Secure Development
Extending GitHub to meet your Open Source Policy
Jamie Jones (@jbjonesjr)
GitHub Solutions Lead, Public Sector
• GitHub for two and a half years
• Previously Developer, Technical Lead & Configuration Manager with security-conscious Federal agencies
• Casual Open Source enthusiast
• Former Colonial Reenactor
Not just open source code but public development
GitHub + Secure Workflows = Secure Development
❖ GitHub ❖ Hosting ❖ Features
❖ Workflow ❖ GitHub Flow ❖ Compliance
❖ Extend ❖ GitHub API ❖ Probot
Hosting
GitHub
Team
Includes: Organization account
• Unlimited public repositories
• Unlimited private repositories
• Team and user permissions

Business
Hosted on GitHub.com
• Organization account
• SAML single sign-on
• User provisioning
• 24/5 support with 8-hour response time
• 99.95% Uptime SLA

GitHub Enterprise
Host on your servers, AWS, Azure, or GCP
• Multiple organizations
• SAML, LDAP, and CAS
• User provisioning
• 24/7 support for urgent issues
• Advanced auditing
• Uptime SLA
• Top-Tier Support
GitHub Hosted
Corporate Identity Provider
GitHub for Business, Hosted
Rich Logging/Audit
Organization Support
Your Environment
Corporate Identity Provider
GitHub Enterprise
Security features built-in
GitHub
Pull Requests and Code Review
• Collaborative
• Code & human activity
• Code Review built-in
• Quick reactions
• Rich text markup
• Audit & traceability
Code Review as assistance
Code Review as documentation
Restrict with required approvals
Status Checks tracking history
Securing your project’s dependencies
• Code Review
• Unit/Integration testing, Static Code Analysis support
• Audit and traceability
• Dependency Protection
• Secret publishing prevention
• Configuration Manager approvals
• More 👀
GitHub has Security built in
Workflow
GitHub Flow
GitHub Flow
• Continuous Delivery
• Collaboration (DevOps? DevSecOps?): end-to-end automation enabled across environments
• Automate Quality and Security Testing
• Integrations and solutions for not just code
• Repeatable and Dependable
• Supports long-running changes and zero-day patching
Improving quality with GitHub Flow
Minimizing Information imbalance
Code Review as security checks
Identifying Regular Expressions that might not lead to the expected validations.
Workflow preventing merges
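An added example, not from the slides, of the regular-expression defect a reviewer is looking for in the "Code Review as security checks" step: two validators that both intend "exactly a 4-digit PIN", one unanchored and one hardened, plus a small comparison helper over constructed probe inputs. All function and variable names here are my own.

```javascript
// Added example (not from the slides): the kind of regular-expression defect a
// reviewer should flag. Both validators intend "exactly a 4-digit PIN".

// Weak: unanchored, so the pattern matches anywhere inside the input, and
// RegExp.test() coerces non-strings (an array ['1234'] becomes '1234').
function isPinWeak(input) {
  return /\d{4}/.test(input);
}

// Hardened: reject non-strings up front, anchor both ends, and use an explicit
// ASCII class. In JavaScript, $ does not match before a trailing newline, so
// '1234\n' is rejected as well.
function isPin(input) {
  if (typeof input !== 'string') return false;
  return /^[0-9]{4}$/.test(input);
}

// Constructed probe values: the valid case, plus the inputs that slip past an
// unanchored pattern (extra digits, surrounding text, trailing newline, coercion).
const PROBES = ['1234', '12345', 'abc1234', '1234\n', '', ['1234']];

// Review aid: run both validators over the probes and tabulate the results.
function compareValidators(probes = PROBES) {
  return probes.map(p => ({ input: p, weak: isPinWeak(p), hardened: isPin(p) }));
}

// Only the rows where the two validators disagree; each one is an input the
// weak validator would have accepted incorrectly.
function disagreements(probes = PROBES) {
  return compareValidators(probes).filter(r => r.weak !== r.hardened);
}
```

Running `disagreements()` returns four rows ('12345', 'abc1234', '1234\n' and the array), which is the list a reviewer would paste into the pull request comment when asking for the anchors and the type check.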
Workflow
Compliance
• What code is running in production?
• Do you have traceability from testing to deployment?
• Can you better integrate security and processes without impacting developer velocity?
• How do you document your change management process today?
It’s not about eliminating risk, it’s managing it
Let’s talk about compliance
NIST 800-53   ISO 27001
IA-3,4,5      A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.3
AU-6,12       A.12.4.1, A.12.4.3, A.16.1.2, A.16.1.4
SC-2,5,6,8    A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
SA-10,11      A.12.1.2, A.14.2.2, A.14.2.4, A.14.2.7, A.14.2.8
RA-5          A.12.6.1
Project Boise
ATO in an Instant
Safer Software Sooner
ATO in a Day
Extend GitHub
Identify process (and automate)
Extend GitHub
API Introduction
REST API   WebHooks   GraphQL   SDK   GitHub Apps
Extend GitHub
Probot
Probot is a bot framework for GitHub. It’s the glue for interacting with GitHub, and everything else…
https://probot.github.io
https://probot.github.io/probot/latest/index.html
Probot enables
• Webhook & event
registration
• GitHub authentication &
integrated SDK via secure
GitHub Apps
• Simplified API interaction
with syntactical sugar
module.exports = function (robot) {
  robot.on('issues.opened', async context => {
    // Get template from the repository
    const data = await context.github.repos.getContent(
      context.repo({ path: '.github/ISSUE_REPLY_TEMPLATE.md' })
    )
    // Contents come back base64-encoded; Buffer.from replaces the deprecated new Buffer()
    const template = Buffer.from(data.content, 'base64').toString()
    // Reply with the contents of the template
    return context.github.issues.createComment(context.issue({ body: template }))
  })
}
Autoresponder app
https://github.com/probot/autoresponder/
4 Lines of code
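The autoresponder shows the Probot shape (register an event, call the API through the context). The following is an added example, not from the slides or the probot project, that uses the same shape for one of the security items listed earlier: "Secret publishing prevention" reported as a status check so that a branch protection rule can prevent the merge. The status context name `policy/secret-publishing`, the filename patterns, the sample pull request and the client method names (`pullRequests.listFiles`, `repos.createStatus`, as exposed by the @octokit/rest client of that era) are my assumptions; the offline harness at the end stands in for Probot's router and the GitHub client so the app can be exercised without an installation.

```javascript
// Added example, not from the slides or the probot project: a Probot-style app
// that publishes a "no credential-like files" decision as a commit status.
// Assumed API shape: robot.on(), context.payload, context.repo(),
// context.github.pullRequests.listFiles(), context.github.repos.createStatus().

// Filename patterns that commonly hold credential material. Constructed list;
// tune it to your own policy.
const SENSITIVE_PATTERNS = [
  /(^|\/)\.env(\.[^/]+)?$/,              // .env, .env.production
  /\.(pem|key|p12|pfx)$/i,               // private keys and keystores
  /(^|\/)id_(rsa|dsa|ecdsa|ed25519)$/,   // SSH private keys
  /(^|\/)credentials(\.json)?$/i,        // cloud credential files
];

// Pure policy decision over the PR's changed files. Deleted files are ignored,
// because removing a secret is exactly the change we want merged.
function evaluateFiles(files) {
  const flagged = files
    .filter(f => f.status !== 'removed')
    .map(f => f.filename)
    .filter(name => SENSITIVE_PATTERNS.some(re => re.test(name)));
  if (flagged.length === 0) {
    return { state: 'success', description: 'No credential-like files in this PR', flagged };
  }
  // GitHub caps status descriptions at 140 characters.
  const description = `Credential-like file(s): ${flagged.join(', ')}`.slice(0, 140);
  return { state: 'failure', description, flagged };
}

// The app: subscribe to PR events and set the decision as a status on the head
// commit, under a fixed context name that branch protection can require.
function app(robot) {
  robot.on(['pull_request.opened', 'pull_request.synchronize'], async context => {
    const pr = context.payload.pull_request;
    const { data: files } = await context.github.pullRequests.listFiles(
      context.repo({ number: pr.number })
    );
    const result = evaluateFiles(files);
    return context.github.repos.createStatus(context.repo({
      sha: pr.head.sha,
      state: result.state,
      context: 'policy/secret-publishing',
      description: result.description,
    }));
  });
}

// Offline harness: stand-ins for Probot's event router and the GitHub client.
// Returns the status payload the app would have sent to GitHub.
async function simulate(changedFiles) {
  const handlers = {};
  const robot = {
    on: (events, fn) => [].concat(events).forEach(e => { handlers[e] = fn; }),
  };
  app(robot);
  const sent = [];
  const context = {
    payload: { pull_request: { number: 7, head: { sha: 'deadbeef' } } }, // constructed
    repo: extra => Object.assign({ owner: 'example-org', repo: 'example-repo' }, extra),
    github: {
      pullRequests: { listFiles: async () => ({ data: changedFiles }) },
      repos: { createStatus: async params => { sent.push(params); return { data: params }; } },
    },
  };
  await handlers['pull_request.synchronize'](context);
  return sent[0];
}

// Constructed sample PR: a source change, an accidentally committed key, and a
// cleanup that deletes an old .env file.
const SAMPLE_FILES = [
  { filename: 'src/server.js', status: 'modified' },
  { filename: 'config/deploy.pem', status: 'added' },
  { filename: 'old/.env', status: 'removed' },
];

if (typeof module !== 'undefined') module.exports = app; // Probot loads the app via module.exports
```

With `simulate(SAMPLE_FILES)` the status sent is `failure` for `config/deploy.pem` only; the deleted `.env` is not counted. To make it enforce anything, add `policy/secret-publishing` to the required status checks of the protected branch, so the merge button stays disabled until a new push clears it.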
Open Shift Branches
https://github.com/jbjonesjr/probot-openshift-github-branches
A Probot app that uses the existing GitHub and OpenShift APIs to build a best-of-breed integration.
https://probot.github.io
Environments: development → test/qa → production (A|B Testing)
Continuous Delivery with GitHub and OpenShift
Upcoming Webinar : November 14th, 2017
EXTENDING WITH GITHUB: EASY INTEGRATIONS WITH PROBOT
https://githubuniverse.com
KEEP YOUR PROJECTS SECURED WITH THE DEPENDENCY GRAPH & SECURITY ALERTS