Interviews | November 13, 2023

Some of the Best Security Decisions Happen Outside of the Security Team


Michael Hanley
CSO and SVP, Engineering

GitHub

Q1. You are responsible for all of GitHub security and all of GitHub engineering. What opportunities has that created for you and how have you leveraged those opportunities to improve both security and engineering practices at GitHub?

In today’s world, having a security team and an engineering team is table stakes – it’s how they work together that can make or break innovation at scale. The two must be inextricably linked as a part of the standard workflow, with security baked in from the earliest stages of product iteration. Too often, security teams are known as the “department of no,” or are brought into the fold when it’s already too late. The reality is that the best security work happens within engineering teams.

To this end, we’ve brought our security and engineering teams closer together, empowering our teams to rapidly innovate without compromising strong security or engineering velocity. This includes bringing security in earlier in the planning cycle and developing our own security solutions that are baked into the developer lifecycle in order to both improve product security and react quickly to new threats.

As the home of 100M developers and more than 420M total projects, underpinning the vast majority of the world’s software and applications, the work we do to secure our platform and the communities building on it can have a base level impact for the software development ecosystem. By bringing our teams closer together, we’ve ultimately developed a stronger security culture, closer integrations with engineering, and faster innovation to combat attacks from malicious actors.

Q2. You have talked previously about the need for organizations to democratize security. What exactly does that mean and why is it important for security leaders to foster such an environment?

Within a typical organization, security teams are siloed in their departments, addressing issues as they arise and implementing practices in the background, but rarely interacting with other teams outside of those instances. On the other side of that, engineering teams are shipping to meet their sprint deadlines and continue innovating, aware of security but viewing it as an afterthought. But as mentioned above, some of the best security decisions happen outside of the security team and making security easy and effective for everyone is close to my heart.

Within GitHub, we’ve aimed to make security understandable and manageable for all employees at all steps in the product development process, and even for teams outside of technical roles. For example, we’ve established a security partners model to foster pathways between the security team and developers, empathy, and a shared understanding of goals, which is especially crucial in times of crisis.

I firmly believe security culture eats security strategy for breakfast, and the culture companies curate will yield better returns than any strategy document over the long run. Democratizing security involves building a supportive company culture anchored in transparency and collaboration.

Q3. What does GitHub plan on highlighting at Black Hat Europe 2023? Are there any new plans, tools or strategies around security by design that GitHub plans to showcase?

GitHub has been at the forefront of bringing AI to individuals, teams, and enterprises alike, and security has never taken a backseat. Now we’re bringing the power of AI to GitHub Advanced Security with new AI-powered security features: code scanning autofix, secret scanning for generic secrets, and a regular expression generator for custom patterns.

  • Code scanning will propose AI-generated fixes right in the pull request, enabling developers to achieve faster fix times as they code.
  • Leaked passwords are challenging to detect, and as a result are unfortunately a common root cause of malicious attacks. We’re leveraging AI to detect generic or unstructured passwords, making it easier to detect potential leaks in developers’ code with low false positive rates.
  • With secret scanning, enterprises can now also auto-generate custom patterns with a new AI-powered experience, making it easier and faster to get the coverage they need to ensure their secrets are secure.

Too often security and velocity are thought of as opposing concepts, but it shouldn’t be a choice of one or another for development teams. With our new AI-powered security features, which are now in preview, we’re further enabling developers with AI at every step of the development process, ensuring security is built in, not bolted on.