Secure DevelopmentExtending GitHub to meet your Open Source Policy

Jamie Jones! @jbjonesjr

• GitHub for two and a half years• Previously Developer, Technical Lead &

Configuration Manager with Security-conscious Federal agencies.

• Casual Open Source enthusiast• Former Colonial Reenactor.

GitHub Solutions Lead, Public Sector

Not just open source codebut public development

GitHub + Secure Workflows= Secure Development

❖ GitHub ❖ Hosting ❖ Features

❖ Workflow ❖ GitHub Flow ❖ Compliance

❖ Extend ❖ GitHub API ❖ Probot

Hosting

GitHub

Team

Includes: Organization account

Unlimited public repositoriesUnlimited private repositoriesTeam and user permissions

Business

Hosted on GitHub.com

Organization accountSAML single sign-on

User provisioning24/5 support with 8-hour

response time

99.95% Uptime SLA

GitHubEnterprise

Multiple organizationsSAML, LDAP, and CAS

User provisioning24/7 support for urgent issues

Advanced auditing

Host on your servers, AWS,

Azure, or GCP

Uptime SLA

Top-Tier Support

GitHub Hosted

Corporate Identity Provider

GitHub for Business, Hosted

Rich Logging/Audit

Organization Support

Your Environment

Corporate Identity Provider

GitHub Enterprise

Security features built-in

GitHub

Pull Requests and Code Review

• Collaborative

• Code & human activity

• Code Review built-in

• Quick reactions

• Rich text markup

• Audit & traceability

Code Review as assistance

Code Review as documentation

Restrict with required approvals

Status Checks tracking history

Securing your project’s dependencies

• Code Review

• Unit/Integration testing , Static Code Analysis support

• Audit and traceability

• Dependency Protection

• Secret publishing prevention

• Configuration Manager approvals

• More 👀

GitHub has Security built in

WorkflowGitHub Flow

GitHub Flow

• Continuous Delivery

• Collaboration (DevOps? DevSecOps?) enabled end-to-end automation  across environments

• Automate Quality and Security Testing

• Integrations and solutions for not just code

• Repeatable and Dependable

• Supports long-running changes and zero-day patching

Improving quality with GitHubFlow

Minimizing Information imbalance

!

Code Review as security checks

Identifying Regular Expressions that might not lead to the expected validations.

Workflow preventing merges

WorkflowCompliance

• What code is running in production? • Do you have traceability from testing to deployment? • Can you better integrate security and processes without

impacting developer velocity? • How do you document your change management process

today?

It’s not about eliminating risk, it’s managing it

Let’s talk about compliance

NIST 800-53 ISO 27001

IA-3,4,5 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3

AU-6,12 A.12.4.1, A.12.4.3, A.16.1.2, A.16.1.4

SC-2,5,6,8 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3

SA-10,11 A.12.1.2, A.14.2.2, A.14.2.4, A.14.2.7, A.14.2.8

RA-5 A.12.6.1

Project Boise

ATO in an

Instant

Safer Software Sooner

ATO in a Day

Boise

Extend GitHub

Identify process (and automate)

Extend GitHubAPI Introduction

Rest API WebHooksGraphQL GitHub Apps

Rest API WebHooksGraphQL

SDK

GitHub Apps

Extend GitHubProbot

Probot is a bot framework for GitHub. It’s the glue for interacting with GitHub, and everything else…

https://probot.github.io

Rest API WebHooksGraphQL

SDK

GitHub Apps

https://probot.github.io/probot/latest/index.html

Probot enables

• Webhook & event

registration

• GitHub authentication &

integrated SDK via secure

GitHub Apps

• Simplified API interaction

with syntactical sugar

module.exports = function(robot) { robot.on('issues.opened', async context => { // Get template from the repository const data = await context.github.repos.getContent(context.repo({path: ‘.github/ ISSUE_REPLY_TEMPLATE.md'})); const template = new Buffer(data.content, ‘base64').toString(); // Reply with the contents of the template return context.github.issues.createComment(context.issue({body: template})); }); }

Autoresponder app

https://github.com/probot/autoresponder/

4 Lines of code

Open Shift Branches

https://github.com/jbjonesjr/probot-openshift-github-branches

A probot app that utilizes the existing GitHub and OpenShift APIs to build a best of breed integration.

https://probot.github.io

production

test/qa

development A|B Testing A|B Testing

Continuous Delivery with GitHub and OpenShift

Upcoming Webinar : November 14th, 2017

EXTENDING WITH GITHUB: EASY INTEGRATIONS WITH PROBOThttps://githubuniverse.com

KEEP YOUR PROJECTS SECURED WITH THE DEPENDENCY GRAPH & SECURITY ALERTS

Queue and Aye!

! @jbjonesjr

jbjonejr@github.com https://www.linkedin.com/in/jbjonesjr/