Day 2 Keynote - GitHub Universe 2019
Please welcome the Chief Operating Officer of GitHub, Erica Brescia.

Good morning, everyone, and thank you for being here and joining us to kick off day 2 of Universe. I hope you had a fantastic time yesterday meeting Hubbers and others in the community and learning from each other. At GitHub our mission is to be the home for all developers. All developers. That's a pretty monumental task when you think about what it really means. As Nat shared yesterday, there are over 40 million developers on the GitHub platform today. 40 million. That's more than the population of most countries, and those developers are writing code in over 370 different languages and for a huge variety of purposes: from healthcare to machine learning to finance, video games, automotive, mobile, nonprofits and more. And these folks are developing software all over the world: over 80% of open source is now developed outside of the US. So there are all of these developers building all of this software for so many different reasons and for people all over the world. These folks have different workflows, different tools that they depend on and different ways that they collaborate across their teams. We're lucky to work with some incredibly talented developers at GitHub, but there's no way that their creativity can match that of the over 40 million developers using GitHub today. That's why the ecosystem is so important to us and why delivering an open platform with robust APIs is so core to what makes GitHub GitHub.

Now, we talked a lot about developers, but another way to look at the ecosystem is in the dependency graph and how packages depend on one another. We might be working on vastly different problems, in different languages, from places all over the world, but everyone building software today is reliant on the broader open source community. After all, 99% of software projects depend on open source. So each time you pull in an open source package, you're pulling in all of that package's dependencies as well. In fact, open source projects on GitHub have over 180 different package dependencies, and some of the most popular open source projects have a huge number of projects that depend on them. For example, the npm packages have over 3.5 million projects that depend on them. So an issue in one of those packages can cause problems for thousands or even millions of projects that depend on it. At GitHub, we feel it's our responsibility to ensure we're giving developers the tools to build great, safe software, so that we can truly depend on our dependency trees. And by safe, I mean secure. Now, normally security conversations are about fear, but I don't see it that way. Security is the enabler that allows us to benefit from the exponential productivity impact of open source. If we can build applications and consume open source with confidence, then nothing stands in our way. Now, we know that we can't secure the world's code on our own; no one company can do that. Our goal is to enable the world's software community to secure the software that we all depend on. I'd like to invite Jamie Cool, our VP of Security Offerings, to walk through how we're approaching security at GitHub. Welcome, Jamie.

Thanks, Erica. Now, at GitHub security is something that we take incredibly seriously. So much of the world's development now happens on GitHub that it's something that we think of not just as an opportunity, but really a responsibility.
So I want to spend the next few minutes talking about our overall approach to security, and along the way I've got some pretty cool announcements to show you as well. The place I want to start is really with the simplest of all possible scenarios: developers not leaking the credentials to their application. And the reason I want to start there is because even in this most simple of examples, it shows that it's a problem that we cannot solve by ourselves. So the Open Web Application Security Project keeps a running list of the top 10 web app vulnerabilities, and it has the types of things that you would expect: SQL injection attacks, cross-site scripting. But I actually think that the next time they update it they need to have a special category all to itself just for developers checking their application tokens into their source repository, because they do it all the time. I know this because just in the last month we've detected over 800,000 potential tokens that had been committed into GitHub public repos. The reason why we're able to know this is that we have a service that scans repos looking for potential tokens, so we'll find something that looks like a token and then help the developer go through a remediation workflow to update the code to something like what it should be. But think about what it takes for us to really go and do this. There are so many different services and so many different types of tokens out there. How does GitHub know that this was a token? And even if we knew it was a token, how do we know it's actually an active token that could be used? It's not our service. And even if we knew it was an active token, what do we do about it? We can't go and remediate it; it's not our token. So the answer to this is we partner. We work with a whole set of partners to secure this, and the way that this works is that they tell us what their tokens look like. When we find one that matches, we tell them about that possibility, and they can go and check to see if it's an active token and then take the right action for their service. And it means that if you're a user of one of these services, you have to worry a lot less about your developers leaking your tokens. And I'm thrilled to announce that today we have four new partners that are joining us to detect tokens: HashiCorp, Postman, GoCardless and Tencent Cloud. I'm thrilled to have them, and if there's anybody listening here that is interested in participating in this with their service, please reach out.

Now I want to talk about a problem that is just slightly more complicated, which is trying to secure the open source supply chain. So, like Erica mentioned, the depth and complexity of applications today is exploding, and it's all powered by open source, and this is fantastic. The place where this really becomes real for me is with the dependency graph. You can go on any repo today on GitHub and look and see what the dependencies of it actually are. So pick your favorite repo, any open source project for example, and go and you will see that there are so many dependencies of dependencies of dependencies of dependencies. It's kind of crazy. But this is great: you get thousands of committers that are helping you go faster and build your application. But it also means you have thousands of committers that you have to take care of in terms of risk exposure. So what happens when something goes wrong here? Open source has to be something that we can all use with confidence, that we can use with safety, and because so much of it lives on GitHub, this is a problem that we really wanted to see what we could do about.

