Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitHub / GitHub Universe 2020: Developer - Secure Development / 9 Dec 2020
GitHub / GitHub Universe 2020: Developer - Secure Development / 9 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Expanding GitHub’s security capabilities through integrations - GitHub Universe 2020

Description

Presented by
Jose Palafox, Business Development Manager, GitHub
Sara Joshi, Member of Technical Staff, Accurics
Alfredo Deza, Senior Software Engineer, Anchore
Jaap Karan Singh, Customer Success SME, Secure Code Warrior,

GitHub provides industry-leading native security capabilities within the developer workflow. Our code scanning, secret scanning, and Dependabot products and features deliver great value toward securing applications. Yet, additional security capabilities can be unlocked thanks to integrations. In this panel, we’ll share how third-party vendor solutions integrated with GitHub Actions can improve your security posture on top of native security capabilities. We’ll discuss contextual developer security training, infrastructure as code checks, and container scanning. And you'll learn about how to detect and prevent security issues in your code, how to ensure that runtime environments are up to date, and how to validate the security and configuration of deployment environments.

For more from GitHub Universe 2020, visit https://githubuniverse.com

As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub

Thanks!

Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
LinkedIn: http://linkedin.com/company/github

About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com

A

Hey welcome to expanding github security capabilities through integrations, I'm jose palafox and I'm a business development manager here at github, covering our security product portfolio uh with me today. I've got three awesome panelists and we're going to talk about some of the mechanisms in github that you can use to scan your application code, your infrastructure code and help train developers to react better to security vulnerabilities as you've been hearing through the conference and as you'll keep hearing throughout the conference.

A

Security is incredibly important to us and we've added a number of new features to help secure your applications. uh Codeql is github's own security product that scans your application code base for vulnerabilities and we'll hear from some of our partners that are extending the software development life cycle security posture further on down. So we've got friends here from encore, acurix and secure code, warrior and I'll. Let them start off by introducing themselves and we'll talk through how these products can help uh further secure the software development life cycle alfredo.

A

You want to kick it off with an introduction.

B

Yes, hi jose hi everybody. Thank you so much. My name is alfredo desa. I have almost two decades of software development experience and I currently work at anchor with the tools and integrations team uh trying to to get all of the all of the the the reporting integrated with github actions so that, whenever vulnerabilities are coming up, uh we have accurate reporting at any any given point in time when, when we're interacting with uh github, specifically excited to be here, thank you so much for having me.

A

Great thanks alfredo sarah, you want to introduce yourself.

C

Yeah absolutely hi everyone. My name is sarah joshi, I'm a member of technical staff at acurix. I've been working here for about five months now so here at acura. Our mission is to connect and fix cloud infrastructure misconfigurations in design, build and run time. I'm thrilled to be here because devsecops is such an interesting field, and I really love learning and talking about it. So thank you so much for having me.

A

Yeah, of course, excited to have you here: sarah jopp, you want to introduce yourself.

D

Yeah, absolutely uh my name is uh job currency. I am part of the founding team and uh customer success sme at securia. um First of all, jose. Thank you so much uh for having us it's a great pleasure to be on this panel. I'm talking to you about integrating secure code warrior with github. I think it's quite an exciting thing for developers and for us as well. I think this is something that we've all been waiting on. Is you know how we can tightly integrate security into the pipeline.

D

My background, I'm a developer by trade by profession, so I've done that my whole life and then early on in my career, I saw the light when it came to appsx. I've been an abstech practitioner. So before I was at secure code warrior, I was working as an application security consultant at bae systems.

A

Awesome, so if I'm a developer and I've started, writing an application, I'm using codeql to scan whatever language I'm using and pick up common common mistakes or coding uh errors, and- and once I've done that, I want to package my application up into a container image so that I have a build artifact and I think that's where anchor really can help out. So alfredo. You want to talk to us a little bit about what encore does with container scanning and how that can help. Customers identify other vulnerabilities that that aren't in scope for.

B

Codeql uh yeah uh that that's right well, the thing with uh anchor what what we are trying to, what we're trying to do is uh really stay on top on on when vulnerabilities are being reported and having a straightforward way of reporting those to whoever is developing. So what happens is that whenever I'm I'm crafting a new application, I'm creating a production code? I may not be aware of dependencies that that might have security vulnerabilities since vulnerabilities are reporting all getting reported all of the time.

