities, making software security more collaborative.
- The goal is to keep the false-positive rate low, reducing noise and improving the developer experience.
- GitHub’s mission is to secure the world’s software, leveraging their expertise and experience to make developers more productive and secure.
- Dependabot’s approach to managing dependencies helps developers focus on their priorities, making it more likely that they will adopt a secure development practice.
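The points above about transitive dependencies and about finding the cheapest remediation can be made concrete with a small dependency-graph walk. The following is an added example, not code from the talk or from Dependabot: it uses a constructed, lockfile-style graph and placeholder advisory labels (not real GHSA or CVE identifiers), classifies each package as direct or transitive, and for each affected package reports the direct dependency a developer can actually bump in their manifest.

```python
"""Added example: classify dependencies as direct vs transitive and map
each advisory back to the direct dependency that pulls it in.
Graph and advisories are constructed for illustration (not real packages
or real advisories)."""
from collections import deque

# Constructed resolved dependency graph: package -> packages it depends on.
# Shaped like a flattened npm/pip lockfile; names are illustrative only.
DEPENDENCY_GRAPH = {
    "my-app":          ["web-framework", "cli-colors", "test-runner"],
    "web-framework":   ["http-parser", "template-engine", "logger"],
    "http-parser":     ["byte-utils"],
    "template-engine": ["html-escape", "byte-utils"],
    "logger":          ["ansi-codes"],
    "cli-colors":      ["ansi-codes"],
    "test-runner":     ["assert-lib", "glob-match"],
    "glob-match":      ["path-utils"],
    "byte-utils":      [],
    "html-escape":     [],
    "ansi-codes":      [],
    "assert-lib":      [],
    "path-utils":      [],
}

# Constructed advisories: affected package -> placeholder label.
ADVISORIES = {
    "byte-utils": "placeholder advisory A (not a real GHSA/CVE)",
    "path-utils": "placeholder advisory B (not a real GHSA/CVE)",
}


def reachable(graph, root):
    """Return {package: shortest depth from root} via BFS."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def classify(graph, root):
    """Split everything reachable from root into direct (depth 1) and
    transitive (depth >= 2) dependencies."""
    depth = reachable(graph, root)
    direct = {p for p, d in depth.items() if d == 1}
    transitive = {p for p, d in depth.items() if d >= 2}
    return direct, transitive


def transitive_share(graph, root):
    """Fraction of the dependency tree that the manifest never names."""
    direct, transitive = classify(graph, root)
    total = len(direct) + len(transitive)
    return len(transitive) / total if total else 0.0


def paths_to(graph, root, target):
    """All simple paths root -> target; each one is a separate reason the
    affected package ends up in the build."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # avoid cycles
                walk(child, path + [child])

    walk(root, [root])
    return paths


def remediation_plan(graph, root, advisories):
    """For each affected package, the direct dependencies through which it is
    pulled in (the thing a developer can bump), plus the paths as evidence."""
    plan = {}
    for vulnerable in advisories:
        paths = paths_to(graph, root, vulnerable)
        if not paths:
            continue  # advisory does not touch this project
        via = sorted({path[1] for path in paths if len(path) > 1})
        plan[vulnerable] = {
            "direct_via": via,
            "depth": min(len(p) - 1 for p in paths),
            "paths": paths,
        }
    return plan


if __name__ == "__main__":
    direct, transitive = classify(DEPENDENCY_GRAPH, "my-app")
    print(f"direct={len(direct)} transitive={len(transitive)} "
          f"share={transitive_share(DEPENDENCY_GRAPH, 'my-app'):.0%}")
    for pkg, info in remediation_plan(DEPENDENCY_GRAPH, "my-app", ADVISORIES).items():
        print(f"{pkg}: bump {info['direct_via']} (depth {info['depth']})")
```

On this constructed graph three quarters of the packages are transitive, and both affected packages sit three levels down; the plan tells the developer which declared dependency to update rather than which leaf package is broken, which is the form of answer that keeps remediation cheap.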
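The secret-scanning point above (catching tokens and private keys before they land in a repository) can be illustrated with a scanner that runs over the added lines of a diff, the way a pre-receive or push-time check would. This is an added example, not GitHub's secret-scanning implementation: the token shapes are the publicly documented prefixes for AWS access key IDs, GitHub personal access tokens and PEM private-key headers, the diff is constructed, and the credentials in it are made-up strings of the right shape, not real secrets.

```python
"""Added example: scan the added lines of a unified diff for well-known
secret formats and block the push if any are found. The diff and the
"secrets" in it are constructed samples, not real credentials."""
import re

# Documented token shapes from well-known providers. Matching known formats
# keeps the false-positive rate low compared with generic entropy checks.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed diff: two added secrets in settings.py, one removed token that
# is not part of the push, and a new private key file.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
-OLD_TOKEN = "ghp_zyxwvutsrqponmlkjihgfedcba9876543210"
 LOG_LEVEL = "info"
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAA...
"""


def redact(secret):
    """Keep just enough of the match to identify it in a report."""
    if len(secret) <= 8:
        return "****"
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_diff(diff_text):
    """Return findings for every secret-shaped string on an added line,
    with the file path and line number in the new version of the file."""
    findings = []
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = HUNK_HEADER.match(raw)
        if hunk:
            new_line = int(hunk.group(1))  # first line number of the new side
            continue
        if raw.startswith("-"):
            continue  # removed line (or '--- a/...' header): not being pushed
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(content):
                    findings.append({
                        "path": path,
                        "line": new_line,
                        "kind": kind,
                        "redacted": redact(match.group(0)),
                    })
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # unchanged context line advances the new side
    return findings


def push_allowed(findings):
    """Push-protection decision: any finding blocks the push."""
    return len(findings) == 0


if __name__ == "__main__":
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['redacted']}")
    print("push allowed" if push_allowed(results) else "push blocked")
```

The scanner only looks at `+` lines, so the token on the removed line is ignored here; that is correct for deciding whether a push introduces a new secret, but a token that was ever committed still has to be treated as leaked and rotated, because it remains in history.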