Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitHub / GitHub Universe 2022 - Security / 21 Nov 2022
GitHub / GitHub Universe 2022 - Security / 21 Nov 2022
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Advanced security with novice skills - Universe 2022

Description

Presented by: Justin Watts

This talk will cover how TELUS reduced security threats and incidents overnight with Github Advanced Security.

As always, feel free to leave us a comment below and don't forget to subscribe: http://bit.ly/subgithub

Thanks!

Connect with us.
Facebook: http://fb.com/github
Twitter: http://twitter.com/github
LinkedIn: http://linkedin.com/company/github

About GitHub
GitHub is the best place to share code with friends, co-workers, classmates, and complete strangers. Millions of people use GitHub to build amazing things together. For more info, go to http://github.com

A

Foreign.

A

I have always lived by the Mantra reduced, toil, increase happiness and gets done, and for me you know that really culminates in Building Technology, that's going to impact people's lives and my favorite job I found so far is building platforms and Technologies for developers at companies.

A

My name is Justin. I live in the mountain town of Nelson, I like to build very large fire, breathing art cars and I. Also have this awesome dog named Hannibal, she's, nine and when I'm not doing all those fun things I'm. Actually, the director of engineering at Telus, working on developer platforms, the motivating factor of my job is that I don't think the technology itself is the most interesting thing.

A

It's how that technology can impact our colleagues and essentially your life as a human and the actual hard problem we are dealing with is how do we help our colleagues keep up with change? How do we consume it in such a way that we're able to master it Telus is an unbelievably large Enterprise. It is primarily known for its telecommunications. It brings Fiber Optic internet across Canada, one of the first providers to do so.

A

It is a cell provider and a wire align provider connecting millions of Canadians across the country so that they can talk to loved ones and work from anywhere.

A

Canada is the second largest country in land mass, but has a population smaller than that of California, and the entirety of England could fit in one of our national parks.

A

You have logistical problems of how do you actually connect people in remote rural communities at the same level that you would expect in a city we're dealing with heterogeneous systems on GitHub? We definitely do worry about people fragmenting so much that they can't come back in and I. Take that actually, as my primary responsibility, I, don't think being homogeneous for the sake of being homogeneous is great for a developer, because, once again, that's bureaucracy, that's stifles Innovation and instead, as the platform team I, ask myself the question: why does developer want to do B?

A

What are we missing from a? What are they seeing and B that I don't have and my goal when I build a platform? Is that I want to be rated on our adoption and the way you do? That is someone's got to see value in what you're building. So to me, that's that's the problem, and that's that that's my whole job GitHub is also interesting because we can go look at what languages are being used. I know the exact moment we had our first Rush Library show up the exact moment.

A

We had our first go, Library show up and it showed me what people were looking at getting into solving or interested in solving and by supporting rust early on we'd, be able to Shepherd them in and get them to same value that our Java developers were getting and so being able to constantly strategically look at the landscape via a lot of the views that GitHub provides. Lets me get ahead and ensure that our platform can support the most amount of people.

A

And now, thanks to GitHub I'm using GitHub actions in our modern deployment flows, we are able to make a release of code that potentially is only actually visible to the team working on it. When we talk about homogenizing Technologies things that bring people together, it seems a bit like a cop-out for many Enterprises, because everything's easier. If everyone does the same thing, so it's really important to note how GitHub is both a heterogeneous and homogeneous platform for us.

A

Github is extremely low opinion, whether we are programming in Java python JavaScript, whether we are working in a monolith or a micro service environment, whether we're working with one person or 100 people in a team GitHub supports our opinions. So when we actually want to use our security teams best insights, our goal is: how can we keep our entire company safe use the knowledge of our leading experts without having everyone have to come on that Journey with us to also become a security expert?

A

Why GitHub is so important as a security layer to have security features? Is that is the first point at which code leaves someone's laptop and enters our environment? Being able to catch a threat before it has been introduced to the Enterprise means we get to actually work on that threat. Without an incident being open, we can put that into the developer flow.

A

But, conversely, when we're talking about something that is a threat that is introduced not via our code but let's say a dependency, for example, log for J we're able to use GitHub, Advanced security to centrally look at the scale and scope of a problem. In our Enterprise in particular, with log4j via dependabot. We were able to see immediately exactly what repos were affected and exactly what version they were on and amazingly using dependabot's Auto PR feature.

A

We were able once there was a fix published in a new Branch push that pull request to every single available repo in the organization and dependabot provides the instructions for how to merge it. How to take that change in and mitigate the issue, and so when we look at joining GitHub from a repository perspective, we're bringing in a lot of existing code and what's great about dependabot, is we're able to actually choose kind of what to pay attention to what is important.

A

So in the cases that we're dealing with an internal repository that initial dependabot scam will, let us know what from our libraries do. We need to be worried about high medium, low and critical and we address them in that order. Anytime, we see a critical alert. We depend on dependabots information. It provides us on what is the risk? How do we fix this, and is there a fix available when we train our teams to listen to dependabot, as if it's another team member and we really love the functionality that it auto generates a pull request?

A

That pull request? Has the steps in it for what's needed to be done to do the remediation, so we feel safe turning this on at scale across all repositories, so we're able to use GitHub as a command center to look at the scope of that issue. See how it was being addressed and consumed in the Enterprise, because what we've shifted from is the Walled Garden. The idea of being in the building is what keeps you safe to. We need to operate over the Internet.

A

We need to assume everyone is always trying to look at what we're building everyone's always trying to break in. We can safely unlock being able to work on our code anywhere in the world, while not actually reducing and in many cases, actually having a higher security standard than we ever had so GitHub Advanced security without a shadow of a doubt, is the most exciting thing for me as an engineering leader in terms of my ability to have confidence, go up with minimum need for human change.