So we stepped back and we asked ourselves: who are all of the types of participants that are involved in this supply chain? And there are quite a lot, from security researchers to developers, maintainers and organizational security teams, and they all have to be able to work together as part of this. If we look at what a typical workflow looks like, you see all of these roles and you see all the problems that come out. Let's start with security researchers. These are the folks that find the majority of the actual security vulnerabilities, but even today in 2019, and even when you have access to much of the source code, finding those vulnerabilities is often an extremely manual process. And then, once you find the issue, what do you do? If you don't know anybody in the project, how do you reach out and tell them about this security vulnerability without disclosing it to the world? And then maintainers: maintainers already are busy enough, but they now have to be responsible for fixing these vulnerabilities, and because open source repos are public, you don't typically want to fix security vulnerabilities in the open, because you don't want to disclose them. It means you often can't even use the same tools and workflows that you're used to when you fix these vulnerabilities. And then you have to notify all of the people in the world that are using this project. How do you go and do that? And then finally, developers have to actually update to this application. And how many times have we seen a security vulnerability that was found and fixed and months later exploited because the application simply didn't update to the new version? And kind of the worst, from my standpoint, is that these same types of vulnerabilities happen again and again and again. How many times have we read an article about a buffer overflow issue or a cross-site scripting issue? The same types of problems come up again and again. So we've been putting a lot of energy into seeing what we could do to help all of these roles work together to try and fix this problem. But it's easier to show than it is to talk about, so let's go look at a demo.

So we're going to go through that end-to-end flow, and we're going to start as a security researcher. So I'm a security researcher, I found a vulnerability, and let's say I found the vulnerability in the public webpack project and I want to report it. How would I do that? Well, the logical thing to do would be to go where the webpack maintainers live, which is at the webpack repo on GitHub, and then the logical thing to do would be to go where you report issues to webpack, which is on their issues page. So if I create a new issue, you'll see that there's something that's telling me the path I should take for reporting a security vulnerability. So we support security policies, which allow maintainers to specify how they would like to see security vulnerabilities reported to their repository.

Now, once you know about a security vulnerability as a maintainer, it's time to fix it, and that's where security advisories come in. Security advisories are a concept that provide a mechanism for a maintainer to work in private, even on a public repo, to fix that security vulnerability and then ultimately to publish it to the world. So here I have an example of a draft security advisory where it hasn't been fixed quite yet, and I want to actually go through collaborating. So this is a space, much like a pull request, where the team can come in and discuss the vulnerability in private. I can invite whoever I want, so if I wanted to invite even the person that originally reported the security vulnerability, I can. I can specify metadata like how severe the vulnerability is, what package it applies to, what versions it applies to, and go through fixing it. And to fix it you also get a private fork, which is precisely what it sounds like: a private fork for you to make the change before it's actually published and live. Now, once you've made the change it's time to tell the rest of the world about it, so you can publish this advisory, which will tell us about it, and then we will take the next steps, which we'll get to in a second. But one of the things that I'm excited is now officially live today is that as a maintainer you can request a CVE directly from this page. And what this means is, CVEs are the mechanism that the broader security community uses to communicate about vulnerabilities, but the mechanism for getting the CVE has a little bit of a tax to it. So GitHub can now issue CVEs on behalf of open source projects, and that will allow us to connect the open source community to the rest of the security community. So I'm very excited about that.

Now, once you've published this advisory, what happens? Well, it goes into our advisory database. So the advisory database, this is a collection of all of the vulnerabilities that we know about at GitHub, whether it was one that was reported directly to us via security advisories or whether it was one that we pulled in from one of the public feeds like the National Vulnerability Database. If you've ever gotten a security alert from GitHub, it's because it was part of our advisory database. Now, we think this data is incredibly important, and we think this vulnerability data is something that everyone needs to help keep our software safe. So I am thrilled to announce today that the GitHub Advisory Database is available for free for everyone. You can access it via the web or you can access it via APIs. You can search by CVE or particular strings; you can filter it down to particular severity levels or specific ecosystems. If we were to look at the Python ecosystem and then pick one of the recent, more severe security vulnerabilities, you can drill in and you'll get a richness: you can get a description of exactly what's wrong with that vulnerability. And kind of the exciting thing for me is, because this vulnerability was reported natively on GitHub, we have a level of traceability with vulnerabilities that we have rarely had before. So I can see for this one the actual repo that it was fixed on, and in fact, because this one was filed via a security advisory, I can go to the actual security advisory on the actual repo that this is reported on, and in this case the team even has more information, like links to issues where the vulnerability is being discussed. If you've ever tried to find out more information about a vulnerability online, this kind of connectivity is something that has been sorely needed, in my opinion.

