►
Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Security as Code: A DevSecOps Approach - Xavier René-Corail, GitHub
Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that is free for open source that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline. Finally, we share the lessons learnt from offering security advice to 6 open source projects that have joined our free office hours.
A
A
What
we
do
at
the
GitHub
security
lab
is
that
we
help
secure
open
source
software,
all
open
source
software,
so
how
we
do
that
our
core
activity
is
a
security
audit
in
open
source
projects.
We
find
vulnerabilities
in
this
project.
We
disclose
them
to
the
maintainers.
We
help
the
maintainers
fix
them
and
we
do
that
for
all
open
source.
A
Well,
I
mean
any
open
source
project,
not
only
those
that
we
are
using
at
GitHub,
not
even
only
those
who
are
hosted
on
GitHub
any
open
source
project,
but
of
course
we
cannot
secure
the
Open
Source
by
ourselves
so
being
at
GitHub,
we
Leverage
The
Power
of
the
community.
So
how
do
we
do
that?
One?
We
educate
the
community,
so
we
share
our
security
techniques
and
our
security
findings
with
the
security
research
community
and
we
we
try
also
to
educate
the
open
source
Community.
A
A
Two,
we
amplify
security
research,
so
we
do
variant
analysis
whenever
we
find
a
noticeable
cve
or
security
vulnerability.
We
try
to
code
this
pattern
with
a
code
ql
and
we
try
to
run
the
query
on
all
open
source
projects
to
find
other
instances
of
this
vulnerability
and
finally,
we
notify
the
ecosystem.
So
we
are
a
CNA,
so
we
assign
cves
for
security
vulnerabilities
in
open
source
and
we
also
create
the
GitHub
advisory
database,
which
is
D3
and
open
source
database
for
security
vulnerabilities
in
open
source.
A
What
I
want
to
do
today
is
convince
you
of
the
benefits
of
using
security
as
code,
so
I
will
first
introduce
the
concept.
I
will
show
you
how
well
what
it
looks
like
concretely
with
a
codeql
and
then
hopefully
we'll
have
time
for
questions
afterwards,
so
my
Story
begins
far
far
away
on
planet
Mars,
10
years
ago,
meet
Grover,
it's
a
Well
curiosity!
Sorry,
it's
a
Rover
developed
by
NASA
Japan
and
ten
years
ago,
this
small
River
was
en
route
to
Mars.
A
Well,
not
very
small.
Here
you
can
see
a
few
humans
next
to
the
river
to
see
the
real
size
of
it
and
what
happened
once
it
was
already
going
to
Mars
is
that
the
NASA
JPL
engineering
team
found
a
bug
in
the
in
the
piece
of
code
that
was
in
charge
of
the
parachute
during
the
donding
phase,
so
pretty
pretty
critical
piece
of
code.
A
This
is
let's
dig
into
this
this
bug,
so
this
is
not
NASA's
real
code.
This
is
sudoku
that
I've
written
for
you
to
explain
what
it's
about
so
in
C.
If
you
declare
a
function
parameter
as
an
array
of
size
12
here
an
array
of
doubles
of
size
12
here,
it
doesn't
prevent
you
to
call
this
function
with
an
array
of
different
size.
So
this
is
what's
happening
on
nine
eight.
A
What
happens
if
you
look
at
line
free
during
the
processing
of
this
function?
What
happens
is
that
the
system
will
access
memory
space
that
is
beyond
the
allocated
memory
space
and
then
the
result
will
be
unpredictable.
You
don't
know
what
in
this
space,
so
we
found
this
bug.
We
checked
that
it
was
not
very,
very
harmful,
but
they
thought
hey
what
if
this
bug
is
happening
in
other
places
in
our
software.
A
After
a
quick
code
review,
we
found
project
on
another
place
where
this
was
happening.
So
they
said
okay
hold
on
we'll
need
to
find
all
instances
of
this
bug,
and
so
we
will
use
an
automatic
static
analysis
tool
to
find
all
of
these
instances,
and
so
we
used
codeql
to
find
all
instances
of
this
pattern
in
their
code.
A
So
this
is
an
example
of
this
query.
If
you
look
at
the
third
line,
you
see
that
we
are
looking
for
and
the
argument
in
position
in
position
I
and
that
this
argument
is
position.
