Enhancing Software Security and Transparency on GitHub

25min Snip

00:00

Play full episode

Summary

Transcript

Episode notes

The chapter delves into the importance of proactive security measures, like verifying user identities and monitoring ownership changes on platforms like GitHub, to ensure the integrity and trustworthiness of software builds. It discusses the introduction of a new feature called attestations for builds, offering cryptographic verification of build sources to enhance transparency and deter malicious actors. The conversation emphasizes the responsibility of organizations in adopting secure coding practices, collaborating within the industry, and supporting the open-source community through advanced security features on platforms like GitHub.

Jacob DePriest, VP and Deputy Chief Security Officer at GitHub, joins the show this week to talk about securing GitHub. From Artifact Attestations, profile hardening, preventing XZ-like attacks, GitHub Advanced Security, code scanning, improving Dependabot, and more.

Leave us a comment

Changelog++ members save 14 minutes on this episode because they made the ads disappear. Join today!

Sponsors:

Socket – Secure your supply chain and ship with confidence. Install the GitHub app, book a demo or learn more
Neon – Fleets of Postgres! Enterprises use Neon to operate hundreds of thousands of Postgres databases: Automated, instant provisioning of the world’s most popular database.
Cronitor – Cronitor helps you understand your cron jobs. Capture the status, metrics, and output from every cron job and background process. Name and organize each job, and ensure the right people are alerted when something goes wrong.
Fly.io – The home of Changelog.com — Deploy your apps and databases close to your users. In minutes you can run your Ruby, Go, Node, Deno, Python, or Elixir app (and databases!) all over the world. No ops required. Learn more at fly.io/changelog and check out the speedrun in their docs.