Mike Hanley, CSO, GitHub on “guns, gates, guards”, AI, ignoring the “flashy stuff”
"You have to be intentional about designing for real people who are not security experts."
When Mike Hanley joined GitHub little more than two years ago, he was its first Chief Security Officer. This late appointment of a cybersecurity chief to such a high-profile software company is arguably indicative of the community which GitHub has traditionally served – one of developers looking to write code first, and think about security second, if at all.
Hanley has been working hard to ensure that a more security-centric culture takes root not just inside GitHub but among the developers it serves. He joined The Stack for a flying chat at GitHub Universe 2023 in San Francisco as the platform announced a slew of AI and security-centric updates that take the idea of “shifting left” to code whilst it’s being written. (Interview lightly edited for clarity and brevity.)
What’s the biggest security challenge you face at GitHub?
I would reframe it as the biggest opportunity: we are the home for open source. The vast majority of open source projects live on GitHub.
We have a massive customer base building software on GitHub. There’s a very large community, but also, a very large opportunity to raise the bar and improve security across the ecosystem, like helping make sure everybody who uses github.com has two factor authentication (2FA) turned on. Today we’re [also] driving these AI-powered experiences that are giving you security superpowers that you may not have had before. So a huge opportunity across the board to make a big software impact…
“The developer tool space has not caught up”
If you look at any of the big security reports that come out annually summarising security incidents, phishing and account takeover are [still among] the primary causes of breaches. The IT landscape has been driving zero trust and strong authentication for a long time. The developer tool space has not caught up. We decided to drive adoption of 2FA across everybody who contributes to github.com and spent a lot of time and energy getting that right. With all the critical open source software and the communities that live on github.com – [there’s] really critical software that's powering critical infrastructure, mission-critical systems, the things that go into your iPhone, they go into your car, or they power your refrigerator; those open source pieces are built on github.com.
So security really starts with the developer; securing them and their accounts and the communities that they're a part of is just as important as making sure that we help them write secure code… [Mike flags GitHub’s dependency graph, which lets developers identify a repository’s or package’s upstream dependencies and public downstream dependents and see them, together with vulnerability information, on the graph for that repository. Customers can also export the current state of the dependency graph for a given repository as a Software Bill of Materials (SBOM) in the industry-standard SPDX format, via the GitHub UI or the REST API.]
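The SBOM export mentioned above is only useful if something consumes it. The following is an added example, not GitHub's or The Stack's code: it parses an SPDX 2.3 JSON document in the shape of a dependency-graph export, pulls out each package's purl and version, and cross-checks them against an advisory list. The sample SBOM and the advisory entries are constructed for illustration (the advisory identifier is a placeholder), and the fetch helper assumes the REST endpoint `GET /repos/{owner}/{repo}/dependency-graph/sbom`; it is only called if you run the script with a token.

```python
"""Parse an SPDX 2.3 JSON SBOM and cross-check its packages against an advisory list.

Added example, not GitHub's own code. The SBOM document and the advisory list
below are constructed for illustration. The fetch helper targets the REST
endpoint GET /repos/{owner}/{repo}/dependency-graph/sbom (assumed here) and is
only invoked when a token is supplied.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample: a minimal SPDX 2.3 document wrapped in an "sbom" key,
# mirroring the shape of a dependency-graph export. Real exports carry far more.
SAMPLE_SBOM_JSON = json.dumps({
    "sbom": {
        "spdxVersion": "SPDX-2.3",
        "name": "com.github.example/demo-app",
        "packages": [
            {"SPDXID": "SPDXRef-DOCUMENT", "name": "com.github.example/demo-app"},
            {"SPDXID": "SPDXRef-npm-lodash", "name": "npm:lodash",
             "versionInfo": "4.17.20",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
            {"SPDXID": "SPDXRef-pip-requests", "name": "pip:requests",
             "versionInfo": "2.31.0",
             "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                               "referenceType": "purl",
                               "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        ],
    }
})

# Constructed advisory list: purl without version -> (first fixed version, id).
# The identifier is a placeholder, not a real advisory.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "pkg:npm/lodash": ("4.17.21", "EXAMPLE-ADVISORY-0001"),
}


def load_sbom(text: str) -> dict:
    """Return the SPDX document, unwrapping the "sbom" key if present."""
    doc = json.loads(text)
    return doc.get("sbom", doc)


def extract_purls(doc: dict) -> List[Tuple[str, str]]:
    """Return (purl without version, version) for every package carrying a purl."""
    found = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            # Drop qualifiers and subpath, then split off the version after the last "@".
            locator = ref["referenceLocator"].split("?", 1)[0].split("#", 1)[0]
            base, sep, version = locator.rpartition("@")
            if not sep:  # purl without a version component: fall back to versionInfo
                base, version = locator, pkg.get("versionInfo", "")
            found.append((base, version))
    return found


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric-only ordering; non-numeric segments (pre-release tags) sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def find_affected(purls: List[Tuple[str, str]],
                  advisories: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (purl, version, advisory id) for packages below the fixed version."""
    hits = []
    for base, version in purls:
        if base in advisories:
            fixed_in, advisory_id = advisories[base]
            if version_key(version) < version_key(fixed_in):
                hits.append((base, version, advisory_id))
    return hits


def fetch_sbom_text(owner: str, repo: str, token: str) -> str:
    """Fetch a repository SBOM; endpoint assumed, see module docstring."""
    url = f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/sbom"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for base, version, adv in find_affected(extract_purls(load_sbom(SAMPLE_SBOM_JSON)), ADVISORIES):
        print(f"{base}@{version}: affected by {adv}")
```

Running the script against the constructed document reports the lodash entry as below its fixed version; swap `SAMPLE_SBOM_JSON` for the output of `fetch_sbom_text` and a real advisory feed to use it against an actual repository.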
How have you seen the threat landscape evolve in recent years?
The same stuff keeps working for bad guys [credentials abuse; application vulnerability exploits]... where there are things that have not changed, we're happy to be change agents, and help drive different standards and different expectations in that space. That's where you see innovation, like what you saw in the keynote today, where we're trying to make it easier not just for people to find vulnerabilities, but also to know how to fix them.
This is a superpower for developers. We know about the talent shortage in cybersecurity and we see how many hundreds of thousands of cybersecurity jobs are unfilled. This provides an opportunity to help developers who are not security experts get to a great security outcome.
[GitHub’s focus on credential security is born of hard-won experience. In 2022, hackers used OAuth tokens (OAuth is an industry-standard authorisation protocol) stolen from software providers Heroku and Travis-CI to access and download private GitHub repositories belonging to dozens of victim organizations, including GitHub itself; the attackers conducted the activity using the /user/repos and /orgs/{org}/repos GitHub API endpoints.]
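A stolen token looks like a legitimate integration right up until it starts listing repositories across organisations it has never touched before. The following is an added example, not GitHub's or The Stack's code, of the kind of threshold check a defender can run over API access logs to surface that pattern. The log format is constructed for illustration (a generic access log with a token id, method, path and status), not GitHub's audit-log format, and the window and threshold are assumptions to tune for your own integrations.

```python
"""Flag API tokens that enumerate repositories across many organisations.

Added example, not GitHub's or The Stack's code. The log lines and their
format are constructed for illustration; the 10-minute window and the
three-organisation threshold are assumptions, not recommended settings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: "<ISO timestamp> token=<id> <METHOD> <path> <status>".
# tok_a lists repos for three organisations within seconds; tok_b is a normal
# integration touching a single organisation over the morning.
SAMPLE_LOG = """\
2022-04-13T01:02:03Z token=tok_a GET /user/repos 200
2022-04-13T01:02:05Z token=tok_a GET /orgs/acme/repos 200
2022-04-13T01:02:06Z token=tok_a GET /orgs/globex/repos 200
2022-04-13T01:02:08Z token=tok_a GET /orgs/initech/repos 200
2022-04-13T01:02:09Z token=tok_a GET /repos/acme/billing/zipball 302
2022-04-13T09:00:00Z token=tok_b GET /orgs/acme/repos 200
2022-04-13T09:30:00Z token=tok_b GET /repos/acme/www/commits 200
"""

LINE_RE = re.compile(r"^(\S+) token=(\S+) (\S+) (\S+) (\d{3})$")
ORG_REPOS_RE = re.compile(r"^/orgs/([^/]+)/repos$")

Event = Tuple[datetime, str, str, str, int]  # (timestamp, token, method, path, status)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format, skipping lines that do not match."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events


def find_enumerating_tokens(events: List[Event],
                            window: timedelta = timedelta(minutes=10),
                            org_threshold: int = 3) -> Dict[str, List[str]]:
    """Return {token: sorted orgs} for tokens that successfully listed repos
    for at least org_threshold distinct organisations inside one window."""
    listings: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, token, method, path, status in events:
        if method != "GET" or status != 200:
            continue  # only completed listings count
        m = ORG_REPOS_RE.match(path)
        if m:
            listings[token].append((ts, m.group(1)))

    flagged: Dict[str, List[str]] = {}
    for token, items in listings.items():
        items.sort()
        # Slide a window starting at each listing and count distinct orgs in it.
        for i, (start, _) in enumerate(items):
            orgs = {org for ts, org in items[i:] if ts - start <= window}
            if len(orgs) >= org_threshold:
                flagged[token] = sorted(orgs)
                break
    return flagged


if __name__ == "__main__":
    for token, orgs in find_enumerating_tokens(parse_log(SAMPLE_LOG)).items():
        print(f"{token}: enumerated repos for {', '.join(orgs)}")
```

The check deliberately counts only successful `GET /orgs/{org}/repos` calls so that a token probing organisations it has no access to (and receiving errors) is handled by ordinary rate-limit and authorisation-failure alerts instead; a follow-on download after a burst of listings, like the archive request in the sample, is the next thing to look at once a token is flagged.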
Would you describe this as part of “shifting left?”
Shifting left has been around for 10 plus years as a buzzword, but it’s not that far left to say you’re doing security while you’re running continuous integration and testing. With Copilot, the best place for developers to receive feedback is as they’re bringing their idea to code... If I can get feedback on the line I’m currently writing, this is the least expensive, most effective, best experience for developers to have of security.
But we also know that that's not Level 5 self-driving, right? I still have a steering wheel on this car, and I need to get my hands on the wheel. That's where improving the state of the other security tooling that you have throughout the software development lifecycle, including things like code scanning… Improving the user experience actually helps you get better coverage across the board. But you're ‘shifting left’ to say you're getting feedback at the onset of bringing your idea to life; it’s a big shift.
This is not just about AI. You think about things like using memory-safe languages; we're moving in the right direction on that front. [But as an industry] we still rely on critical applications [with] code that was written years ago… we know that there's still that legacy technical debt that the ecosystem as a whole bears. But I think from here on out, for a lot of things that are new, we're going to see dramatic improvements in preventing vulnerabilities before they ever have a chance to start.
How do you balance speed and security?
In some organisations, speed and security are seen as opposing, but I think you can have both. You have to have a culture and an approach that says, ‘I want to have high security and for it to be easy for my developers to experience it.’ Maybe 10-20 years ago it was the ‘guns, gates, guards’ approach… But the more important job in many ways of the security team is to make sure the right things happen reliably and safely, while tending to making sure that the bad things don't happen. You have to be intentional about designing for real people who are not security experts.
What do you look for in a security team?
I'm a big believer that people do their best work when you set them up with clarity on what our goals are, you empower them to do their best work, and you really give the context, so that people can actually make decisions as close to the work as possible. We have a big engineering team and a big security team inside GitHub; I actually want people to make decisions close to the problems, because they have the best view of things.
And then I want to know, how can I help them map that back to what the company needs to accomplish? But also, how can I, as a leader, support them, or their team, with the right resources, prioritisation and clarity, context, etc, to make sure that those things get done?
But the fastest organisations are the ones that push decision making down, push context and information down, and my job is to help them get things done.
What is the single biggest thing an organisation can do to improve their security posture?
Focus on being brilliant at the basics.
There are many things out there in security that are less effective and interesting than getting the basics right. If you’re buying something that’s going to tell you who’s breaking into your house, but you haven’t put a lock on the front door yet… My big advice is to think about a pyramid. Have an actual security strategy, hire and train the right people, empower them with the right tools. Get that stuff at the bottom right, it’ll let you build to the top. Far too much of the security space is focused on the flashy stuff, not the foundational stuff. Ignore the noise, focus on getting the basics right, your organisation will be way more secure.