))
Changelog Interviews: Securing GitHub
Manage episode 424438178 series 3506872
Content provided by interfluidity, subscribed podcasts. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by interfluidity, subscribed podcasts or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, joins the show this week to talk about securing GitHub. From Artifact Attestations, profile hardening, preventing XZ-like attacks, GitHub Advanced Security, code scanning, improving Dependabot, and more.
Changelog++ members save 14 minutes on this episode because they made the ads disappear. Join today!
Sponsors:
- Socket – Secure your supply chain and ship with confidence. Install the GitHub app, book a demo or learn more
- Neon – Fleets of Postgres! Enterprises use Neon to operate hundreds of thousands of Postgres databases: Automated, instant provisioning of the world’s most popular database.
- Cronitor – Cronitor helps you understand your cron jobs. Capture the status, metrics, and output from every cron job and background process. Name and organize each job, and ensure the right people are alerted when something goes wrong.
- Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.
Featuring:
- Jacob DePriest – Twitter, GitHub
- Adam Stacoviak – Mastodon, Twitter, GitHub, LinkedIn, Website
- Jerod Santo – Mastodon, Twitter, GitHub, LinkedIn
Show Notes:
- Where does your software (really) come from?
- Keeping secrets out of public repositories
- GitHub Advanced Security
- Dependabot
- Introducing Artifact Attestations–now in public beta
- Software Bill of Materials (SBOM)
- 😶🌫️ Who in the world is Jia Tan?!
Something missing or broken? PRs welcome!
Chapters
1. This week on The Changelog (00:00:00)
2. Sponsor: Socket (00:01:46)
3. Let's talk GitHub security (00:05:28)
4. The responsibility of security (00:08:11)
5. Securing change of ownership (00:13:51)
6. Applying Attestation to XZ (00:16:39)
7. XZ-like attacks are scary (00:18:05)
8. The challenge of the defender (00:21:57)
9. Behind code scanning (00:28:40)
10. GitHub Advanced Security features (00:31:34)
11. Sponsor: Neon (00:33:40)
12. Dependabot signal vs noise (00:39:27)
13. Attestations from a maintainer's POV (00:40:42)
14. Attestation tracking the binary (00:43:52)
15. Attestation goes beyond SBOM (00:46:55)
16. Are SBOMs widely used? (00:48:42)
17. 45-ish minutes to AI! (00:49:29)
18. Proactive vs reactive security (00:54:41)
19. Sponsor: Cronitor (00:59:28)
20. AI red teams (01:00:58)
21. Jacob's security war stories (01:05:35)
22. Wave a magic security wand (01:10:57)
23. GitHub as a security centerpoint (01:14:04)
24. How to partner on security with GitHub (01:15:46)
25. Closing thoughts from Jacob (01:24:28)
26. Outro and what's next (01:26:45)
143 episodes
Share
