What does protecting the more than 100 million developers on GitHub’s platform take? And what can your team learn from GitHub’s impressive security posture? 

On this week’s episode, co-host Conor Bronsdon is joined by Jacob DePriest, VP and Deputy Chief Security Officer at GitHub. Join them as they discuss Jacob's journey from the NSA to GitHub, delving into how AI impacts the security space and the future of Copilot's ever-expanding capabilities.

The conversation also explores how enhancing customer trust, investing in diversity within security teams, and bringing security to where developers work are critical in improving security industry-wide.

Whether you’re protecting dozens of users or millions, Jacob has practical advice for engineering leaders everywhere.

Episode Highlights:

  • 02:30 Intersection of DevOps and security
  • 06:00 Research in cybersecurity
  • 14:30 AI’s impact on the security space
  • 21:00 Jacob’s career at the NSA
  • 28:00 Advice for engineering leaders (focus on the fundamentals!)
  • 34:00 The future of security teams and industry collaboration

Episode Transcript:

(Disclaimer: may contain unintentionally confusing, inaccurate and/or amusing transcription errors)

Conor Bronsdon: Hey, everyone. Welcome back to Dev Interrupted. I am your co-host, Conor Bronsdon, and I'm delighted to be joined by Jacob DePriest. He is the VP and Deputy Chief Security Officer at GitHub. Jacob, welcome to Dev Interrupted.

Jacob DePriest: Yeah, thanks for having me. I'm really excited to talk today.

Conor Bronsdon: It's going to be a lot of fun.

I've heard some incredible things, like you help protect us from North Korean hackers, you spent 15 years in the NSA before your work at GitHub on the security side of things, and there's such an evolving threat. Area in this space currently and also opportunity so very exciting event and GitHub is obviously a company that needs no introduction to our audience.

It's own to over a hundred million developers and you're really responsible for leading the teams that keeps the platform product and users as well as customers safe. So I know you started that devsecops career long before GitHub at the NSA, and yeah because of that experience, you're the perfect person to talk to about how.

AI and these other trends are impacting the security space. You're joining us today live here at DevOps Enterprise Summit. If you're watching on YouTube, I highly recommend it. We're here in the Dev Interrupted Dome. It's a ton of fun. And you also gave a present presentation I believe today on how AI is impacting developers through capabilities like GitHub Copilot.

How AI is evolving the security space. And suggestions on how to move security into an AI assisted future. That's the hot topic, right? Let's just dive in right there. Tell us about your talk.

Jacob DePriest: Yeah, so we started today talking about how DevOps and security really mix together and need to happen together, right?

We can't have security without DevOps. As we think about the biggest security challenges that a lot of companies are facing, a lot of them Tie back to the software development process, developer accounts, account security, they tie to supply chain, right? It's not just an easy way to point and say there's this one area we gotta focus on.

It's the whole thing. And today we talked through how all those things fit together, and then a little bit of GitHub's journey, a little bit of my journey, and then how now that we have things like GitHub advanced Security at GitHub, we've really been pushing to shift security left in the developer workflow.

What's that look like now in 2023 and beyond as we're integrating AI into, many aspects of the software development life cycle?

Conor Bronsdon: Yeah, I'll share. I previously worked in the Microsoft Services organization on the cybersecurity piece here, particularly around the thought leadership of what's coming trend wise.

And it's so interesting for me, having left that org, four or five years ago now to, See these trends that we're seeing, the research that we're seeing, the things that people are thinking about start to be really real, particularly with AI, with Copilot, all these new things coming out of GitHub.

So I'd love to get an overview from you around Love to get an overview around what security looks like at GitHub today.

Jacob DePriest: Yeah, so we have, when I think about security at GitHub, I think about it as two different, two different angles. One is internal and product facing, and then the other is what we are providing to the open source community and to our customers.

And so on the internal side, that's the team I'm responsible for. We are running the day to day internal security for GitHub. And so that is things like our security operations team, so incident response, threat intelligence, threat detection and response counter abuse. We have an amazing counter abuse team.