A

You know the best part about living in Nelson, British Columbia is means this house isn't my only office I've actually got a remote office on the top of a mountain right there on Pulpit Rock. The holy grail for us is when we can turn something on that either.

A

Has the education built in or doesn't increase the cognitive load on the developer and simply just works in the background, without any change in developer behavior and increases our performance, security and reliability and get up Advanced security, particularly this year with the launch of push protection, it's really pushing into that territory where the product just works, and we don't need the developer to change their workflow or understand and increase their complex security landscape to stay safe. When we were looking at push protection, we were worried about.

A

How are we going to enable this for every single team because our fear was? Are we introducing a blocking process? Sure we may be more secure, but if all of a sudden, you can't push code because it's found a secret and you have to reach out to us and get remediation help, and you don't know why this change is coming up.

A

It would mean we'd need to do huge amounts of training campaigns, awareness campaigns before we even thought about turning this on for the internet, but when we did our demo internally with our own team, what blew our mind was: GitHub had found a way to do this as a non-blocking process.

A

So the way push protection works for us is a developer, maybe accidentally their SSH key is inside of their repo when they go to commit automatically GitHub will check and block the push and give you this custom URL that you can visit and the URL presents you with options. It says: hey, you know, we've detected something that we think is a secret. Is this a test?

A

Is this something that you're already aware of and don't need to fix, but also it's protected you that if you're, like oh gosh I, didn't mean to do that, you can pull that commit back out, pull that secret out reform the push and now not only have we really taught you in the flow. What you need to do, but you've actually mitigated this from becoming an incident you've handled it as part of the developer life cycle.

A

Push protection. It really is that idea of I've reduced the cognitive load I can trust that GitHub is going to keep me safe. I can trust that the security team's rules that they're caring about with their creativity are going to keep me safe and, if I happen, to make a mistake, it'll get caught and we'll be able to deal with it in a way that isn't going to be stressful right. Without that system, I may just be worried about introducing a new piece of code. I may be more inclined to modify an existing one.

A

I may be more inclined to do something less unique, something less risky, just because I'm afraid of the consequences, but the other thing you can do- and this is great for educating the system on what type of false positives or types of Secrets we have is a unique domain- is generated for each of these instances. Where we're able to say actually, you know what this is a token you're, not wrong, but it's used in tests or it's a false, positive or I'll fix it later.

A

I'll fix it later is a bit of a sketchy answer, because potentially that could be something that really is leaking uh and you may not be making a great choice, and so, when this option is picked, there's actually an additional security alert that goes out to the admins and folks are looking after Security in the team. So github's figured out that we have some kind of high entropy string or a secret, and what I'm going to do now is actually tell it.

A

You know what this is used in tests, don't worry about it and once we do that, we're going to be able to push again and github's going to accept it and I'm going to be able to finish up my work here and head home.

A

So when the feature first launched, we looked. How do you turn this thing on and we noticed that the functionality is enable per repo per organization or per Enterprise, and definitely the thought that ran through our head was? Are we really potentially one click away from just turning this on, for everyone and being protected and I? Don't think we really believed it. So we we tried it on a repo, because the thing we were afraid of is well.

A

What's this going to do to the developer flow like if I turn this on and I'm just doing everyday work. What changes for me and it's one of the first features we'd seen from GitHub that operated this way, but, like I, said it's a non-blocking flow and what's interesting, is that there's no secret in the flow developer doesn't see anything different, get commit, get push just works, and so once we did, that test, we thought. Well. Maybe there might still be some complaints, but we actually took the jump.

A

We turned it on for the entire Enterprise. We enabled this across 8 000 repos for nearly 5 000 developers, and we have not had a single complaint about this workflow as we have watched the numbers tick up on cases where we're being protected and we were not before but I had this extremely high confidence from what we'd seen in our repo demonstration and also our ability to turn this off quickly and once again, when we get back to blast radius.

A

This idea that if I was wrong, when my gut feel my assumption and what I'd seen I could get this back out of the system just as quickly as it was put in, and this was all done in a single day from hearing about the feature: reading the blog post, giving it a try in a test repository and from the admin panel. Turning this on across the Enterprise I implore, you to think about adoption at the Enterprise level.

A

So once again, if you're a small Dev shop with 5 10 people, it's really easy to use informal communication and say hey. We had a leak. Let's not have that again. Let's all agree we're going to adopt the same git commit hook, and we essentially can recreate GitHub Advanced security. Go.

A

Try do that in an Enterprise of 75 000 people go try to do that when you're accepting code from vendors that don't work for you go try to do that when you're taking in libraries from communities from outside of your company, it's a very hard problem. It becomes a human change management problem.

A

So if we can reduce that to a single click to turn that on for everyone, if we don't have to worry about adoption- and we can instead worry about configuration- we can worry about the rules that we're putting in that is once again toil reduced and time better spent.

A

If you're going to assign someone a problem like hey, what is the next great thing in Internet that we could do in Canada? What's the next great thing in Virtual Healthcare, you want to free up as much of someone's brain, to focus on valuable and novel problem solving and, if you're cluttered up with what forms I need to fill in what processes I need to follow and more of that knowledge that you have in a system. You're gumming up the works of getting Innovative code out of people.

A

So much code is stored on GitHub, so many open source communities are talking and discussing on GitHub and so the context switching is minimal versus us having a competitor solution that is maybe on-prem or unhooked. We would have to be context switching to GitHub anyway, for all the amazing libraries that we're working with and interacting with on a daily basis, I pick GitHub by choice every day, because I think it's a great place to get work done, and so having that be, where I'm doing my work at Telus, it just makes sense.