SlideShare a Scribd company logo

Code Security with GitHub Advanced Security

Download as PPTX, PDF
Luis Fraile
Luis Fraile

Move the security to the left during development can have a lot of challenges, as well as some pitfalls. With the tools of GitHub Advanced Security like, Dependabot, Secret Scanning or CodeQL we can start, step by step, security practices to the very first step in our developments.

Technology
1 of 15
# d o t N E T 2 0 2 3 Security + Github = Secure code best practices
C O L L A B O R A T O R S O R G A N I Z A T I O N # d o t N E T 2 0 2 3 G O L D S P O N S O R S
# d o t N E T 2 0 2 3 @lfraile lfraile@lfraile.net (Tenía foto de influencer según Unai Zorrilla así que la cambié por la de ciclista) Luis Fraile Help dev teams to deliver value
# d o t N E T 2 0 2 3 Q. Why is DevSecOps harder to adopt than DevOps?? A. Solutions aren't built for developers Security at the expense of usability comes at the expense of security.
# d o t N E T 2 0 2 3 Everyone wants to shift security left… Breach Production Test Q/A Build Development $ Millions $7,600 $960 $240 $80 Source: NIST, Ponemon Institute 2012 Remediation Costs SDLC Stages Security Shifting Left Breach Production Test Q/A Build Development
# d o t N E T 2 0 2 3 GitHub embeds security in the developer workflow Supply Chain Secret Scanning Code Scanning Platform Security
# d o t N E T 2 0 2 3 Shift security left with developer-first tools Commit changes Submit Pull Request Update new branch merge into main Dependency Scanning: automatic CVE identification & remediation Secret Scanning: locate and invalidate exposed tokens Code Scanning: find & warn about risky patterns in code GHAS GHAS Detect and remediate vulnerabilities before new code is introduced to the main branch!
# d o t N E T 2 0 2 3 Secure the Supply Chain • Advisory database • Dependency graph • Dependabot alerts and updates
# d o t N E T 2 0 2 3 Secret scanning • Secret scanning scans your entire git history for API keys and credentials in your code • Push protection blocks pushes that contain secrets GitHub can identify with a <1% false positive rate
# d o t N E T 2 0 2 3 Preventing secret leaks on git push
# d o t N E T 2 0 2 3 • Code scanning displays static analysis results to developers as part of code review • CodeQL finds vulnerabilities with greater precision than other tools and is highly customizable Code scanning
# d o t N E T 2 0 2 3 Security information and event management (SIEM) Tool Integrations • Leverage GHAS API to stream vulnerability data into SIEM tool • Reference Work Books • Most Critical vulnerabilities • Mean Time to Remediate (MTTR) • Best/Worst Repositories • etc…
# d o t N E T 2 0 2 3 Security overview • Security overview provides data on security features across all your repos • Identify and drill down on areas of risk and determine overall security coverage
# d o t N E T 2 0 2 3 Demo time!
Thank you!

Recommended

How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and HowNotSoSecure Global Services
 
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Janusz Nowak
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
SBOM, Is It 42?
SBOM, Is It 42?SBOM, Is It 42?
SBOM, Is It 42?Bill Bensing
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevOps 101
DevOps 101DevOps 101
DevOps 101Ernest Mueller
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 

Recommended

How to Get Started with DevSecOps
How to Get Started with DevSecOpsHow to Get Started with DevSecOps
How to Get Started with DevSecOpsCYBRIC
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and HowNotSoSecure Global Services
 
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...
Continues Integration and Continuous Delivery with Azure DevOps - Deploy Anyt...Janusz Nowak
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
SBOM, Is It 42?
SBOM, Is It 42?SBOM, Is It 42?
SBOM, Is It 42?Bill Bensing
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DevOps 101
DevOps 101DevOps 101
DevOps 101Ernest Mueller
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachVMware Tanzu
 
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream Flow
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream FlowLearn from the Experts: Using DORA Metrics to Accelerate Value Stream Flow
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream FlowDevOps.com
 
Introducing DevOps
Introducing DevOpsIntroducing DevOps
Introducing DevOpsNishanth K Hydru
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...Edureka!
 
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Edureka!
 
intro to DevOps
intro to DevOpsintro to DevOps
intro to DevOpsMujahed Al-Tahle
 
Rapid Strategic SRE Assessments
Rapid Strategic SRE AssessmentsRapid Strategic SRE Assessments
Rapid Strategic SRE AssessmentsMarc Hornbeek
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsWeaveworks
 
Software Engineering - chp0- introduction
Software Engineering - chp0- introductionSoftware Engineering - chp0- introduction
Software Engineering - chp0- introductionLilia Sfaxi
 
Api observability
Api observability Api observability
Api observability Luca Mattia Ferrari
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
Devops
DevopsDevops
DevopsDaniel Fikre
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices Hendri Karisma
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
The Observability Pipeline
The Observability PipelineThe Observability Pipeline
The Observability PipelineTyler Treat
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...SlideTeam
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
Talking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionTalking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionDocker, Inc.
 