B

So whenever there's a process behind the scenes that is continuously updating its database and continuously knowing what vulnerabilities are uh are coming up, uh then that's uh that that's a definitely a good way to to help not only build more secure software, but also ensure that delivery processes is more robust.

B

um That's basically the the the what we're trying to do with uh with with anchor and specifically with the github actions.

B

uh The integration process allows us to uh report whenever there's a pull request uh and uh and and some vulnerabilities may have been reported for a dependency one of the ideas is that uh say, for example, if I'm, if I'm a node.js developer and I'm using some library, say uh confabulation, which is like it's been, it's been around forever and it's it's pretty uh uh pretty stable and I said well uh everything's fine with this library, no no vulnerabilities have been reported, but the the thing is that for the past 10 years for the past 10 months or so, we've had around eight security vulnerabilities reported for for node.js, which is the runtime.

B

So as a as a node.js developer, I may not be aware that vulnerabilities are getting reported against the runtime itself, even though my dependencies of the application that I'm currently developing are perfectly fine. So that's where anchor comes in and can report accurately right there with github actions as preventing a pull request from getting merged or or even as as part of a nightly run, for example, which is perfectly suited for github actions.

B

So that's why it's important and it allows developers that might be not be aware of, of something that is coming up to be. um Have that information right there to take some action.

A

Awesome and and once I've packaged my application into a container image and you've scanned it. I tend to write some configuration code for my cloud provider, or maybe some terraform or some kind of aws cloud formation template to deploy the software uh to my cloud environment, and I think uh accurix here can help uh scan the configuration code. So so sarah can you talk to us a little bit about uh what is infrastructure is code and how does acurax help detect security vulnerabilities in the configuration itself.

C

Yeah, absolutely I can do that so infrastructure, as code or iac enables developers to define and manage cloud infrastructure through code. Examples of iic that you may be familiar with, like you said, are terraform aws cloud formation, kubernetes, yaml, helm, charts, etc.

C

So the benefit of iac is that it helps developers to avoid cloud deployment inconsistencies and it also increases developer productivity. However, simple misconfigurations in iec can create serious exposures and in fact, in the last two years alone, cloud infrastructure misconfigurations have contributed to 200 breaches that exposed over 30 billion records. So here at acurix we use the open policy agent or opa framework from cncf to deliver policy.

C

As code, we have a library of 1800 plus policies to scan your iac and it can detect common misconfigurations like s3 buckets open to the public, ssh ports open to the internet, open security groups and much more more importantly, though, the app helps you fix these issues by automatically generating the pull requests and also providing the code required to resolve these issues. You simply need to review and then approve the pull request. So we call this capability remediation as code.

C

So now let me give you a real life example of how policy is code can be used to mitigate risk. A few weeks ago, a security advisory was published about an unreleased bug in kubernetes that can lead to denial of service in snapshot controllers at a high level.

C

This bug can be exploited under the following two conditions: if a cluster is running a vulnerable version of the snapshot controller and if untrusted users are able to create volume, snapshot resources in a specific api group, so after reviewing the security advisory, accurix added a new policy to its library that check the images used by controllers.

C

If a vulnerable version is present, it raises a violation and then it pinpoints the exact code that needs to be updated to use a non-vulnerable version. This enabled customers to detect and then eliminate the risk before deploying the infrastructure to production.

A

Awesome thanks. Sarah, once we've identified some of these vulnerabilities, we get some cwe alerts or some other kind of vulnerability, database alerts and job. I was hoping you could talk to us a little bit about what secure code warrior can do with those alerts and how we can help train developers from making those mistakes in the first place.

D

Yeah, absolutely so, I think, with all these tools that we have that we're able to put into the pipeline and give that early feedback loop to the developers, um you know we're able to surface vulnerabilities much quicker, uh but unfortunately um these are application, security tools, most of them and in general, what we find is developers just do not have the skills to be able to fix these vulnerabilities. So if you're coming out of university today, you're a software engineer, the one skill that you're not taught is how to do things securely.

D

You're taught how to write functional code if you're taught some architecture type things, but not what it takes, why good quality uh secure code? So that's where secure code warrior comes in our mission is to empower developers um with the right skills and the tools that they need to be able to act as that first line of defense within their organization, because if it comes down to it, I think everything these days is uh powered by technology.