Our identity and access management team, all that's in that security operation space. And then we have our product security team, and they're focused on making sure that the products that we ship out to customers and the community are safe, secure, and continue to be operated that way. And then we have our Governance, Risk, and Compliance team, which is working through our company risk.

They're working through our compliance programs, all our certifications. And then finally, we have a really interesting team, which I love being part of the security team and being part of GitHub, is our security research team. And they're really focused out at the community. They're taking the tools and the talent that they have.

We have some world class researchers on the team. And they're going out and working with open source community, other researchers at other companies and universities. And they're looking for trends in vulnerability spaces. They're learning how to use things like CodeQL, which is our static analysis tool at GitHub as part of GitHub Advanced Security, and how to apply that at scale, or at very specific popular open source packages, and really raise the level of the security in the open source ecosystem.

Conor Bronsdon: Thank you for that great overview. I'd love to dive into the research piece to start off. Can you share a bit about what's been happening on the research team and what trends you're seeing or maybe examples of recent attacks you want to highlight?

Jacob DePriest: Yeah, sure. We start on the research side of things. I think it's really fascinating because supply chain is such a huge challenge, right? And we talk about open source and we talk about 100 million developers on the GitHub platform. How do you secure all the work that's happening there and all the different ecosystems and all the different dependencies that are happening?

And Things like DependentBot and GitHub Advanced Security help in that. And we also have to be part of the community that's looking for those vulnerabilities and trying to make the core services that so many companies and packages use more secure. And this team is out coaching and presenting and teaching and helping others learn how to do that inside their companies and for the community.

But then they're also the ones out looking for interesting zero days that we then will responsibly disclose. And, you get out and keep the community safe before they are exploited by threat actors. And I think that's a really interesting thing. On the broader security trend side of things, we see the developer account as one of the core security kind of pillars in that supply chain attack landscape.

And what I mean by that is, often, It's not necessarily a zero day that a threat actor is going to get and go in through the front door, right? Totally. That happens, but many times we're seeing social engineering campaigns, we're seeing phishing attacks, we're seeing all these things, and we have this really interesting, unique position in the, the ecosystem.

And, that's one of the reasons we are rolling out 2FA requirements for every developer who contributes code on GitHub.

Conor Bronsdon: Multi-factor authentication is crucial. It is. And it's like the simplest. Add-on, you can do to make it significantly harder for things to go wrong.

Jacob DePriest: And we support a lot of different kinds on GitHub, and we do that on purpose.

Arguably it would be great if we could all move to pass keys and things that are really more secure and reliable, but we have developers worldwide and not every one of those developers has access to the latest technology, right? Some of that technology is expensive, and so we really want to make sure that the developers in the open source community.

Everywhere in the world from every background can use the platform, but it's really important that the people that are contributing code have 2FA turned on. And so that's why it was slightly controversial, but we made the decision to say, no, we're going to enforce this because it's that important.

Conor Bronsdon: It's the right thing to do. In the ecosystem. I think it's really interesting. You mentioned social engineering, so this is obviously like. When we think about this one of the biggest vulnerabilities that we have is simple things like phishing attacks, where, you know, someone, clicks on the wrong link, or gives their credentials out, or, you may get those texts where it's saying, ah, it's your CEO, I need you to buy Amazon gift cards, or whatever it might be.

Jacob DePriest: We have a custom emoji inside GitHub for how many gift card scams that Hubbers get every day.

Conor Bronsdon: Ah, it's amazing. That's a very fun way to do it, and make it A game to respond to and make people encouraged by it and I'm fairly certain I mentioned the Vegas attack earlier, but I believe the initial vulnerability was they called IT and so they needed to reset someone's password.

Yep. And that's how they got in, this very simple social engineering.

Jacob DePriest: I think that's right, yeah.

Conor Bronsdon: And. It's a common story. Yes, as you mentioned, there are zero day exploits. We need to pay attention to those. Those will have massive systemic risk. But, we also need to improve training. We need to improve these basic security principles, like 2FA, like MFA, like you mentioned.

