GitHub: AI helps developers write more secure code, but you need to get the basics right


It may be great to have advanced cybersecurity tools to help detect vulnerabilities, but securing your code starts with developers getting the basics right.

“Focusing on the foundation means things like enabling two-factor authentication (2FA) and adopting industry standards and best practices,” said Mike Hanley, GitHub's chief security officer and senior vice president of engineering. “It means adhering to the basics.”


The Microsoft-owned software development platform has over 100 million users and accounts for a significant percentage of targeted cyberattacks. However, the form of these attacks has not changed significantly over the past decade. The majority of these attempts are phishing and social engineering attacks aimed at taking over the credentials and accounts of software maintainers, as well as exploiting vulnerabilities in web applications.

Cybercriminals stick to nearly the same tactics, so it's important to start security with the developer. “You can buy tools to prevent or detect vulnerabilities, but the first thing you need to do is help developers ensure they build secure applications,” Hanley said in an interview with ZDNET.


Key software, such as the tools that power video conferencing and self-driving cars, is built on GitHub, and its libraries are made available there, so the accounts of the users who maintain these applications must be properly protected. If they are not, malicious hackers could take over those accounts and compromise the libraries.

He noted that the damage from such a takeover spreads widely and can lead to further breaches downstream, as in the SolarWinds and Log4j incidents. Hanley joined GitHub in 2021 and took up the newly created CSO role as news of the massive SolarWinds attack was spreading.

“We still tell people to enable 2FA… understanding the basics is paramount,” he said.

He pointed to GitHub's efforts to require all users to use 2FA. This process has been underway for the past year and a half and is expected to be completed early this year.


With the security market currently flooded with “fancy” products, professionals often overlook the need for a simple deadbolt on your door.

He said basic controls, along with the adoption of industry standards and best practices, will be more effective in protecting an organization's environment. These include benchmarks published by the Cloud Security Alliance and Singapore's Safe App Standard, which is built on “common sense” basic security practices and input from both private and public organizations to help focus on the most important components.

Redefining shift-left development with AI

Artificial intelligence (AI), including generative AI, is also emerging as a key partner for software developers, especially when it comes to identifying potential vulnerabilities as they write code, Hanley said.


He said AI can help redefine the shift-left model and prevent developers from writing vulnerabilities into code in the first place.

A shift-left approach involves testing software early in the development lifecycle, so software quality can be assessed and improved throughout the development stages.

Software vulnerabilities are often discovered only after the code has been released to the public, sometimes years later, as was the case with Log4j. AI, by contrast, can identify specific vulnerabilities as the code is written and suggest how to resolve them, which Hanley said will be a game-changer for developers.

According to a GitClear study of 153 million lines of changed code written between 2020 and 2023, the percentage of code that was reverted or updated within two weeks of being written is higher this year and is expected to double compared with 2021.


Pointing to GitHub's AI-assisted software development tool Copilot, Hanley said the technology is not only meant to help developers write code, but also review and fix code.

GitHub Copilot is touted to provide code suggestions tailored to a project's context and style conventions, giving developers the ability to decide what to accept, reject, or edit. The tool can integrate with editors such as Visual Studio and Neovim and can suggest syntax and code in multiple languages, including Python, JavaScript, Ruby, and C#.

GitHub Copilot was first introduced in October 2021 and is currently used by more than 1.3 million paid subscribers and 50,000 organizations, GitHub CEO Thomas Dohmke said in a recent LinkedIn post. AI-assisted tools have generated over 3 billion lines of approved code.

Citing a sample analysis of 934,533 GitHub Copilot users, Dohmke said in a June 2023 post that users accept almost 30% of code suggestions on average, and that the figure rises as developers become more familiar with the tool.

He said generative AI developer tools will add 15 million “competent developers” to global production capacity by 2030, with a 30% increase in productivity and a projected 45 million developers by 2030. “This could boost GDP by more than $1.5 trillion,” he said.


GitHub Copilot users also report coding 55% faster with the tool, he noted, and in files where it is enabled, 46% of their code was completed by the AI-powered technology.

However, like self-driving cars, AI-assisted development tools cannot replace human developers or code review processes, Hanley said. These are companion tools, and as the name suggests, software developer co-pilots become more effective when working in tandem with their human counterparts.