Now the vulnerability is in our advisory database, and the next step is to alert the people that are using this particular dependency that they need to take action. So the way that we do that is we take the data in the advisory database and we match that up with the dependency graph. I mentioned this earlier, but this is where you can view all the dependencies and the dependencies of the dependencies of the dependencies. We could go for a while here. But if any one of those dependencies has a version that has a vulnerability in our database, you will get a security alert. You will get a security alert in the web portal; you will also get a security email. And for those of you that have been receiving security emails already, I have good news: we've been listening to you. So in addition to all of the security emails you already get, we will now send you an additional security email every 15 minutes until you fix that vulnerability. It's completely configurable: if 15 minutes is too frequent, you know, you can dial it down to five minutes. Our infrastructure team has been laying fiber so that we can send as many emails as it takes to secure the world's software. You guys think I'm joking, don't you? Seriously though, we have heard your feedback that sometimes the number of security alert emails can be a little bit voluminous, so we recently shipped a feature that internally we lovingly called garden hose, as opposed to fire hose, and what garden hose lets you do is configure how you want to receive security alerts. So if you would rather receive a digest of all the security alerts and only get that once a day or once a week, you can now do that.

Okay, so I've gotten a security alert. The next thing is to get the developer to fix it. So, to make that easier, we now support a feature called automatic security updates, and what automatic security updates does is it will generate a pull request which will update the version of the dependency to the one that has the security fix in it. And in this case it's showing me all of the changes in total that I'm going to pick up as part of this change. So it means, if you marry this with Actions or the CI system of your choice that's validating your change, all the developer should have to do is come in to the pull request that was generated, review it and merge it. This is all powered by Dependabot. Dependabot joined GitHub at Satellite last May, and I am thrilled to announce that it is now fully integrated into GitHub. It is generally available and it is protecting millions of repositories today.

Now, this was a flow for one repo, but many organizations out there have tens of repos, hundreds of repos, thousands of repos, tens of thousands, and, as a customer yesterday told me, in some cases hundreds of thousands of repos, and it can be hard to keep track of the state of all of your repos. So we've been working on that problem with something we call dependency insights, and what dependency insights does is give you a view across all the repos in your organization, so you can see what the total set of outstanding advisories are, how severe they are, and what the dependencies are that you have. You can filter this with different views; in this case I can filter it down to see the dependencies that have the most security advisories. I just pick one and drill in, and I can see that in fact this particular version of this dependency has 12 security advisories. That's not ideal, but then I can also go see that there's actually only one repo in my organization that's using that, so I can decide what the next action to take is. Maybe I need to go give them a little kick, maybe this repo needs to be archived, and I have the data to be able to do that.

Okay, now if you were paying close attention you'll have noticed that we tackled a bunch of the problems that I talked about, but there were two that we didn't. One was how security researchers find the vulnerability to begin with, and the other is how do we stop these vulnerabilities from happening again and again and again. So those two problems are exactly why, in September, Semmle joined GitHub. So how does Semmle help us tackle those two problems? It brings with it an amazing technology called CodeQL, which is essentially a semantic code engine. So what does that mean? It takes your code and it transforms it into a database that is now queryable. So you can now query that database as a security researcher to go and hunt for vulnerabilities in that code. You can then take those same queries and use them to make sure, as a developer, you're not introducing similar types of vulnerabilities. So I'm really excited about this, but it's also way easier to show than it is to talk about, so let's take a look.

So I am on the netdata repository. netdata is a popular real-time monitoring solution, and they've been using CodeQL to make sure that they don't introduce new security vulnerabilities into their changes. So every time a pull request is created, CodeQL is run to go look for new potential vulnerabilities. And at some point in this change, which was a pretty big one, we actually detected with CodeQL three potential vulnerabilities, and one of them was a cross-site scripting vulnerability. So let's go look at that. So I'm going to jump over and we're going to look at those, and this particular vulnerability is in main.js. main.js actually has two vulnerabilities, but in the interest of time we're just going to look at the second one, and we'll look at this cross-site scripting one. So this shows me the piece of text where it thinks I have a vulnerability. So what is a cross-site scripting vulnerability? It's essentially an attempt by an attacker to take a string that they set in some form, maybe a URL, and get it injected into your DOM so that it can then run script and do things like steal your cookies and data. And I can kind of see from this line why this might be a problem, because it is setting something into my DOM and there is a variable that's got data coming from somewhere. But this could be okay. Think about what it actually takes to find a real cross-site scripting vulnerability: you need to know where the data is coming from and that that data might be unsafe. You then need to know how that data might be used in a way that could be dangerous, like putting it into the DOM, and then you need to be able to track that data as it moves through your program, however it goes, from point A to point B. This is a pretty hard problem, but that's exactly what CodeQL does. So if I drill in, I can see that the data from this source is actually being read in from a variable from a separate frame. Separate frame, different URL potentially: this is where the cross-site scripting comes in. And then it gives me the stack trace, it says that data flows from point A to point B through different variables and eventually gets down to the place where it is inserted into the HTML, thus the potential cross-site scripting attack.

Now, this vulnerability was found by running one of the many queries that are available. So this particular project has three different languages in it; each of them has a different set of queries. In fact, we have over 2,000 built-in queries that have been authored to find different vulnerabilities, and because one of those queries existed that knew how to detect this type of vulnerability, the netdata team was able to make a fix, to not just insert it straight but to make sure it's coming in as text, before this change ever got merged into master.