How do you see... Those trends around training, the need for people to up level around this, and for better systems affecting the future of security.

Jacob DePriest: Yeah, so I think the foundations are really the key here, right? It's fun at conferences and in books and other places to talk about these really wild and esoteric emerging threats, but fundamentally, a lot of the core security principles are just getting to the basics.

Let's do the basics well. So let's get 2FA turned on. Let's get secret scanning turned on. Let's get a, let's get these kind of core things there that threat actors continue to exploit over and over again. And we absolutely need to look to the future and the more advanced techniques as well.

And, it would be remiss to not do that. But I think sometimes we see teams get out ahead of themselves and they're focused on... The advanced threats and they haven't put the basics in place, right? And every time I talk to a partner, another CISO, another, customer, one of the things I say is Hey, have you turned on secret scanning yet?

Is it on your open source repositories? And if they're advanced security user, That they have it on their internal repositories. Because we just see that also being a way that threat actors get in. They, whether it's social engineering or stolen credential or whatever it is, they get into a developer's account.

And normally the risk of that is fairly low. Unless there's secrets in there. And if there's secrets in there, they can take those secrets often and pivot and do much more damage than they otherwise could have done. And that's why we're so Persistent in trying to talk about that and make those services even better.

And we just rolled out push protection for secret scanning to all open source public repos on getup. So now everybody can use it so that it will stop the secrets before it even gets into the repos, which is even better, so you don't have to remediate it afterwards.

Conor Bronsdon: This is a great topic because I think it's something where we take relief from national defense, where we say, look, like compartmentalization of information is a crucial thing when it comes to nation states. If you look I'm sure you, you're obviously worked in the NSA for 15 years. Like you're very familiar with this. This is a crucial thing in warfare and simply like nation state actors.

This is exactly what we're talking about here with secret screening, where it's like, Hey if there is crucial information on this account that could make other accounts vulnerable, like we need to be aware of it and be able to shut it down. And it's the same concepts coming through. And A lot of businesses, though, don't realize how important that is or don't have the focus on it that maybe a national security group would.

Jacob DePriest: Yeah, and I think, defense in depth and zero trust come into play as well. So it's, it's not enough just to put one measure in place, you want two-factor authentication and preferably strong biometric backed two, two-factor authentication. And then you also want things like just in time access and then conditional access, so is the laptop, did it do impossible Travel?

Did it log location? What's it from? Boston and then Las Vegas within three hours. That's not likely. So factoring all those things into every one of these just helps the IT departments and the security departments make better decisions, have less things they have to think about and be trained on, and it gets more automated, and we can have more signals to think about as a security team.

Conor Bronsdon: As you put it, these are the foundations we need to put in place, and a lot of folks like to build on top of that without actually putting the foundations fully in. I'm curious, you mentioned Zero Trust obviously this is a really important concept that's being, I think, more and more discussed, whether that's Zero Knowledge Proofs or other approaches here.

Do you see Zero Trust being taken up by the community and actually leveraged, or is it something where you, a lot of folks are still resistant to actually taking this approach to security?

Jacob DePriest: Yeah I think it's happening slowly but surely. I think the principles there of zero trust and things like secure by design, secure by default, I think all of those are starting, we're starting to see those in the products vendors are selling.

We're starting to see those be just accepted best practices now. And I think how far companies are in their journey. It's really dependent on what tech that they had, where did they start, where are they coming from, what's the culture? Because the culture has such a huge, I think, impact to all these technical discussions.

Is the culture ready to adopt some of these security things? Are they comfortable talking about, just in time access and conditional access and, dealing with that in terms of training and access? And so I think it's all coming together. I do think it's really important though.

I think. Allowing the, least privilege in the right situations for developers, for IT administrators, for security administrators, right? Having that in place, having the auditing in place, and then, being able to reduce blast radius if something goes wrong. I think those are all the core principles that we're seeing come out of Zero Trust and come out of Secure by Design that just make sense and, need to happen.

Conor Bronsdon: And it's encouraging to see it happening now.

