►
From YouTube: Develop open source securely with GitHub. #DemoDays
Description
So now you're hyped up on open source and find all sorts of components to use in your own project. But how to do so while still staying on top of the latest security vulnerabilities in open source? By integrating some of the features in this Demo Day, you can programmatically understand risks in your software supply chain.
2:03 - Start & Intros
5:51 - Security Frameworks
7:58 - Identify - detecting the open source that we're using in our project with the Dependency graph
12:57 - Org level security issues (GitHub Advanced Security)
15:30 - Repository security policy
18:14 - Protect - reviewing dependency changes and why you might want to pro-actively update dependencies
22:35 - Dependency review, Rich diffs, and security advisories
28:30 - Pro-active updates
32:48 - Detect - dealing with novel vulnerabilities
34:53 - Dependabot alerts and Security updates
41:59 - Respond - Privately collaborating on fixes to vulnerabilities and disclosing vulnerabilities.
Hands-on training: https://lab.github.com/githubtraining/securing-your-workflows
A
Hello,
hello
and
welcome
everyone
nice
to
see:
y'all,
hello,
bakersfield,
california.
I
see
you
hello
to
everyone
from
all
over
the
world
good
morning,
good
afternoon,
good
evening,
good
night,
happy
friday
to
most
of
you
and
happy
saturday
to
all
the
the
early
morning.
Owls
I
see
some
folks
from
india.
I
want
to
give
you
a
special
shout
out
to
all
our
india
viewers.
I
know
the
past
week
or
two
or
three
even
has
been
pretty
rough
over
there
with
kovid,
so
I
hope
you're
all
staying
safe.
A
I
hope
you
are
about
to
enjoy
a
decent
weekend,
and
hopefully
you
get
a
break
from
some
of
the
challenges
out
there,
all
right
so
to
get
all
started.
If
you
joined
us
last
friday,
we
had
an
amazing
session
with
eddie
joude
and
andrea
griffis
around
some
of
kind
of
the
fundamental
whys
of
open
source.
Why
would
you
want
to
consider
bringing
open
source
into
your
company
or
why
would
you
consider
contributing
to
open
source
as
a
developer
today?
A
A
B
Yeah,
absolutely
so
today,
here
it's
demo
days,
so
I
have
a
demo
heavy
session
where
I'm
gonna
show
you
how
github
security
features
can
help
make
your
use
of
open
source
more
secure
and
we're
going
to
look
at.
You
know
why
that's
important-
and
you
know
just
some
of
the
ways
to
you
know,
structure
how
you
think
about
that.
B
B
B
You
know,
there's
a
39
increase
in
the
number
of
alerts
that
we've
sent
out
to
active
projects,
and
so
you
know
knowing
how
you're
going
to
respond
to
those
you
know,
features
you
can
use
from
github
and
processes
that
you
can
put
in
place
to
help
detect,
protect
from
and
respond
to.
Those
vulnerabilities
is
really
important.
B
B
You
know
our
friend
hubot
here
says
we
need
to
find
all
the
things,
but
in
in
the
context
of
open
source
security.
What
are
all
the
things?
Well,
there's
a
couple
of
things
that
we
want
to
identify.
The
first
is
you
know
what
are
the
open
source
components
we're
using
if
we
don't
know
what
open
source
components
we're
using?
We
won't
know
what
vulnerabilities
we're
exposed
to,
and
you
know
the
risk
that
that
leads
to
yeah.
So
that's
the
first
thing:
let's
get
our
inventory
of
open
source,
then
we
want
to
understand
you.
B
What
are
those
vulnerabilities?
You
know
what
how
severe
are
they
so
that
we
can
start
making
some
kind
of
intentional
decisions
about
you
know.
Does
this
vulnerability
really
affect
me?
You
know.
Do
I
need
to
upgrade
you
know
in
what
situations
might
this
be
an
issue,
and
the
other
thing
that
you
know
might
surprise
you
a
little
bit
to
talk
about
in
this
category?
