GitHub and Application Security
- Streamlines the development process
- Allows for easier collaboration
- Enables external parties to see these changes and contribute to the code
- Version control - allowing for monitoring of the latest revisions
Fundamentals of GitHub
Before we dive into the benefits of GitHub it is important for AppSec teams to be aware of the terms that they might run into, so let’s start with some key glossary terms:
Repository – A repository (or “repo” for short) is the most basic element of GitHub, containing all of the project files (including documentation), and stores each file’s revision history.
https://docs.github.com/en/get-started/quickstart/github-glossary#repository
Dependency graph – A repository graph that shows the packages and projects that the repository depends on.
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
Branches – Branches allow you to develop features, fix bugs, or safely experiment with new ideas in a contained area of your repository. You always create a branch from an existing branch. Typically, you might create a new branch from the default branch of your repository.
https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-branches#about-branches
Forking – This is one of the features that developers love about GitHub, Forking is when you create a new project based on one that already exists. It is a copy of a repo that sits in your account rather than the account from which you forked the data from, allowing you to edit the contents of your forked repository without impacting the parent repo.
https://docs.github.com/en/get-started/quickstart/fork-a-repo
Pull Requests – Pull requests (PRs) notify others about changes you’ve pushed to a branch in a repo. Once a PR is opened, you can discuss and review potential changes with collaborators and add follow-up commits before your changes are merged into the base branch.
https://docs.github.com/en/get-started/quickstart/github-glossary#pull-request
Merging – After a pull request, the changes you have made to your repository should be merged to the original repo. There are three ways to merge repos, depending on the merge options enabled for you. You can: merge all of the commits into the base branch; squash the commits into one commit; rebase the commits individually onto the base branch. Detailed information about this can be found on GitHub official documentation.
https://docs.github.com/en/get-started/quickstart/github-glossary#merge
Changelogs – The nature of GitHub is such that it allows many people to work on the same project, contribute and change it. In order for everyone involved to stay on the same page regarding everything that happens to the repository, the platform enables changelog, keeping track of all changes.
https://github.blog/changelog/
Code Owner – A person who is designated as an owner of a portion of a repository’s code. The code owner is automatically requested for review when someone opens a pull request (not in draft mode) that makes changes to code the code owner owns.
https://docs.github.com/en/get-started/quickstart/github-glossary#code-owner
CODEOWNERS file – You can use a CODEOWNERS file to define individuals or teams that are responsible for code in a repository.
https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
Teams – Teams are groups of organization members that reflect your company or group’s structure with cascading access permissions and mentions.
https://docs.github.com/en/organizations/organizing-members-into-teams/about-teams
GitHub Actions – GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.
https://github.com/features/actions
Benefits of Using GitHub
Now that we have covered some of the main terms that AppSec teams will run into, let’s chat about the benefits of GitHub from a developer perspective so we can understand them a bit more.
Ease of Use & Collaboration
One of the things about the platform that attracts so many developers to GitHub, is that it allows them to easily exchange code, review each other’s project, and manage software code in real time. Additionally, teams can leverage GitHub’s native issue tracking, real-time analytics, feature requests, commenting and notes, feedback management, and more to enable collaboration.
Cloning and Time-Saved
Traditionally, developers had to interact with the main server while working on their own project or when contributing to someone else’s. With GitHub developers have the ability to clone a GIT Project through the command-line tool so developers have access to the entire history and changelog. This saves time and allows for less disruption during development.
Version Control
Version control allows developers to track changes made to their code and allows them to easily see who made it, while simultaneously keeping and providing a full version history. This is something extremely useful in terms of collaboration.
GitHub Actions and CI/CD Pipelines
Another reason why devs use GitHub is because of its powerful Actions capability which makes it really simple to automate software workflows. Additionally, users can easily set up a CI/CD so once they commit changes, Github Actions can easily automate the tasks of building, testing and deploying the code right from within Github.
Common AppSec Challenges with Using GitHub
Scaling AppSec at the speed of DevOps has been a challenge for most organizations. Modern source control systems like GitHub have enabled developers to go from code-to-cloud in a matter of hours, changing the dynamic between developers and AppSec teams. The ability to build and deploy code with a self-service foundation leaves AppSec teams with no visibility and control, leaving the questions of who created code, where that code resides, and the context around why.
Visibility
With the scale in which developers create new code repos, AppSec teams cannot keep up with what is being added to the asset inventory. Which means, AppSec teams have no visibility into what is being created, who is responsible for that code, and traditional AppSec tools impede this fast paced modern software development lifecycle (SDLC).
Ownership
The biggest question from most AppSec teams is, who the heck owns this code? Often, AppSec teams spend hours/days tracking down which developer owns or can help remediate a vulnerability because there is not appropriate ownership data.
Dependencies
Software dependencies allow developers to more quickly deliver software by building on previous work, making software dependencies a key ingredient of modern applications. But, the challenge for AppSec teams is how do you influence developers to understand the security risks that are being introduced in dependencies and how do you manage that risk.
Lack of Security Control & Influence
AppSec teams today are left on the sidelines as developers deploy code. Without any visibility or any way to influence developer behavior, there is no way for AppSec teams to drive adoption and enforce the use of secure defaults or security controls to prevent risk from being introduced in SDLC.
Additionally, security teams should always make sure that GitHub is configured correctly, but that is a whole different topic altogether.
How Tromzo Enables Visibility and Control within GitHub
GitHub has helped increase the speed of DevOps, but there is little to no visibility and control for security teams. This is where Tromzo can help organizations with a unified developer-first application security management platform to enable:
- Centralized Visibility – centralizes all software assets from dependencies and SBOMs to cloud services in one easily digestible UI, associates true ownership, and prioritizes them based on risk. This empowers AppSec teams with the foundational context needed to truly improve security risk posture.
- Security Guardrails – influences developer behavior by using pre-built and customizable security policies, defined by security teams and applied within developer workflows across Github. Enabling developers to go from code-to-cloud, securely.
- Workflow Automation – eliminates manual processes around implementing and managing security controls in Github with Tromzo’s no-code security automation. Automation is the only way to scale AppSec at the speed of DevOps.
- Reporting & Analytics – provides critical analytics via the insights from out-of-the-box and customizable dashboards for security accountability across engineering.
Additionally, in this series of how Tromzo can help with visibility and control within GitHub, we will be covering:
- GitHub Dependabot
- GitHub CodeQL, and
- GitHub Secret Scanner
Recent articles
On a recent episode of the Future of Application Security podcast, Chad Girouard, AVP Application Security at LPL Financial, talked about some of the challenges to overcome...
Read moreOn a recent episode of the Future of Application Security podcast, Dave Ferguson, Director of Technical Product Management, Software Supply Chain Security at ReversingLabs, explained why the...
Read moreReady to Scale Your Application Security Program?
Sign up for a personalized one-on-one walkthrough.