I attended a conference for the first time since the remote era and two things were very apparent: first, I am going to need to remember how to “people” again (I lost count of the number of times I embarrassed myself over those two days 😅) and second — and on a more serious note — security is more prevalent and at the forefront of people’s minds. I don’t think this is surprising given all of the different attacks happening on the digital front these days. From prevention of social engineering scams to emerging zero-day exploits, companies are trying to fight back and protect their customers. The good news is that building more secure applications has gotten easier. Liatrio has been working with GitHub Advanced Security (GHAS) and it is one of the ways we think companies can build safer and higher quality applications. Yes — this is the first in a series of blogs covering GHAS and the ways that it helps secure your apps; but we also think this is pretty cool stuff that could make your teams’ and your customers’ lives better. Lessgo!
GHAS is a set of extra security features designed to help improve the quality of your code on top of the standard security features GitHub already offers. These extra features include secret scanning, code scanning, and dependency review. Not to get too far ahead of the game here, but the final 3 parts of this series are deeper dives into each of these topics. These features do require that you have GHAS licenses for your org, but they are also available for free on public repos — kudos to GitHub for giving back to the Open Source community 💪. Check out the next 3 blogs for more details on each one.
I can already hear “Security is great, but it always slows us down” and I have to say, I get where you’re coming from, but so does GitHub. They’ve done a great job of building these tools in such a way that they work alongside your current flow rather than blocking it. For example, you can have multiple GitHub Actions workflows running in parallel, so a CodeQL scan can run alongside your existing build and test workflows (shameless plug here: check out our previous blog post on getting started with CodeQL and Actions specifically). Secret scanning, on the other hand, works behind the scenes with no workflow changes at all, and dependency review runs on pull requests, so it falls right in line with your workflow if you’re using the GitHub flow. Check out this example of dependency review catching vulnerabilities in a pull request 😱.
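To make the “runs alongside your existing flow” point concrete, here is an added example workflow (ours, not something from GitHub’s docs or this series) that runs a CodeQL scan and a dependency review on every pull request as their own jobs, so they execute in parallel with whatever build or test workflows the repo already has. It assumes a repo containing JavaScript and Python code; adjust the `matrix.language` list to match yours.

```yaml
# .github/workflows/ghas.yml (added example, not part of the original post)
name: GHAS checks

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Least privilege: only the permissions the two actions actually need.
permissions:
  contents: read
  security-events: write   # CodeQL uploads SARIF results to code scanning
  pull-requests: read      # dependency review reads the PR's manifest diff

jobs:
  codeql:
    name: CodeQL (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Assumed languages for this example repo; one parallel job each.
        language: [javascript, python]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      # Interpreted languages need no build step; compiled ones would
      # add an autobuild or explicit build step here.
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  dependency-review:
    name: Dependency review
    runs-on: ubuntu-latest
    # Only meaningful on pull requests: it diffs base vs. head manifests.
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Block the merge when a newly added dependency carries a
          # known vulnerability of high or critical severity.
          fail-on-severity: high
```

Because the two jobs are independent, a failing dependency review does not wait for the CodeQL matrix to finish, and neither one holds up the repo’s existing CI.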
I can hear the whispers: “this is great for developers, but how does it help security teams and admins?” First, there are plenty of policies and settings that can be set at the enterprise level, organization level, and repo level, so each tier gets the right amount of control. Second, plenty of data points get rolled up into the organization and enterprise levels, allowing security and admin teams to get a high-level view of what is happening below. Check out this example organization security overview:
The back and forth between developers and security teams can be distilled into “trust but verify.” For example, as a developer I can dismiss alerts and provide reasoning for the dismissal.
Seems like a lot of trust, but what about verify? An admin can go into the organization and run filters in the security tab to find out what has been happening across the repos in the org. The same filtering is also available at the repo level. For example, this filter checks for Dependabot alerts that have been closed with the resolution of tolerable-risk.
These are just some of the ways that GitHub has built a better ecosystem for teams to work together and build solid applications. The high-level view seems cool, right? Now that we’ve seen how it fits into your flow, let’s get into the details of how GHAS actually handles security. The next blogs will walk you through, in more detail, how code scanning, secret scanning, and dependency review (along with some other supply chain tools) work. See you there!