Is.
A
B
You
know
what
are
your
supported
versions
and
your
how
you're
going
to
handle
those
security
issues
when
they're
raised,
and
so
we're
going
to
be
looking
at
some
of
the
features
that
github
has
that
what
is
going
to
help
you
with
these
steps-
and
so
you
know
it's
demo
days,
so,
let's
jump
straight
into
demos
and
look
at
the
things
that
we
can
do
to
help
identify
okay.
So
the
first
thing
I
want
to
do
is
show
how
we
can
detect
the
open
source
that
we're
using
in
a
project.
B
B
B
So,
if
I
jump
over
to
the
insights
tab
here
and
go
to
dependency
graph,
you'll
see
that
what
we
now
have
is
an
inventory
of
everything
that
this
particular
repository
depends
on.
So
it's
analyzed
our
package,
lock,
json
file
and
you'll,
see
you
know
pretty
quickly.
It's
discovered
that
this
project
has,
you
know
just
over
1300
dependencies,
and
so
we've
worked
out.
What
each
of
those
dependencies
are
the
particular
version
we
can
drill
in
here
to
see
kind
of
what
the
dependency
tree
looks
like
for
that.
B
You
know
if
you
are
the
publisher
of
an
open
source
project.
You
can
also
see
you
know
what's
depending
on
you,
but
you
know
this
is
kind
of
our
first
step
to
all
of
the
other
security
experiences
is
having
this
base
set
of
information
about
our
dependencies
and
yeah.
To
just
fill
you
in
on
how
this
works
is
what's
happening
is
when
this
features
on
as
you're
pushing
commits
up
to
your
repository,
we're
analyzing.
The
different
package
manifests
for
our
supported
ecosystems
that
are
in
those
commits
and
building
up
analyzing.
B
So
the
other
thing
that
we
want
to
look
at
here
from
an
identification
perspective
is
this
is
great
at
a
single
repository
level.
But
what
if
we
want
to
understand
what
our
security
issues
are
across
the
whole
organization,
and
we
just
released
this
feature-
it's
only
available
for
github
advanced
security
customers.
So
I
just
need
to
point
that
out,
but
this
is
up
at
the
organization
level,
where
we
can
now
go
and
see
for
the
set
of
repositories
that
we
have
in
an
organization.
B
What
are
the
different
security
features?
We
have
turned
on
and
off
so
you
know
with
dependency
graph
and
I'm
going
to
show
the
alerts
part
of
this
in
a
minute
we
have
dependebot.
So
I
can
see
here
what
is
the
ratio
of
projects
in
this
particular
organization
that
have
this
feature
turned
on
or
off?
B
But
more
importantly,
I
can
also
see
you
know
what
are
the
individual
results,
so
I
filtered
here
to
repositories
that
I
created.
This
is
just
a
testing
organization.
We
use-
and
in
fact
here
is
that
repository
I
was
just
in
and
we
can
see
that
over
here.
These
are
the
number
of
vulnerabilities
that
are
active
vulnerabilities
that
exist
for
each
of
the
repositories
from
dependable
alert.
B
So
you
know,
with
with
dependency
graph,
we
now
have
the
inventory
with
security
center.
We
can
see
an
overview
of
you
know
the
the
risks
that
exist
across
the
organization,
but
you'll
recall
when
I
was
talking
about
identify.
The
other
thing
that
we
may
want
to
do
is
share
what
our
security
policy
is
for
a
particular
repository.
B
So
let's
take
a
look
at
how
you
would
set
one
of
those
up,
I'm
back
in
that
same
repository.
I
was
in
before
our
nothing
enabled
repository
and
I'm
in
the
security
tab
on
the
overview,
sub
tab
and
so
you'll
see
here
security
overview.
You
know,
we've
got
a
orange
icon,
that's
saying
we
don't
have
a
security
policy
set
up
and
I
can
go
ahead.
