GitHub CISO on security strategy and collaborating with the open-source community
In this Help Net Security interview, Alexis Wales, CISO at GitHub, discusses how GitHub embeds security into every aspect of its platform to protect millions of developers and repositories, ensuring it remains a trustworthy platform for building secure software.
GitHub plays a central role in the software development ecosystem. How do you address security at the scale of millions of users and repositories?
Security is embedded into everything we do at GitHub, from ensuring the health and security of our platform and business, to our broader community. Knowing that software security begins with the developer, we’ve rolled out 2FA for all users who contribute code on GitHub as part of a platform-wide effort to secure the software ecosystem through improving account security.
Through GitHub Advanced Security, GitHub offers our customers AI-powered static analysis, secret scanning, and software composition analysis features, ensuring teams building on GitHub can help deliver secure software from the start. We also offer these tools free for open source maintainers, as vulnerabilities in open source code can have a global ripple effect across the millions of people and services that rely on it.
Ultimately, it’s critical that GitHub remains the most trustworthy platform for developers to build on and we’re deeply invested in making sure we stay that way. We have teams dedicated to detecting, analyzing, and removing content and accounts that violate our policies on malicious usage of the platform.
How do you ensure alignment between GitHub’s product roadmap and security goals?
At GitHub, we prioritize security in everything we do. We work closely with our engineering and product teams to ensure that security is integrated throughout the development process, from design to deployment. Our secure by design philosophy means that security is not an afterthought, but rather a fundamental part of our product roadmap. We understand that our customers and the open source community trust us to provide a secure platform, and we take that responsibility seriously. By partnering with our teams and keeping security top of mind, we ensure that our product roadmap aligns with our security goals and meets the needs of our customers.
How does GitHub collaborate with the open-source community to improve software security?
Much of the world runs on open source software, and securing it requires community effort between public and private sector organizations in support of and in collaboration with the open source community, many of whom are often volunteers.
GitHub owns its pivotal role within the open source ecosystem and has long been invested in programming, tooling, training, and infrastructure that powers the open source community. For example, GitHub is a founding member of the Open Source Security Foundation, the GitHub Security Lab regularly shares open source vulnerability research with more than 700 CVEs credited to our researchers, and the GitHub Advisory Database offers a free and open tool for the community to learn about and contribute to information on security vulnerabilities affecting open source software.
Most recently, we also introduced the GitHub Secure Open Source Fund, a program designed to financially and programmatically improve security and sustainability of open source projects. Launched with an initial $1.25 million with partners like American Express, 1Password, Stripe, and others, the fund offers financial support in addition to a three-week mentorship program, empowering maintainers to enhance their projects’ security and fostering a more resilient open source ecosystem.
How do you ensure transparency and trust when managing vulnerabilities reported on GitHub?
More and more, organizations are leaning further into transparency as a means to strengthen trust around their business, and this is no different for GitHub. We regularly engage with the security research community through our bug bounty program, investigating reported issues to ensure we continue to improve the security of GitHub and our products. GitHub also remains an independent issuer of CVEs and we regularly publish CVEs for vulnerabilities affecting our platform to ensure customers continue to leverage secure versions of features as we release.
Customers can additionally learn more about how we responsibly build our products through the GitHub Trust Center.
What are your top priorities for GitHub’s security strategy in the next 12-18 months?
Security is never something that is done – maintaining the trust of our customers remains a top priority, and our team is heavily invested in both the security of the platform and helping developers to build secure software. This includes ongoing improvements to ensure our platform remains available, accessible, and secure as well as continuing to showcase innovations like Copilot Autofix that help developer and security teams prioritize and orchestrate vulnerability remediation at unprecedented scale.
As we continue to bring more AI-native experiences across the platform, our focus remains on ensuring that secure by design and secure by default principles are baked into each product so customers can confidently use GitHub in a way that minimizes their security risk.