Artwork

Content provided by Changelog Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Changelog Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Player FM - Podcast App
Go offline with the Player FM app!

Securing GitHub (Changelog Interviews #596)

1:29:38
 
Share
 

Manage episode 424437830 series 1280399
Content provided by Changelog Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Changelog Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, joins the show this week to talk about securing GitHub. From Artifact Attestations, profile hardening, preventing XZ-like attacks, GitHub Advanced Security, code scanning, improving Dependabot, and more.

Join the discussion

Changelog++ members save 14 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

  • Socket – Secure your supply chain and ship with confidence. Install the GitHub app, book a demo or learn more
  • NeonFleets of Postgres! Enterprises use Neon to operate hundreds of thousands of Postgres databases: Automated, instant provisioning of the world’s most popular database.
  • CronitorCronitor helps you understand your cron jobs. Capture the status, metrics, and output from every cron job and background process. Name and organize each job, and ensure the right people are alerted when something goes wrong.
  • Fly.ioThe home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.

Featuring:

Show Notes:

Something missing or broken? PRs welcome!

  continue reading

Chapters

1. This week on The Changelog (00:00:00)

3. Let's talk GitHub security (00:05:28)

4. The responsibility of security (00:08:11)

5. Securing change of ownership (00:13:51)

6. Applying Attestation to XZ (00:16:39)

7. XZ-like attacks are scary (00:18:05)

8. The challenge of the defender (00:21:57)

9. Behind code scanning (00:28:40)

10. GitHub Advanced Security features (00:31:34)

11. Sponsor: Neon (00:33:40)

12. Dependabot signal vs noise (00:39:27)

13. Attestations from a maintainer's POV (00:40:42)

14. Attestation tracking the binary (00:43:52)

15. Attestation goes beyond SBOM (00:46:55)

16. Are SBOMs widely used? (00:48:42)

17. 45-ish minutes to AI! (00:49:29)

18. Proactive vs reactive security (00:54:41)

19. Sponsor: Cronitor (00:59:28)

20. AI red teams (01:00:58)

21. Jacob's security war stories (01:05:35)

22. Wave a magic security wand (01:10:57)

23. GitHub as a security centerpoint (01:14:04)

24. How to partner on security with GitHub (01:15:46)

25. Closing thoughts from Jacob (01:24:28)

26. Outro and what's next (01:26:45)

2175 episodes

Artwork
iconShare
 
Manage episode 424437830 series 1280399
Content provided by Changelog Media. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Changelog Media or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.

Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, joins the show this week to talk about securing GitHub. From Artifact Attestations, profile hardening, preventing XZ-like attacks, GitHub Advanced Security, code scanning, improving Dependabot, and more.

Join the discussion

Changelog++ members save 14 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

  • Socket – Secure your supply chain and ship with confidence. Install the GitHub app, book a demo or learn more
  • NeonFleets of Postgres! Enterprises use Neon to operate hundreds of thousands of Postgres databases: Automated, instant provisioning of the world’s most popular database.
  • CronitorCronitor helps you understand your cron jobs. Capture the status, metrics, and output from every cron job and background process. Name and organize each job, and ensure the right people are alerted when something goes wrong.
  • Fly.ioThe home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.

Featuring:

Show Notes:

Something missing or broken? PRs welcome!

  continue reading

Chapters

1. This week on The Changelog (00:00:00)

3. Let's talk GitHub security (00:05:28)

4. The responsibility of security (00:08:11)

5. Securing change of ownership (00:13:51)

6. Applying Attestation to XZ (00:16:39)

7. XZ-like attacks are scary (00:18:05)

8. The challenge of the defender (00:21:57)

9. Behind code scanning (00:28:40)

10. GitHub Advanced Security features (00:31:34)

11. Sponsor: Neon (00:33:40)

12. Dependabot signal vs noise (00:39:27)

13. Attestations from a maintainer's POV (00:40:42)

14. Attestation tracking the binary (00:43:52)

15. Attestation goes beyond SBOM (00:46:55)

16. Are SBOMs widely used? (00:48:42)

17. 45-ish minutes to AI! (00:49:29)

18. Proactive vs reactive security (00:54:41)

19. Sponsor: Cronitor (00:59:28)

20. AI red teams (01:00:58)

21. Jacob's security war stories (01:05:35)

22. Wave a magic security wand (01:10:57)

23. GitHub as a security centerpoint (01:14:04)

24. How to partner on security with GitHub (01:15:46)

25. Closing thoughts from Jacob (01:24:28)

26. Outro and what's next (01:26:45)

2175 episodes

所有剧集

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Quick Reference Guide