At HackerOne’s recent 2021 Security@ conference, we spoke to Mike Hanley, CSO at GitHub. As a company that prizes security while serving tens of millions of developers worldwide, GitHub has spent years bringing security into development workflows. During a fireside chat, Mike explained GitHub’s approach to DevSecOps and what organizations can do to improve the security of internally developed code.
Below is a summary of the discussion.
Changing the Security Narrative
Historically, security has been considered a blocker—a set of obstacles that developers must overcome to release anything. This thinking can damage the competitive advantage of organizations that rely on releasing products.
Mike believes this situation arose because security teams didn’t “meet developers where they were.”
GitHub puts developers first. The company focuses on building unique experiences for developers, including building tools and processes that are developer-focused to use. GitHub does this by delivering security feedback and alerts inside the GitHub platform—both for the company’s developers and for customers of its platform. This process allows developers to focus solely on software development while still receiving the input needed to ensure secure code.
The Role of Hackers in DevSecOps
GitHub has a mature software development life cycle that includes many security components, including:
- Security review intake processes
- Security champions who partner with engineers throughout the SDLC
- Static code analysis
- Internal red teaming
- Threat modeling sessions
The company developed these components to fit seamlessly into its development workflows and has honed them over the years. However, GitHub believes that a genuinely outstanding DevSecOps program requires an additional component: ethical hackers.
GitHub has had a public bug bounty program for seven years, making it one of the longest established programs on the HackerOne platform. The company pays a range of bounties depending on the types of issues reported and regularly benchmarks against peers to ensure its bounties and program structure remain among the most competitive in the industry.
Ethical hackers aren’t biased by GitHub’s internal thinking and objectives. They bring a fresh set of perspectives, experience, skills, and expertise honed through their careers and by contributing to other bug bounty programs. These competencies allow them to provide insights that GitHub’s internal security team and controls might miss.
Mike describes hackers as “integral partners in our success from a product security perspective,” which explains why GitHub paid out over half a million dollars in bounties for more than 200 vulnerabilities in 2020.
He explains that the program feeds valuable security insight into GitHub’s development process in a format and location that works well with the company’s development practices. GitHub prizes the program because it provides a source of security data from outside the company’s own internal processes and controls.
“[The program] has been tremendously valuable for keeping us honest and helping us address gaps. It’s part of the comprehensive approach we have to the software development lifecycle here at GitHub.”
Mike Hanley CSO, GitHub
Supporting DevSecOps with Bug Bounty
Providing an impartial source of security information has clear benefits for shipping secure, effective code. To maximize the value of its bug bounty program, Mike’s team also focuses on leveraging submissions to learn about other categories of defects they can eliminate across GitHub’s codebase. For example, if a particular vulnerability is reported several times, the team can implement new controls designed to identify similar vulnerabilities earlier in the development process.
Taking things a step further, GitHub supplements its public bug bounty program with private programs designed to support specific product launches.
In 2020, GitHub launched its Codespaces tool as a commercial product and used a private bug bounty program to support its internal DevSecOps practices. The company invited 24 of its top bug bounty participants to test the product before release. GitHub gave the team freedom to explore the product but guided testing by providing additional incentives for vulnerabilities in specific areas.
“The program was a great mechanism to check our work and the efficacy of our internal security processes,” explains Mike. “It provided outside thinking and perspectives from the talented bounty community that we work with.”
How to Partner with Hackers
Mike emphasizes the importance of building long-lasting relationships with hackers to get the most out of a bug bounty program.
GitHub operates one of the most responsive bug bounty programs in the industry, triaging reported vulnerabilities within 24 hours and ensuring it pays bounties as quickly as possible. This attentiveness helps ensure hackers have a positive experience working with the company and want to continue to do so long term. In 2020, GitHub launched a dedicated team to support its bug bounty program.
“As our program grows, the best way to deliver a great experience to our hacker partners is to make sure they have a dedicated, consistent team that they can build relationships with and develop a shared understanding of patterns in submissions. We take pride in being developer-focused and customer-centric, and we want to have the same approach when dealing with hackers because they are such an important extension of our team.”
For organizations curious about bug bounty, having a strategy to sustain a program over time is essential. It takes time to build relationships and provide a valuable experience for program participants. Without this, organizations may struggle to cope with the volume of submissions, leading hackers to feel like their time isn’t appreciated, eroding relationships with hackers and diminishing program success.
With a strong strategy, organizations can avoid these pitfalls and get the maximum benefit from their bug bounty program—a consistent stream of high-quality submissions that improve security outcomes for the organization, its developers, and its customers.
“For us, each member of our developer community is a beneficiary of this work. If you are just getting started with bug bounty and wondering how to set your program up for success, encouraging repeat participation in the program should be your priority.”
Refine Your Security Program with Hackers
Hackers are the best-kept secret in cybersecurity. Whatever your role or industry, Security@ has a virtual session to help you refine your security program and reduce cyber risk by working with the global hacker community. Register here to watch the sessions on-demand.