Found means fixed: Addressing security debt at scale

Introduction to GitHub Advanced Security (0s)

• Brian Sullivan, the Director of Product for GitHub Advanced Security, and Britney O'Shea, a member of the GitHub Advanced Security team, introduce themselves. (0s)
• They express gratitude to the audience for joining the session. (11s)
• The discussion is set to cover GitHub Advanced Security, with an initial analogy related to buying a dream home to illustrate the concept. (17s)

Security Debt Explained (33s)

• Initially, everything appears perfect, but over time, minor issues such as a dripping faucet or a loose roof shingle begin to emerge. (33s)
• These problems seem insignificant and easy to postpone, leading to procrastination with the intention of addressing them later. (44s)
• As time passes, these small issues accumulate, and what were once minor problems become more widespread and significant. (55s)
• Eventually, fixing these accumulated issues becomes a substantial task that cannot be completed over a single weekend. (1m0s)

Vulnerability Backlogs (1m4s)

• A crisis arises when there is a lack of expertise to fix security issues, which can be difficult and expensive to address. (1m5s)
• Delaying the fixing of vulnerabilities in software development leads to a growing backlog of security debt, similar to how home repairs can compound over time. (1m24s)
• Applications are consistently the primary attack vector, and breaches are costly, making it challenging for organizations to manage security debt alongside other priorities. (1m47s)
• Many organizations face a significant amount of security debt with numerous vulnerabilities to address, but they lack the time and in-house expertise to do so efficiently. (1m59s)
• GitHub is committed to changing the narrative by integrating security with software development and using AI to ensure that a found vulnerability is promptly fixed. (2m14s)

GitHub's Vision: AI for Security (2m36s)

• GitHub has introduced over 100 enhancements to improve code security, including features like Copilot Secret Scanning. (2m36s)
• Copilot Secret Scanning is designed to detect unstructured secrets, expanding on the existing capability to identify structured secrets such as AWS or Azure keys. (2m42s)
• The tool has successfully prevented the leakage of more than 3.3 million secrets across 300 token types. (3m4s)
• Detecting generic passwords reliably is challenging due to the risk of false positives, which can burden teams with unnecessary sorting tasks. (3m16s)
• An interactive segment was introduced to engage the audience in distinguishing between true positives and false positives in password detection. (3m33s)

New Security Features Overview (4m16s)

• The text discusses the difficulty in distinguishing between suspicious strings that contain uppercase, lowercase, numbers, and symbols, which can appear as real strings. (4m16s)
• It highlights the challenge of identifying whether a string is a realistic password or just a placeholder, using real-world examples. (4m58s)
• The text emphasizes the limitations of conventional secret scanners, which often produce false positives that are hard to eliminate. (5m27s)
• Co-pilot is introduced as a tool that excels in minimizing false positive rates by understanding the context behind each secret, thus saving teams significant time and effort. (5m34s)

Real vs. Fake Password Game (5m58s)

• GitHub Advanced Security's co-pilot achieves the lowest false positive rate in the industry, with fewer than half the false positives of the next tool. (6m12s)
• The general availability of co-pilot secret scanning has been announced, allowing GitHub Advanced Security customers to detect leaked generic secrets across their organization. (6m26s)
• Co-pilot autofix for pull requests, which was previewed last year, is now generally available. It helps prevent the introduction of new security problems by providing suggestions for customizing and fixing code snippets. (6m55s)
• Co-pilot autofix is available for all advanced security customers and public repositories. (7m22s)

AI-Powered Secret Scanning (7m45s)

