Move the security to the left during development can have a lot of challenges, as well as some pitfalls. With the tools of GitHub Advanced Security like, Dependabot, Secret Scanning or CodeQL we can start, step by step, security practices to the very first step in our developments.

1. # d o t N E T 2 0 2 3
Security + Github = Secure code best practices

2. C O L L A B O R A T O R S
O R G A N I Z A T I O N
# d o t N E T 2 0 2 3
G O L D S P O N S O R S

3. # d o t N E T 2 0 2 3
@lfraile
lfraile@lfraile.net
(Tenía foto de influencer según Unai Zorrilla así que la cambié
por la de ciclista)
Luis Fraile
Help dev teams to deliver value

4. # d o t N E T 2 0 2 3
Q. Why is DevSecOps harder to adopt than DevOps??
A. Solutions aren't built for developers
Security at the expense of usability
comes at the expense of security.

5. # d o t N E T 2 0 2 3
Everyone wants to
shift security left…
Breach
Production
Test Q/A
Build
Development
$ Millions
$7,600
$960
$240
$80
Source: NIST, Ponemon Institute 2012
Remediation Costs
SDLC Stages
Security Shifting Left
Breach
Production
Test Q/A
Build
Development

6. # d o t N E T 2 0 2 3
GitHub embeds security
in the developer workflow
Supply Chain Secret Scanning
Code Scanning
Platform Security

7. # d o t N E T 2 0 2 3
Shift security left with developer-first tools
Commit changes Submit
Pull Request
Update
new branch merge into main
Dependency Scanning: automatic
CVE identification & remediation Secret Scanning: locate and
invalidate exposed tokens
Code Scanning: find & warn
about risky patterns in code
GHAS
GHAS
Detect and remediate vulnerabilities before
new code is introduced to the main branch!

8. # d o t N E T 2 0 2 3
Secure the Supply Chain
• Advisory database
• Dependency graph
• Dependabot alerts and updates

9. # d o t N E T 2 0 2 3
Secret scanning
• Secret scanning scans your entire git history for API
keys and credentials in your code
• Push protection blocks pushes that contain secrets
GitHub can identify with a <1% false positive rate

10. # d o t N E T 2 0 2 3
Preventing
secret leaks
on git push

11. # d o t N E T 2 0 2 3
• Code scanning displays static
analysis results to developers as
part of code review
• CodeQL finds vulnerabilities with
greater precision than other tools
and is highly customizable
Code scanning

12. # d o t N E T 2 0 2 3
Security information and event management
(SIEM) Tool Integrations
• Leverage GHAS API to stream
vulnerability data into SIEM tool
• Reference Work Books
• Most Critical vulnerabilities
• Mean Time to Remediate (MTTR)
• Best/Worst Repositories
• etc…

13. # d o t N E T 2 0 2 3
Security overview
• Security overview provides data on
security features across all your repos
• Identify and drill down on areas of risk
and determine overall security
coverage

14. # d o t N E T 2 0 2 3
Demo time!

15. Thank you!