More Related Content

What's hot

Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachVMware Tanzu
 
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream Flow
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream FlowLearn from the Experts: Using DORA Metrics to Accelerate Value Stream Flow
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream FlowDevOps.com
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
 
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...Edureka!
 
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Edureka!
 
Rapid Strategic SRE Assessments
Rapid Strategic SRE AssessmentsRapid Strategic SRE Assessments
Rapid Strategic SRE AssessmentsMarc Hornbeek
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsWeaveworks
 
Software Engineering - chp0- introduction
Software Engineering - chp0- introductionSoftware Engineering - chp0- introduction
Software Engineering - chp0- introductionLilia Sfaxi
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices Hendri Karisma
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseTonex
 
The Observability Pipeline
The Observability PipelineThe Observability Pipeline
The Observability PipelineTyler Treat
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...SlideTeam
 

What's hot (20)

Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
 
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream Flow
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream FlowLearn from the Experts: Using DORA Metrics to Accelerate Value Stream Flow
Learn from the Experts: Using DORA Metrics to Accelerate Value Stream Flow
 
Introducing DevOps
Introducing DevOpsIntroducing DevOps
Introducing DevOps
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities[DevSecOps Live] DevSecOps: Challenges and Opportunities
[DevSecOps Live] DevSecOps: Challenges and Opportunities
 
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
What is DevOps | DevOps Introduction | DevOps Training | DevOps Tutorial | Ed...
 
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
Introduction to DevOps Tools | DevOps Training | DevOps Tutorial for Beginner...
 
intro to DevOps
intro to DevOpsintro to DevOps
intro to DevOps
 
Rapid Strategic SRE Assessments
Rapid Strategic SRE AssessmentsRapid Strategic SRE Assessments
Rapid Strategic SRE Assessments
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOps
 
Software Engineering - chp0- introduction
Software Engineering - chp0- introductionSoftware Engineering - chp0- introduction
Software Engineering - chp0- introduction
 
Api observability
Api observability Api observability
Api observability
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
Devops
DevopsDevops
Devops
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
 
Slide DevSecOps Microservices
Slide DevSecOps Microservices Slide DevSecOps Microservices
Slide DevSecOps Microservices
 
DevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps CourseDevSecOps Training Bootcamp - A Practical DevSecOps Course
DevSecOps Training Bootcamp - A Practical DevSecOps Course
 
The Observability Pipeline
The Observability PipelineThe Observability Pipeline
The Observability Pipeline
 
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
Devops Strategy Roadmap Lifecycle Ppt Powerpoint Presentation Slides Complete...
 

Similar to Code Security with GitHub Advanced Security

The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
Talking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionTalking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionDocker, Inc.
 
Open Source Security and ChatGPT-Published.pdf
Open Source Security and ChatGPT-Published.pdfOpen Source Security and ChatGPT-Published.pdf
Open Source Security and ChatGPT-Published.pdfJavier Perez
 
Continuous Security for GitOps
Continuous Security for GitOpsContinuous Security for GitOps
Continuous Security for GitOpsWeaveworks
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試Secview
 
Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningTamas K Lengyel
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineJames Wickett
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...James Anderson
 
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityHardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityWeaveworks
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryKenta Yamamoto
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrewLibbySchulze
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetessparkfabrik
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsDicodingEvent
 

Similar to Code Security with GitHub Advanced Security (20)

The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Talking TUF: Securing Software Distribution
Talking TUF: Securing Software DistributionTalking TUF: Securing Software Distribution
Talking TUF: Securing Software Distribution
 
Open Source Security and ChatGPT-Published.pdf
Open Source Security and ChatGPT-Published.pdfOpen Source Security and ChatGPT-Published.pdf
Open Source Security and ChatGPT-Published.pdf
 
Total E(A)gression defcon
Total E(A)gression defconTotal E(A)gression defcon
Total E(A)gression defcon
 
Continuous Security for GitOps
Continuous Security for GitOpsContinuous Security for GitOps
Continuous Security for GitOps
 
The Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
 
Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
 
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityHardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git History
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
Cncf checkov and bridgecrew
Cncf checkov and bridgecrewCncf checkov and bridgecrew
Cncf checkov and bridgecrew
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on KubernetesKCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
KCD Italy 2023 - Secure Software Supply chain for OCI Artifact on Kubernetes
 
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOpsTechTalk 2021: Peran IT Security dalam Penerapan DevOps
TechTalk 2021: Peran IT Security dalam Penerapan DevOps
 