So this type of vulnerability, when you talk about static analysis, is the real kind that you want to find, because it's not theoretical, it's a real, exploitable one. They're also the hardest to find, and the reason why we were able to find this one is kind of twofold. One, because the tech here is kind of cool. But the other one is because someone authored, in this case a security researcher or security expert authored, this query that knew how to go and find it. So that is the key thing: that connection between the work that a security expert did and the workflow of a developer. So this, I think, is one of the key things and one of the key opportunities, because if you talk about the entire set of roles that need to participate in this, there's an incredibly important one, which is the security researcher. So there's a great opportunity for us to take all of the amazing work that the security community is doing, the security experts, the security researchers, and connect that directly into the workflow and the lives of the millions of developers on GitHub, to help make all of this software that we're using safer. So I'd like to invite Nico Waisman on stage to tell us more about that. Nico is one of the world's foremost security researchers, and I couldn't be more thrilled to have him here at GitHub as a colleague helping us solve these problems. So please welcome Nico Waisman.

Thank you, Jamie. Hi, my name is Nico. I'm part of a tribe, a tribe that hunts for bugs in code. What started for me as a hobby in the '90s somehow ended up turning into a job, and that job eventually turned into a career, and today, some 20 years later, I find myself part of an ever-growing community whose skills have since become indispensable in modern society. Initially, in those early days, my own little tribe focused mostly on network infrastructure and managing user access, but the natural next step was to focus our effort on what those users were actually using to interface with the infrastructure that was under our care: basically, software. So with time a significant chunk of this tribe's focus shifted to integrating into the software development lifecycle, and it was with that shift that a vibrant and thriving community spawned, a community that was solely focused on ensuring software behaves the way it is actually intended to behave. Our job became to explore and document the unintended states of the software around our world and, most importantly, the actual security impact of those state spaces. By now I'm sure everyone has guessed who my tribe is: I'm a hacker, I mean a security professional, and my tribe is the information security community. The information security community started as a small group of people on IRC, which, for those who are young here, is sort of like Slack but without all the animated GIFs. It has since grown into a massive community that attracts thousands of people to security conferences around the globe to discuss the latest research. What used to be a necessary pursuit of gaining or preventing access in the early days has since become a full-blown industry.

However, along the way my tribe has committed some cardinal sins. These are the things that to this day have prevented us from integrating effectively into the very fabric we aim to protect. One of our largest sins, I believe, is our historical antagonistic relationship with IT, QA, support and, most importantly, the software development teams. For too long have we as an industry taken an ivory tower position, doling out our judgement on code and product quality without offering any tangible, deployable solution, just providing a single example of a flaw and expecting people to just figure it out. The security industry should be a facilitator, not an inhibitor. And we decided to do something about that. So I am really thrilled to announce today the GitHub Security Lab. What is the GitHub Security Lab? The GitHub Security Lab will be the home of security researchers at GitHub. Our mission will be to hunt for vulnerabilities in open source projects, to build tools that will help secure code bases, as well as partnering with other security teams across the industry to build bridges between the research community and the wider software community. We have a dedicated, handpicked team of highly skilled security researchers. Our team will hunt and fix vulnerabilities in the most important projects. We go beyond just racking up CVEs and also enable the open source community to act as a force multiplier for the security research community through integrated vulnerability variant analysis. In essence, our security research will be your security research. To date, this team has collected more than a hundred CVEs, and some of them are critical vulnerabilities in really big projects, and this is only a small example of what we'll be able to achieve together.

A Spanish philosopher once said that those who cannot remember the past are condemned to repeat it. This quote to me represents the very essence of what CodeQL is: it aims to prevent the repetition of the past and, as a consequence, of its mistakes. The main concept behind CodeQL is to model vulnerabilities down to their essence, extracting the code patterns and then converting them into queries. Later we use those queries to uncover vulnerabilities in your code base. We want to help developers write secure code. The old tradition of killing one vulnerability at a time basically does not scale, especially considering that codebases are not static entities; they're moving targets that change continually with every commit. To that end, I'm very excited to tell you that we are releasing CodeQL for free for open source and academic use. We are also releasing a VS Code extension that will help streamline CodeQL integration into your workflow. Let me now invite Kevin Backhouse to the stage. Kevin is a fantastic security researcher who has found vulnerabilities in Apport, Ubuntu, the Linux kernel and many, many other projects.

Hi, I'm going to show you a quick demo of a vulnerability that I found earlier this year in Facebook Fizz. Fizz is Facebook's open source TLS implementation, so that's the software that does the HTTPS part of https://facebook.com. As you can imagine, that's critically important software for Facebook, and the bug that I found could have caused a serious outage at Facebook and Instagram. So because Fizz is so important, Facebook have put a lot of effort into making sure that it's secure, so it's been extensively fuzz tested and audited, and from having looked at the source code myself I'd say it's very high quality. So the bug that I found with CodeQL had managed to slip through a very tight net.

So what I'm going to do first is I'm just going to show you a demo of the exploit proof-of-concept that I wrote. So I've got a Fizz server running here, and in this terminal here I'm going to run the attack. So you can see that that's extremely cheap for an attacker to run: that just sent off a 64 kilobyte message to the Fizz server and then disconnected. And you can see over here, now I've got top running, that the Fizz server up here is using 100% of a CPU core and it's become completely unresponsive. So let me just shut that down.