Click
here
and
say:
I
want
to
set
up
a
security
policy
for
this
repository,
and
this
is
basically
creating
a
security
md
file
in
the
root
of
the
repository.
B
B
We
may
not
want
them
to
go
and
open
a
public
issue
which
might
disclose
that
there
are
vulnerabilities
before
we've
had
a
chance
to
create
a
patch.
So
often
here
we
might
tell
direct
them
to
some
specific
security
email
address
where
we
want
them
to
report
issues
or
provide
them
with
some
other
secure
channel
of
giving
that
information
from
here
I
can
simply
commit
this
in,
and
it's
now
part
of
the
repository
you
can
create
these
on
private
repositories.
B
If
you
want
to
share
information
internally
for
internal
vulnerability
reporting,
but
where
it's
most
useful
is
going
to
be
in
your
public
repositories,
where
you
want
to
explain,
you
know
for
this
open
source
project.
What
is
the
process
you
have
in
place
for
reporting
security
issues
so
focused,
you
know
mainly
in
identify
there.
What
I
want
to
do
now
is
kind
of
shift
and
talk
a
little
bit
more
about
you
know.
How
do
we
protect
because
identification
is
useful?
You
know
we
can
go
find
the
vulnerabilities
we
have.
B
B
Someone
might
have
opened
an
issue
and
they
just
went
and
fixed
it.
We've
made
way:
we've
added
functionality
to
make
it
easier
for
projects
to
disclose
those
vulnerabilities
and
I'm
going
to
show
that
a
little
bit
later,
but
that
still
doesn't
guarantee
that
all
vulnerabilities
will
be
disclosed
so
proactively.
B
You
know
if
we
assume
that
it's
not
a
matter
of
if
but
when
a
vulnerability
is
going
to
be
raised,
then
what
you
don't
want
to
be
doing
at
a
point
in
time
when
you're
trying
to
you
know
quickly,
resolve
a
potentially
a
critical
vulnerability
is
trying
to
upgrade
your
dependencies
across.
You
know
multiple
major
versions.
B
B
So
let's
look
first
at
how
we're
going
to
find
vulnerabilities
that
are
being
introduced.
So
I
mean
a
it's
actually
a
fork
of
that
previous
repository.
This
one
does
have
some
security
features
already
turned
on
the
feature
I'm
going
to
show.
You
is
dependent
on
having
dependency
graph
turned
on
because
yeah
identify
is
really
the
key
to
a
lot
of
security,
and
if
we
look
in
this
repository
you're
going
to
see
that
we
have
three
open,
pull
requests
all
created
by
this
person,
william
bartholomew,
not
entirely
sure
he
can
be
trusted.
B
B
As
part
of
you
know,
updating
our
blockchain
library
and
there's
a
feature.
That's
in
pull
requests
called
rich
diff
and
where
you
might
have
seen
this
previously,
is
an
ability
to
see
a
rich
difference
for
changes
to
markdown
files.
So
the
same
capability
exists
on
markdown
files,
but
what
we've
done
with
a
feature
called
dependency
review
is
also
expanded,
that
to
support
package
manifest
files,
and
so,
if
I
click
on
the
rich
diff
here,
this
is
the
package
json
itself
you
can
see.
This
is
relatively
uninteresting.
B
B
You
know,
4
000,
editions,
15,
000
deletions,
so
there's
a
pretty
insignificant
set
of
changes
to
our
dependencies
here.
So
let's
take
a
look
at
the
rich
diff
for
this
one,
and
here
we
can
see
a
much
deeper
view
of
what
was
going
on.
You
know
his
dependencies
that
were
added
here
are
ones
that
were
updated.
B
B
This
comes
from
the
github
advan
advisory
database,
which
is
a
database
of
security
vulnerabilities
that
we
are
that
we
maintain
and
make
available
for
free
under
a
creative
commons
license,
and
so
in
this
case
I
might
say,
yeah,
I'm
relatively
happy
with
this
pull
request.