I know, I think we, anyone in the security space would love to see it happening faster, but... I think we often get distracted by some of these flashier trends that are also hugely impactful. One example is AI, which I know you featured in your Heavily in your talk.

Can you talk a bit about how AI is impacting the security space now as LLMs are now public knowledge and spreading rapidly?

Jacob DePriest: Yeah, absolutely. We think about this in a couple different ways, and I think about it a couple different ways. With my security hat on, thinking about AI and, like, how threat actors are adopting it or not adopting it.

It's making bots way easier. It's making bots way easier. Things like that. I think that is one of the aspects there, but then from a developer perspective, it's also having a huge impact, right? And one of the things that we're seeing with Copilot is that GitHub Copilot, which is our in editor auto completion capability is that developers are moving a lot faster.

They're accepting a lot of the suggestions that are happening. They're even... reporting that they're being more fulfilled, like 75 percent more fulfilled, which is amazing. But one of the effects of that on security is, the boilerplate code that developers are spending all that time, on web search and on man pages and on docs doing.

It's just happening. And then we've got security filtering as part of GitHub Copilot as well. And it's blocking some of the basic security mistakes that a developer may or may not make. And What they're able to do is spend more time on higher order problems. They're able to free up more time to look at things like SAS scanning tools, or review dependency alerts, and things like that.

And the net effect, I think, is we're seeing security shift further left than we ever thought possible with some of these tools.

Conor Bronsdon: You referenced the phrasing secure by design earlier, and I think this is a really crucial thing for the audience to understand because Microsoft and GitHub have been really investing in this for years now and saying this is a base level foundation for us.

We're going to create security and bake it in from the very start of our products. And particularly now with AI being enabled through Copilot and these other usage, is it's exactly what has been thought of for a while now in the security space, where AI and ML can be applied to And then providing humans more signal, more information and letting them focus on these key tasks where the human brain is really good at that, that strategic analysis and taking those insights going, okay, here's what to do next.

And I think that's the really exciting thing for me is looking at how AI has also been baked into security technology and starting to understand that. And I know the flashier part is the LLMs and frankly, Copilot too. Copilot's amazing. But some of these very simple usages of just Hey, we're going to help you identify risks faster than the human mind can necessarily find it.

And then give you that signal are also really exciting to me.

Jacob DePriest: Yeah, absolutely. And I think there's also a whole element of refactoring code and like these kind of secondary. Like developer concerns as well that also have security impacts. And how many times have, has a developer shown up to a new team?

It's in a different language than they expected. They're bringing their old toolkit with them. Or the team is mostly new. And they're like we don't want to code in this language. We want to move it to another. And. That refactoring process, how many security vulnerabilities are introduced in there?

How much time is lost that could have been spent on a secure architecture, secure model, where things like GitHub Copilot are just saying okay, we're going to take this super old Cobalt function, and we're just going to turn it into Rust, and we're going to keep moving, or whatever the language is.

And so I think those are things that we aren't really going to understand the impacts of until we start to see the results at scale, but I think they're going to be pretty big.

Conor Bronsdon: I'll say it's something LinearB is really looking into is like the impact of AI code. We are, we're very fascinated to continue to bring out numbers on it, because we're excited by it.

Like to your point, it's such a massive potential. The signal we're getting from devs about happiness and fulfillment, these things that are so important to high performing teams, success, long term retention, it's really wonderful to see. How do you think Copilot can refactoring process? Because, to your point, there's a lot of code that maybe has minor vulnerabilities throughout it.

How can we leverage AI tooling to go back and solve some of this technical debt?

Jacob DePriest: Yeah, it's a really, I think, big space for us to think about. And at GitHub, we're not really The way we're thinking about it at GitHub is the in editor auto completion's, just the beginning. And so we're looking to figure out how to apply co-pilot and LLMs and this AI technology to every aspect of the developer workflow.

Yeah. And so you can extrapolate and imagine as you're working on GitHub with through poll requests, issues, the security tools. Having that AI helper in every stage of that, how powerful that could be. And those are the things we're really looking at now. We're so excited about what that can do because then once you have all that context from a developer repo or some of the things Nicole Forsgren talked about yesterday in terms of being able to get even more context in and through the AI capability, some of the research Microsoft research is doing there.

