Securing one software project is a difficult task. Now, consider the job of helping millions of developers in thousands of organizations write more secure code, eliminate exploitable vulnerabilities, and find dependencies in their software supply chains and you begin to get a sense of the challenge that Mike Hanley has taken on as the new CSO at GitHub.
In a world that’s built on and run by software, it’s no stretch to say that the tools and systems used to develop and deliver all of those applications should now be considered part of the country’s critical infrastructure, too, and treated as such. Examples of why this is so are not hard to find, the most prominent being the continued fallout from the intrusion at SolarWinds and its downstream effects on thousands of customers. While that incident was a deliberate attack by a foreign adversary that inserted a backdoor into a software update, unintentional errors and oversights can have the same kind of cascading effects.
“When you think about the fact that most software is composed of open source software, getting it right for us is super important. Making sure that we have not just an investment but a visible investment in security is so important,” said Hanley, who joined GitHub last week from Cisco, where he was the CISO.
“And when you look at a platform like ours that has millions of developers on it every day, it’s critical that we do the work to help make sure they’re not shipping vulnerable code. There are so many developers that are running these projects that are not necessarily going to be security experts, and they shouldn’t have to be. The point is for them to be experts at what they do best. That’s where the real opportunity happens for us.”
To support that goal of making security more accessible for developers, GitHub has added a number of features and tools recently. In 2019 the company acquired Dependabot, a tool that allows the platform to monitor dependencies in projects for known vulnerabilities and then automatically open pull requests to ensure the project has the newest version. Last year, GitHub introduced a feature that automatically scans repositories for vulnerabilities, taking some of the pressure off developers to stay on top of newly disclosed flaws in libraries and other components they use. A related feature will scan repositories for secrets, such as credentials, left in the code and alert developers.
Changes like those can have a major effect on the security of the software built on GitHub, and Hanley said the ability to have that kind of broad influence on the software ecosystem was important for him.
“A huge motivation for me was the ability to protect the platform, but it’s also the best point of leverage to raise the tide for everyone,” he said. “GitHub has such a unique leverage point. Something like secret scanning can fundamentally limit the number of people who make those simple mistakes. If you get a very complex set of tools that assumes a lot of security expertise, that’s where you can get in trouble. This is where thoughtful design and enabling the developer community to do its work is important.”

As much of a difference as those changes can make for developers, the software ecosystem is vast and deep, and no one entity has visibility into all of it. Sharing security knowledge, threat intelligence, and best practices is a vital part of securing networks and software projects alike. Hanley, who spent several years at CERT, said he sees room for more cooperation between the private and public sectors on a range of initiatives, including standards and development practices.
“We need to look for more opportunities for collaboration. Things like NIST standards help set the bar and accelerate adoption of something like zero trust, for example. The government was on time on that one,” he said.
“There are opportunities there around software security and secure development practices. We can iterate on things like vulnerability management. There’s more to it than just vulnerabilities that exist in code. This is such an important moment. The whole world is built on software.”
CC-By 2.0 license photo from Flickr.