This
seems
pretty
low
risk.
You
know,
I
don't
see
this
being
exploited
in
my
application,
so
I'm
going
to
go
ahead
and
approve
that
pull
request.
B
B
B
And
you
know,
if
I
look
at
this
one,
this
is
a
remote
code,
execution
vulnerability,
so
that
could
be
a
relatively
serious
risk
to
my
application
and
so
at
a
glance
at
as
part
of
our
normal
process,
for
reviewing
a
pull
request.
We
can
go
and
see
what
is
the
impact
of
this
change
to
my
dependencies?
B
What
vulnerabilities
are
being
introduced
and
then
can
make
a
more
meaningful
decision
about?
You
know
whether
or
to
accept
that
risk
or
not.
So
that's
the
you
know
reviewing
of
incoming
open
source
changes
to
a
project,
but
the
other
technique
that
I
mentioned
was
the
proactive
upgrade
of
dependencies.
B
Dependibot
has
kind
of
multiple
sub
features.
There's
dependable
alerts,
which
we'll
talk
about
in
more
detail
in
a
minute,
but
there's
also
security,
updates
and
version
updates
version
updates.
Is
the
capability
to
do
that
proactive
upgrading
of
dependencies,
so
this
doesn't
care
if
a
dependency
has
a
vulnerability
or
not.
This
is
all
about
just
keeping
up
to
date
on
our
dependencies
and
so
to
set
this
up
very
similar
to
the
process
that
we
went
through
for
creating
a
security
policy
is
we
can
go
in
click
create
config
file.
B
I'm
not
going
to
go
through
this
in
complete
detail
and
explain
every
single
configuration
option.
There
is
a
link
to
the
documentation
here
where
you
can
go
and
learn
about
the
different
configuration
options,
but
what
this
gives
us?
The
ability
to
do
is
configure
multiple
update
policies
for
this
particular
repository.
B
B
If
I
was
in
a
mono
repo,
maybe
I
want
to
scope
to
a
certain
directory,
or
maybe
I
have
a
set
of
tools
in
one
directory
and
the
application
source
in
another
directory,
and
I
want
to
focus
this
on
the
application
source
directory.
So
I
could
provide
some
scoping
here
and
I
can
set
up
a
schedule.
You
know
how
often
do
I
want
dependerbot
to
look
for
packages
and
to
send
pull
requests.
B
There's
other
configurations
where
you
can
put
constraints
around,
for
instance,
version
ranges
and
you
can
have
different
update
policies
in
here,
so
you
could
say,
update
the
things
in
this
directory
on
this
cadence
update
the
things
in
this
directory
on
this
other
cadence.
So
you
have
a
lot
of
control
here
and
dependebot's
going
to
go
in
on
that
cadence
see
if
any
of
your
packages
need
to
be
upgraded
and
then
it's
going
to
create
pull
requests
to
apply
those
upgrades
for
you
and
you
also
have
control
over.
B
You
know
how
those
pull
requests
are
tagged,
who
they're
assigned
to,
and
things
like
that,
so
these
two
techniques
can
both
be
used
in
in
conjunction
with
each
other.
You
know
you
can
have
dependable
version
updates
going
in
and
applying
proactive
updates
as
well.
As
you
know,
when
developers
are
adding
new
dependencies
or
applying
their
own
updates,
you
can
go
in
and
review
the
impact
of
those
changes.
B
B
We
know
what
vulnerabilities
already
exist
and
we
just
talked
about
processes
that
we
can
have
in
place
to
prevent
vulnerable
open
source
from
being
introduced,
but
unfortunately,
new
vulnerabilities
are
going
to
be
discovered
in
the
components
we're
already
using.
You
know
a
component
could
have
been
in
our
source
code
base
for
four
years,
and
a
new
vulnerability
is
discovered.
B
Okay,
so
we're
in
the
security
analysis
configuration
and
you
can
see
that
we
have.