D

So, if that's the case, if everything's being powered by a piece of code that originated from a developer, writing it developers really are the people that we should be targeting they're, most critical piece of that puzzle.

D

So we had a very interesting case, study from a customer that speaks to kind of the power of teaching developers about secure coding and it's a u.s tier one financial institution, and they have a large number of developers and they set themselves a lofty goal. They wanted to train all these developers on sql coding on the top vulnerabilities that they were seeing within their organization, but also understanding that developers are busy. Developers are very overworked.

D

They're, always constantly chasing deadlines being asked to add features, so they went about using secure code warrior to achieve this goal and the way they did it is by trying to build habits into the developers day-to-day workflow and what they did was assign the developers a task for every single day to go and do a security vulnerability challenge. Now that challenge takes anywhere from three to five minutes and the whole idea was you as a developer, find your rhythm and you figure out when you want to do that?

D

Is it on your bus ride or train ride to work? Is it early in the morning? You know similar to how a lot of people read newspaper. Maybe you go and do a security challenge.

D

Basically do one challenge a day for three months and build that into your daily routine and what they found at the end of that three months is that the developer accuracy level increased by 60, so they were making less mistakes when it came to writing code and they were writing secure code from the beginning and essentially, what that translates to is obviously we're catching uh less bugs at the at the later end.

D

So there's less security bugs for us to go and fix we're, exposing our applications less in production when it comes to these vulnerabilities with all these attackers, but also, if you look at it from an engineering function perspective, there is a massive gain to be had from a product velocity perspective, because we don't have to come back and fix all of these vulnerabilities and what we've tried to do with the github. Integration is basically just act as an extension of that. So we've got a training platform where you can go in.

D

You can have some very targeted training programs, but if you look at the power of the github integration, the action ecosystem, it's that we're able to catch these things really early on. If a developer commits something, maybe they have a pull request. If we can surface bad things to them straight away, it's so much quicker for them to go and fix it. And so that's the case. One of the things that developers will need is targeted remediation advice.

D

So if encore or acure x comes back and says, hey you've got this vulnerability with your docker config or you know. If you're doing sas scanning you've got this web application or mobile vulnerability as a developer. How do you go and fix it? I think today what we find is that developers will go and remediate. It might not be the best way to fix it. Maybe it goes back again goes back again and that's a normal thing that happens in the workflow.

D

It's like two or three times for you to actually get the vulnerability right and fix it. um So where we're coming in is once you've got all these amazing tools come in and find these vulnerabilities.

D

We want to be able to enrich the results of these vulnerabilities, with targeted advice on secure code warriors, so we have a massive content library that covers everything from web mobile api, even mainframe, like cobol and so on. So if there's a vulnerability found we'll point you to a deep link within secure code, warrior that will say hey. This is how you fix this particular cwe, or this vulnerability within your language and framework, and this is going to be actual functional code apis that you can use awesome.

A

One thing we've all mentioned, and maybe hasn't been explicitly shared, is how all these products integrate with github, and so what I was hoping we could do next is talk about how these alerts show up in the ui and why it's important to present this information to developers while they're writing their software.

A

So if we go to the next slide, I think uh alfredo. This sets you up to maybe talk through uh the kinds of alerts that encore is finding and how those are surfaced in the github ui. Could you give us a little context of what's going on here.

B

Yeah, um that's right, so the idea here is that you have say a container a container-based application with with a docker file, and you are able to build this container and create your your application and through the github actions uh you build this container and then we go in and start uh analyzing the different various layers and components of this completed container. So so that's that's a crucial thing that that happens here, because as a developer, you might not know what it's getting pulled in.

B

So by being able to build a container and then we go in and analyze these uh built uh built image, uh we can accurately say well. This is what what would uh happen at the end of the day. If this, if this code and if this docker file gets uh executed, we end up with a with a running container.

B

It would look like these and and then we correlate the um uh the the the software build the materials like everything, the catalog that gets produced out of investigating what the contents are and then a matching uh starts occurring. If there's a package and a certain given version, and so what ha what happens here? It's uh there's there's a couple of things.