• The code discussed involves parsing arbitrary XML provided by a user, which poses security risks such as potential malicious XML with malformed inline DTD definitions that could lead to denial-of-service attacks or data theft from the server. (7m46s)
• Initially, a SQL injection attack was used as an example, but it was replaced with an XML external entity (XXE) attack for demonstration purposes. Despite SQL injection being prevalent and critical, the change was made following feedback from GitHub CEO Kyle Daigle. (8m25s)
• The demonstration highlights how CodeQL identifies an entity expansion attack in the code and alerts the developer. (9m23s)
• GitHub Copilot's autofix feature provides a significant advantage by not only alerting the developer to the vulnerability but also offering a specific code snippet to fix the issue, tailored to the developer's codebase. (9m46s)

Co-Pilot Autofix for Pull Requests (10m4s)

• Co-Pilot Autofix provides options to either commit suggested code fixes directly or edit them, offering significant time savings. This feature was previewed at Universe last year and is now generally available. (10m7s)
• Co-Pilot Autofix is effective for preventing new vulnerabilities at pull request time and addressing existing issues in the codebase. It provides customized guidance and code snippets for various vulnerabilities, such as code injection and SQL injection, allowing users to commit fixes directly. (10m28s)
• Both flavors of Co-Pilot Autofix, for pull requests and historic alerts, are available to advanced security customers and are free for public repositories. It supports all languages that CodeQL supports, including Java, JavaScript, C, C++, and Python. (11m43s)
• On average, developers fix vulnerabilities three times faster using Autofix compared to manual methods. For specific vulnerabilities like SQL injection, fixes are completed 12 times faster. (12m38s)
• The tool's impact is significant in changing how vulnerabilities are remediated, freeing up time for organizations. However, statistics do not fully capture the complexities teams face daily. (13m9s)
• Linda Fay, Director of Product Security at Asurion, was scheduled to discuss securing their extensive infrastructure with GitHub, but was unable to attend. Her colleague Eric will present on this topic. Asurion manages over 8,000 repositories, highlighting the scale challenges many organizations face. (13m36s)
• Features like Autofix are beneficial for scaling security efforts across numerous findings and repositories. Last year, improvements were made in detection with code security configurations and build analysis, and this year, the focus is on supporting remediation at scale. (14m29s)
• Security managers face challenges in prioritizing which vulnerabilities to address first, similar to deciding between fixing a potential roof collapse or an immediate electrical issue. (15m37s)

Security Campaigns for Priority Fixes (16m0s)

• A new feature called GitHub Advanced Security Campaigns is introduced to help prioritize and manage security vulnerabilities by focusing on the most critical issues. (16m1s)
• The feature allows users to filter vulnerabilities by repository, tool, rule, severity, or team, and create targeted campaigns to address specific security concerns. (17m15s)
• GitHub provides out-of-the-box campaigns to address critical alerts, known exploitable vulnerabilities, and common vulnerability classes, which can be customized with organization-specific context. (17m31s)
• Users can set deadlines for resolving security issues and assign a campaign manager to track progress, ensuring that teams are alerted to priority tasks. (18m1s)
• The campaigns feature includes autofix capabilities, allowing teams to automatically resolve vulnerabilities without manually tracing their origins, thus streamlining the process of addressing security debt. (18m51s)
• The implementation of these campaigns aims to reduce technical debt over time by efficiently managing and resolving security risks. (19m34s)
• A new feature called security campaigns for CodeQL has been introduced, which is supported by GitHub and is popular among users. (20m7s)
• CodeQL supports many popular programming languages, but there are some languages it does not currently scan, such as Ada, VB, and COBOL. (20m21s)
• GitHub provides extensibility for advanced security code scanning, allowing users to integrate any tool that outputs conforming SARIF, with results integrated into the GitHub developer experience. (20m42s)
• Users receive alerts for newly detected vulnerabilities and historical security debt in their codebase, and can create campaigns to address large amounts of systemic security debt. (21m2s)
• The concept of "found means fixed" is emphasized, highlighting the importance of remediation and ensuring GitHub is a platform where security issues are resolved. (21m29s)
• GitHub aims to be a platform where security issues are fixed regardless of the analysis tools used, and has announced the expansion of Copilot Autofix for partners. (21m52s)

