The world runs on software, and a large portion of it, especially the open source software that’s part of everything we experience, is built by millions of developers on GitHub every day. GitHub is heavily invested in both the security of the platform and helping developers shift left their security investments in building secure software. Security is core to the company’s mission and no team and platform is in a better position than GitHub to continue to advance the state of software security together with the developer community. That’s why I’m excited to share today that I have joined GitHub as Chief Security Officer.
Making security easy and effective for everyone is close to my heart after five years building and leading the security program at Duo Security. My time there solidified for me that good security and the speed of the business are not opposing concepts when met with thoughtful design and a customer-centric approach. I believe that security done well allows us to go further, faster, and more confidently than ever before.
This approach is already fully consistent with GitHub’s approach to developer-first security. Investments in areas like passwordless authentication and the industry-leading move of eliminating all third-party tracking cookies on GitHub.com demonstrate a clear priority on developer security and privacy on the platform. Similarly, developer-focused security capabilities like secret scanning and CodeQL provide key guardrails that help developers avoid incidents and shipping vulnerabilities. Having built programs in SaaS companies like Duo and large enterprises like Cisco, I know how critical these capabilities are to a wide range of developers, and these investments are an incredible foundation for the next round of growth and investment in our Security org.
As a security practitioner, this is also an exciting transition for me as much of the security community, and many of my favorite security projects, live on GitHub, like CloudMapper, stethoscope, GoPhish, and osquery. I couldn’t be more excited to help secure the platform that’s made these influential projects possible and expanded their reach in incredible ways.
It is truly a special time to be joining GitHub to lead the Security org. I’m excited to work with the team and the community to assure that GitHub continues to lead as the most trustworthy home for developers, ecosystems, and teams to come together and create. If you’re interested in joining us, we’d love to talk to you — please keep an eye on open roles in the Security org as we enter this exciting new chapter of Security @ GitHub.
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
In this post, I’ll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I’ll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.
With push protection now enabled by default, GitHub helps open source developers safeguard their secrets, and their reputations.
Mike Hanley 