B

First, we were able to alert and prevent a certain uh pull request or a change in github, given the type of reporting that we're getting so you can actually say wow, I'm fairly certain that my the vulnerabilities that are low risk or medium risk are are good to go. But if there's anything that is critical, it's a critical vulnerability like you need to stop these pull requests.

B

So we are able to fine-tune what type of vulnerabilities are getting reported in the github ui and those are optionally um sent over to uh produce a serif report which allows you to have a nice um kind of like a table based view of everything that is being reported and- and you can act actually uh go through different details, so it is not only the reporting that is interesting. It's also that you can actually say well, I want to.

B

I want to see what critical vulnerabilities are being reported where they're coming from what software is affected. How is it? How is it that that's affecting me? How? How does this thing got matched and which are important and critical details when you're developing an application? You might not be aware where what that, where that information is coming from, um so that's that's kind of like what we're we're seeing here on this slide. That's that's basically kind of like the workflow.

A

Nice- and I know sarah you've got something similar with acurix, maybe on the next slide, you could walk us through what the acureex reports look like when they're scanning your infrastructure as code.

C

Yeah, absolutely so you can get the acurex app from the github marketplace and sign up for free once you do that, you simply need to specify the repo or repos that you want to scan.

C

The app will begin scanning the repo and then report violations in the issues tab, as you can see here on this screenshot, each issue reported, has an associated severity level with it so it'll be high, medium or low, as issues are detected, the app helps developers fix them by automatically generating pull requests and then providing the code required to resolve these issues. So if you go to the next slide,.

C

There we go developers simply need to review and then approve the pull requests. So, as we can see in this example, the vulnerability is to ensure that s3 buckets have server-side encryption at rest enabled. So we provide some information about remediation. Then we add the code to resolve it in the pull request. So this functionality allows developers to leverage iic to achieve speed and agility, while simultaneously ensuring that compliance and security best practices are observed.

A

Awesome thanks sarah and I know job you built a github action that kind of intercepts some of these reports that are going into the github ui and then appends them with the contextual training information. So maybe you can talk us through. You know if we're using the secure code warrior add-on here to any of these security tools. What that looks like and kind of what the developer experiences on the next slide.

D

Yeah, absolutely so what we'll do is uh once all these appsec tools have worked very hard and they've found all of these vulnerabilities or flaws, and they pinpoint what cwes or cves they are. um We will enrich that information uh with training links um so and training information, so you'll see uh over here. I've got a pull request view, so this is a node.js application.

D

Someone has raised this pull request and there happens to be a vulnerability in it, which is reflected cross-site scripting. Now, if the user already knows how to fix it great, they can go and fix it or you know, let's say in the case of accurate: sometimes they just raise a pull request. All you need to do is review and fix it.

D

That would be amazing if that just happened, but in a lot of cases you have to actually go in and do it yourself and you have to figure out hey what that vulnerability is and then b, okay. Well now that I understand it, I know why this is important for me to go and fix. Well, how do I actually go and fix it?

D

um So if you go over to the next slide, once you click on the training link from within the the pull request from that comment, uh you will land on this particular page that you see on the on the bottom right hand, side and there's two things to note here. So we clicked on the link and then, if you look at number two we're actually in the language and framework. In this case this was a node.js express application.

D

um So we're looking at a node.js express code base and if you look at number three uh we're looking at a training piece of content uh for reflected cross-site scripting and that's the whole idea for me as a developer, I can go in very quickly understand what this vulnerability is in node.js and then also the second part. How do I go about fixing it within my stack awesome.

A

Well, thanks for sharing that everybody, I think uh this is really good to kind of see how all of your tools integrate into the github ui and provide more information to developers as they're working actively on their their application um in the last five minutes here to take us out I'd love to kind of understand. uh What's coming next, for for your companies, you know where where's the product headed or what are the next kind of set of problems on your horizon alfredo. You want to kick us off.

B

Yeah, uh that's right, jose, like I, I see in the in the near future. A couple of uh a couple of different things that are are pretty interesting. um Personally. What I would like to see is a more and more integrations in within github for security, vulnerability reporting.

B

We have on the on the static analysis side of things we already know when packages are uh specified for a certain dependency uh to be installed, and that could be a docker file for python. That's a set of pi or requirements.txt. So we already know where packages are being declared at what a particular version and developers have.

