GitHub CSO pledges more security tools, features for developers

Software development platform GitHub named former Cisco executive Mike Hanley its first chief security officer as part of efforts to secure the software supply chain.

“GitHub has always been leading the way in helping developers create secure software — from our early adoption of bug bounties to the acquisitions of Dependabot and Semmle, the launch of the Security Lab, and more,” a GitHub spokesperson told VentureBeat. “Hiring Mike as CSO is the next natural step in continuing to drive security both inside GitHub and for developers on the platform.”

As GitHub’s first CSO, Hanley has promised the company will invest in more secure coding tools to help developers find and fix vulnerabilities and to introduce more security features protecting project repositories from malicious actors.

“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but a responsibility,” Hanley told VentureBeat.

Better security tools

GitHub, which Microsoft acquired for $7.5 billion in 2018, recently introduced several features to help developers “shift left” or detect and fix security vulnerabilities earlier in the development cycle. Secret scanning looks for sensitive information, such as encryption keys, access tokens, and passwords checked into the Git repository. Once found, these secrets are revoked before someone attempts to use them maliciously. Code scanning, powered by the CodeQL analysis engine, looks for security vulnerabilities in the codebase. Developers then receive information to fix those issues. Dependency review checks whether the project is using vulnerable versions of third-party libraries and components and provides information about the newer versions.

“Arming developers with features like code scanning that can help them prevent a vulnerability from ever escaping into production code can help avoid massive impact and expense managing the fallout of vulnerabilities that are discovered — in many cases, years after they’re shipped,” Hanley said.

The company also introduced passwordless authentication last year to encourage developers to adopt authentication methods such as access tokens and biometrics instead of relying on passwords. These alternative methods reduce the possibility of unauthorized individuals stealing or guessing passwords and accessing the software code.

“Continuing to invest in security technologies that are easy for developers to adopt and use, all within the native experience they know and love, raises the general security posture across the community,” Hanley said.

Former VP of security Shawn Davenport led many of these initial efforts, which Hanley called “an incredible foundation.”

Raising the bar

GitHub claims to have more than 56 million developers on the platform and to support “many more” through upstream dependencies. It is in GitHub’s interest, therefore, to make sure developer accounts are protected from unauthorized access because someone has guessed or stolen login credentials. Back in 2017, Uber announced a major data breach that exposed the personal data of millions of riders and drivers. It turned out unauthorized actors were able to access Uber’s GitHub account because multi-factor authentication was not turned on.

Many companies host the source code for their internal applications on GitHub, which also hosts many of the third-party components and open source libraries developers rely on. GitHub can protect these organizations by making sure there aren’t any exposed credentials or vulnerable code in the repositories. In that same Uber breach, the unauthorized actors were able to access Uber’s Amazon Web Services instance containing user data because they discovered Uber’s AWS keys inside the codebase.

Last year, the company announced the Security Lab, a bounty program to help developers and researchers find and report vulnerabilities in critical open source projects. As the host of one of the world’s largest collections of open source projects, GitHub is in a “remarkably unique position to empower the developer community with these tools at massive scale,” Hanley said.

As the former chief information security officer of Cisco, Hanley focused on the networking giant’s internal security program, including protecting employees and systems and building and securing applications. The experience showed him that it was possible to move fast when developing applications without compromising software security.

“[Good] security and the speed of the business are not opposing concepts when met with thoughtful design and a customer-centric approach,” Hanley wrote in a company blog post. “I believe that security done well allows us to go further, faster, and more confidently than ever before.”