3 Secure Development With GitHub Slides

This document provides an agenda and overview for a GitHub security workshop. The workshop covers code security, supply chain security, and governance topics. For code security, it demonstrates secret scanning and code scanning capabilities in GitHub. For supply chain security, it demonstrates dependency graph, dependency review, and Dependabot features. For governance, it shows the security center dashboard in GitHub. The workshop aims to educate about securing development with native GitHub security tools and reducing the dev-sec-ops divide.

Uploaded by

Jorge Useche
Copyright
© All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd

GitHub
AVAL Workshop #3 - Secure Development with GitHub
Michael Cantú, @mcantu
Solutions Engineer
Agenda (kick-off @ 5:03pm)
• State of Security
• GitHub Security Overview:
  • Code Security
    • Secrets Scanning Demo
    • Code Scanning Demo
  • Supply Chain Overview
    • Dependency Graph Demo
    • Dependency Review Demo
  • Governance
    • Security Center Demo

* Please mute your mics
* I will provide the slide deck after the session
* Session will be recorded and shared after
* Due to the size of the audience, Q&A will be only via chat and at the end

Workshop #3 AVAL Holding Workshop
State of Security

Silos escalate the dev-sec-ops divide

[Diagram: the delivery pipeline split across Dev, Sec and Ops. Stages: Code/Test, CI, Deploy to Dev/QA/IST, Deploy to Pre-Prod, Deploy to Prod.]
Dev: Deliver features on time and budget
Sec: Assure security & compliance
Ops: Run reliably
"DevSecOps" (2015)

More code = more technical debt & exposure
Source: GitHub Data Science Team analysis of 70 million lines of code added to major OSS projects over a 5 year period (2016, 2017, 2018, 2019 and 2020).

Flaws in applications are consistently the #1 attack vector for breaches
Source: Verizon Data Breach Investigations Reports.
GitHub delivers complete application security:
1. Developer-first
2. Native
3. Automated

GitHub secures your complete software lifecycle

Supply Chain
• Dependency graph: View your dependencies
• Advisory database: Canonical database of dependency vulnerabilities
• Security alerts and updates: Notifications for vulnerabilities in your dependencies, and pull requests to fix them

Code
• Secret scanning: Find API tokens or other secrets exposed anywhere in your git history
• Code scanning: Static analysis of every git push, integrated into the developer workflow and powered by CodeQL

Development Lifecycle
• Branch protection: Enforce requirements for pushing to a branch or merging PRs
• Commit signing: Enforce the requirement that all commits are signed

Platform for Security Governance


GitHub Security Overview
Code Security
Secret scanning for private repositories
GHEC: Beta (GA Q1)   GHES: Beta (3.0)

● Detect secrets from 30+ service providers as soon as they're pushed, or anywhere in your git history
● Use the same tech GitHub uses to scan ~140m public repos
● Triage results in bulk, and easily exclude false positives
Secret Scanning Demo
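The demo itself is not in the deck. As an added illustration of what the secret-scanning slide describes (detect on push or anywhere in history, triage in bulk, exclude false positives), here is a toy scanner written for this page, not GitHub's implementation. The three token patterns are illustrative public formats, not GitHub's partner ruleset, the commit history is constructed, and nothing here validates a hit with the provider the way the real service does.

```python
"""Toy secret scanner over constructed git history.

Added example, not GitHub's secret-scanning implementation. The three
patterns are illustrative public token formats (AWS access key ID, GitHub
personal access token, Slack bot token), not GitHub's partner ruleset, and
unlike the real service nothing here validates a hit with the provider. The
commit history below is constructed for the example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "provider commit path line redacted")

# Illustrative patterns (assumed for this example, not GitHub's actual ones).
PATTERNS = {
    "AWS access key ID": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "GitHub PAT": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "Slack bot token": re.compile(r"\b(xoxb-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24})\b"),
}

# Paths whose hits are excluded as known false positives (fixtures, docs).
FALSE_POSITIVE_PATHS = ("tests/fixtures/",)

def redact(secret):
    """Keep the recognisable prefix and the last 4 characters: enough for a
    triager to match the alert to a credential without the alert leaking it."""
    return f"{secret[:4]}...{secret[-4:]}"

def scan_history(history):
    """history: iterable of (commit, path, file_text). Every version of every
    file is scanned, not just HEAD: a secret deleted in a later commit is still
    recoverable from git history, which is why the slide says "anywhere"."""
    seen = set()
    findings = []
    for commit, path, text in history:
        for lineno, line in enumerate(text.splitlines(), start=1):
            for provider, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    key = (provider, m.group(1))
                    if key in seen:  # same credential in several commits: one alert
                        continue
                    seen.add(key)
                    findings.append(Finding(provider, commit, path, lineno, redact(m.group(1))))
    return findings

def triage(findings):
    """Bulk triage: split hits into actionable alerts and excluded false positives."""
    alerts = [f for f in findings if not f.path.startswith(FALSE_POSITIVE_PATHS)]
    excluded = [f for f in findings if f.path.startswith(FALSE_POSITIVE_PATHS)]
    return alerts, excluded

# Constructed history: the AWS key (AWS's own documented example value) is
# committed in abc123 and replaced in def456, but the scanner still surfaces
# it from the older commit.
SAMPLE_HISTORY = [
    ("abc123", "config/settings.py",
     "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nDEBUG = True\n"),
    ("def456", "config/settings.py",
     "AWS_KEY = os.environ['AWS_KEY']\nDEBUG = True\n"),
    ("def456", "scripts/deploy.sh",
     "export GITHUB_TOKEN=ghp_" + "a" * 36 + "\n"),
    ("def456", "tests/fixtures/slack.json",
     '{"token": "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx"}\n'),
]

if __name__ == "__main__":
    alerts, excluded = triage(scan_history(SAMPLE_HISTORY))
    for f in alerts:
        print(f"ALERT  {f.provider}: {f.redacted} at {f.commit}:{f.path}:{f.line}")
    for f in excluded:
        print(f"FP     {f.provider}: {f.redacted} at {f.commit}:{f.path}:{f.line}")
```

Two points the toy makes that the slide only states: rewriting the file in a later commit does not remove the exposure (the key in abc123 is still an alert, so the credential has to be rotated, not just deleted), and the report never prints the full secret, because alert lists and chat notifications are themselves a leak channel.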
Code scanning
GHEC   GHES

• Surfaces code vulnerabilities in developer workflows like pull requests
• Lowest friction way to run CodeQL and 3rd party analysis tools
• Integrates with Actions and 3rd party CI/CD systems

Code Scanning in GitHub
● Developer-friendly
● Single API for a fluid user experience
● Standards based
● Extensible with 3rd party tools
● Supports Actions and 3rd party CI/CD
● Easily enable/disable repos

3rd party analyzers
• Scan code, Docker containers, and configuration for security issues
• View results in code scanning UX
Code Scanning Demo
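The deck does not include the demo. As an added example (not GitHub's code), here is what "standards based" and "view results in code scanning UX" amount to for a third-party analyzer: code scanning ingests results as SARIF, so any tool that can write a SARIF 2.1.0 file can land its findings in the same alert list as CodeQL. The reader below flattens such a file into the fields shown per alert and applies a simple merge gate. The SARIF document, analyzer name and rule IDs are constructed for this example, not real tool output.

```python
"""Minimal SARIF 2.1.0 reader for third-party code-scanning results.

Added example, not GitHub's code. Code scanning ingests CodeQL and
third-party analyzer output as SARIF files, so a reader like this is what
the "standards based" bullet means in practice. The document below is
constructed for the example: the analyzer name, rule IDs and findings are
placeholders, not real tool output.
"""
import json

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-analyzer",
            "rules": [
                {"id": "py/sql-injection",
                 "shortDescription": {"text": "SQL query built from user input"}},
                {"id": "docker/root-user",
                 "shortDescription": {"text": "Container runs as root"}},
            ],
        }},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "User-controlled value flows into execute()"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42, "startColumn": 5}}}]},
            {"ruleId": "docker/root-user",  # no "level": SARIF defaults it to warning
             "message": {"text": "No USER instruction before CMD"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Dockerfile"},
                 "region": {"startLine": 12}}}]},
        ],
    }],
})

def load_findings(sarif_text):
    """Flatten a SARIF document into the fields code scanning shows per alert:
    tool, rule, level, file, line, message."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": res.get("ruleId"),
                "level": res.get("level", "warning"),  # SARIF default when omitted
                "uri": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res["message"]["text"],
            })
    return findings

def summarize(findings):
    """Count findings per level, the per-level totals an alert list rolls up."""
    counts = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts

def should_block_merge(findings, fail_on=("error",)):
    """PR gate: block when any result is at a failing level."""
    return any(f["level"] in fail_on for f in findings)

if __name__ == "__main__":
    fs = load_findings(SAMPLE_SARIF)
    for f in fs:
        print(f"{f['level']:<8}{f['uri']}:{f['line']}  {f['rule']}: {f['message']}")
    print(summarize(fs), "block merge:", should_block_merge(fs))
```

The version check and the explicit default for a missing level are the two places third-party output most often surprises a consumer; the second result above deliberately omits its level to show that a reader must apply the SARIF default rather than drop the finding.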
Supply Chain Overview
Software composition analysis

Know what's in your environment
Manage your dependencies
Monitor your supply chain
Get back to work!

Software composition analysis: functionality

Know what's in your environment
● Discover your dependencies, including transitive and checked-in dependencies
● Understand your risks, such as vulnerabilities and licensing restrictions

Manage your dependencies
● Determine if you are impacted by a new security issue
● Update for the latest functionality and security patches
● Review changes to understand and approve new dependencies you're introducing
● Remove unnecessary dependencies, to reduce the attack surface

Monitor your supply chain
● Audit your current environment for potential risks
● Enforce policies to prevent new issues from being introduced

Know your environment
• Dependency graph: Understand your project's dependencies
• Dependency insights: See the dependencies across your organization
• Dependency review: Identify new dependencies and vulnerabilities in a PR

Manage your dependencies
• Dependabot alerts: Get notified of a vulnerability in a dependency
• Dependabot security updates: Review a PR to update to the minimum fixed version
• Dependabot version updates: Review a PR to update to the latest stable dependency version
Dependency graph
GHEC   GHES

• Parses manifest files for dependencies
• Items added when a push to the default branch is made
• Scans for JavaScript, Java, .NET, PHP, Python and Ruby dependencies

Dependency review
GHEC: Beta   GHES: TBD

• Understand and review dependency changes in pull requests
• Catch additions and changes of vulnerable or out-of-date dependencies
• Avoid "after the fact" alerts and remediation
Dependency Graph + Dependency Review Demo
Dependabot alerts
GHEC   GHES

• Notifies of vulnerabilities in code dependencies
• Generated automatically when a new vulnerable dependency is found

Dependabot security updates
GHEC   GHES: Beta Q3 2021

• Automatically creates pull requests to fix vulnerable dependencies

Dependabot version updates
GHEC: Beta   GHES: TBD

• Automatically creates pull requests to update dependencies

1.4x faster to apply a patch when an automatic pull request is generated
Dependabot Demo
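Neither demo is in the deck. As one added example covering the dependency graph, dependency review and Dependabot slides above (written for this page, not GitHub's or Dependabot's code), here is the logic those features apply to a pull request: parse the manifest on both sides, report what the PR adds or changes, match it against advisories, and compute the two Dependabot targets, the minimum fixed version (security update) and the latest stable release (version update). The two requirements.txt manifests, the advisory list and the package index are all constructed; the package names, versions and advisory IDs are made up.

```python
"""Dependency review of a pull request's manifest diff against advisories.

Added example, not GitHub's dependency-review or Dependabot code. The two
requirements.txt manifests, the advisory list and the package index are all
constructed for this example (package names, versions and advisory IDs are
made up). Real dependency review diffs the PR's manifests and matches them
against the GitHub Advisory Database; Dependabot security updates target the
minimum fixed version, version updates the latest stable release.
"""
import re

def parse_version(v):
    """'1.4.2' -> (1, 4, 2); numeric versions only, used for ordering."""
    return tuple(int(p) for p in v.split("."))

def is_stable(v):
    """Treat anything that is not purely dotted digits (e.g. 2.0.0rc1) as pre-release."""
    return re.fullmatch(r"[0-9.]+", v) is not None

def parse_requirements(text):
    """Minimal requirements.txt reader for pinned 'name==version' lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps

# Constructed advisories: every version below "patched" is affected.
ADVISORIES = [
    {"id": "ADV-0001", "package": "fastparse", "patched": "1.4.3", "severity": "high"},
    {"id": "ADV-0002", "package": "yamltool", "patched": "0.9.0", "severity": "critical"},
]

# Constructed package index (what a registry would report as available versions).
INDEX = {
    "fastparse": ["1.4.1", "1.4.2", "1.4.3", "1.5.0", "2.0.0rc1"],
    "yamltool": ["0.8.5", "0.9.0", "0.9.1"],
    "requests-lite": ["3.1.0", "3.2.0"],
}

BASE_REQUIREMENTS = """\
fastparse==1.4.1
requests-lite==3.1.0
"""

PR_REQUIREMENTS = """\
fastparse==1.4.2      # bumped, but still below the patched version
requests-lite==3.2.0  # routine update, no advisory
yamltool==0.8.5       # new dependency with a known advisory
"""

def advisories_for(name, version):
    return [a for a in ADVISORIES
            if a["package"] == name and parse_version(version) < parse_version(a["patched"])]

def review(base_text, pr_text):
    """Report every dependency the PR adds or changes, with advisory hits and
    the two Dependabot-style targets (minimum fixed, latest stable)."""
    base, pr = parse_requirements(base_text), parse_requirements(pr_text)
    report = []
    for name, version in pr.items():
        if name in base and base[name] == version:
            continue  # unchanged by the PR: not this review's concern
        hits = advisories_for(name, version)
        # The minimum version that clears *all* advisories is the largest patched version.
        min_fixed = max((a["patched"] for a in hits), key=parse_version) if hits else None
        stable = [v for v in INDEX.get(name, []) if is_stable(v)]
        report.append({
            "package": name,
            "version": version,
            "change": "added" if name not in base else "updated",
            "advisories": [a["id"] for a in hits],
            "min_fixed": min_fixed,
            "latest": max(stable, key=parse_version) if stable else None,
        })
    return report

def blocking(report):
    """Entries that should fail the PR check: anything vulnerable being introduced."""
    return [e for e in report if e["advisories"]]

if __name__ == "__main__":
    for entry in review(BASE_REQUIREMENTS, PR_REQUIREMENTS):
        print(entry)
```

The fastparse line is the case the "avoid after-the-fact alerts" bullet is about: the PR does bump the version, but to one that is still affected, so a reviewer who only sees "updated" would merge it and get a Dependabot alert afterwards. The toy also shows why the security-update target is the smallest safe version rather than the newest: 1.4.3 clears the advisory with the least behavioural change, while 1.5.0 is the separate version-update target.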
Fix and publish vulnerability information

• SECURITY.md: Share your reporting and disclosure policy
• Security Advisories: Fix and publish a notice about a vulnerability (maintainers)
• GitHub Advisory Database: Refer to a curated, open-source database of vulnerabilities

GitHub Advisory Database

• Powers GitHub's vulnerable dependency alerts
• Supports Composer, Maven, npm, NuGet, pip, and RubyGems
• Open source under Creative Commons 4.0
• Includes advisories submitted directly to GitHub, plus data from NVD, community sources, and WhiteSource
• Curated by a dedicated team
GitHub's supply chain security capabilities: what's next

Know your environment
• Private registries: Version updates for packages from private registries
• Build-time detection: Detect dependencies and vulnerabilities per build

Manage your dependencies
• Streamlined alerts and notifications: Manage alerts easily and more control over notifications
• Vulnerability exposure analysis: Determine if a vulnerability is invoked in your environment
Governance

Security Center
GHEC: Beta Q1 2021   GHEC & GHES: Q2 2021

• A single place to view code scanning, secret scanning and Dependabot alerts across your codebases
• Determine the riskiest repos with high numbers of unaddressed alerts
• Monitor enrollment status as you roll out security features across your organization
Security Center Demo
Security hardening for GitHub Actions
Secure Coding: GitHub Actions secrets

1. Never use structured data as a secret
2. Register all secrets used within workflows
3. Audit how secrets are handled
4. Use credentials that are minimally scoped for the task at hand
5. Mirror credentials in Vault

@MayaKaczorowski
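Points 1 and 2 on that slide are easiest to see with the runner's log masking in front of you. The following is an added example written for this page, not the GitHub Actions runner's code: a toy Runner that, like the real one, replaces the exact value of each registered secret in step output with *** and honours the real `::add-mask::` workflow command. The Runner class, the sample credential and both steps are constructed.

```python
"""Why structured data makes a poor Actions secret: a toy of runner log masking.

Added example, not the GitHub Actions runner's code. The real runner masks a
registered secret by replacing its exact value in step output with ***, and
the ::add-mask:: workflow command is the real way to register another value
at run time. The Runner class, the sample credential and both steps are
constructed for this example.
"""
import json

class Runner:
    """Toy model of the parts of the runner that matter here: a set of values
    to mask, and a log that every step line passes through."""

    def __init__(self, secrets):
        self.masks = set()
        self.log_lines = []
        for value in secrets.values():  # repository/environment secrets are masked up front
            self.add_mask(value)

    def add_mask(self, value):
        if value:
            self.masks.add(value)

    def _mask(self, text):
        # Longest values first, so a value that contains another is masked whole.
        for value in sorted(self.masks, key=len, reverse=True):
            text = text.replace(value, "***")
        return text

    def run_step(self, output_lines):
        """Feed a step's stdout through the runner: honour ::add-mask::, mask the rest."""
        for line in output_lines:
            if line.startswith("::add-mask::"):
                self.add_mask(line[len("::add-mask::"):])
                continue
            self.log_lines.append(self._mask(line))
        return self.log_lines

# Constructed secret: one JSON blob holding several credentials. Only the
# exact blob is registered as a secret, so its individual fields are not.
DB_CREDS = json.dumps({"user": "app", "password": "s3cr3t-p4ss", "host": "db.internal"})

def bad_step():
    """A step that parses the structured secret and logs one field of it."""
    creds = json.loads(DB_CREDS)
    return [f"connecting as {creds['user']} with {creds['password']}",
            f"raw secret: {DB_CREDS}"]

def hardened_step():
    """Same step, but every field is registered before any of it reaches the log."""
    creds = json.loads(DB_CREDS)
    return ([f"::add-mask::{v}" for v in creds.values()]
            + [f"connecting as {creds['user']} with {creds['password']}"])

def run_workflow(secrets, step):
    """Return the log a runner would produce for one step."""
    return Runner(secrets).run_step(step())

if __name__ == "__main__":
    for name, step in (("bad", bad_step), ("hardened", hardened_step)):
        for line in run_workflow({"DB_CREDS": DB_CREDS}, step):
            print(f"[{name}] {line}")
```

The bad step leaks the password in clear text while the line that echoes the whole blob is masked, which is exactly the false comfort a structured secret gives. The hardened step registers each field, but that is a workaround, not the fix: short values such as "app" are now masked wherever they appear in any later line (the toy would turn "application" into "***lication"), and a field the step forgets to register still leaks. Storing each credential as its own secret, scoped to the one task that needs it (point 4), avoids both problems.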
Data Leak Prevention
Best Practices
Thank you!!
