Developer caught up with Mathew Payne, Principal Field Security Specialist at GitHub, to discuss the platform’s security strategies and how they aim to strike a balance between robustness and a seamless user experience.
At the heart of GitHub’s security philosophy lies a commitment to safeguarding user code. Payne emphasised that a major focus is on securing the code created by both users and developers.
“The first thing that we focus on at GitHub is the security of our users,” says Payne. “My focus has always been on securing the code that my users and customers write.”
Balancing security features with user experience is a challenge GitHub acknowledges. Payne highlighted the significance of reducing false positives, which can discourage developers from using security tools.
“If I’m producing too many [false] results from my tool, my developers are going to start really pushing back,” explains Payne. “And we want to be partners with those developers, not against them.”
GitHub’s integration of security processes into developers’ daily activities helps streamline the experience. This includes automatically detecting vulnerabilities during pull requests and promptly communicating potential issues before they reach production.
Addressing emerging security threats, GitHub acknowledges the escalating concern over the software supply chain. Payne gives the example of the Moq library, which drew criticism earlier this month for including the data-collecting ‘SponsorLink’ in its latest release.
GitHub remains vigilant against unauthorised access to repositories and the inadvertent exposure of sensitive data. By the end of this year, GitHub will require all developers to enable one or more forms of 2FA after compromised accounts led to package takeovers.
“You want to make sure you haven’t hard-coded secrets into your repository because let’s say your repository does get compromised, you want to make sure they don’t have your keys to your Azure or AWS instances,” Payne advises.
Regarding incident response and recovery, GitHub relies on a range of tools, including, of course, its in-house CodeQL and Dependabot. Last year, GitHub announced that it will begin automatically sending Dependabot alerts when it detects vulnerable GitHub Actions.
“For CodeQL, let’s say we’re having a new attack – maybe it’s an XSS or SQL injection or something like that – we want to detect it with that tool,” says Payne. “Make sure that we don’t perform regressions as well so we don’t reintroduce that vulnerability.”
“That’s a big thing for some of my customers: they want to detect that vulnerability but make sure it doesn’t reoccur. There might be a reason why the developer added this XSS, so we want to make sure that next week they don’t reintroduce it accidentally.”
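The workflow below is an added example, not code from the article or from GitHub, of what "detecting it during the pull request" and "not reintroducing it next week" look like in practice: a GitHub Actions workflow that runs CodeQL on every pull request against the default branch and on a weekly schedule. It assumes a JavaScript project and a default branch named `main`; the `github/codeql-action` steps and the `security-extended` query suite are real, the repository details are assumptions.

```yaml
# .github/workflows/codeql.yml
# Added example (not from the article or GitHub's own templates).
# Assumptions: JavaScript codebase, default branch "main".
name: "CodeQL on pull requests"

on:
  pull_request:
    branches: [ "main" ]        # analyse every PR before it can merge
  push:
    branches: [ "main" ]        # keep a baseline for the default branch
  schedule:
    - cron: "17 3 * * 1"        # weekly run picks up newly published queries

permissions:
  contents: read
  security-events: write        # required to upload results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ "javascript" ]   # assumed; add e.g. "python" as needed
    steps:
      - uses: actions/checkout@v4

      # Set up CodeQL with the security-extended suite, which contains the
      # cross-site scripting and SQL injection queries the interview mentions.
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # Run the analysis and upload the SARIF results; new findings are
      # annotated on the pull request diff.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

To make the regression guarantee stick rather than advisory, mark the `analyze` job as a required status check in the branch protection rules for `main`: a pull request that reintroduces a previously fixed XSS or SQL injection sink then cannot be merged until the alert is fixed or explicitly dismissed with a reason, which is the audit trail Payne's customers are asking for.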
GitHub’s participation in the upcoming Cyber Security & Cloud Expo Europe will focus on the theme of simplifying security for developers. GitHub aims to share insights into security tool adoption and processes, addressing the challenges faced by its users.
You can watch the full interview with Mathew Payne below:
GitHub is a key sponsor of this year’s Cyber Security & Cloud Expo Europe, which is being held in Amsterdam on 26-27 September 2023. Check out Mathew Payne’s day one keynote and swing by GitHub’s booth at stand #96 to hear more directly from the platform’s experts.