Go offline with the Player FM app!
Securing GitHub (Changelog Interviews #596)
Manage episode 424437830 series 1280399
Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, joins the show this week to talk about securing GitHub. From Artifact Attestations, profile hardening, preventing XZ-like attacks, GitHub Advanced Security, code scanning, improving Dependabot, and more.
Changelog++ members save 14 minutes on this episode because they made the ads disappear. Join today!
Sponsors:
- Socket – Secure your supply chain and ship with confidence. Install the GitHub app, book a demo or learn more
- Neon – Fleets of Postgres! Enterprises use Neon to operate hundreds of thousands of Postgres databases: Automated, instant provisioning of the world’s most popular database.
- Cronitor – Cronitor helps you understand your cron jobs. Capture the status, metrics, and output from every cron job and background process. Name and organize each job, and ensure the right people are alerted when something goes wrong.
- Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.
Featuring:
- Jacob DePriest – Twitter, GitHub
- Adam Stacoviak – Mastodon, Twitter, GitHub, LinkedIn, Website
- Jerod Santo – Mastodon, Twitter, GitHub, LinkedIn
Show Notes:
- Where does your software (really) come from?
- Keeping secrets out of public repositories
- GitHub Advanced Security
- Dependabot
- Introducing Artifact Attestations–now in public beta
- Software Bill of Materials (SBOM)
- 😶🌫️ Who in the world is Jia Tan?!
Something missing or broken? PRs welcome!
Chapters
1. This week on The Changelog (00:00:00)
2. Sponsor: Socket (00:01:46)
3. Let's talk GitHub security (00:05:28)
4. The responsibility of security (00:08:11)
5. Securing change of ownership (00:13:51)
6. Applying Attestation to XZ (00:16:39)
7. XZ-like attacks are scary (00:18:05)
8. The challenge of the defender (00:21:57)
9. Behind code scanning (00:28:40)
10. GitHub Advanced Security features (00:31:34)
11. Sponsor: Neon (00:33:40)
12. Dependabot signal vs noise (00:39:27)
13. Attestations from a maintainer's POV (00:40:42)
14. Attestation tracking the binary (00:43:52)
15. Attestation goes beyond SBOM (00:46:55)
16. Are SBOMs widely used? (00:48:42)
17. 45-ish minutes to AI! (00:49:29)
18. Proactive vs reactive security (00:54:41)
19. Sponsor: Cronitor (00:59:28)
20. AI red teams (01:00:58)
21. Jacob's security war stories (01:05:35)
22. Wave a magic security wand (01:10:57)
23. GitHub as a security centerpoint (01:14:04)
24. How to partner on security with GitHub (01:15:46)
25. Closing thoughts from Jacob (01:24:28)
26. Outro and what's next (01:26:45)
2175 episodes
Manage episode 424437830 series 1280399
Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, joins the show this week to talk about securing GitHub. From Artifact Attestations, profile hardening, preventing XZ-like attacks, GitHub Advanced Security, code scanning, improving Dependabot, and more.
Changelog++ members save 14 minutes on this episode because they made the ads disappear. Join today!
Sponsors:
- Socket – Secure your supply chain and ship with confidence. Install the GitHub app, book a demo or learn more
- Neon – Fleets of Postgres! Enterprises use Neon to operate hundreds of thousands of Postgres databases: Automated, instant provisioning of the world’s most popular database.
- Cronitor – Cronitor helps you understand your cron jobs. Capture the status, metrics, and output from every cron job and background process. Name and organize each job, and ensure the right people are alerted when something goes wrong.
- Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.
Featuring:
- Jacob DePriest – Twitter, GitHub
- Adam Stacoviak – Mastodon, Twitter, GitHub, LinkedIn, Website
- Jerod Santo – Mastodon, Twitter, GitHub, LinkedIn
Show Notes:
- Where does your software (really) come from?
- Keeping secrets out of public repositories
- GitHub Advanced Security
- Dependabot
- Introducing Artifact Attestations–now in public beta
- Software Bill of Materials (SBOM)
- 😶🌫️ Who in the world is Jia Tan?!
Something missing or broken? PRs welcome!
Chapters
1. This week on The Changelog (00:00:00)
2. Sponsor: Socket (00:01:46)
3. Let's talk GitHub security (00:05:28)
4. The responsibility of security (00:08:11)
5. Securing change of ownership (00:13:51)
6. Applying Attestation to XZ (00:16:39)
7. XZ-like attacks are scary (00:18:05)
8. The challenge of the defender (00:21:57)
9. Behind code scanning (00:28:40)
10. GitHub Advanced Security features (00:31:34)
11. Sponsor: Neon (00:33:40)
12. Dependabot signal vs noise (00:39:27)
13. Attestations from a maintainer's POV (00:40:42)
14. Attestation tracking the binary (00:43:52)
15. Attestation goes beyond SBOM (00:46:55)
16. Are SBOMs widely used? (00:48:42)
17. 45-ish minutes to AI! (00:49:29)
18. Proactive vs reactive security (00:54:41)
19. Sponsor: Cronitor (00:59:28)
20. AI red teams (01:00:58)
21. Jacob's security war stories (01:05:35)
22. Wave a magic security wand (01:10:57)
23. GitHub as a security centerpoint (01:14:04)
24. How to partner on security with GitHub (01:15:46)
25. Closing thoughts from Jacob (01:24:28)
26. Outro and what's next (01:26:45)
2175 episodes
所有剧集
×Welcome to Player FM!
Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.