How empowering developers helps teams ship secure software faster

When life is easy for developers, good things happen.

Gwen: To start off, what do you think is the most important component for effective AppSec?

Niroshan: Research has shown that integrating security into the developer workflow helps developers fix issues faster. However, simply integrating security and dumping results into different parts of the SDLC is not enough. We have to deeply understand how developers work and ask ourselves: what’s the ideal experience? How can we embed security to naturally optimize developers’ workflows?

Gwen: What role do developers play when it comes to preventing vulnerabilities?

Niroshan: Developers are at the center of everything. They write the code that introduces vulnerabilities and they write the code that fixes them. And developers have the power to prevent vulnerabilities from being introduced in the first place. Therefore, all our security features in the development lifecycle are built for developers and for their specific workflow—versus for the workflow of security professionals. But we don’t leave out security teams, either. Rather, we help them scale their impact by plugging them into the developer workflow.

Gwen: Can you give us a few examples of what “built for developers” means?

Niroshan: A great example of this is push protection for secret scanning. Every day, hundreds of credentials are leaked on GitHub and personal access tokens are accidentally exposed. On public repositories, we automatically revoke API keys and notify the owner. This provides a good developer experience, but an even better one is push protection, which is currently only available to GitHub Advanced Security (GHAS) users. With this feature, we scan pushes before accepting them, and if they contain secrets, we reject them. This helps customers prevent credential leaks while maintaining their developer flow.

Another example is how we centralize results in the pull request so security happens just like any other code review. In the pull request, developers can quickly make a fix or spin up a codespace in real time to get back into the code. They can also collaborate with their team and get all the context they need to fix vulnerabilities in seconds. Teams using GHAS can now view their code scanning findings directly in Codespaces, or in their local VS Code IDE, too.

Finally, we make visualization of all our security features easy with the GitHub security overview. It provides a high-level summary of the security status of an organization so it’s simple to identify repositories that require intervention—helping to scale the security team’s impact.

Gwen: In order for businesses to be successful, they need to innovate quickly. How does optimized security help their innovation efforts?

Niroshan: Innovation is reliant on securing your code in a way that increases developer velocity. When security attempts don’t put developers first, processes are slowed down. Developers struggle with high levels of noise, failed testing issues, and system performance impacts. This creates frustration and wastes time. But optimized security allows developers to fix issues quickly—enabling organizations to ship continuously.

We have to deeply understand how developers work and ask ourselves: what’s the ideal experience? How can we embed security to naturally optimize developers’ workflows?

Gwen: What are the challenges of AppSec today?

Niroshan: When AppSec originated, it was designed as a specialist activity. It was not thought of as a process that should be optimized for developers. When I was a developer 20 years ago, people would make changes to a piece of code and push them into the repository, and the build would break. Folks said we should have a process that was more developer friendly. And that’s how DevOps was born. Now, thanks to the developer-centric capabilities of DevOps, we never have to worry about the build being broken.

But AppSec never made it this far. Security is continually broken because it’s not designed for developers. The future of AppSec is DevSecOps, where security functionalities empower developers—just like DevOps.

Gwen: How is GitHub helping developers build a better AppSec future?

Niroshan: As the home for 94 million developers, we’re responsible for nurturing developers in every stage of their journey. From teaching students how to code, to accommodating the needs of scrappy startups, to providing the complex infrastructure required for Fortune 500s, we are dedicated to everyone.

As such, we have a massive amount of crowd-sourced security intelligence. Developers, security researchers, and academics all over the world contribute to further the community’s understanding and awareness. This enables developers to always have the latest security intelligence at their fingertips. And it shows. In 2022, developers updated 50% more vulnerable packages than in 2021, helping to secure 18 million projects on GitHub. The community, coupled with our dedication to maximizing developer velocity and ease, makes GitHub the optimal security solution.