The possibilities are really incredible with being able to accelerate even more complex tasks that developers are dealing with. But arguably things that still aren't providing direct company value, right? Refactoring a repo or upgrading to the latest, service technology. It's the output.

It's the user interfacing work that's going to provide the value to the customers and value to the company. It's not that kind of core work behind the scenes. And so we want developers focused on those bigger, harder, more challenging, outcomes than we do some of these kind of core day to day things that are maybe more boilerplate.

Conor Bronsdon: It's really interesting to see the early impacts because it's clear there's so much more potential here.

I think I'm not the first person to say this, but... Everyone's going to have a copilot like thing in their life, whether you're a developer, whether you're a writer, like you're seeing this evolve all over the place, and it's very clear that we're going to just continue to have this AI tooling in here, and so I love that GitHub's taking this approach of saying, How can we inject this across the software development life cycle?

How can we understand the ROI and just free up the human brain to focus on higher order tasks? Because that's really what we want to get out of this, right? Let's leverage robots, bots to help us. And that's what we've been doing for years. And now we're just having more success with being able to pull those matrices together and say, Okay we can get more in depth.

We have better data sets. We can understand more. So it's an exciting time, honestly. I am I... I can't wait to see where we're at in five years, because there's going to be so much incredible change.

Jacob DePriest: Yeah, I'm really excited, and I'm a little biased, but I think GitHub's a fun place to be in the middle of all this as well.

Because, LLMs and AI have such a huge potential across so many sectors. But, I've always been in the developer space and the DevOps space, and so I started out more in engineering leadership. And DevOps and that have moved into the security space the last few years. So being able to see all of that come together through some of these technologies as a place like GitHub is just really exciting and being able to apply it at a scale with a hundred million developers and 90 of the top.

100 Fortune companies, there's some exciting things I think on the horizon and we're already seeing them now. So some of the folks that have already adopted it are just coming back and are like incredible stories about productivity gains that their teams are seeing.

Conor Bronsdon: I want to talk more about those trends, but you alluded to your background and I'd love to just feature that a bit for the audience because I think it's fascinating.

So I mentioned you spent 15 years at the NSA, you started more on like the DevOps engineering side and moved into leadership and have really transitioned now to not only doing leadership but also security. Can you tell us a bit about your career journey? And anything you're able to share about your time in the NSA, I think we'd be fascinated to hear about.

Jacob DePriest: Yeah, Sure. Yeah like you said, I was there 15 years. I started out in hardware and computer engineering, building software defined radio systems. And we were building the tools and the frameworks and the systems themselves as well. And Part of that I loved was still building tools for other developers.

And so it wasn't just the software defined radio systems, but like how do you build a framework that's reusable? How do you build tools that other people can use? And we ended up open sourcing a lot of that, which was really fun as well. It was an interesting experience open sourcing hundreds of thousands of lines of code from inside NSA.

It took it took a while and I learned a lot. But it was a lot of fun. And that's really when I started getting into Agile and, what we now call DevOps, and continuous integration, continuous delivery, and some of the concepts now that are just so core to the software development industry.

But, leading engineering teams who are solving these hard problems was really how I started. And then, when you think about doing that in a place like NSA, where the security requirements are, Critical, right? They're important to every company, everywhere. But you think about some of the potential risk and things we had to think about when we were building these systems.

We really had to bake in security into everything we were doing. And so I learned that along with my DevOps journey as well. And then pivoted into the open source space. And one of the lessons and kind of the outcomes of open sourcing the work that we did inside the Software Defined Radio group was, how do we make this better?

It was a little too long and a little too hard to do. I started spending time trying to understand what those processes were. How could we make it faster? Working with other agencies and other departments to figure out how they were doing it. And then building those processes into how we were doing it inside NSA.

