Episode Transcript
0:13
Hey, friends, I'm Scott Hanselman and this is
0:15
another episode of Hanselminutes. Today I'm chatting
0:17
with Jacob DePriest. He's the Deputy Chief
0:19
Security Officer at GitHub. How are you, sir? I'm
0:21
doing well, thanks. So.
0:24
You know, I always look at people's LinkedIn,
0:26
which is the standard thing you do
0:28
when you fill up forty-seven tabs with
0:30
questions for an interview like this, and not everyone,
0:32
when you scroll on their LinkedIn, has
0:34
spent fifteen years at the NSA. Of
0:36
all the three-letter-acronym agencies,
0:39
that is the one that I find the most
0:41
mysterious and shrouded in mystery.
0:43
How was that experience? It was great.
0:45
I did a bunch of different things
0:48
there over the years, from software
0:50
defined radio to open
0:52
source and DevOps projects, and even running
0:54
some kind of large-scale IT and
0:56
security projects. I think the fun thing
0:58
about my time there, particularly at the end,
1:00
is I actually pivoted and was more
1:02
open and was working on open source
1:05
activities and partnering with other agencies and
1:07
trying to figure out how to help developers
1:09
get more active in the open source
1:11
community, from contributions to releasing projects. And
1:13
so it gave me an opportunity to
1:15
be a less mysterious face on behalf of the
1:17
agency. Yeah, you were, like, the
1:19
senior OSS evangelist, and I'm trying
1:21
to get my head around how you would
1:23
even pull that off. I mean, I just
1:25
assume if you work for a three-letter
1:27
acronym agency then you would just not even
1:29
tell your neighbors, right? Like we see
1:31
the TV shows. What do you do? I
1:33
work for the government, that's all I can
1:35
tell you. But you, again, were evangelizing
1:37
open source for the NSA. How
1:39
did you connect the two? Yeah.
1:42
I mean, I think it starts as many
1:44
of our stories do, of just following a
1:46
passion, following an interest. We were working
1:48
on a project and we thought it would
1:50
be great to open source it because we wanted
1:52
to partner with universities and the military and
1:54
other places that didn't naturally have access to
1:56
the internal networks we were working on. And
1:58
that, you know, spawned an eighteen-month
2:00
effort to release a million lines of code, and
2:03
I learned a lot in that process and wanted
2:05
to make it better for other developers, and so
2:07
really just kind of leaned into that and spent some
2:09
time looking into it and talking to folks and figuring
2:11
out how we do more of it. Yeah.
2:13
So what's cool about that is that it
2:15
fits nicely into why you would come to
2:17
GitHub. Like you basically became so open
2:19
and so into open source that that passion
2:21
led you into doing open source at GitHub.
2:23
Yeah. Exactly. I couldn't think
2:26
of a better place to come after
2:28
my time in the federal government. And
2:30
the fun thing is, too, in some
2:32
of the other things that I was
2:34
involved in at the agency, I really
2:36
got to understand and think about risk
2:38
at very high levels as it
2:40
impacts nations or, you know, critical infrastructure
2:42
and things like that. And so combining
2:44
the leadership training and the risk training
2:46
I got at the feet of some
2:48
very amazing leaders there with my open
2:50
source passion, working on security at
2:52
GitHub has been a really great and
2:54
natural next step for me. I think
2:56
actually we may not have met in person,
2:58
but we were both, I think, at All
3:01
Things Open in 2020 in North Carolina.
3:03
Yeah, and you were talking about DevOps?
3:05
So where does DevOps fit into your
3:08
life? Like I know that the name DevOps
3:10
is itself new; we used to call them
3:12
build servers or SDLC, but now it's
3:14
like DevOps is baked into the zeitgeist.
3:17
Where did open source and DevOps merge for
3:19
you? It was again one of
3:21
those natural progressions where I was working
3:23
on open source and the processes and
3:25
legalities of how to do that better
3:27
inside a federal agency, and it became
3:30
evident that that was only one piece
3:32
of the puzzle, and so without a
3:34
consistent developer experience platform for the developers
3:36
inside the agency, the open source piece was
3:38
more difficult to achieve. And so a group
3:41
of us, actually two or three of us,
3:43
got together and essentially kind of did
3:45
a startup inside the government. We put
3:47
a pitch deck together. We got funding.
3:49
We put all the kind of,
3:51
like, pros and cons together and we
3:53
started a program called DevX that ended
3:55
up kind of having been responsible for
3:57
all the DevOps pipelines,
4:00
security, collaboration
4:02
tools, and kind of all the things that
4:04
you would need to be successful for
4:06
an agency of forty thousand plus folks.
