Software development platform GitHub has named former Cisco executive Mike Hanley its first chief security officer, as part of its efforts to secure the software supply chain.
“GitHub has always been leading the way in helping developers create secure software — from our early adoption of bug bounties to the acquisitions of Dependabot and Semmle, the launch of the Security Lab, and more,” a GitHub spokesperson told VentureBeat. “Hiring Mike as CSO is the next natural step in continuing to drive security both inside GitHub and for developers on the platform.”
As GitHub’s first CSO, Hanley has promised the company will invest in more secure coding tools to help developers find and fix vulnerabilities, and will introduce more security features to protect project repositories from malicious actors.
“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but a responsibility,” Hanley told VentureBeat.
Better security tools
GitHub, which Microsoft acquired for $7.5 billion in 2018, recently introduced several features to help developers “shift left,” that is, detect and fix security vulnerabilities earlier in the development cycle. Secret scanning looks for sensitive data, such as encryption keys, access tokens, and passwords, that has been checked into a Git repository; once found, these secrets can be revoked before someone attempts to use them maliciously. Code scanning, powered by the CodeQL analysis engine, looks for security vulnerabilities in the codebase, and developers then receive the details needed to fix them. Dependency review checks whether the project is using vulnerable versions of third-party libraries and components and provides information about newer versions.
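To make the secret scanning idea concrete, here is an added example (written for this page, not GitHub's own scanner) that scans the added lines of a unified diff for a few publicly documented token formats and falls back to a high-entropy heuristic for secret-looking assignments. The regexes, the entropy threshold, the redaction style and the sample diff are all constructed for this example and are assumptions, not GitHub's actual rules; the AWS example key is the placeholder value from AWS's own documentation.

```python
"""Added example: minimal secret scanner over a unified diff (not GitHub's code)."""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# (kind, regex, index of the capture group holding the secret value).
# These formats are public, but the list is illustrative (assumption), not GitHub's.
PATTERNS = [
    # AWS access key IDs start with AKIA (long-lived) or ASIA (temporary credentials).
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    # GitHub personal access tokens: ghp_ prefix plus 36 alphanumeric characters.
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    # PEM private key header; the key material follows on later lines.
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
    # Hard-coded password assignment: password = "at least 8 chars".
    ("generic_password_assignment",
     re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"), 2),
]

# Fallback heuristic: a secret-looking variable assigned a long, random-looking literal.
ASSIGN = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|key|api)[A-Z0-9_]*)\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; a tuning knob chosen for this example

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int      # line number in the new version of the file
    kind: str
    preview: str   # redacted value, safe to put in a log or a PR comment


def shannon_entropy(s: str) -> float:
    """Bits per character of s (5.0 for a 32-character string of distinct characters)."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a 4-character prefix so the finding is recognisable without leaking the value."""
    return secret[:4] + "*" * (len(secret) - 4)


def check_line(path: str, lineno: int, text: str) -> list[Finding]:
    findings = []
    for kind, rx, group in PATTERNS:
        for m in rx.finditer(text):
            findings.append(Finding(path, lineno, kind, redact(m.group(group))))
    if findings:
        return findings  # a known format matched; do not double-report via the heuristic
    for m in ASSIGN.finditer(text):
        value = m.group(2)
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "high_entropy_assignment", redact(value)))
    return findings


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only added ('+') lines: a removed line cannot introduce a new secret."""
    findings = []
    path = "<unknown>"
    new_lineno = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header; must be tested before '+'
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK.match(line)
        if m:
            new_lineno = int(m.group(1))       # first new-file line number of this hunk
            continue
        if line.startswith("+"):
            findings.extend(check_line(path, new_lineno, line[1:]))
            new_lineno += 1
        elif line.startswith(" "):
            new_lineno += 1                    # unchanged context line
        # '-' lines, '--- ' headers, 'diff --git', 'index' and '\ No newline' lines
        # do not exist in the new file, so they neither advance the count nor get scanned.
    return findings


# Constructed sample diff for the example (not a real repository).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,4 +1,6 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
-OLD_TOKEN = "ghp_zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "correct-horse-battery"
+API_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+SESSION_SECRET = "q8Tz3KpL2vNm9XbR7wYc4HdJ6fGs1AeU"
 DEBUG = False
"""

if __name__ == "__main__":
    # Pipe a diff in (e.g. `git diff --cached -U0`) or run with no input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    results = scan_diff(text)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind}: {f.preview}")
    sys.exit(1 if results else 0)
```

Used as a pre-commit or pre-receive hook, a non-zero exit blocks the push, which is the point of shifting left: the credential never reaches a shared branch, so nothing has to be revoked afterwards. Only added lines are examined, so secrets already in history are out of scope; catching those needs a full-history scan, and a key that was ever committed should be rotated regardless of whether the line is later removed.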
“Arming developers with features like code scanning that can help them prevent a vulnerability from ever escaping into production code can help avoid massive impact and expense managing the fallout of vulnerabilities that are discovered — in many cases, years after they’re shipped,” Hanley stated.
The company also introduced passwordless authentication last year to encourage developers to adopt methods such as access tokens and biometrics instead of relying on passwords. These alternative methods reduce the chance of an unauthorized person stealing or guessing a password and gaining access to the source code.
“Continuing to invest in security technologies that are easy for developers to adopt and use, all within the native experience they know and love, raises the general security posture across the community,” Hanley stated.
Former VP of security Shawn Davenport led many of these initial efforts, which Hanley called “an incredible foundation.”
Raising the bar
GitHub claims to have more than 56 million developers on the platform and to serve “many more” through upstream dependencies. It is therefore in GitHub’s interest to make sure developer accounts are protected from unauthorized access by someone who has guessed or stolen login credentials. Back in 2017, Uber disclosed a large data breach that exposed the personal information of millions of riders and drivers. It turned out the attackers had been able to access Uber’s GitHub account because multi-factor authentication was not turned on.
Many companies host the source code for their internal applications on GitHub, which also hosts many of the third-party components and open source libraries developers rely on. GitHub can protect these organizations by making sure there are no exposed credentials or vulnerable code in their repositories. In that same Uber breach, the attackers were able to access the Uber Amazon Web Services instance containing user data because they found Uber’s AWS keys inside the codebase.
Last year, the company announced the Security Lab, a bounty program to help developers and researchers find and report vulnerabilities in critical open source projects. As the host of one of the world’s largest collections of open source projects, GitHub is in a “remarkably unique position to empower the developer community with these tools at massive scale,” Hanley said.
As Cisco’s former chief information security officer, Hanley ran the networking giant’s internal security program, including protecting employees and systems and building and securing applications. The experience showed him that it was possible to move fast when building applications without compromising software security.
“[Good] security and the speed of the business are not opposing concepts when met with thoughtful design and a customer-centric approach,” Hanley wrote in a firm weblog post. “I believe that security done well allows us to go further, faster, and more confidently than ever before.”