And then the thing that I realized through that, through part of that process was... We were missing an element, which was a developer experience team. And so without a developer experience team as like the nucleus to drive some of these decisions and momentum, it was difficult to see the success we wanted to see in the open source work.

And so myself and a few other colleagues started the DevEx program. And we did this entrepreneurial thing where we created a pitch deck, we created a financial plan, a contract plan, how many headcount we needed, what it was going to look like, what was the five year roadmap. And then we did pitches to execs around the agency, essentially asking for money and funding and resources and also tying in the data back to here's how it makes developers more productive.

Here's the value, here's the tools they're using today, and here's what consolidation would bring us in terms of mission outcomes. And we were able to pull that team together, and we had a developer security team, which was super amazing. We had a productivity team, a DevOps pipeline team, and we just kept going and building that.

And that was really just an amazing journey of bringing the developer side of things and the security side of things together, because we had to help developers at the agency do all this in a secure way.

Conor Bronsdon: Hearing that, it really just makes sense that you're now at GitHub, right? Where it's okay I've gone this whole journey and now I'm going to say let's protect even more developers across the world.

Let's broaden this work and bring it out and continue to focus on the open source piece. It's, this, looking back in hindsight, I'm like, oh, your career just makes total sense here.

Jacob DePriest: Yeah, it's fun how that works in hindsight. Yeah, it is. You're like, oh, okay. But yeah, I totally agree. I think I loved working at the agency.

The mission was great and it was really fulfilling. And when I was considering leaving, I was like, where could I possibly go that would have a really interesting mission? That has this kind of impact and yeah. Wow. GitHub's been that place for me, which is awesome.

Conor Bronsdon: Any highlights from your time working security at GitHub or the NSA you wanna share?

I think there's some amazing stories in this space. We've alluded to a couple of examples, but I'd love to hear from you what are the moments that really stick out for you as they were a zero trust vulnerability that you solved? Is it a particular social engineering network that you've fought back against?

Those stories I think are so powerful 'cause they help. Evoke for engineering leaders who are listening, why this matters.

Jacob DePriest: Yeah, so what's interesting is the stories that we have are daily happening behind the scenes inside the GitHub security team, right? So we have a team that is continually combating abuse on the platform.

Because we still offer a lot of free services, and that's fantastic for education and new developers getting started and small teams who are trying to do a startup. But it's also a challenge because they get abused by threat actors and people trying to take advantage of the compute that's there and things like that.

And the teams produce weekly reports every week, and I read every single one of them. And just the stories that happen there of, hey, we took down... This abuse campaign that was, A, it was costing a lot of money, but B, it was really, reducing the performance or the expectations of our customers and how that was happening on the platform.

And they fixed that, right? And so that's like this daily occurrence. And then if we go to the threat detection side of things and threat intelligence side of things, like a constantly working to keep the platform safe and keep our company safe, but also keep our customers safe. And there's always something happening in the space.

We have a lot of customers across a lot of industries. And so there's always a security incident somewhere in the industry. And often, they come to us and say Hey, what are you seeing? Like, how, what happened to our GitHub accounts? Is everything good there? And, we do what we can to help in those instances as well.

And I don't know that there's any one story that captures that, but I think there's this shared responsibility in the security team, and really almost all Hubbers share this, of showing up and just keeping the home of all developers safe. What's it going to take? What do we have to do that?

Who do we have to partner with? It's not just us, right? We want to partner with the rest of the industry. We have to.

Conor Bronsdon: Yeah, I think that's a really important point to bring up, and I know it's something that GitHub and Microsoft are both very invested in, which is this long term security partnership across the whole industry and sharing research, sharing information because, threat actors continue to evolve every year, we're seeing the amount of cybersecurity attacks evolve every year, the cost of them evolve every year.

And frankly, we can't do it alone.

Jacob DePriest: Yeah, absolutely. And I think, one of the things that like, tying back to my public service time, it's a public private partnership too, right? So companies have to work together across all the different sectors, not just the tech sector, but finance and manufacturing and automotive.