4:09
Is it fair to say that even in 2024,
4:11
like, there are companies that are just
4:13
building on someone's laptop and
4:15
then don't have any kind of
4:18
mature DevOps/build servers, let alone
4:20
having a DevSecOps kind of
4:22
practice within their organizations? I
4:24
think that's true. I think we
4:26
also see a lot of fragmented
4:28
approaches where there's ten or twenty
4:30
instances of Git servers and things
4:32
are under people's desks and code
4:35
spread around enterprises, and they're not
4:37
getting the benefits of sort of
4:39
the central collaboration tooling and security. Honestly,
4:41
that comes with some of the
4:43
things that you can do when you pull those things
4:45
together and take the burden off of individual developers.
4:48
Oh, the "under someone's desk" thing, like,
4:50
totally resonates with me. Like so
4:52
many times. It's a story
4:54
that I tell a lot, that, like, long story
4:56
short, my blog I thought was a virtual machine
4:58
for many years. And then when it
5:01
finally died I called support. It turns out they
5:03
had never moved it into a VM. It had always been
5:05
under someone's desk. It was a little mini tower
5:07
under someone's desk, and they're like, well, we were
5:09
getting around to it. It was like a holster surface.
5:12
They never imaged it, it never got backed
5:14
up, so I FTPed in, did a
5:16
frantic backup, and, you know, the
5:19
little spinning hard drive finally just pooped
5:21
out at the end, but I can
5:23
visualize it under someone's desk. And it's
5:25
never been more true that the cloud is someone
5:28
else's computer than when it is someone else's
5:30
well-run computer, right? And that's the thing I
5:32
think people don't like about my joke about that too.
5:34
It is someone else's computer, but it's a
5:36
best practice. It's like we are figuring out
5:38
those best practices as a community. Yeah.
5:40
Absolutely. Now,
5:42
you mentioned one of the things, you had me,
5:44
you were talking about, like, listing out the pipeline
5:47
of all the things. For regular Joes and Janes
5:49
like myself that have, like, a small business
5:51
like this podcast, I've got the website
5:53
I'm going to build in GitHub Actions, you could call
5:55
it a build server. My DevOps
5:58
is effectively I check it into GitHub and magic
6:00
pops out the other end, and that's kind
6:02
of as sophisticated as it gets, but
6:04
you mentioned things like governance and security
6:07
and, like, the supply chain. Should a
6:09
regular developer like me, a regular Joe
6:11
or Jane, be thinking about that level
6:13
of complexity within their own DevOps pipelines?
6:16
I mean, you're asking the security
6:18
person this question so I'm probably gonna
6:20
say yes to some degree. I
6:22
think the important part here is
6:24
that it is just only after
6:26
the core things are done. So,
6:29
you know, for the fitness folks, you've heard
6:31
this before: like, never skip leg
6:33
day. Like I said, for me, that kind of
6:35
thing in security translation is things like
6:37
2FA, making sure the accounts
6:40
are secure, making sure that
6:42
we don't have storage accounts that are
6:44
open to the internet and things like
6:46
that. Once all those things are
6:48
done, for the average developer, then, like,
6:50
leaning into some of the capabilities that,
6:52
you know, for instance on GitHub,
6:54
a lot of the GitHub Advanced Security
6:56
capabilities like Dependabot and code scanning and
6:58
secret detection are all available for free
7:01
for public repos. I think those are things that
7:03
folks should turn on. For us, when we
7:05
think about security at GitHub for the product
7:07
and for the community, we always start
7:09
with the developer account, and that's why over the
7:11
last eighteen months or so we've kind of
7:14
worked through a campaign to turn on
7:16
2FA for all the contributors
7:18
on GitHub, which was a huge effort
7:20
to basically say, like, no, this isn't
7:22
optional anymore. If you're contributing actively on
7:25
GitHub, you have to turn on 2FA,
7:27
and that's why, because we see
7:29
too many things start with passwords for entry,
7:31
a breach or credential leak. Yeah, I've one
7:33
hundred percent, all in on 2FA.