More from Luis Fraile

GitHub Codespacescon .NET Core
GitHub Codespacescon .NET CoreGitHub Codespacescon .NET Core
GitHub Codespacescon .NET CoreLuis Fraile
 
Bilbostack 2020 - El camino de l a entrega en DevOps
Bilbostack 2020 - El camino de l a entrega en DevOpsBilbostack 2020 - El camino de l a entrega en DevOps
Bilbostack 2020 - El camino de l a entrega en DevOpsLuis Fraile
 
Un ciclo "casi" completo on Azure DevOps
Un ciclo "casi" completo on Azure DevOpsUn ciclo "casi" completo on Azure DevOps
Un ciclo "casi" completo on Azure DevOpsLuis Fraile
 
Cultura DevOps - Conferencia Agile Spain 2017
Cultura DevOps - Conferencia Agile Spain 2017Cultura DevOps - Conferencia Agile Spain 2017
Cultura DevOps - Conferencia Agile Spain 2017Luis Fraile
 
Gestiona tus dependencias con NuGet, VSTs y MyGet
Gestiona tus dependencias con NuGet, VSTs y MyGetGestiona tus dependencias con NuGet, VSTs y MyGet
Gestiona tus dependencias con NuGet, VSTs y MyGetLuis Fraile
 
Creación de tareas personalizadas para Team Build y Release Management
Creación de tareas personalizadas para Team Build y Release ManagementCreación de tareas personalizadas para Team Build y Release Management
Creación de tareas personalizadas para Team Build y Release ManagementLuis Fraile
 
Gestion paquetes NuGet con Visual Studio Team Services y MyGet
Gestion paquetes NuGet con Visual Studio Team Services y MyGetGestion paquetes NuGet con Visual Studio Team Services y MyGet
Gestion paquetes NuGet con Visual Studio Team Services y MyGetLuis Fraile
 
DevOps con Visual Studio Team Services
DevOps con Visual Studio Team ServicesDevOps con Visual Studio Team Services
DevOps con Visual Studio Team ServicesLuis Fraile
 
Validando la escalabilidad de la arquitectura
Validando la escalabilidad de la arquitecturaValidando la escalabilidad de la arquitectura
Validando la escalabilidad de la arquitecturaLuis Fraile
 
ALM la parte olvidada de la arquitectura
ALM la parte olvidada de la arquitecturaALM la parte olvidada de la arquitectura
ALM la parte olvidada de la arquitecturaLuis Fraile
 
Exploratory testing myths Romanian Testing Conference 2014
Exploratory testing myths Romanian Testing Conference 2014Exploratory testing myths Romanian Testing Conference 2014
Exploratory testing myths Romanian Testing Conference 2014Luis Fraile
 
[ALM09] Calidad en el código con Visual Studio 2010
[ALM09] Calidad en el código con Visual Studio 2010[ALM09] Calidad en el código con Visual Studio 2010
[ALM09] Calidad en el código con Visual Studio 2010Luis Fraile
 
[ALM09] Integración continua en entornos .NET y Java con TFS 2010 y TFS 2008
[ALM09] Integración continua en entornos .NET y Java con TFS 2010 y TFS 2008[ALM09] Integración continua en entornos .NET y Java con TFS 2010 y TFS 2008
[ALM09] Integración continua en entornos .NET y Java con TFS 2010 y TFS 2008Luis Fraile
 
Team Foundation Server Build 2010
Team Foundation Server Build 2010Team Foundation Server Build 2010
Team Foundation Server Build 2010Luis Fraile
 

More from Luis Fraile (14)

GitHub Codespacescon .NET Core
GitHub Codespacescon .NET CoreGitHub Codespacescon .NET Core
GitHub Codespacescon .NET Core
 
Bilbostack 2020 - El camino de l a entrega en DevOps
Bilbostack 2020 - El camino de l a entrega en DevOpsBilbostack 2020 - El camino de l a entrega en DevOps
Bilbostack 2020 - El camino de l a entrega en DevOps
 
Un ciclo "casi" completo on Azure DevOps
Un ciclo "casi" completo on Azure DevOpsUn ciclo "casi" completo on Azure DevOps
Un ciclo "casi" completo on Azure DevOps
 
Cultura DevOps - Conferencia Agile Spain 2017
Cultura DevOps - Conferencia Agile Spain 2017Cultura DevOps - Conferencia Agile Spain 2017
Cultura DevOps - Conferencia Agile Spain 2017
 
Gestiona tus dependencias con NuGet, VSTs y MyGet
Gestiona tus dependencias con NuGet, VSTs y MyGetGestiona tus dependencias con NuGet, VSTs y MyGet
Gestiona tus dependencias con NuGet, VSTs y MyGet
 