I
has
well
it's
an
array,
and
that
has
a
size
a
and
then
we
are
comparing
this
to
the
parameter
of
the
function.
Declaration
in
position,
I
same
position
I,
and
you
see
that
it's
also
an
array
of
size
B
and
we
compare
the
size
and
we
see
that
a
is
smaller
than
b.
A
A
And
well
as
much
as
we
would
all
love
to
follow
NASA's
example
and
shift
left
security
to
include
all
of
that
into
the
development
life
cycle.
Some
companies,
some
organizations
struggle
with
that.
Apparently
in
a
recent
survey
of
about
the
state
of
devsecups
43
of
respondents,
say
that
they
were
frustrated
that
security
testing
was
done
late
in
the
software
development
lifecycle.
A
A
A
A
A
A
Opposite
would
be
that
another
team
is
running
the
test
for
you
and
then
creates
a
bunch
of
issues
and
then
send
all
the
issues
to
you
right.
I.
Remember
one
former
colleague
telling
me
Oh
wow,
hey
my
security
tool.
We
finally
moved
from
generating
a
PDF,
and
now
they
are
integrating
with
driver
and
oh
developers
will
love
it
and
well
as
much
as
we
can
all
agree
that
moving
from
PDF
to
visuals,
it's
an
improvement,
but
developers
didn't
love
it
right.
A
They
they
were
still
not
autonomous,
Mastery
Mastery
is
being
able
to
learn
in
the
process
right.
So
you
are,
you
know,
acquiring
a
new
scale
learning
so
for
security
testing.
That
would
be
that
developers
I
mean
this
security.
During
this
security
testing
process,
we
learn
about
some
secure
code
practices.
We
are
able
to
learn
and
to
not
repeat
the
mistakes.
The
same
mistakes
in
the
future,
the
contrary
would
be
that
the
expertise
stays
in
that
other
team
and
doesn't
benefit
the
Developers
and
finally
purpose.
A
Well,
the
purpose
of
a
developer
right
that
would
be
to
to
to
create
a
delightful
software
for
their
for
their
users
right.
We
all
know
that
so
high
quality
and
high
security
too
right.
They
should
be
able
to
relate
what
they
are
doing
to
this
purpose
right,
so
they
should
be
able
to
say:
oh
okay,
I
know
why
I
need
to
fix
this
thing.
It's
I
can
relate
it
to
this
purpose
right.
A
A
What
worked
was
when
they
were
able
to
code
it
themselves
with
tools
like
Fitness
and
selling
them
devops,
when
we
wanted
to
include
deployment,
testing
and
probability
testing,
what
worked
was
infrastructure
as
code
this?
This
is
really
what
ticked
and
made
them
adopt
these
practices
infrastructure
as
good.
A
It's
a
qts
code
would
be
well.
I
took
this
definition
from
the
web,
but
basically
what
I'm?
What
I
want
to
do
is
that
the
developers
are
able
to
code
their
security
testing,
their
security
checks
right
and
with
that
you
get
automation,
you
get
repeatability,
you
get
reusability,
you
get
documentation
right
same
as
infrastructure
as
good,
but
with
security.
A
A
Ql
stands
for
query
language,
it's
kind
of
SQL
for
code.
It
will
query
your
code
as
if
it's
data
with
this
language,
you
describe
what
to
find
and
not
how
to
find
it.
It's
very
expressive
in
this
way
and
it's
a
logical,
declarative
language
based
on
data
log
and
it's
also
object
oriented
which
is
super
useful
for
reusability.
A
We
will
see
that
later
a
bit
more
into
details,
codeql
Works
in
two
phases.
First
phase:
it
will
extract
your
code
into
a
relational
database.
It
will
extract
all
aspects
of
your
code.
Like
the
abstract,
syntax
tree,
some
semantics
and
even
the
control
flow
graph,
and
then
it
gives
you
an
optimized
object-oriented
language
that
will
abstract
Ware
right
to
query
this
DB
yeah.
So
on
the
diagram
on
the
left,
you
see
a
bit
more,
these
two
phases
extraction
and
then
query.
A
Now,
let's
have
a
look
at
the
first
example.
So
what
happens
behind
the
hood
is
that
in
the
GB
we
have
a
table
that
has
been
created
that
is
named
function
and
in
this
table
you
have
a
colon
called
name,
and
then
you
have
all
the
the
functional
declarations
in
this
table
and
codequel
created
a
class
on
top
of
that.