B

uh The first thing that they're seeing is not some tab in some ui, but rather when they're, seeing the code right in front of them to have some sort of reporting right there, and then this is similar to different lending tools that exist today. For for most any uh any language where, where the linking occurs right right there in the ide or um the text editor, so I think a better integration there that allows uh reporting uh security vulnerabilities in front of the developer. That would be.

B

That would be tremendous and the other one is um so that's kind of like going left, but like the r, the other um uh interesting one is uh going going all the way to the right when, when there's a dynamic application, security, testing or dash, um when, when you have an application that is up and running and kind of like sandbox, and somehow it's pulling dependencies out of the blue uh that you were not uh getting accounted for.

B

So I I think those two are are crucial and- and I think uh more work will go into into those areas to to provide better, better reporting.

A

Sarah, what's new for acure x or what's on the horizon, big big features, you're excited about.

C

Yeah sure so there are a lot of new and exciting innovations in the works at acurix to help developers embrace security.

C

As many of you know, in high velocity development environments, where iac is constantly being updated and issues are constantly being reported, it can be really overwhelming for developers to know like which issues to fix first, so at accurix we're going beyond policy as code and remediation as code with a capability that we call security as code. So this will automatically perform threat modeling and help prioritize risks based on severity.

C

So let me give you an example of how this could have prevented a breach at a well-known, clean energy company a couple of years ago. So in this breach, attackers found a kubernetes server exposed to the internet and the server did not have authentication enabled the attackers found credentials stored inside the kubernetes pod and they were able to use these credentials to explore data within the company's s3 buckets. So here's how security as code could have been used to detect and mitigate this breach path.

C

If a container scanning tool reported that credentials were found inside a kubernetes pod, acura's can then build threat models to analyze. If that pod has any exposures specifically, it would be able to determine the following.

C

So if the server was exposed to the internet, if authentication was not enabled for the server, if the credentials could be used to access any cloud storage services and then the overall blast radius of the attack, I'm really excited about this capability, because I I believe in making security simple yet effective for developers, it's a really complex topic with lots of nuances, and so my goal is to help build a product that fits into developers.

C

Cloud native workflows helps them to be able to identify issues and then also to be able to fix them without having to be security. Experts.

A

Awesome: what's going on with secure code warrior next, are you adding more frameworks or new new vulnerability databases or what's what's coming at us next.

D

uh So I think one of the things that we are always doing is uh adding new languages and frameworks and vulnerability. Databases actually just crossed the 50 language mark recently, uh but I'm going to I'm going to make a place, a big bet and say 2021, not just for scw. I think in general, for the application security industry is going to be the year of integrations and I think mainly the reason for that is. If you look at integrations or you look at partnerships, it's not just you know one plus one equals two.

D

I think it's more a case of one plus one equals eleven. So hopefully I think, just as part of like everything that we've discussed today, people realize that by integrating all of these amazing tools together, um you don't just get. You know a greater effect of all of them. It's actually. The combined effect is so much greater than the sum of its individual parts. So I think that's what we're going for.

D

So we want to double down on integrations, and one of the things that I think we can really bring to the table is really really really bad code. 99 percent of the code that we have in sew is bad codes. We have this massive library of really bad vulnerabilities and if we look at you know all these uh application security tools, we look at github with you know: it's advanced security codeql, you, you know, partners can leverage our content.

D

You know the thousands of challenges and code bases that we have to make their engines better, so you're better at detecting bad vulnerability patterns. Then I think, on the flip side, uh the benefit that we can get from all these tools is as we integrate together. uh There are probably blind spots that we have because at the end of the day, all of these vulnerability databases- these challenges that we have are written by humans.

D

So we're going to write about vulnerabilities that we don't that we know about and we're going to completely ignore the ones that we don't know about. So I think, taking advantage of the ecosystem, uh looking at tools like codeql, if you're able to identify what the gaps are in our own content, based on these production tools that are running on open source repositories on private repositories, we can then leverage that to identify the gaps and then build content in that particular area.

A

Awesome well thanks so much everybody for joining the panel today. I hope those in attendance got to get to hear some good new information about how these tools integrate with github. If you take a look at the last slide, all of these integrations are available today in the github marketplace and help your development team shift left by going and installing them give them a dry run. I think you'll, like the results. So thanks a ton and we'll see you next time.