So how did I find this vulnerability? This is VS Code, and over here is the CodeQL extension, and up here I've got a database for Fizz loaded. Jamie mentioned these databases earlier in his talk. So what the database is, is the source code for Fizz converted into a form that is now queryable. And over here I've got the query that found the vulnerability. So what I was looking for was integer overflows in the Fizz source code. Integer overflows are difficult to find with a text-based search like grep, because they tend to be implicit in the code, but with CodeQL it's easy, because the database contains not just the text of the source code but also other information like types. So what I'll show you first is some query results. So this was a simple query that I wrote just looking for potential integer overflows. You can see that there's quite a lot of results, and what I really want to know is whether it's possible for an attacker to put some malicious data into an incoming message and for that to actually trigger one of these integer overflows. So the query that found the bug is here. I used our taint tracking library to do that. So with taint tracking, what I'm able to do is I'm able to say I'm only interested if there's a source of network data that flows to a sink where there might be an integer overflow. And you can see the result of that query over here. Let me just hide this. Yeah. And now there's just one result, and it's given me a data flow path as well. So this is the same data flow path technology that you also saw earlier in Jamie's demo on LGTM.com, and these data flow paths are incredibly valuable for me as a security researcher, because they allow me to figure out why the query thinks that there might be a problem in the code, and if it has found a problem, then it also helps me to then construct an exploit for it. So what you can see here is that the data flow path starts out with an endianness conversion there, and that's often a telltale sign of data that's coming out of a network packet. And then that's used here to read an unsigned 16-bit integer into this variable, length, and then the final step of the data flow path, this is where the integer overflow happens. So this plus-equals: what my proof of concept does is it triggers an integer overflow, which causes length to wrap around and become zero, and then this loop up here ends up going back to the beginning of the message and parsing it again, which is why there ends up being an infinite loop in the code. So you can see that this bug would have been very difficult to find without CodeQL. So that was the end of my demo. I'm going to hand back to Nico now, who's going to talk about the impact this is going to have for software security in general. Thanks.

Thank you, Kevin. This is a great bug, but if you didn't understand the bug, you don't have to worry about it. The whole idea of what we're trying to do here is that we will soon be able to transform the great work of our researchers, like Kevin, and leverage it across multiple code bases to prevent those bugs from ever happening again. I would like to introduce now Rob Fletcher. Rob is the head of product security at Uber. He and his team are responsible for product security; his team's mission is to help Uber developers write more secure code, a mission that is very similar to our own, and we have had the privilege of working with him in the past. Rob, why don't you tell us more?