So
you
have
a
class
function
that
Maps
the
table
called
function
and
you
in
this
class
you
have
a
member
name
that
you
can
access
with
get
name
that
Maps
the
name
column.
A
If
you
look
at
the
second
example,
you'll
see
that
we
are
able,
like
in
SQL,
to
do
a
join
between
two
tables.
So
here
the
functions
and
the
function
Scrolls
and
this
joint
is
made
super
easily,
with
the
line
and
C
dot.
Target
equals
f
right.
So
we
are
binding
the
target
of
the
curl
with
the
function.
We
can
also
access
directly
the
first
argument
of
the
curl
with
C
dot
get
argument.
A
So
with
codeql,
you
have
support
for
all
of
these
languages
to
C
sharp
that
is
missing
on
this
slide
and
you
we
have
also
a
swift
and
kotlin
that
are
in
beta
right
now,
so
for
each
language
we
need
a
bit
of
work
to
support
it,
because
the
code
team
needs
to
design
the
optimal
data
schema.
We
need
to
design
the
extractor
that
transform
your
code
into
a
DB.
A
A
And
then
so,
once
you
have
a
the
code
queries
the
code.
Queries
are
open
source
and
you
can
have
two
possible
ways.
You
can
just
consume
them
right.
The
queries.
Are
there
open
source?
You
can
just
run
them
on
your
code
or
you
can
be
a
writer
if
you
choose
to
consume
well.
This
is
super
easy.
You
can
really
immediately
benefit
from.
This
group
is
because,
if
you're
out
of
an
open
source
project,
it's
free
for
you,
it's
free
for
all
open
source
project,
not
only
the
project
that
are
hosted
on
GitHub.
A
If
you
are
on
YouTube,
though,
you
can
also
have
free
inclusion
of
this
into
your
CI
CD
and
it's
one
click
easy.
You
go
to
your
GitHub
project
and
you
enable
codeql.
This
is
a
one-click
configuration
and
once
you
do
that,
you
will
have
code
query
running
on
your
project
automatically
and,
for
example,
codeql
will
analyze
all
your
new
pull
requests
and
it
will
comment
on
it.
A
So
here,
for
example,
you
have
a
new
code
popping
up
and
you
have
a
codequel
analysis
telling
you
that
there
is
a
possible
client-side,
cross-size
xss
in
your
code,
so
here,
as
you
can
see,
it's
it's
really,
acting
as
if
you
had
a
peer
reviewer
telling
you
hey,
I,
think
there
is
a
problem
here
in
your
code.
So
it's
it's
not
changing
anything
from
what
you'd
usually
do.
It's
included
into
your
software
development
lifecycle
right.
A
A
This
reliability,
you
will
get
a
remedition
device,
so
as
a
developer,
you
will
be
able
to
act
on
it
immediately
and
autonomously
I
know.
Yes,
this
documentation
is
also
customizable
because,
as
I
said,
the
querys
are
open
source.
So
you
can,
you
know,
kind
of
adapt
them
to
your
particular
the
particular
case
of
your
code
of
your
project,
your
organization,
to
get
your
developers
really
doing
the
right
thing
for
this
particular
vulnerability.
A
Imagine
that
your
open
source,
maintainer
yeah,
those
are
the
open
source
maintainer
of
popular
Java
Library,
let's
say
block
40
completely
randomly,
and
then
you
heard
about
this
vulnerability
pattern
gndi
injection,
so
you
want
to
make
sure
that
your
library
is
not
vulnerable
to
that.
What
would
that
be?
In
your
case?
It
would
be
that
an
attacker
can
use
your
logging
functionality
where
he
can
pass
us.
They
become
passes
training
and
then
this
training
will
perform
a
gender
agenda
lookup
in
a
remote
server.
A
For
example,
it
means
that
here
you
have
an
attacker
who
can
control
this
message
here
in
this
message
they
will
pass
a
gndi
lookup,
and
this
will
end
up
into
this
file
generally
imanager.java
into
this
call
to
context
lookup
into
this
argument:
name
Okay.
So
what
I
will
do
is
that
I
will
try
to
show
you
how
we
find
this
pattern
with
code
ql
in
in
log
4G,
so
I
mean
Visual
Studio
code,
and
what
I
did
is
that
I
installed
the
code,
ql
extension
here.