But also the public and private partnership is so important as well, is what are the government's learning that they can share with industry and vice versa? And how can we make each other's security programs better? How can we share the data we're seeing faster? And how can we just level up the entire industry, both private and public, in a faster, more productive way?

Conor Bronsdon: Yeah, especially because we're starting to see more and more nation state supported hacker groups coming after companies and elsewhere trying to either siphon funds or secrets. There's it's such a problem that Most smaller companies, or even large ones, can't protect against a nation state on their own, and so this is where these alliances become so crucial.

Jacob DePriest: Yeah, it's really interesting, too. There's another aspect of this that's, I think, starting to emerge over the last few years, which is internal security teams are starting to become a business differentiator as well for companies. How your security team approaches threat actors, be they nation state or crypto miners or whatever it is, And how they talk about it, how they disclose it, what's the tone in the blogs, how quick is it, how transparent is it?

These things are starting to become not just nice to have, but expected from security teams. And start to be things that if you're evaluating a set of vendors for, a choice to come help you out. You start to think about how are they approaching this? How do they tackle the security challenges and how are they approach and how do they think about it?

And is that a team I wanna partner with? If think when things go bad, right? 'cause something's gonna go bad at some point, and who are you gonna partner with to do it right? And so I think that's an interesting trend that I think we're seeing as well.

Conor Bronsdon: If you were advising engineering leaders in the audience who maybe are building a cybersecurity team or working with them closely about what their approach should be for their team around cybersecurity what would you advise them?

Jacob DePriest: I think it probably comes down to three things. One we already talked about, focus on the fundamentals. Don't skip the fundamentals. Don't skip leg day for those of you in fitness. And I think number two would be get educated, right? So if you're an engineering leader working with a security team, ask for a postmortem on a security incident.

Go sit in and listen to the gory details of the last red team exercise and understand what the red team did and how they did it. Get smart on How threat actors, be they like external threat actors or, a red team internally are approaching your systems and understand how that, that you can engineer towards a better solution and be more productive and learn from it.

Exactly. And then I think the third one comes down to. A close partnership, so I was having a conversation with one of our engineering leaders at GitHub the other day. And we were talking about some core kind of fundamental approaches to security and engineering. And one of the things we were talking about is that engineering really has to drive the roadmap, the architecture, the vision for the product, along with their product partners.

That's not securities to drive, right? Like I don't, as a security leader, particularly with a developer background, I don't want to drive The architecture of what we need to ship amazing co pilot features to our customers. But what our team does need to do is come alongside those engineering leaders and architects and help design it in a safe way from the beginning.

What are the guardrails? Okay, cool, we're going to do this automation to kick off a new service that developers can ship to customers quickly. How is the default state of that? More secure than it was last month. How do we evolve that and make those paths secure?

Conor Bronsdon: How do we ensure we're baking in those fundamentals, those foundations from the very start when we're building products?

Jacob DePriest: That's right. That's right. And that ties into compliance too, right? So compliance and, things like ISO are such a public attestation of your internal security program. And I think, one of the things that Coming alongside between security and engineering brings is the opportunity to have that continuous compliance happening.

So if you've got a core set of approaches and systems that are already compliant, evolving those and building into those is a much more straightforward path than reinventing the wheel with every new system you ship. And so that's where that partnership comes into play, because that may not be something an engineer would think about.

At the beginning is how does this affect my compliance that a customer would see? I certainly never thought that about that on engineering teams. And so that partnership becomes really important there when you can have a GRC person say Hey if we did it over here, it just it comes for free or at least comes with less cost.

Conor Bronsdon: Yeah. I love that you mentioned compliance because it is it becomes the, I'll use the phrase redheaded stepchild a little bit too often occasionally. And I think compliance is obviously such an important thing for us to consider as we take these steps forward because no one wants to be at risk and we do need to put these foundations in place.

I'm curious if you see the trend of policy as code around compliance becoming increasingly important or what you're seeing on that edge.

Jacob DePriest: I think it is important in the sense that Having developers and the security teams understand all of the, not all of, but many of the implications of compliance, I think, comes into play.

