In this interview, we dig deeper with Maya Kaczorowski into what DevSecOps is and how to apply it. It’s a mindset shift in how development teams think about security. DevSecOps is about making all parties who are part of the application development lifecycle accountable for the security of the application.
A software supply chain is anything that goes into or affects your code. Even though supply chain compromises are real and growing in popularity, they’re still extremely rare – and so the most important thing you can do to protect your supply chain is patch your vulnerabilities. Then, to successfully secure your software supply chain, you need to understand the dependencies in your environment, know about vulnerabilities in those dependencies, and quickly patch them. For Software Composition Analysis (SCA) capabilities native to GitHub, use Dependency Graph, Dependabot alerts, and Dependabot security and version updates to automate the hard work.
Integrating static analysis security testing into the developer workflow is hard. We discuss the challenges and how to overcome them.
By having developers share responsibility for security, performing security testing earlier in your development lifecycle, and using Git as a source of truth, you can help your development teams find and remediate security issues faster.
GitHub’s dependency graph identifies all upstream dependencies and public downstream dependents of a repository or package by parsing manifest files, so that you can better manage the security and compliance of your dependencies.
As previously announced, beginning November 13th, 2020, we will no longer accept account passwords when authenticating with the REST API and will require the use of token-based authentication (e.g., a personal access, OAuth, or GitHub
Protect your team’s code with secure software development best practices like setting up SAML/SCIM integrations, enforcing policies to avoid code leakage, and more.