A
All
of
this
is
is
free
for
open
source
and
then,
as
I
told
you,
we've
gotql,
you
have
to
do
two
phases.
You
generate
the
code
base
and
then
you
credit
this
code
base.
So
I've
used
the
code
qlcli
to
generate
the
log4j
library
here
and
I
imported
it
into
my
workspace.
So
now
icon
run
queries
on
it.
Ok,
so,
for
example,
here
I
got
a
query
that
look
for
empty
statement.
Block
and
I
can
run
it,
but
that's
not
what
is
interesting
for
me.
A
What
I
want
to
find
I
want
to
find
this
message
here
Okay.
So
one
thing
that
is
super
useful
is
that
in
codeql
you
in
in
this
extension,
you
also
have
the
ASW
the
AST
viewer
here.
That
gives
you
the
name.
You
know
of
the
classes
that
codeql
is
mapping
your
code
with
so,
for
example,
here
the
method.
Well,
the
class
that
I
need
to
query
is
called
method
cool.
A
This
parameter
here.
Well,
it's
called
the
parameter
and,
for
example,
this
is
an
annotation,
okay,
cool,
very
useful
right.
Some
of
the
names
are
pretty
intuitive,
but
in
some
cases
it's
very
useful
to
use
this
TPO
to
know
what
you
are
querying
okay.
So
let's
do
that
I
want
to
find
the
parameter.
The
first
parameter
of
a
method
that
overrides
logo.info.
A
A
A
Logo.Info,
yes,
it
tells
me
that
because
I
practiced,
of
course,
so
okay
well
and
has
a
consequence
parameter.
Yes,
please,
okay,
so
from
method,
pen
and
oop,
okay
and
parameter
P,
let's
see
so
my
method
is
overriding
logo.info,
my
method,
that's
one
parameter!
This
parameter
is
p
and
the
type
of
p
is
cow
sequence.
Okay,
yes,
I
think
this
is
what
I
want
and
then
select.
A
A
And
the
method
is
declared
in
a
class
that
is
a
subtype
of
jadak
naming
context.
Yes,
okay
and
select
the
first
argument,
Okay
so
from
let's
see
from
method
access
method,
I'm
binding
the
two,
the
name
of
the
method
is
lookup
and
the
declaring
type,
which
is
the
class
where
this
number
is,
is
implementing
jabax
naming
context.
Well,
this
is
exactly
what
I
want
and
I
will
just
select.
The
first
argument
here
I
need
to
comment
this
bit
here.
A
Okay,
I
got
two
results
if
I
click
on
the
first
one,
it's
in
data
source
connection
through
the
Java.
This
is
not
what
I'm
looking
for,
but
this
one
is
exactly
the
one
I'm
looking
for
I
mean
gndi,
manageable,
Java
and
I've
got
my
my
first
argument:
cool
okay.
So
what
I
did
now
I
found
these
two
places
in
the
in
the
code,
but
what
I
want
to
know
is:
is
there
a
possibility
that
this
untrusted
Source
right
that
that
an
attacker
can
pass
to
the
lodging
personality?
A
A
A
A
A
A
A
Let's
go
back
okay,
so
we
have
implemented
our
source
good.
Now
we
have
to
implement
our
sync.
What
do
we
do?
Well,
we
should
copy
what
is
in
here
into
the
sync,
but
no,
there
is
a
simpler
way.
Remember
that
queries
are
open
source
and
it's
an
objects,
oriented
language
so
because
of
that
the
community
people
from
the
community
are
providing.
You
know,
queries
but
also
some
libraries
and
some
classes
and
that
we
can
reuse.
It
happens
that
a
community
contributor
created
a
class
called
jndi
injection.
A
Sync
I
think
that
I
will
use
this
one,
so
I
will
say
yeah
see.
My
sync
is
an
instance
of
this
class.
Gndi
injection
sync:
let's
quickly
evaluate
to
make
sure
that
okay,
this
class
is
coming
from
the
community
I'm,
not
really
sure.
If
that
does
what
I
want.
Oh
so
see
it's
not
doing
exactly
the
same
thing
right.
It
gives
me
Five
results
in
instead
of
the
of
the
two
ones
that
I
had
so
it's
less
precise
that
what
I
had
before.