Expanding Autofix Capabilities (22m0s)

• GitHub is introducing a public preview for Co-pilot Autofix integration with the open-source tool ESLint, with upcoming integrations planned for JFrog SAST and Black Duck's Polaris platform. (22m7s)
• Co-pilot Autofix aims to help developers not only find but also fix vulnerabilities faster and with less effort, integrating with a wide range of developer tools beyond just CodeQL. (22m31s)
• The vision for Co-pilot Autofix includes interfacing with various security tools to streamline workflows and improve security posture, with ongoing refinements and optimizations planned. (22m52s)
• A demonstration shows how ESLint, when integrated with Co-pilot Autofix, can identify problems in code and provide customized code snippets for fixes, which can be applied with a single button click. (23m18s)
• The Co-pilot Autofix for partner tools is currently in public preview, and developers using ESLint can try it out immediately, with plans to expand to more tools and partners soon. (25m8s)
• Developers and tool vendors are encouraged to reach out if they want to see Autofix capabilities for their preferred analysis tools, as GitHub is eager to expand its integrations. (25m31s)
• GitHub aims to be a central hub for remediation, where identifying an issue means it is automatically fixed. This is demonstrated through the integration of Copilot Autofix with CodeQL, partner tools, and open-source static analysis tools. (26m11s)
• The approach is being extended to supply chain security alerts, particularly through Dependabot, which detects vulnerable open-source packages and suggests updates. Most updates are minor and API compatible, but major updates can break builds due to incompatibility. (26m32s)
• Copilot Autofix for Dependabot is introduced to suggest code changes that handle breaking dependency updates, preventing the need for manual code rewrites or living with vulnerabilities. (27m25s)
• The Log4j vulnerability is used as an example of the challenges faced when dealing with major updates that are not API compatible. Copilot Autofix for Dependabot aims to simplify such situations by suggesting necessary code changes to maintain compatibility. (27m40s)
• In future scenarios with major breaking version updates, Autofix for Dependabot will facilitate updates by suggesting code changes, helping to prevent potential disasters from vulnerabilities being exploited. (28m48s)

Dependabot and Major Version Updates (29m0s)

• Dependabot can now handle major version updates quickly, similar to how it handles minor updates, allowing for faster resolution of vulnerabilities. (29m1s)
• An example is provided with TypeScript code using an outdated version of Lodash (3.10.1), which has many vulnerabilities. Dependabot suggests updating to a more secure version (4.7.21), but this version is not API compatible with the current one. (29m18s)
• Previously, updating to a new major version required manually identifying and fixing API incompatibilities in the codebase. Now, Copilot Autofix for Dependabot automates this process by suggesting code changes to refactor the code for the new API. (30m0s)
• This automation is particularly beneficial in urgent situations, such as critical security threats, as it saves significant time. (30m34s)
• Copilot Autofix for Dependabot is not limited to security updates; it can also assist with updating SDKs, changing components due to licensing issues, or switching to better-maintained packages. (30m58s)
• The feature is currently in private preview, and interested users can join the waitlist on GitHub. (32m4s)
• The introduction of AI tools like Copilot Autofix for Dependabot marks a new era in application security, helping developers build stronger and safer software. (32m46s)

Concluding Thoughts on AI Security (33m0s)

• Organizations are encouraged to adopt a mindset where identifying a security issue means it is promptly addressed, emphasizing the importance of proactive security measures. (33m1s)
• Options for enhancing security include enabling code security configurations and signing up for features like the Dependabot autofix. (33m3s)
• Attendees are invited to explore future sessions at the conference to gain insights from practitioners on utilizing GitHub Advanced Security. (33m14s)
• An upcoming session titled "Mission Co-pilot Autofix: Securing the World Software" will be presented by Nick and Nero at the Cwell Theater, promising engaging content. (33m25s)
• Gratitude is expressed to the attendees and the team for their efforts in securing software throughout the year. (33m40s)