Don't Ignore GitHub Security Alerts, Automate Them Into Your Workflow
Verizon Media, March 13, 2019
Quick Intro: Ashley Wolf, Open Source Program Manager, Verizon Media. Twitter: @Meta_Ashley
Verizon Media Open Source Program Office
● 440 active open source projects published by Verizon Media
● 7K engineering employees (all of them) benefit from OSPO services
● 25 GitHub organizations that we manage
● 330 support tickets quarterly
● 200+ mobile and TV applications that rely upon our services for compliance
What does an OSPO do?
● Program Management: supporting internal engineering groups with open source engineering and automation
● License Compliance: reviewing the use of open source in our products and platforms
● Inbound Contributions Review: reviewing contribution policies and CLAs
● Contributions to Projects Management: responsible for mobile and TV app compliance issues
● Security Alerts: GitHub alerting us about vulnerable dependencies
● New Project Publication: reviewing publication steps completed prior to publication
● Community Development: promoting projects via blogs, podcasts, and speaking events
● Issue Support and Resolution: ensuring issues are addressed on our external repos
What's an information security issue to an OSPO?
InfoSec people care about production issues:
● Bug Bounty
● Code Scanning
● Red/Blue teams, etc.
We're talking about vulnerabilities that are in a published piece of code.
OSPOs need to care about security issues in their published code.
Good News, Bad News: GitHub can help. It's limited and not designed for OSPOs, only for project owners.
Agenda
● What GitHub does to help your companies' open source security issues
● Where the alerts and APIs fall short
● A call for you to help develop a better solution
GitHub Provides Security Alerts
GitHub Security Alerts: https://github.blog/2017-11-16-introducing-security-alerts-on-github/
The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version: https://arxiv.org/abs/1808.09753
GitHub Email Alerts
Some of the problems that OSPOs will have
● Opt-in only for private repos
● Vulnerability Alerts API cannot turn on notifications
● Email gives you only 10 repos in the daily digest
● Not all project languages supported
● No dashboard of alerts including notification dismissal reasons
● Not automated!
e.g.: The project owner ignores issues
Automating Security Workflow Project
Automate Security Workflow
Automating the Alert Workflow
Automate Security Workflow (architecture diagram; components recovered from the slide)
● Inputs: GitHub Security Alerts, GitHub Dependency Graph (GraphQL API v4), raw DB of POCs on GitHub
● Processing: GitHub Alerts Projects and related info, run as a Screwdriver cron job
● Outputs: JIRA tickets with CVE info (JIRA API), Slack, Email
GitHub webhook events used: Security Advisory Event, Repository Vulnerability Alert Event
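As an added example (not code from the talk or from the yahoo/GitHub-Security-Alerts-Workflow project), the Python below shows the middle of such a pipeline: it takes alert records already fetched from GitHub and builds the two things the email digest lacks, a per-repo dashboard that includes dismissal reasons and deduplicated ticket payloads ready to hand to the JIRA API. The record fields and the sample alerts are assumptions modelled loosely on the GraphQL API v4 vulnerabilityAlerts data, not a real response.

```python
from collections import defaultdict

# Severity order used to pick the ticket priority when several advisories hit one package.
SEVERITY_RANK = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed sample alerts. Field names are an assumption shaped after GitHub's
# GraphQL API v4 vulnerabilityAlerts connection; advisory ids are placeholders.
SAMPLE_ALERTS = [
    {"repo": "example-org/web-app", "package": "lodash", "severity": "HIGH",
     "advisory": "GHSA-PLACEHOLDER-1", "first_patched": "4.17.11", "dismiss_reason": None},
    {"repo": "example-org/web-app", "package": "lodash", "severity": "MODERATE",
     "advisory": "GHSA-PLACEHOLDER-2", "first_patched": "4.17.5", "dismiss_reason": None},
    {"repo": "example-org/web-app", "package": "minimist", "severity": "LOW",
     "advisory": "GHSA-PLACEHOLDER-3", "first_patched": None, "dismiss_reason": "NO_BANDWIDTH"},
    {"repo": "example-org/cli-tool", "package": "requests", "severity": "CRITICAL",
     "advisory": "GHSA-PLACEHOLDER-4", "first_patched": "2.20.0", "dismiss_reason": None},
]


def version_key(v):
    """Compare dotted versions numerically ("4.17.11" > "4.17.5", unlike string order);
    non-numeric parts sort as 0 (assumption: simple semver-like strings)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def dashboard(alerts):
    """Per-repo count of open alerts plus dismissals broken down by reason,
    the view that the 10-repo email digest does not give an OSPO."""
    view = defaultdict(lambda: {"open": 0, "dismissed": defaultdict(int)})
    for a in alerts:
        if a["dismiss_reason"] is None:
            view[a["repo"]]["open"] += 1
        else:
            view[a["repo"]]["dismissed"][a["dismiss_reason"]] += 1
    return {r: {"open": v["open"], "dismissed": dict(v["dismissed"])} for r, v in view.items()}


def ticket_payloads(alerts):
    """One ticket per (repo, package) for open alerts only: advisories are merged,
    the highest severity wins, and the upgrade target is the newest first-patched version."""
    merged = {}
    for a in (x for x in alerts if x["dismiss_reason"] is None):
        t = merged.setdefault((a["repo"], a["package"]), {
            "repo": a["repo"], "package": a["package"], "severity": a["severity"],
            "advisories": [], "upgrade_to": None})
        t["advisories"].append(a["advisory"])
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[t["severity"]]:
            t["severity"] = a["severity"]
        fix = a["first_patched"]
        if fix and (t["upgrade_to"] is None or version_key(fix) > version_key(t["upgrade_to"])):
            t["upgrade_to"] = fix
    for t in merged.values():
        t["summary"] = f"[{t['severity']}] {t['package']} in {t['repo']}: upgrade to {t['upgrade_to'] or 'no fix yet'}"
    return sorted(merged.values(), key=lambda t: -SEVERITY_RANK[t["severity"]])
```

Posting each payload to JIRA or Slack and scheduling the run (the Screwdriver cron job in the diagram) are the pieces left to the surrounding pipeline.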
If you are in the audience or you work for GitHub, help us automate OSPOs' workflows.
We'd love your help. Project: https://github.com/yahoo/GitHub-Security-Alerts-Workflow
● Add automation for different solutions
  ○ JIRA
  ○ Email
  ○ Slack
● Contribute GitHub security alerts to GHCrawler
Open Source has more potential to be secure
But that's only if you take advantage of the information available in the open source community and patch vulnerable dependencies. And contribute back.
Thank You
● Gil Yehuda, Verizon Media
● Justin Hutchings, GitHub
● Jamie Jones, GitHub
● Jeff McAffer, Microsoft
● James Siri, Amazon
● Manikandan Subramaniam, Verizon Media
● Henri Yandell, Amazon
● Simon Maple, Snyk
Thank You: Ashley Wolf, Open Source Program Manager, Verizon Media. awolf@verizonmedia.com, Twitter: @Meta_Ashley
References
● https://github.com/jamesiri/github-cve-report-poc
● https://github.blog/2017-11-16-introducing-security-alerts-on-github/
● https://help.github.com/en/articles/about-security-alerts-for-vulnerable-dependencies
● https://arxiv.org/abs/1808.09753
● https://github.com/microsoft/ghcrawler
● https://www.oreilly.com/library/view/securing-open-source/9781491996980/ch01.html
● https://www.emojione.com/emoji/v