Hello. Hello, my name is Rob Fletcher and I'm a security engineering manager at Uber. I'm excited to speak for a few minutes today about how we've used LGTM and CodeQL to really strengthen our application security program. Several years ago we launched a three-part test phase to explore the efficacy of LGTM, and we were really excited to see the results that came from the control flow analysis and the tainting functionality. Since then we've rolled out LGTM more broadly, and it's become an important part of our vulnerability management strategy, helping to create a more robust life cycle between manual findings and automated findings. For example, we take our manual findings and plug them into CodeQL query writing, and on average we've been able to find three true variants for every individual manual finding that we write a query for. You know, besides those obvious results of getting more vulnerabilities, it's really raised the ceiling too on how we can scale with the company, when we couldn't do that as well previously. Instead of finding one vulnerability in one codebase, we can write a CodeQL query that allows us to find that vulnerability in all of our code bases on an ongoing basis. As modern development workflows continue to get faster, really the only way security teams can be successful and scale with the company is automation, and LGTM has really helped us there. Besides that, LGTM has also allowed us to be a little more creative in the way we find vulnerabilities. As an example, the idea of a dangerous source making its way into a vulnerable sink is a relatively well known paradigm.
And Security for finding vulnerabilities but, the flexibility, of code KL allowed us to kind of start thinking, in a more creative way on how we could flip that paradigm, on its head and so, what we started doing is looking for leaky, our, sensitive, sources, making their way into leaky, sinks as a way to identify sensitive. Data leakage --is and things like request, handlers, so. Borrowing a friend's quote code quelle is a really great way to ask questions, about your code base and I'm excited to see how we can continue to use code QL and creative ways as our application, security program, grows it's. With all that context, that we're excited to be partnering with github on the open source coalition, and I look forward to seeing. What the future of code QL holds thank you. Thank, you're up. We. Are excited, to have an initial set of partners today that all have commits to contribute, in different forms. Such as stooling, computer, infrastructure, funding. And hours. Of research time, all to, help secure the open source software for the community. We. Want to invite others, to join the same effort. With. Our partners. Commitment, to open source security really. Constitute, a formula, results, to, really make the difference we, need our entire, community or, more and but. Better way to invite, the community participation. Then, offer intangible, incentives. To us as a security of open source software and who, better to discuss, the subject that me Kushan director, of product management a hacker one. Thank. You Nico at hacker. One as a part of our mission to make the internet safer, we, believe that protecting open-source. Is our social responsibility, after. All like, most companies open-source. Software powers, hacker 1 and that's. Why we are thrilled to see how much github, is investing, in open-source security. They're really in one of the best positions, to have meaningful, change in. Case. 
You're not familiar with us are ready at hacker 1 we work with a community of over half a million hackers, or security, researchers, to. Help them disclose vulnerabilities. To programs, often. Programs. Pay a bounty, for the security, research that they received. One. Of the ways that we support open-source is by sponsoring, the internet bug bounty, along, with github that, pays down bounties, to some of the most important, open source projects. Another. Is that open source projects. Can use a version of our popular bounty offering, for, free called, a hacker, one Community Edition and, today. I'm happy. To announce that, we're upgrading, the Community Edition to, include the best feature suite that we offer and. We're. Not stopping there we're also eliminating. The majority, of our program, fees so. That more of the bounty, goes to the hacker which. Will increase incentives. For open-source security. Research. And. Finally. I want to briefly talk about two things we've learned running bug bounty programs, the. First is transparency. The. More open a program is meaning. The more that it discloses vulnerabilities. And the, more people it invites to hack the. Better results. It gets. The. Next is that put simply it, helps. A lot, to get paid. When. Programs, start paying bounties, or when, they start increasing, their bounties they, get better results, which means more secure, code. That's. Why facilitating, payments will, have such a deep impact on open source security and, with. That I'd like to hand it back to Nikko. There. Is a famous Linux, law among security, people that state that given, enough ice all, bags, are shallow really. This to be true that. Is why we are fully committed to rewarding, your time for, looking at open source code. And to, that end we. Are establishing two main mountains to reward blue narrative research on an open source project the. First one we call it the Box layer this. Vanity will reward a security. 
Researchers that create boring, queries, that have found multiple, real-world.
Boon Abilities, with. Associated CVE numbers, the. Second one we, call the alpha one one for all these, money will reward security, researchers who create courage, that are such of high quality and, instability that. Can be mainlined, to our shipit' tool chain thus, directly, benefiting. The entire open-source community. Finally. I want, to invite everyone, maintainer. Developers. Security, researchers and everyone. Else involved. Into software, development community. To visit our website, where you can download tools, such as Cole QL and the newbie SEO extension, receive. Information, about it coming, events and learn about the commitment, that some of these key players in the open source community have, made to improve the security, of our share ecosystem. Please. Check out our website follow. Us on Twitter and stay tuned for the amazing, things are coming we, have. Capture the flag at connect, space after Kino you can met the security, team so, please visit us and now let, me welcome back Erika. Thanks. Nico. Jamie me too Rob and Kevin I couldn't. Be more excited, about the work that we're doing in the security, space it's, great to see this range, of companies coming, together to. Work on issues for, the benefit, of the broader community and, this, is just, the beginning I can't, wait to see this community, grow and flourish, so please do check it out. Now. Let's, look at another way, to get involved in the ecosystem. And that's via actions, actions, lets. You automate, any part, of your development workflow. From. Running tests to triaging, issues, to deploying to a cloud, we. Build actions, to be fundamentally. Extensible. In fact. The github repo, graph, is the, actions, ecosystem. You, can take actions, from anywhere, in the open-source community. Edit, them and reshare. When, you fork a project, with an action in it the, action comes right along with it. To. Date over. 1,200. Actions, have been published, in the github marketplace. That's. Up over. 250. 