I
turned
on
dependency
graph
before
we
also
have
dependebot
alerts
and
security
updates.
So
I'm
going
to
go
ahead
and
I
am
going
to
turn
both
of
these
on.
There
are
some
dependencies
between
these.
So
if
you
go
and
turn
one
on,
it
will
automatically
turn
the
other
required
features
on.
B
So
we
have
all
three
of
the
dependency
open
source
related
security
features
enabled
now.
So
let's
go
back
to
our
security
tab
and
take
a
look.
So
if
we
look
here
depending
on
alerts,
we
now
have
13
alerts,
and
so,
if
I
go
in
here,
this
is
telling
us
for
the
open
source
that
is
already
in
our
default
branch.
A
B
B
Now
we
might
look
at
this
and
say:
look
this
actually
isn't
an
issue
in
our
environment,
so
I
do
have
the
option
to
go
in
and
dismiss
this
particular
alert
some.
Some
of
these
I
don't
necessarily
recommend
using
but
yeah.
Sometimes
it's
better
to
be
honest
than
to
you
know
kind
of
sweep
things
under
the
rug.
You
know
I
could
come
in
and
say
yeah.
I
just
don't
have
time
to
fix
this,
but
in
some
cases
you
look
at
a
vulnerability
and
the
risk
is
acceptable.
You
know.
B
This
is
definitely
a
signal
that
we
look
at
to
make
sure
that
the
information
we're
giving
you
is
accurate,
or
maybe
that
yes,
this
component
has
a
vulnerability,
but
we're
not
using
the
particular
function
in
it.
That
is
vulnerability.
You
know
it
might
be
a
particularly
large
library
with
lots
of
different
capabilities
and
we're
only
using
one
small
part
of
it
and
so
we're
not
affected
by
this
vulnerability.
B
B
The
vulnerable
functionality
today
doesn't
mean
that
someone
else
isn't
going
to
come
along
and
start
using
vulnerable
functionality
in
it
tomorrow
next
week,
next
month,
so
you're
generally
better
off,
you
know
keeping
those
versions
up
to
date,
but
in
some
cases
you
know
this
could
this
could
be
a
valid
option
yeah
so
that
that's
our
ability
to
dismiss
alerts
and
then-
and
they
may
not
have
come
through
yet
I
can
manually
kick
one
off.
I.
B
The
the
other
thing
is
dependable
alerts:
have
the
ability
to
notify
you
yeah?
This
is
something
that
you
know
you
might
have
seen
some
angst
about
in
the
past
of
you
know,
defendabid
alert.
You
know
telling
me
constantly
that
I
have
problems.
This
is
an
area
that
we've
already
done.
A
number
of
fixes
in
or
improvements
to
make
depend
about
more
precise
about
what
it
tells
you
and
when-
and
we
also
have
some
further
work
coming
up
in
this.
B
B
Down
here
we
can
configure
who
has
access
to
the
alerts
by
default.
It's
the
organization
and
repository
administrators,
but
I
can
give
additional
people
access
to
the
alerts
and
that
will
also
give
them
access
to
the
notifications,
and
you
can
come
in
and
configure
your
notification
settings
for
dependable
alerts.
So
you
can
choose
how
you
get
the
notifications
as
well.
As
you
know,
do
I
want
an
email
as
soon
as
the
vulnerability
is
found
or
do
I
want
a
digest,
and
you
know
on
what
frequency
and
you're
going
to
see.
B
Being
introduced,
we
looked
at
how
we
can
detect
vulnerabilities
that
are
responding
and
sorry
detect
new
vulnerabilities
in
existing
open
source
and
then
the
last
thing
I
wanted
to
talk
about
is
you
know?
How
do
we
go
ahead
and
respond
to
vulnerabilities
that
we've
been
alerted
to
for
our
open
source
projects?
B
Is
you
know
by
default?
