From YouTube: Advanced security with novice skills - Universe 2022
Description
Presented by: Justin Watts
This talk will cover how TELUS reduced security threats and incidents overnight with Github Advanced Security.
My name is Justin. I live in the mountain town of Nelson. I like to build very large fire-breathing art cars, and I also have this awesome dog named Hannibal; she's nine. When I'm not doing all those fun things, I'm actually the director of engineering at Telus, working on developer platforms. The motivating factor of my job is that I don't think the technology itself is the most interesting thing. It's how that technology can impact our colleagues and essentially your life as a human, and the actual hard problem we are dealing with is: how do we help our colleagues keep up with change? How do we consume it in such a way that we're able to master it?

Telus is an unbelievably large enterprise. It is primarily known for its telecommunications. It brings fiber optic internet across Canada, one of the first providers to do so.
You have logistical problems of how do you actually connect people in remote rural communities at the same level that you would expect in a city. We're dealing with heterogeneous systems on GitHub. We definitely do worry about people fragmenting so much that they can't come back in, and I take that, actually, as my primary responsibility. I don't think being homogeneous for the sake of being homogeneous is great for a developer, because, once again, that's bureaucracy; that stifles innovation. Instead, as the platform team, I ask myself the question: why does a developer want to do B? What are we missing from A? What are they seeing in B that I don't have? My goal when I build a platform is that I want to be rated on our adoption, and the way you do that is someone's got to see value in what you're building. So to me, that's the problem, and that's my whole job.
GitHub is also interesting because we can go look at what languages are being used. I know the exact moment we had our first Rust library show up, the exact moment we had our first Go library show up, and it showed me what people were looking at getting into, solving or interested in solving. By supporting Rust early on we'd be able to shepherd them in and get them to the same value that our Java developers were getting. So being able to constantly, strategically look at the landscape via a lot of the views that GitHub provides lets me get ahead and ensure that our platform can support the most amount of people.
And now, thanks to GitHub, I'm using GitHub Actions in our modern deployment flows. We are able to make a release of code that potentially is only actually visible to the team working on it. When we talk about homogenizing technologies, things that bring people together, it seems a bit like a cop-out for many enterprises, because everything's easier if everyone does the same thing. So it's really important to note how GitHub is both a heterogeneous and homogeneous platform for us.

GitHub is extremely low-opinion. Whether we are programming in Java, Python or JavaScript, whether we are working in a monolith or a microservice environment, whether we're working with one person or 100 people in a team, GitHub supports our opinions. So when we actually want to use our security team's best insights, our goal is: how can we keep our entire company safe, use the knowledge of our leading experts, without having everyone have to come on that journey with us to also become a security expert?
Why GitHub is so important as a security layer, to have security features, is that it is the first point at which code leaves someone's laptop and enters our environment. Being able to catch a threat before it has been introduced to the enterprise means we get to actually work on that threat without an incident being opened; we can put that into the developer flow.

But, conversely, when we're talking about a threat that is introduced not via our code but, let's say, a dependency, for example log4j, we're able to use GitHub Advanced Security to centrally look at the scale and scope of a problem. In our enterprise in particular, with log4j, via Dependabot we were able to see immediately exactly what repos were affected and exactly what version they were on, and amazingly, using Dependabot's auto PR feature, we were able, once there was a fix published in a new branch, to push that pull request to every single available repo in the organization, and Dependabot provides the instructions for how to merge it, how to take that change in and mitigate the issue. So when we look at joining GitHub from a repository perspective, we're bringing in a lot of existing code, and what's great about Dependabot is we're able to actually choose, kind of, what to pay attention to, what is important.
So in the cases that we're dealing with an internal repository, that initial Dependabot scan will let us know what from our libraries we need to be worried about: high, medium, low and critical, and we address them in that order. Anytime we see a critical alert, we depend on the information Dependabot provides us on what is the risk, how do we fix this, and is there a fix available. We train our teams to listen to Dependabot as if it's another team member, and we really love the functionality that it auto-generates a pull request.

That pull request has the steps in it for what's needed to be done to do the remediation, so we feel safe turning this on at scale across all repositories. So we're able to use GitHub as a command center to look at the scope of that issue, see how it was being addressed and consumed in the enterprise, because what we've shifted from is the walled garden, the idea that being in the building is what keeps you safe. We need to operate over the internet. We need to assume everyone is always trying to look at what we're building, everyone's always trying to break in. We can safely unlock being able to work on our code anywhere in the world, while not actually reducing, and in many cases actually having, a higher security standard than we ever had. So GitHub Advanced Security, without a shadow of a doubt, is the most exciting thing for me as an engineering leader in terms of my ability to have confidence go up with minimum need for human change.
It has the education built in, it doesn't increase the cognitive load on the developer, and it simply just works in the background, without any change in developer behavior, and increases our performance, security and reliability. GitHub Advanced Security, particularly this year with the launch of push protection, is really pushing into that territory where the product just works, and we don't need the developer to change their workflow, or understand and increase their complex security landscape, to stay safe. When we were looking at push protection, we were worried about how we are going to enable this for every single team, because our fear was: are we introducing a blocking process? Sure, we may be more secure, but if all of a sudden you can't push code because it's found a secret, and you have to reach out to us and get remediation help, and you don't know why this change is coming up...
So the way push protection works for us is: a developer, maybe accidentally, has their SSH key inside of their repo. When they go to commit, automatically GitHub will check and block the push and give you this custom URL that you can visit, and the URL presents you with options. It says: hey, you know, we've detected something that we think is a secret. Is this a test? Is this something that you're already aware of and don't need to fix? But also it's protected you, in that if you're like, oh gosh, I didn't mean to do that, you can pull that commit back out, pull that secret out, re-form the push, and now not only have we really taught you in the flow what you need to do, but you've actually mitigated this from becoming an incident; you've handled it as part of the developer life cycle.

Push protection really is that idea of: I've reduced the cognitive load, I can trust that GitHub is going to keep me safe, I can trust that the security team's rules, that they're caring about with their creativity, are going to keep me safe, and if I happen to make a mistake, it'll get caught and we'll be able to deal with it in a way that isn't going to be stressful, right? Without that system, I may just be worried about introducing a new piece of code. I may be more inclined to modify an existing one.
I may be more inclined to do something less unique, something less risky, just because I'm afraid of the consequences. But the other thing you can do, and this is great for educating the system on what type of false positives or types of secrets we have, is that a unique domain is generated for each of these instances, where we're able to say: actually, you know what, this is a token, you're not wrong, but it's used in tests, or it's a false positive, or I'll fix it later. "I'll fix it later" is a bit of a sketchy answer, because potentially that could be something that really is leaking and you may not be making a great choice, and so when this option is picked there's actually an additional security alert that goes out to the admins and folks who are looking after security in the team. So GitHub's figured out that we have some kind of high-entropy string or a secret, and what I'm going to do now is actually tell it.
So when the feature first launched, we looked at how do you turn this thing on, and we noticed that the functionality is enabled per repo, per organization or per enterprise, and definitely the thought that ran through our head was: are we really, potentially, one click away from just turning this on for everyone and being protected? I don't think we really believed it. So we tried it on a repo, because the thing we were afraid of is, well, what's this going to do to the developer flow? Like, if I turn this on and I'm just doing everyday work, what changes for me? It's one of the first features we'd seen from GitHub that operated this way, but, like I said, it's a non-blocking flow, and what's interesting is that when there's no secret in the flow, the developer doesn't see anything different: git commit, git push just works. And so once we did that test, we thought, well, maybe there might still be some complaints, but we actually took the jump.
We turned it on for the entire enterprise. We enabled this across 8,000 repos for nearly 5,000 developers, and we have not had a single complaint about this workflow as we have watched the numbers tick up on cases where we're being protected and we were not before. I had this extremely high confidence from what we'd seen in our repo demonstration and also our ability to turn this off quickly, and once again we get back to blast radius: this idea that if I was wrong, with my gut feel, my assumption and what I'd seen, I could get this back out of the system just as quickly as it was put in. This was all done in a single day, from hearing about the feature, reading the blog post, giving it a try in a test repository and, from the admin panel, turning this on across the enterprise. I implore you to think about adoption at the enterprise level.
If you're going to assign someone a problem like, hey, what is the next great thing in internet that we could do in Canada? What's the next great thing in virtual healthcare? You want to free up as much of someone's brain to focus on valuable and novel problem solving, and if you're cluttered up with what forms I need to fill in, what processes I need to follow and more of that knowledge that you have in a system, you're gumming up the works of getting innovative code out of people.

So much code is stored on GitHub, so many open source communities are talking and discussing on GitHub, and so the context switching is minimal versus us having a competitor solution that is maybe on-prem or unhooked. We would have to be context switching to GitHub anyway for all the amazing libraries that we're working with and interacting with on a daily basis. I pick GitHub by choice every day, because I think it's a great place to get work done, and so having that be where I'm doing my work at Telus, it just makes sense.
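Added example (not code from the talk, and not TELUS's or GitHub's tooling): two things the talk describes in prose are the "command center" view of a dependency problem such as log4j (which repos are affected, at what vulnerable range, whether a fix is published, worked critical first) and turning on secret scanning push protection per repo or in one step for a whole organization. The script below does both offline. The alert field names follow the GitHub REST API's Dependabot alerts endpoint as understood here, and the push-protection endpoints (PATCH /repos/{owner}/{repo} with a security_and_analysis body, POST /orgs/{org}/secret_scanning_push_protection/enable_all) are likewise assumptions to check against current docs; the organization, repository names, alert numbers and version ranges in the sample payload are constructed for illustration.

```python
"""GitHub as a security command center: triage Dependabot alerts and plan a
push-protection rollout. Added example, not code from the talk or from TELUS."""
import json
from typing import Any

# Severity order for triage: most severe first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample resembling GET /orgs/{org}/dependabot/alerts. Field names
# follow the GitHub REST API as understood here (an assumption to verify
# against current docs); the org, repo names, alert numbers and ranges are
# made up for illustration.
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 7, "state": "open",
     "dependency": {"package": {"ecosystem": "maven", "name": "org.apache.logging.log4j:log4j-core"},
                    "manifest_path": "pom.xml"},
     "security_advisory": {"cve_id": "CVE-2021-44228", "severity": "critical"},
     "security_vulnerability": {"vulnerable_version_range": ">= 2.0-beta9, < 2.15.0",
                                "first_patched_version": {"identifier": "2.15.0"}},
     "repository": {"full_name": "example-org/billing-api"}},
    {"number": 3, "state": "open",
     "dependency": {"package": {"ecosystem": "maven", "name": "org.apache.logging.log4j:log4j-core"},
                    "manifest_path": "services/ingest/pom.xml"},
     "security_advisory": {"cve_id": "CVE-2021-44228", "severity": "critical"},
     "security_vulnerability": {"vulnerable_version_range": ">= 2.0-beta9, < 2.15.0",
                                "first_patched_version": {"identifier": "2.15.0"}},
     "repository": {"full_name": "example-org/ingest-pipeline"}},
    {"number": 12, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "example-left-pad"},
                    "manifest_path": "package-lock.json"},
     "security_advisory": {"cve_id": None, "severity": "low"},
     "security_vulnerability": {"vulnerable_version_range": "< 1.3.0",
                                "first_patched_version": None},  # no fix published yet
     "repository": {"full_name": "example-org/web-portal"}},
    {"number": 2, "state": "dismissed",  # already triaged; must not show up again
     "dependency": {"package": {"ecosystem": "pip", "name": "example-yaml"},
                    "manifest_path": "requirements.txt"},
     "security_advisory": {"cve_id": None, "severity": "high"},
     "security_vulnerability": {"vulnerable_version_range": "< 5.4",
                                "first_patched_version": {"identifier": "5.4"}},
     "repository": {"full_name": "example-org/web-portal"}},
])


def triage(alerts_json: str, state: str = "open") -> list[dict[str, Any]]:
    """Flatten raw alerts into rows, keep only alerts in `state`, sort critical -> low."""
    rows = []
    for alert in json.loads(alerts_json):
        if alert["state"] != state:
            continue
        vuln = alert["security_vulnerability"]
        patched = vuln.get("first_patched_version") or {}
        rows.append({
            "repo": alert["repository"]["full_name"],
            "package": alert["dependency"]["package"]["name"],
            "manifest": alert["dependency"]["manifest_path"],
            "severity": alert["security_advisory"]["severity"],
            "cve": alert["security_advisory"].get("cve_id"),
            "vulnerable_range": vuln["vulnerable_version_range"],
            "fix_available": bool(patched.get("identifier")),
            "fixed_in": patched.get("identifier"),
        })
    # Unknown severity labels sort last instead of crashing the triage run.
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 99), r["repo"]))
    return rows


def repos_affected_by(rows: list[dict[str, Any]], package_fragment: str) -> dict[str, list[str]]:
    """Scope of one problem across the org: repo -> manifests that pull in the package."""
    scope: dict[str, list[str]] = {}
    for r in rows:
        if package_fragment in r["package"]:
            scope.setdefault(r["repo"], []).append(r["manifest"])
    return scope


def push_protection_requests(org: str, repos=(), org_wide: bool = False) -> list[tuple]:
    """Build the REST calls that turn on secret scanning push protection.

    Endpoints assumed from the GitHub REST API (verify against current docs):
      PATCH /repos/{owner}/{repo}  body: security_and_analysis.secret_scanning_push_protection
      POST  /orgs/{org}/secret_scanning_push_protection/enable_all
    Returned as (method, path, body) so the rollout can be reviewed first and
    reverted by sending the same PATCH with "disabled".
    """
    if org_wide:
        return [("POST", f"/orgs/{org}/secret_scanning_push_protection/enable_all", None)]
    body = {"security_and_analysis": {"secret_scanning_push_protection": {"status": "enabled"}}}
    return [("PATCH", f"/repos/{full_name}", body) for full_name in repos]


if __name__ == "__main__":
    open_rows = triage(SAMPLE_ALERTS_JSON)
    for r in open_rows:
        print(f'{r["severity"]:8} {r["repo"]:28} {r["package"]} {r["vulnerable_range"]} '
              f'fix={r["fixed_in"] or "none yet"}')
    print("log4j-core scope:", repos_affected_by(open_rows, "log4j-core"))
    for req in push_protection_requests("example-org", [r["repo"] for r in open_rows]):
        print(req)
```

The dismissed alert is dropped from the triage, the two critical log4j-core alerts come out first with the patched version to target, and the npm alert with no published fix is kept visible with fix_available false rather than silently skipped, which is the case where a team has to decide on a workaround instead of waiting for an auto PR. Sending the generated requests needs an authenticated client with security-manager or admin permissions; that part is deliberately left out so the plan can be reviewed before anything changes.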