Percent since August, I'm. Going to invite Erica kado who, runs our partner engineering, team to the stage to, talk to us about some of the work our team has been doing with partners, to enable some really, cool actions, for github welcome. Erica. Now. Just, to set the record straight I'm, Erica, bee this, is Erica kay and, we are not to be confused with Erica, a our SVP, of sales, there's, so many areas. Hi. Erica we, have been thrilled by how many of embraced actions so quickly, here. Are just a few of our partners, our. Partners, have created actions to let you build very, cool work flows between, github. And their products and projects, yeah. I love seeing the engagement, around actions, it's, such a great example of how the ecosystem. Can provide new functionality. To get hub users and make it easier, to use other products, and projects, with github Erica. What are some of your favorite actions you've seen so far well. To. Start I'd like to highlight terraform. Managing. Infrastructure, has always been, complex, now, imagine, having large, multi-tier, applications, or multi cloud deployments. Hashi. Curves terraform, allows you to codify infrastructure. Unless, you deploy to any cloud this. Simplifies, a provisioning. Process so much in. This. Example we. Want to inverse the color scheme on this octocat, site and have it automatically, deploy, the necklace I with our development, workflow. When. A pull request is made in github the, terraform, plan is triggered from github actions, which will check to make sure your plan really matches, your expectations. Then. When. The pull request is merged the, github actions, will kick off the terraform apply and you're good to go I know. This is a simple example but, this totally automates, your deployment, from code to cloud, it's. Impressive, how terraform. Allows you to deploy to, multiple platforms. So simply, great, work a she Court. Another. Action that I'm excited about is a white source action, with. 
Github, packages, you can discover and publish packages, within github, white.
Source Offers, containers, securities, to canning so, when you include the white source action, those docker images, you're, publishing, can, be scanned for you when. The scanning is complete. You will receive a full report back with, known security vulnerabilities. And license. Information. This. Example workflow, demonstrates. The white source action being kicked off when, a docker container, is published, to github, packages. The. Workflow, will, then add the security, report to an artifact, and github. You. Can also visit the white source site to see the visual representation. Of your report, this. Essentially. Lets you bake security. Into your workflow and it's, so, simple I think. We've shown that security. Is paramount, to us at github it's, great to see this partner, integration and enables you to scan, your containers, for known security, vulnerabilities. Before, you put them into production, well done white source, and. Last but. Not least Twilio. Lets you build really cool communications. Work flows via api's, they. Have written an action, that makes triggering, an SMS, from github super, simple having. An automated workflow is great but, there may be times when you need to alert someone through SMS, for some high priority, item. We've. Created a workflow here when app or quest is made for a slide presentation it, can count how many errors are included, and send. A notification when, it detects, a threshold value. Clearly. There, are too many erica's in this presentation, I don't, think you're gonna ever have too many Erica's, seriously. Though how cool is it that you can trigger an SMS, from github so simply, this is awesome work from Twilio. Thanks. So much Erika. And. Of course that's just a small sample of, the over 1,200, actions, available, today and now, that actions, is generally, available they're, available to everyone so please go ahead check, them out in the marketplace, and even, build your own thanks, so much Erica, I. Talked. 
Earlier about our mission, at github to, be the home for all developers, and we, know that developers, want choice who. Doesn't, we're. Committed, to delivering, on this and ensuring. That every, part of your development life cycle is, swappable, when you're using github, this. Includes CI providers. Security. Solutions, cloud platforms. And more actions. Takes this to heart you can automate anything replace, any part, of your workflow and integrate. Easily with other tools on that, note I'd like to invite Claire a principal, engineer from, Amazon Web Services, to, the stage to show us an awesome cloud, code to cloud workflow, that they've built welcome. Claire. Hi. I'm, Claire Liguori I'm a principal, engineer on the aid of youth containers, team and I'm. A big fan of containers, I love. That containers, can help us to share our applications. With others and I, love that containers, can help us to deploy our applications. To the cloud I, like. That there's this easy, standardized. Way to describe, how to build my application for, a container with, all the dependencies, built right into the container image, I like. That when I share that image with you I don't have to make any assumptions, about what Linux flavor you're running or libraries. You have installed, I can simply share this image with you and then. It's, as easy as darker, pole and docker run for, you to have my super cool application. Running on your laptop so. It's. That easy, and then when you get to the cloud, now. You can scale out to multiple. Copies of your application, running in containers, for high scale you. Can scale out to multiple applications. Across many different containers. But. You start to need something to manage, all of these containers, for you to, help you deploy, and, scale and, keep them running all the time. At. AWS. We have a broad portfolio of services to, help you run your containers, in the cloud the. Elastic, container registry ECR. 
Will help you to store your container, images and share those applications, with others, we. Have two services to help you manage and deploy and, scale containers. The. Elastic, kubernetes, service eks. For your kubernetes, workloads, and the, elastic container service, ECS. We. Have two options for ecs for where your containers, run easy, to and Fargate. So. For example if you use ECS, to deploy and manage your containers, you, can create a resource, called a service where, you tell ECS I want to run fifteen application.
Fifteen Copies of my application, all the time ECS will keep those containers running and you. Can give three easy two instances, to ECS to run those containers, or. You. Can take advantage of Fargate, Fargate. Is serverless, compute, for your containers, so. You can tell, ECS, i still want to run 15 copies of my application, but, i want to use Fargate so. You don't have to have any ec2, instances, to scale or, manage, or patch, those instances. You. Can simply focus, on building your applications, packaging. Them into containers, and deploying, them to the cloud without, worrying about the underlying compute, for those containers, I. Specifically. Focus on developer, tooling for ECS and Fargate, so I'm super excited to be here today talking, about github. Actions, for ECS Fargate, and EC are I think. That github actions, can, help us to smooth. The way to getting, our code into the cloud I think, a lot in my day to day life about what are those little frustrations. We have as developers, every day, what, are those things that slow us down from. Getting our code into the cloud and I think about what are the integrations. That we can create for ECS to. Help make that a smooth, process. So. Today I'm really excited to announce that AWS. And github have collaborated, on a set of for github actions, that, are in the github marketplace, today. So. In order to show you these four actions, I'm gonna take you through a sample day in the life of a developer, who's, using ecs, Fargate. ECR. And these github actions. So. To do that I'm going to use mythical, misfits calm this. Is an online adoption, agency, for mythical creatures, you. Can select different characteristics. To find your favorite, mythical creature and then, view, their profile, to find out more information about them I happen. To like koko the dragon quite a bit I think she's pretty cute so, I'm gonna go ahead and hit this like button this little heart. So. This is a containerized, application. 
