How empowering developers helps teams ship secure software faster
AppSec expert Niroshan Rajadurai says putting developers at the center of everything will enable you to meet your security goals.
When life is easy for developers, good things happen.
Here at GitHub, we’re passionate about helping teams gain security resilience. And believe it or not, robust security is achieved when developers work less, not more. To explore this further, I sat down with Niroshan Rajadurai, Senior Director of Global GitHub Advanced Security Sales. Niroshan has been in the security space for decades and helped make CodeQL today’s most widely adopted SAST solution. We chatted about the importance of developer-empowering security and how GitHub is stepping up to help.
Gwen: To start off, what do you think is the most important component for effective AppSec?
Niroshan: Research has shown that integrating security into the developer workflow helps developers fix issues faster. However, simply integrating security and dumping results into different parts of the SDLC is not enough. We have to deeply understand how developers work and ask ourselves: what’s the ideal experience? How can we embed security to naturally optimize developers’ workflows?
Gwen: What role do developers play when it comes to preventing vulnerabilities?
Niroshan: Developers are at the center of everything. They write the code that introduces vulnerabilities and they write the code that fixes them. And developers have the power to prevent vulnerabilities from being introduced in the first place. Therefore, all our security features in the development lifecycle are built for developers and for their specific workflow—versus for the workflow of security professionals. But we don’t leave out security teams, either. Rather, we help them scale their impact by plugging them into the developer workflow.
Gwen: Can you give us a few examples of what “built for developers” means?
Niroshan: A great example of this is push protection for secret scanning. Every day, hundreds of credentials are leaked on GitHub and personal access tokens are accidentally exposed. On public repositories, we automatically revoke API keys and notify the owner. This provides a good developer experience, but an even better one is push protection, which is currently only available to GitHub Advanced Security (GHAS) users. With this feature, we scan pushes before accepting them, and if they contain secrets, we reject them. This helps customers prevent credential leaks while maintaining their developer flow.
Another example is how we centralize results in the pull request so security happens just like any other code review. In the pull request, developers can quickly make a fix or spin up a codespace in real time to get back into the code. They can also collaborate with their team and get all the context they need to fix vulnerabilities in seconds. Teams using GHAS can now view their code scanning findings directly in Codespaces, or in their local VS Code IDE, too.
Finally, we make visualization of all our security features easy with the GitHub security overview. It provides a high-level summary of the security status of an organization so it’s simple to identify repositories that require intervention—helping to scale the security team’s impact.
Gwen: In order for businesses to be successful, they need to innovate quickly. How does optimized security help their innovation efforts?
Niroshan: Innovation is reliant on securing your code in a way that increases developer velocity. When security attempts don’t put developers first, processes are slowed down. Developers struggle with high levels of noise, failed testing issues, and system performance impacts. This creates frustration and wastes time. But optimized security allows developers to fix issues quickly—enabling organizations to ship continuously.
Gwen: What are the challenges of AppSec today?
Niroshan: When AppSec originated, it was designed as a specialist activity. It was not thought of as a process that should be optimized for developers. When I was a developer 20 years ago, people would make changes to a piece of code and push them into the repository, and the build would break. Folks said we should have a process that was more developer friendly. And that’s how DevOps was born. Now, thanks to the developer-centric capabilities of DevOps, we never have to worry about the build being broken.
But AppSec never made it this far. Security is continually broken because it’s not designed for developers. The future of AppSec is DevSecOps, where security functionalities empower developers—just like DevOps.
Gwen: How is GitHub helping developers build a better AppSec future?
Niroshan: As the home for 94 million developers, we’re responsible for nurturing developers in every stage of their journey. From teaching students how to code, to accommodating the needs of scrappy startups, to providing the complex infrastructure required for Fortune 500s, we are dedicated to everyone.
As such, we have a massive amount of crowd-sourced security intelligence. Developers, security researchers, and academics all over the world contribute to further the community’s understanding and awareness. This enables developers to always have the latest security intelligence at their fingertips. And it shows. In 2022, developers updated 50% more vulnerable packages than in 2021, helping to secure 18 million projects on GitHub. The community, coupled with our dedication to maximizing developer velocity and ease, makes GitHub the optimal security solution.
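Push protection, as Niroshan describes it above, is a gate that scans a push before the server accepts it and rejects the push if any added line carries a secret. The block below is an added illustration of that control flow, not GitHub's implementation: the two secret patterns, the commit format and the sample push are all constructed here for the example.

```python
import re
from dataclasses import dataclass

# Illustrative patterns only (assumption: a production scanner ships many more
# and validates candidates with the issuing provider before deciding).
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    line: int
    secret_type: str


def scan_push(commits):
    """commits: list of {"sha": str, "files": {path: [added lines]}} (constructed
    shape for this example). Only added lines are scanned, as a push gate would
    see them; an empty result means nothing blocks the push."""
    findings = []
    for commit in commits:
        for path, lines in commit["files"].items():
            for number, text in enumerate(lines, start=1):
                for name, pattern in SECRET_PATTERNS.items():
                    if pattern.search(text):
                        findings.append(Finding(commit["sha"], path, number, name))
    return findings


def push_decision(commits):
    """Return ("accept", []) or ("reject", findings) so the caller can show the
    developer exactly which commit, file and line must be cleaned up."""
    findings = scan_push(commits)
    return ("reject", findings) if findings else ("accept", [])


# Constructed sample push: a clean commit followed by one that adds a config
# file containing a token-shaped value and a key-id-shaped value.
SAMPLE_PUSH = [
    {"sha": "c0ffee1", "files": {"app.py": ["import os", "token = os.environ['GITHUB_TOKEN']"]}},
    {"sha": "c0ffee2", "files": {"config.env": ["GITHUB_TOKEN=ghp_" + "a1b2c3" * 6,
                                                "AWS_KEY=AKIA" + "ABCDEFGHIJKLMNOP"]}},
]

if __name__ == "__main__":
    decision, found = push_decision(SAMPLE_PUSH)
    print(decision)
    for f in found:
        print(f"{f.commit}:{f.path}:{f.line} {f.secret_type}")
```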