Security is a fundamental concern and requirement in all aspects of software development today. And GitHub is the industry-leading collaboration platform for software development. So, it’s crucial that anyone working with/in GitHub understands how to use it securely.
Join expert technologist, trainer and author Brent Laster to survey and learn to use the controls, policies, and automation that GitHub makes available to work securely in its platform. Learn about managing access, dealing with vulnerabilities in your code or dependencies, preventing sensitive data from getting into your repositories, automatically creating needed security updates, and more! This will be a hands-on workshop so you get real experience working with the mechanisms in GitHub. All you need is a GitHub userid and a browser!
Security must be top of mind as you work in GitHub, whether you are working in the public site or in an enterprise instance. As the industry-leading platform for development and collaboration, GitHub provides a wide variety of security features and options.
But without understanding them, it is very easy to work in GitHub in an insecure way and expose your code and other assets to vulnerabilities. It's also necessary to be able to respond to security issues that arise outside of your control - in your dependencies, in hacking attempts, and in accidental misuse as others collaborate with you. This workshop will provide you with the insight and understanding you need to be able to work in GitHub securely.
Part 1: Introduction and Overview
Topics include:
Part 2: Protecting your access
Topics include:
Hands-on lab: Securing your account - managing authentication with fine-grained personal access tokens
Part 3: Protecting your repositories
Topics include:
Hands-on lab: Setting up branch protection and rulesets and trying it out
Part 4: Protecting your code
Topics include:
Hands-on lab: Setting up CodeQL and responding to issues
Part 5: Protecting your credentials
Topics include:
Hands-on lab: Setting up secret scanning for your repos and responding to alerts
Part 6: Protecting your dependencies
Topics include:
Hands-on lab: Using Dependabot to manage your dependency vulnerabilities and updates
Wrap-up and other security topics (as time allows)
Hi, I'm Brent Laster - a global trainer and book author, experienced corporate technology developer and leader, and founder and president of Tech Skills Transformations LLC. I've been working with and presenting at NFJS events for many years now and it is always exciting and interesting.
Through my decades in programming and management, I've always tried to make time to learn and develop both technical and leadership skills and share them with others. Regardless of the topic or technology, my belief is that there is no substitute for the excitement and sense of potential that come from providing others with the knowledge they need to help them accomplish their goals.
In my spare time, I hang out with my wife Anne-Marie, 4 children and 2 small dogs in Cary, North Carolina where I design and conduct trainings and write books. You can find me on LinkedIn (linkedin.com/in/brentlaster), Twitter (@brentclaster) or through my company's website at www.getskillsnow.com.