With multiple micro services behind it so. I have a like, micro, service. So. This is generating. The the, API that's driving, that heart button that like button so. We can go ahead and try it out and I'll paste in the ID for, Coco the dragon she's pretty cute, so. Now Coco has two likes. So. As I said this is a containerized, application. This micro service is running on e CS and Fargate, ecs, is keeping three copies of my application, running at all times and, it's, running on Fargate. So. If I go over to the ec2, console, I have no instances, running I can, simply, focus on deploying, my applications. And containers, and not on those instances. Here's. My docker file so this is such an easy way for me to specify, here, my Python dependencies, here's, my Python code do. A little bit of linting, in there to make sure my style is good and then, here's the command to actually run that and. Then. This is the actual Python flask, code that's driving, that API. But. One of the things we have a problem here there's no unlike, API, I can't, actually unselect. That heart if I decide I don't like Coco anymore so, I'm gonna go ahead and build that today and push that out to my application. So. The first thing I do on my laptop I run docker build I got to get my workspace set up but. It looks like the build is broken looks. Like some linting rules have failed. So I'm gonna go ahead and see who actually broke, the build who, on my team broke it, and. It's Coco the dragon that's weird what is she doing in my git repository.
She says, "I tested this locally on my laptop, so it totally works, I promise." And haven't we all heard that from our teammates, and maybe from ourselves, at one point or another? So I think this is one of those first things that slows us down day to day as developers from getting our code into the cloud. So I'm going to automate this away with GitHub Actions. So the first thing I do is I have this check workflow. On every pull request it's just going to run docker build. This is such an easy way for me to make sure that that build has never broken and I don't get slowed down by my other teammates. So to see this in action, I have my unlike API ready to go. It's in a pull request. My teammates can review this code in GitHub. I have written that unlike API in my Python Flask application, and then my teammates can see that the checks have passed, and they've seen that my custom GitHub Action check has run successfully and it's run that docker build command. So this is the same thing that I could do for any containerized application that I store in a GitHub repository: I can have that really simple check run every time there's a pull request. So now we've seen that it's successfully built. Now I need to deploy. Now is the second time where I have something slowing me down from getting my code into the cloud. What we're looking at here is a task definition file for ECS. This is basically the configuration I need to give to ECS to run my container: things like what image do I want to run, what environment variables do I want to set. But the image ID changes every time. I have a unique image ID that I need to go and fill in to this file, then I need to deploy this file to ECS. So this is a multi-stage process. It's kind of manual, it's error-prone, I don't really like to do it, I just want to focus on writing my code. So I'm going to again automate this away with GitHub Actions. So this is using those four actions that AWS has published today. This is going to run on every push to the master branch. First thing that happens is it's checking out my source code that just got pushed to the master branch. Next is the first GitHub Action we've published today, configure AWS credentials. This is taking AWS credentials that I've stored in GitHub Actions secrets and configuring the environment so that other actions can use them. Next I'm logging in to ECR. This is where I'm storing my container images. Next I'm going to go build and push that image into ECR. So the tag for this image is going to be the commit ID, and it's going to push it into the registry that came out of that login ECR action. So this is pretty much what you would do for any containerized application: docker build and docker push with this unique ID. And then I need to take that ID and fill it in to the task definition. So this is the third action that we've published, render task definition. It's going to take that unique image ID that was generated from the commit ID and fill it in to my task definition for me, replacing that to-do fill-in string. And then, last but not least, the fourth action, deploy task definition. So this is going to take that file, deploy my image and the configuration around it to ECS, and wait for that deployment to be successful. So let's look at it in action. I'm going to merge in my unlike API pull request, and because I'm merging into master, that's actually going to kick off automatically my deploy action here. So as soon as I push into my repository, I can see that this deployment is in progress, and we're quickly going through checking out the code, configuring those AWS credentials, logging into ECR, and we're on to the build for the Docker image. So it's pulling in all of my Python dependencies, copying in all of my Python code, running linting, and then finally it's going to push into ECR. So at this point I could share this application with others, and now I'm going to deploy this application to the cloud. So now that I have this unique image ID with that commit ID for the commit, it's filled it into my task definition automatically, and now my deployment is in progress. So looking on the ECS console, we can watch this deployment in progress. So I've told ECS I want three copies of my application, so I now have three copies of the old and three copies of the new while the deployment is in progress. And then we can go and we can look at the events tab and actually watch what's happening under the hood, so
Now, if you'd like to see it working live, you can stop by and see us at the Partner Innovation Connect event this afternoon from 12:00 to 2:00, and thank you very much. We'll welcome Erica back to the stage.
Thanks, Dan. And thanks to all of our presenters today. It's so cool to see the way that different members of the community are coming together to work on addressing challenges such as software security via token scanning, security research, container scanning and more. I also love seeing how the combination of products and projects from across the ecosystem can automate manual work for developers via solutions for cross-browser testing, code to cloud, notifications and more. In a world with over a hundred million developers on GitHub by 2025, the creativity of our development team can never match the creativity of the world's developers. It's only through collaboration that we can jointly deliver everything needed to support all of the different ways that people want to build software together. We look forward to continuing on our mission to be the home for all developers and to work with the software development community to provide the canvas on which the world's developers can do their best work. Now, before I wrap up, just a few quick notes. First, stop by the partner innovation area, as Dan mentioned, from 12:00 to 2:00. We have a variety of partners who will be showing their actions, and they can also answer your questions about what it was like to build actions and give you some pro tips. And also stop by the Ask GitHub booth, where we're staffed with support folks, engineers and others from across GitHub to answer all your questions and also, of course, to collect your feedback and hear what you'd like to see next from GitHub, with