This article was contributed by Erica Anderson of GitHub. It was originally published on the GitHub blog and is available in its entirety HERE.
We all play a role in securing the world’s code. No one company can solve things alone, including GitHub, which is why it is critical to combine the energies of teams, companies, and individuals that share a common interest in ensuring secure software development. A comprehensive security approach must leverage community knowledge and partner technologies for the best vulnerability coverage, deliver best-in-class integration and automation capabilities, and function as an enabler for innovation.
Still, security is often seen as the opposite–an obstacle to innovation. And keeping up with multiple solutions, multiple vendors, and conflicting results can add an additional challenge, resulting in loss of productivity and increased levels of risk. Securing the world’s code may sound daunting, but it doesn’t have to be. With three changes, here’s how your organization can contribute.
Start with your supply chain
Today 99 percent of all software projects consume open source. Incorporating open source dependencies reduces time to market, but brings inherited security risks. There’s a 71 percent increase in open source-related breaches in the last five years. Understanding your open source inventory and identifying risks is key to securing your supply chain.
Using lessons learned and community knowledge, it is possible to proactively identify security issues and automate security fixes at scale, minimizing distractions and removing obstacles to productivity for developer teams. “It is a key part of our vulnerability management strategy and acts as a force multiplier for our manual findings, offering us a creative solution in how we surface vulnerabilities. In one single instance, we were able to find 11 true variants of a bug, resulting in significant cost savings for our organization,” says Rob Fletcher, head of application security at Uber.
The open source community is an incredible one, and one that largely wants to develop secure code. Another option is to open your project (or part of your project) to the broader developer community to leverage minds from around the world. “Just by being open source and publicly visible on GitHub, we have developers who directly contact us with bugs,” says Gianluca Varisco, Chief Information Security Officer at Arduino.
Make sure your own code is secure
You can secure custom code and dependencies by empowering your developers with security solutions that work within the developer workflow. Traditional security tools bolted onto the development process can cause friction and add manual processes, but integrating them into the workflow can streamline development.
Thermo Fisher Application Security Manager, Keith Hoodlet, uses GitHub’s security solution that “integrates directly into the developer workflow, allowing our software engineers to focus on resolving issues in code they’ve written, and empowering individuals with the greatest knowledge of how the code is intended to function to address security and quality issues.” The earlier you’re able to get security feedback within context, fix security issues, and avoid larger disruptions closer to release, the more you’re able to improve productivity and speed–and save money, a true win-win.
By focusing on actionable and high priority security issues within the developer workflow, you can reduce risk, improve time-to-market, and increase developer productivity. It also enables development and security teams to collaborate on fixing the issues together. “Security is just as much the responsibility of the developers as it is of the security team: The sooner we can catch vulnerabilities and product issues, the better for the company in the long run,” says James Hurley, Director of Developer Services at McKesson.
Build security into your entire pipeline
Projects are only as secure as the software development lifecycle they are created in. By investing in organization-wide visibility and customizable governance and policies, you can effectively manage application security without slowing down business.
“We want to make sure that we have our security controls baked into our pipelines, all the way from the first line of code you’re writing,” says Miguel El Lakkis, Chief Information Security Officer at Dow Jones. By creating and enforcing policies that can govern security, you are able to have peace of mind and trust you’re developing secure software at every stage of the lifecycle.
Software powers virtually everything around us. At GitHub, we believe that security is a shared responsibility between developers, security professionals and businesses. To succeed, we must all contribute as individuals, organizations, and as a community. We can start by adopting and implementing solutions that secure the supply chain, custom code, and software lifecycle, creating a safer future everyone can trust.