Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow (PowerPoint PPT Presentation)


SLIDE 1

Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.

Verizon Media

March 13, 2019

SLIDE 2

Quick Intro

Ashley Wolf

Open Source Program Manager, Verizon Media

Twitter: @Meta_Ashley

SLIDE 3

Verizon Media Open Source Program Office

  • 7K: All engineering employees benefit from OSPO services
  • 330: Support tickets quarterly
  • 440: Active Open Source Projects published by Verizon Media
  • 25: GitHub organizations that we manage
  • 200+: Mobile and TV Applications that rely upon our services for compliance

SLIDE 4

What does an OSPO do?

  • Program Management
  • Community development
  • License inbound review
  • New project publication
  • Reviewing publication steps completed prior to publication
  • Reviewing the use of open source in our products and platforms
  • Promoting projects via blogs, podcasts, and speaking events
  • Supporting internal engineering groups with open source issues
  • Contributions to projects
  • Issue support and resolution
  • Compliance Management
  • Security Alerts: GitHub alerting us about vulnerable dependencies
  • Responsible for mobile and TV app compliance engineering and automation
  • Ensuring issues are addressed on our external repos
  • Reviewing contribution policies and CLAs

SLIDE 5

What’s an information security issue to an OSPO?

SLIDE 6

InfoSec people care about production issues

  • Bug Bounty
  • Code Scanning
  • Red/Blue teams, etc.

SLIDE 7

We’re talking about vulnerabilities that are in a published piece of code.

SLIDE 8

OSPOs need to care about security issues in their published code.

SLIDE 9

Good News, Bad News

GitHub can help. It’s limited and not designed for OSPOs, only for project owners.

SLIDE 10

Agenda

  • What GitHub does to help your companies’ open source security issues
  • Where the alerts and APIs fall short
  • A call for you to help develop a better solution

SLIDE 11

GitHub Provides Security Alerts

SLIDE 12

GitHub Security Alerts

https://github.blog/2017-11-16-introducing-security-alerts-on-github/

SLIDE 13

The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version

https://arxiv.org/abs/1808.09753

SLIDE 14

GitHub Email Alerts

SLIDE 15

Some of the problems that OSPOs will have

  • Opt-in only for private repos
  • Vulnerability Alerts API cannot turn on notifications
  • Email gives you only 10 repos in the daily digest
  • Not all project languages supported
  • No dashboard of alerts, including notification dismissal reasons
  • Not automated!

SLIDE 16

e.g.: The project owner ignores issues

SLIDE 17

Automating Security Workflow Project

SLIDE 18

Automate Security Workflow

SLIDE 19

Automating the Alert Workflow

SLIDE 20

Automate Security Workflow

Architecture diagram (recovered labels):

  • GitHub: Security Alerts and Dependency Graph, read through the GraphQL API v4
  • Screwdriver Cron Job
  • Raw DB of GitHub Alerts with CVE info
  • POCs on GitHub Projects and Related Info
  • JIRA API → JIRA Tickets
  • Email
  • Slack
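As an added example (not the talk's code and not the yahoo/GitHub-Security-Alerts-Workflow project's), here is the core of the "Raw DB of GitHub Alerts with CVE info" step in Python: the GraphQL v4 query a cron job would send, and a function that turns the response into one ticket record per repository and package, skipping alerts the project owner already dismissed and keeping the highest severity seen. The GraphQL field names are my reading of the v4 schema and should be checked against the live schema; the organization, repository names and CVE ids are constructed placeholders.

```python
# Added example, not the talk's own code or the yahoo/GitHub-Security-Alerts-Workflow project's:
# collapse a GitHub GraphQL v4 vulnerabilityAlerts response into one ticket per repo+package.
# Field names follow the v4 schema as understood here (an assumption); check the live schema.
SEVERITY_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}

# Query the cron job (Screwdriver in the talk) would POST to https://api.github.com/graphql.
ALERTS_QUERY = """query($org: String!) {
  organization(login: $org) { repositories(first: 50) { nodes {
    nameWithOwner
    vulnerabilityAlerts(first: 100) { nodes {
      dismissReason vulnerableManifestPath
      securityVulnerability {
        severity package { ecosystem name } firstPatchedVersion { identifier }
        advisory { summary identifiers { type value } } } } } } } } }"""

def alerts_to_tickets(response):
    """One ticket per (repo, package): skip dismissed alerts, merge manifests/CVEs, keep worst severity."""
    tickets = {}
    for repo in response["data"]["organization"]["repositories"]["nodes"]:
        for alert in repo["vulnerabilityAlerts"]["nodes"]:
            if alert["dismissReason"]:  # owner already triaged it; record dismissals in your own DB
                continue
            vuln = alert["securityVulnerability"]
            key = (repo["nameWithOwner"], vuln["package"]["name"])
            t = tickets.setdefault(key, {"repo": key[0], "package": key[1], "severity": "LOW",
                "ecosystem": vuln["package"]["ecosystem"], "fixed_in": None, "cves": set(), "manifests": set()})
            if SEVERITY_RANK[vuln["severity"]] > SEVERITY_RANK[t["severity"]]:
                t["severity"] = vuln["severity"]
            patched = vuln["firstPatchedVersion"]  # None when no fixed release exists yet
            t["fixed_in"] = t["fixed_in"] or (patched and patched["identifier"])
            t["cves"].update(i["value"] for i in vuln["advisory"]["identifiers"] if i["type"] == "CVE")
            t["manifests"].add(alert["vulnerableManifestPath"])
    return sorted(tickets.values(), key=lambda t: -SEVERITY_RANK[t["severity"]])  # worst first

def _alert(severity, eco, name, manifest, cve, fixed, dismissed=None):
    # Constructed alert node in the shape the query above returns (placeholder ids, not real data).
    return {"dismissReason": dismissed, "vulnerableManifestPath": manifest, "securityVulnerability": {
        "severity": severity, "package": {"ecosystem": eco, "name": name},
        "firstPatchedVersion": fixed and {"identifier": fixed},
        "advisory": {"summary": "constructed advisory", "identifiers": [
            {"type": "GHSA", "value": "GHSA-placeholder"}, {"type": "CVE", "value": cve}]}}}

SAMPLE_RESPONSE = {"data": {"organization": {"repositories": {"nodes": [
    {"nameWithOwner": "example-org/web", "vulnerabilityAlerts": {"nodes": [
        _alert("HIGH", "NPM", "lodash", "package.json", "CVE-0000-00001", "4.17.11"),
        _alert("CRITICAL", "NPM", "lodash", "tools/package.json", "CVE-0000-00002", "4.17.11"),
        _alert("HIGH", "NPM", "minimist", "package.json", "CVE-0000-00003", "1.2.3", "Not used at runtime")]}},
    {"nameWithOwner": "example-org/api", "vulnerabilityAlerts": {"nodes": [
        _alert("MODERATE", "PIP", "requests", "requirements.txt", "CVE-0000-00004", None)]}}]}}}}
```

Calling `alerts_to_tickets(SAMPLE_RESPONSE)` yields two records, lodash (CRITICAL, two CVEs, two manifests) first and requests (MODERATE, no fixed version yet) second; the dismissed minimist alert produces no ticket. The records are what the JIRA, email and Slack steps of the pipeline would consume.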

SLIDE 21

  • Repository Vulnerability Alert Event
  • Security Advisory Event

SLIDE 22

If you are in the audience or you work for GitHub, help us automate OSPOs’ workflows.

SLIDE 23

We’d love your help

  • Add automation for different solutions
    ○ JIRA
    ○ Email
    ○ Slack
  • Contribute GitHub security alerts to GHCrawler

Project: https://github.com/yahoo/GitHub-Security-Alerts-Workflow

SLIDE 24

Open Source has more potential to be secure

SLIDE 25

But that’s only if you take advantage of the information available in the open source community and patch vulnerable dependencies. And contribute back.

SLIDE 26

Thank You

  • Gil Yehuda, Verizon Media
  • Justin Hutchings, GitHub
  • Jamie Jones, GitHub
  • Jeff McAffer, Microsoft
  • James Siri, Amazon
  • Manikandan Subramaniam, Verizon Media
  • Henri Yandell, Amazon
  • Simon Maple, Snyk
SLIDE 27

Thank You

Ashley Wolf

Open Source Program Manager, Verizon Media

awolf@verizonmedia.com

Twitter: @Meta_Ashley

SLIDE 28

References

  • https://github.com/jamesiri/github-cve-report-poc
  • https://github.blog/2017-11-16-introducing-security-alerts-on-github/
  • https://help.github.com/en/articles/about-security-alerts-for-vulnerable-dependencies
  • https://arxiv.org/abs/1808.09753
  • https://github.com/microsoft/ghcrawler
  • https://www.oreilly.com/library/view/securing-open-source/9781491996980/ch01.html
  • https://www.emojione.com/emoji/v