You
know
we're
not
looking
at
any
of
the
data
in
your
private
repositories
when
you
opt
in
to
dependency
graph
you're
effectively
giving
us
access
to
read
the
changes
to
the
package
manifests
as
they
are
flowing
in
to
your
repository
and
so
we're
looking
at
specific
file
types,
so
we're
going
and
looking
for
justpackage.json
files.
B
B
B
So
you
have
a
lot
of
control
over
whether
you
want
us
to
look
at
those
files
at
all,
as
well
as
you
know,
who
has
access
to
the
information
resulting
from
it.
So
I
hope
that
it
helps
address
any
concerns
you
have
there
you'll
find
a
lot
more
detail
in
our
documentation
up
on
docs.github.com,
and
if
you
have
specific
questions
beyond
that,
you
know
you
can
reach
out
to
support
github,
to
discuss
your
specific
scenario.
B
B
B
B
B
A
B
B
And
so
I
could
say
you
know,
perhaps
the
bug
here
is
that
sensitive
information
such
as
your
token
gets
included
into
sent
data.
So
I
can
choose
that
categorization
here
and
I
can
assign
multiple
of
these
and
then
because
github
became
a
cve
numbering
authority.
We
have
the
ability
to
actually
go
in
and
say
you
know.
I
want
the
ability
to
request
a
cve
for
this
or
if
I've
already
been
assigned
one.
I
can
choose
that
and
provide
those
details.
B
B
B
So
I'm
going
to
go
ahead
and
create
this.
This
is
just
a
draft
security
advisory
within
my
repository
yeah.
Only
these
people
can
see
it,
but
what's
important
is.
I
can
now
add
other
people
to
collaborate
on
this.
So
you
know
maybe
there's
a
security
professional
that
I'm
working
with,
and
I
want
to
give
them
access
to
this
advisory.
B
We
can
have
discussion
on
the
advisory
back
and
forth,
and
I
can
also
start
a
temporary
private
fork
where
we
can
collaborate
on
the
fix
with
these
collaborators
without
disclosing
the
vulnerability
publicly
until
we
have
a
patched
version
in
place
and
then
once
we
have
our
patch
we've
written
up
our
advisory,
we've
refined
the
text,
we're
pretty
happy
with
it.
We
can
request
a
cbe
and
eventually
publish
this
advisory
to
be
public
as
part
of
the
repository
and
have
that
appear
as
part
of
the
github
advisory
database.
B
Basically
all
of
the
previous
features.
I've
shown
you
in
this
session,
such
as
the
dependable
alerts,
security
updates,
an
interdependency
review
so
now
that
consumers
of
this
project
have
this
high
quality
curated
data
directly
from
the
project
maintainers
available
right
for
them
as
part
of
their
development
workflows.
B
B
So
at
this
point
you
know:
we've
gone
through
yeah
those
four
security
functions
from
the
security
framework.
Earlier
we
we
learned
how
that
we,
we
identify
the
open
source
we're
using
and
the
vulnerabilities
it
has.
We've
learned
some
techniques,
such
as
dependency
review
and
proactive
updates
to
protect
vulnerable,
open
source
from
being
introduced.
B
Yeah
we've
been
able
to
go
in
and
turn
most
of
these
features
on.
You
know
I
didn't
fully
configure
them,
but
we
were
able
to
go
through
all
of
these
features
in
you
know
just
under
an
hour.
So
as
you
can
see,
it's
pretty
easy
to
get
started
start
learning
about.
You
know
what
vulnerabilities
you're
exposed
to
fix
them.
You
know
get
proactive
updates
and
security
updates
in
place.
B
You
know
a
lot
of
them.
It
is
that
easy
to
just
go
in
and
click
the
enable
button.
You'll
find
a
lot
more
information
on
docs.github
about
how
to
turn
these
features
on
how
to
configure
them.
If
you
want
to
get
in
more
detail,
but
I
encourage
you
to
go
out,
yeah
try
these
features
and
you
know
see
how
they
help
you
improve
the
security
of
your
open
source
use.