Creación de tareas personalizadas para Team Build y Release Management
Creación de tareas personalizadas para Team Build y Release ManagementCreación de tareas personalizadas para Team Build y Release Management
Creación de tareas personalizadas para Team Build y Release Management
 
Gestion paquetes NuGet con Visual Studio Team Services y MyGet
Gestion paquetes NuGet con Visual Studio Team Services y MyGetGestion paquetes NuGet con Visual Studio Team Services y MyGet
Gestion paquetes NuGet con Visual Studio Team Services y MyGet
 
DevOps con Visual Studio Team Services
DevOps con Visual Studio Team ServicesDevOps con Visual Studio Team Services
DevOps con Visual Studio Team Services
 
Validando la escalabilidad de la arquitectura
Validando la escalabilidad de la arquitecturaValidando la escalabilidad de la arquitectura
Validando la escalabilidad de la arquitectura
 
ALM la parte olvidada de la arquitectura
ALM la parte olvidada de la arquitecturaALM la parte olvidada de la arquitectura
ALM la parte olvidada de la arquitectura
 
Exploratory testing myths Romanian Testing Conference 2014
Exploratory testing myths Romanian Testing Conference 2014Exploratory testing myths Romanian Testing Conference 2014
Exploratory testing myths Romanian Testing Conference 2014
 
[ALM09] Calidad en el código con Visual Studio 2010
[ALM09] Calidad en el código con Visual Studio 2010[ALM09] Calidad en el código con Visual Studio 2010
[ALM09] Calidad en el código con Visual Studio 2010
 
[ALM09] Integración continua en entornos .NET y Java con TFS 2010 y TFS 2008
[ALM09] Integración continua en entornos .NET y Java con TFS 2010 y TFS 2008[ALM09] Integración continua en entornos .NET y Java con TFS 2010 y TFS 2008
[ALM09] Integración continua en entornos .NET y Java con TFS 2010 y TFS 2008
 
Team Foundation Server Build 2010
Team Foundation Server Build 2010Team Foundation Server Build 2010
Team Foundation Server Build 2010
 

Recently uploaded

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Recently uploaded (20)

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

Code Security with GitHub Advanced Security

  • 1. # d o t N E T 2 0 2 3 Security + Github = Secure code best practices
  • 2. C O L L A B O R A T O R S O R G A N I Z A T I O N # d o t N E T 2 0 2 3 G O L D S P O N S O R S
  • 3. # d o t N E T 2 0 2 3 @lfraile lfraile@lfraile.net (Tenía foto de influencer según Unai Zorrilla así que la cambié por la de ciclista) Luis Fraile Help dev teams to deliver value
  • 4. # d o t N E T 2 0 2 3 Q. Why is DevSecOps harder to adopt than DevOps?? A. Solutions aren't built for developers Security at the expense of usability comes at the expense of security.
  • 5. # d o t N E T 2 0 2 3 Everyone wants to shift security left… Breach Production Test Q/A Build Development $ Millions $7,600 $960 $240 $80 Source: NIST, Ponemon Institute 2012 Remediation Costs SDLC Stages Security Shifting Left Breach Production Test Q/A Build Development
  • 6. # d o t N E T 2 0 2 3 GitHub embeds security in the developer workflow Supply Chain Secret Scanning Code Scanning Platform Security
  • 7. # d o t N E T 2 0 2 3 Shift security left with developer-first tools Commit changes Submit Pull Request Update new branch merge into main Dependency Scanning: automatic CVE identification & remediation Secret Scanning: locate and invalidate exposed tokens Code Scanning: find & warn about risky patterns in code GHAS GHAS Detect and remediate vulnerabilities before new code is introduced to the main branch!
  • 8. # d o t N E T 2 0 2 3 Secure the Supply Chain • Advisory database • Dependency graph • Dependabot alerts and updates
  • 9. # d o t N E T 2 0 2 3 Secret scanning • Secret scanning scans your entire git history for API keys and credentials in your code • Push protection blocks pushes that contain secrets GitHub can identify with a <1% false positive rate
  • 10. # d o t N E T 2 0 2 3 Preventing secret leaks on git push
  • 11. # d o t N E T 2 0 2 3 • Code scanning displays static analysis results to developers as part of code review • CodeQL finds vulnerabilities with greater precision than other tools and is highly customizable Code scanning
  • 12. # d o t N E T 2 0 2 3 Security information and event management (SIEM) Tool Integrations • Leverage GHAS API to stream vulnerability data into SIEM tool • Reference Work Books • Most Critical vulnerabilities • Mean Time to Remediate (MTTR) • Best/Worst Repositories • etc…
  • 13. # d o t N E T 2 0 2 3 Security overview • Security overview provides data on security features across all your repos • Identify and drill down on areas of risk and determine overall security coverage
  • 14. # d o t N E T 2 0 2 3 Demo time!