Software development platform GitHub named former Cisco executive Mike Hanley its first chief security officer as part of efforts to secure the software supply chain.
“GitHub has always been leading the way in helping developers create secure software — from our early adoption of bug bounties to the acquisitions of Dependabot and Semmle, the launch of the Security Lab, and more,” a GitHub spokesperson told VentureBeat. “Hiring Mike as CSO is the next natural step in continuing to drive security both inside GitHub and for developers on the platform.”
As GitHub’s first CSO, Hanley has promised the company will invest in safer coding tools to help developers find and fix vulnerabilities, and will introduce more security features protecting project repositories from malicious actors.
“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but a responsibility,” Hanley told VentureBeat.
Better security tools
GitHub, which Microsoft acquired for $7.5 billion in 2018, recently launched several features to help developers “shift left,” that is, detect and fix security vulnerabilities earlier in the development cycle. Secret scanning looks for sensitive information, such as encryption keys, access tokens, and passwords, checked into the Git repository. Once found, these secrets are revoked before someone attempts to use them maliciously. Code scanning, powered by the CodeQL analysis engine, looks for security vulnerabilities in the codebase; developers then receive the information they need to fix those issues. Dependency review checks whether the project is using vulnerable versions of third-party libraries and components and provides information about the newer versions.
“Arming developers with features like code scanning that can help them prevent a vulnerability from ever escaping into production code can help avoid massive impact and expense managing the fallout of vulnerabilities that are discovered — in many cases, years after they’re shipped,” Hanley said.
The company also launched passwordless authentication last year to encourage developers to adopt authentication methods such as access tokens and biometrics instead of relying on passwords. These alternative methods reduce the risk of unauthorized individuals stealing or guessing passwords and gaining access to the software code.
“Continuing to invest in security technologies that are easy for developers to adopt and use, all within the native experience they know and love, raises the general security posture across the community,” Hanley said.
Former VP of security Shawn Davenport led many of these initial efforts, which Hanley called “an incredible foundation.”
Raising the bar
GitHub claims to have more than 56 million developers on the platform and to support “many more” through upstream dependencies. It is in GitHub’s interest, therefore, to make sure developer accounts are protected from unauthorized access when someone has guessed or stolen login credentials. Back in 2017, Uber announced a major data breach that exposed the personal data of hundreds of thousands of riders and drivers. It turned out unauthorized actors were able to access Uber’s GitHub account because multi-factor authentication was not turned on.
Many companies host the source code for their internal applications on GitHub, which also hosts many of the third-party components and open source libraries developers rely on. GitHub can protect these organizations by making sure there are no exposed credentials or vulnerable code in their repositories. In that same Uber breach, the unauthorized actors were able to access Uber’s Amazon Web Services instance containing user data because they found Uber’s AWS keys inside the codebase.
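The secret scanning described under “Better security tools” and the hard-coded AWS keys in the Uber passage above are two sides of the same control: catching credentials before they are committed. The following is an added example, not GitHub’s implementation or code from the article, of a minimal scanner of that kind in Python. It combines fixed-format rules with an entropy check so that placeholders such as `changeme` or `${API_KEY}` are not reported. The rule names, the entropy threshold and the sample commit lines are constructed assumptions; the `AKIA` prefix is AWS’s documented access key ID format, and the two AWS values in the sample are AWS’s own documentation placeholders, not live credentials.

```python
"""Minimal secret scanner, added as an illustration of the technique the article
describes. It is not GitHub's implementation; rules and thresholds are assumptions."""
import math
import re
from collections import Counter

# Detection rules. The AWS access key ID shape (AKIA + 16 uppercase letters/digits)
# is AWS's documented format; the other two rules are generic, constructed heuristics.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # keyword (with an optional suffix such as _ACCESS_KEY), then '=' or ':', then the value
    "credential_assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)[a-z0-9_]*\s*[=:]\s*['\"]?([^'\"\s]{8,})"
    ),
}
MIN_ENTROPY = 3.0  # bits per character; assumed cut-off below which a value is a placeholder


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value: str) -> bool:
    """True for values that reference configuration or are obviously dummy text."""
    return value.startswith(("${", "$", "<", "%(")) or shannon_entropy(value) < MIN_ENTROPY


def redact(value: str) -> str:
    """Report only a short prefix so the scanner's own output does not leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def scan_text(text: str, path: str = "<stdin>") -> list:
    """Return one finding per (line, rule) hit: path, line number, rule name, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(1) if pattern.groups else match.group(0)
                if rule == "credential_assignment" and looks_like_placeholder(value):
                    continue
                findings.append({"path": path, "line": lineno, "rule": rule, "value": redact(value)})
    return findings


# Constructed sample of lines a developer might commit by mistake. The AWS values are
# the placeholders used in AWS documentation, not real credentials.
SAMPLE_COMMIT = """\
# constructed sample of lines a developer might commit by mistake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "changeme"
api_key = "${API_KEY}"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT, "config.py"):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['value']})")
```

Run stand-alone, the script reports three findings from the sample (the access key ID on line 2, the secret access key on line 3, and the private key header on line 6) and stays silent on the `changeme` and `${API_KEY}` lines. In practice a scanner like this belongs in a pre-commit hook or CI step, and any hit should trigger revocation of the credential rather than a mere rewrite of history, since the value may already have been cloned.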
Last year, the company introduced the Security Lab, a bounty program to help developers and researchers find and report vulnerabilities in critical open source projects. As the host of one of the world’s largest collections of open source projects, GitHub is in a “remarkably unique position to empower the developer community with these tools at massive scale,” Hanley said.
As the former chief information security officer of Cisco, Hanley focused on the networking giant’s internal security program, including protecting employees and systems and building and securing applications. The experience showed him that it was possible to move fast when developing applications without compromising software security.
“[Good] security and the speed of the business are not opposing concepts when met with thoughtful design and a customer-centric approach,” Hanley wrote in a company blog post. “I believe that security done well allows us to go further, faster, and more confidently than ever before.”