A
A
A
If
we
look
at
this
other
part
here
so
same
thing,
you
have
150
50
steps
right,
so
this
is
something
that
is
impossible
to
to
find
manually
right.
Even
if
you
Elon
Musk,
and
you
have
code
review
superpower
and
you
can
read
pages
and
pages
of
printed
code,
you
cannot
do
that.
You
cannot
beat
that.
So
this
is
the
way
that
you
can
use
codeql
to
find
paths
across
a
hold
of
your
code.
A
Here.
I
want
to
mention
one
thing:
I,
the
the
minimal
thing
that
you
have
to
do
for
this
thing.
Configuration
is
to
define
a
source
and
a
sink
right,
and
the
library
is
already
pretty
good
to
to
give
you
nice
results,
but
you
have
control
of
your
10
tracking
total
control.
How?
Because
you
can
also
Implement
two
other
predicates
one
where
you
can
Define
sanitizers,
you
can
say
hey
when
you're
passing
through
this
call,
then
it's
sanitizing
the
data.
So
stop
your
10
tracking.
A
A
I
want
you
to
continue
the
tent
when
I
pass
through
this
call,
because
it's
taking
my
my
data
so,
for
example,
you
can
say
hey
I,
want
to
to
have
a
change
between
the
first
argument
of
this
call
and
the
written
value
or
the
first
argument
of
this
call,
and
that
number
of
that
argument
of
this
girl
I
want
you
to
propagate
the
time.
So
that
gives
you
really
total
control
of
your
of
your
10
tracking.
You
can,
with
sanitizers,
reduce
false
positive.
A
A
So
that's
it!
We
found
look
for
Shell
with
with
calcul.
That's
pretty
cool,
let's
go
back
to
our
slides,
so
so
yeah
what
time
for
the
conclusion!
So,
with
security
as
code
and
with
code
QR,
you
get
an
automated
reputable
reusable
Security
checks
that
you
can
include
seamlessly
into
your
software
development
lifecycle
and,
if
you're,
a
developer.
When
you
get
that
you
know
it's
code,
so
I
can
read
it.
I
can
understand.
I
can
learn
from
it.
A
Baby
is
a
documentation
attached
to
it,
so
I
can
really
learn
from
it
even
more,
and
there
is
also
a
bonus.
Is
that
because
the
code
queries
are
open
source,
you
get
Community
Driven
Security
checks.
What
I
mean
by
that
is
that
these
queries
they
are
written
by
the
qql
team
at
GitHub.
They
are
written
by
19
security,
lab
they're,
written
by
security
teams
at
our
customers.
They
are
written
by
dozens
of
independent
security
researchers
who
are
contributing
to
the
to
this
to
these
cultural
queries.
A
So
that's
the
bonus
of
the
of
the
of
having
this
queries
being
Community
Driven,
and
that
is,
if
you
want
to
know
more,
you
can
browse
cosplay.com.
You
can
go
to
the
website
of
the
security
lab
on
this
website.
You
will
find
access
to
our
public
slide
to
our
community
slack.
You
will
find
some
examples
of
how
we
used
codeql.
You
will
find
also
some
code
QR
ctfs,
that
you
can.
You
know,
play
with
to
to
learn
about
culture,
and
you
can
also
visit
GitHub
at
the
booth
g17.
A
B
A
Oh
no,
no
so
so
the
question
is:
how
is
GPT
playing
into
cultural?
So
no
a
cultural
is
pretty
deterministic.
You
know
it
just
analyze
your
code
put
all
of
that
into
a
database
and
then
look
for
look
for
you
know
analyze
your
control
flow
graph
Etc,
so
I
was
just
using
copilot
to
write
the
code.
That
does
the
query.
Now,
if
you
go
to
the
to
the
code
ql
site,
you
will
see
that
I
I
think
we.
A
We
run
a
beta
about
to
use
machine
learning,
to
identify
more
automatically
some
sources
and
some
things
right.
So
we
have
a.
We
have
a
bit
of
of
machine
learning
that
helps
with
defining
sources
and
seeks
automatically,
but
it's
it's
still
in
beta
and
no,
we
so
we're
not
using
GPT.
Inside
of
the
of
the
of
the
query
itself.
That
makes
sense.