The way we approach this at GitHub, and the way I approach it, is essentially, compliance is that public view. It's almost like the attestation of what you're doing, but it's not the goal, right? The goal is security, right? We want secure systems that are resilient against attacks, that are resilient against supply chain attacks or threat actor attacks, whatever it is.

And so the way we show that and demonstrate that is through the compliance program. And so those things are very intertwined, but we don't want to make a security decision or an engineering decision. Purely because it has a compliance outcome, but that's an artifact of a good security decision, if that makes sense.

And so I think it's really important for us, as we're partnering with engineering teams from the security side, is to focus on the why, right? Why is this thing important that we go solve? What set of attacks could this prevent? Why is this a good security outcome? And oh, by the way, this also lends towards our compliance story, which is also really important.

In terms of customer trust and how we talk about this publicly.

Conor Bronsdon: I love that you keep bringing it back to customer trust too, because it's such an important element that I think we sometimes underestimate when we have these conversations. What other trends are you seeing or key elements do you think are coming in the security space over the next couple of years?

Jacob DePriest: We talked a little bit already about security teams being a differentiator, I think, in this space. And I think it is because of customer trust. I think that when you have the opportunity to hear from security teams directly about the security posture, both what went wrong and what went well and what went wrong, you learn a lot about how a company approaches this.

And so I think we're going to see... More of that. I think we're also going to see more diverse security teams. At GitHub, we already see this. So we have machine learning and AI experts on our counter abuse team because we need to. That's how we can keep up. We can't keep up any other way.

And having developers and analysts and AI experts. In security teams, and I think also having security teams that are made up of people with different backgrounds. Maybe a mix of, legal and technical and non technical backgrounds, I think is really important. Because it gives that diversity of thought and approach.

And it avoids a situation where you end up in a corner of thinking that you didn't mean to, right? And so I think having a diverse security team is really important. So I think we're gonna, we are seeing that. We're certainly seeing that at GitHub and we... Invest in that and think about that in our hiring, but I think we're going to see that trend continue.

Conor Bronsdon: That increased collaboration is so crucial and it adds a strength and depth to teams. So I love that we're, and GitHub's here, is thinking about how do we not only build strategic partnerships outside of GitHub, but how do we bring in experts from different fields and diverse perspectives that can help reinforce our thinking here.

So it's very smart. What would be your closing thoughts or advice for engineering leaders who are listening to this conversation?

Jacob DePriest: So we've talked about a lot of it today. I think get to know your security partners is one that I always love to pitch. I think the other one too is, We really believe at GitHub, and I think it's true across a lot of the people that attend this conference in particular, that bringing security to where the developers are working is really important.

And understanding how developers work, how to keep them in flow state, How to keep their productivity high while bringing security to it, I think is just incredibly important, and that's one of the goals that we have with GitHub Copilot. It's definitely one of the goals we have at GitHub with our security products and then inside of our security team.

Even internally at GitHub Security, we try and get our vulnerabilities that in our Vuln program and all the things that we find to help internal developers, we try and get it to developers. In the way that they work in repos and pull requests and issues. And I think getting that relationship and collaboration happening where developers work is just critical to how we are going to continue to shift security left and improve security for all of our industries, but also the open source community.

Conor Bronsdon: Awesome. That's a wonderful

note to close on. And Jacob, thank you so much for joining us to share your expertise and talk through the approach GitHub's taking. It's fascinating to hear about. Really excited to put this episode out. It's been great talking to you.

Jacob DePriest: Yeah, thanks for having me. This was a blast to talk through all this.

Conor Bronsdon: Yeah, and if you ever want more information about stuff Jacob's doing or the team at GitHub, We'll feature it in our newsletter on Substack at devinterrupted. substack. com. It comes out every Tuesday. We'll have this podcast, plus more information in the newsletter. And we'll also have Thursday Deep Dive, so we'll talk about concepts like Secure by Design and many more.

So definitely make sure you're checking it out. If you're enjoying this podcast, you would probably enjoy our Substack. Thanks so much for listening, everyone, and we'll talk to you next week.