7:36
And I used things like Authy, but
7:38
then I worry, like, it's becoming centralized. Like
7:40
Authy, just for example, is pulling their
7:42
desktop app, which makes sense. I probably shouldn't
7:45
be 2FA-ing with the thing that I'm
7:47
having in front of me as another factor. But
7:50
then the cynic in me is like, are they just
7:52
gonna stop caring about that? There's all these
7:54
other authenticators. And then of course the
7:56
sheet that we're supposed to print out, you know, and print
7:58
out there, we have hard tokens, and there's a
8:00
lot of really freaked-out people who will lose access
8:02
to stuff on GitHub if they don't print out their
8:04
backup keys. Yeah. I think this is
8:06
where I'm excited about passkeys and some of
8:09
the innovations that are happening there, where some
8:11
of the big major companies, and we're
8:13
actually involved to a certain degree in some
8:15
of the passkey establishments, are getting together
8:17
to pull a standardized way of doing this
8:20
together, and you could argue that there's maybe,
8:22
like, more secure ways with YubiKeys
8:24
and, you know, biometrics and things like that,
8:26
but as a step forward from username/passwords,
8:28
and particularly when they can be stored
8:31
in a centralized way that's secure,
8:33
I think it's a great progression
8:35
that we're excited about. Yeah. I'm here,
8:37
and, you mention YubiKeys and I'm
8:39
sitting here and I just picked it up; I'm
8:41
holding up my GitHub YubiKey that
8:44
was mailed to me that I never really used
8:46
because it didn't fit into my lifestyle, and I
8:48
know that there are people who are so excited
8:50
about that level, that kind of security, but it
8:52
just never worked for me. Then there was USB
8:54
A and USB-C, one of them's A, one
8:56
of them's C, and I just got tired and
8:58
now it sits here unused, which means that I'm
9:00
somehow a bad security person. No, definitely
9:02
not. I don't... I think my YubiKey
9:04
is sitting in my bag somewhere, but
9:06
because I've got all the passkeys turned on
9:09
with FIDO and, you know, Touch
9:11
ID, and so that's how I operate,
9:13
securely. I just don't have to find my
9:15
YubiKey. And that's the thing, right? Security
9:17
has to fit into our lifestyles, right? If
9:19
it isn't, if it is inconvenient enough, then
9:22
we're just not going to use it at all.
9:24
Yeah, that's right. We have to make it
9:26
work for users, and that's partly why even
9:28
though we're requiring 2FA for contributors
9:30
on GitHub, we're not requiring, you know,
9:33
YubiKeys or passkeys or anything
9:35
like that, because the diversity of the population
9:37
that uses GitHub for open source is
9:39
huge and not everybody has access to a
9:41
mobile phone or modern tech and can afford
9:43
things like that. And so we want to
9:45
balance security here with the accessibility and
9:48
affordability for the user base. Yeah.
9:50
I appreciate that you call that out, by
9:52
the way. Like affordability, like even the
9:55
pricing is modest. You know, GitHub Pro is,
9:57
what, four bucks? And, you know, for a long time there,
9:59
before private repos were free, it
10:01
was like seven bucks. I mean, it's not
10:03
big money to support your small projects. Yeah,
10:06
agreed. And I think, you know, we're
10:09
still one of the few larger SaaS
10:11
providers in this realm that
10:13
offer free compute as well. So, free Actions
10:15
minutes and free Codespaces minutes and things
10:17
like that. And particularly for universities, they get
10:20
an even, you know, more attractive kind of
10:22
onboarding package there, which is intentional, right? We
10:24
want to support the educational use cases, but
10:26
it's great. It's a great way to get
10:28
started. Isn't it attractive to bad guys, though?
10:30
Like the second you say free compute, then
10:33
someone's going to go and start mining Bitcoin
10:35
or doing something naughty. And as an organization,
10:37
it is a giant
10:40
CMS; you're not only shipping binaries,
10:42
but you're potentially building binaries that
10:44
could be evil and then helping
10:46
distribute them. Are people abusing releases?
10:48
Are people abusing raw dot
10:50
whatever GitHub CDN and using it? And
10:52
are you constantly just slapping people down
10:54
for doing those kinds of things? Yeah,
10:57
it's actually a huge, huge challenge for
10:59
the platform. With 100 million developers using
11:01
the platform and a massive amount of
11:03
compute, there are a lot of folks
11:06
who are trying to use this for
11:08
various purposes. So we have in
11:10
the security team, actually, inside GitHub, we
11:13
have a counter abuse team, and they are building
11:15
machine learning pipelines, auto detections, they're
11:17
working very closely with support and
11:20
trust and safety. So as
11:22
much as possible, automate, remediate and kind
11:24
of shut down both spam
11:27
and abuse, but also things like,
11:29
you know, crypto mining and also
11:31
things like hosting binaries or
11:33
content that don't meet our terms
11:35
of service. Yeah, it's definitely a
11:38
challenging, both engineering and scale, problem
11:40
across the board. So
11:42
GitHub Advanced Security is a product or a
11:44
collection of products. It's the name for... looks
11:46
like you've got a friend there in the
11:48
background, I can hear. Sorry,
11:51
no, it's fine. That's the
11:53
kind of security that we're looking for, though, at the
11:55
company. And then, someone you'll... I assume that there's a
11:57
bark that you'll hear. That is the
11:59
"I need to get up, there's a bad guy" bark
12:01
versus the "I see a squirrel" bark. Unfortunately,
12:04
they're exactly the same. Also, the friend bark
12:07
is the exact same. So that's not,
12:09
not effective. You
12:11
may... We have my...
12:13
I don't have a dog but my niece does.
12:16
Absolutely useless as security. Oh,
12:19
she's like, oh, it'll warn me. If... no, it won't. No, it
12:21
will let them in and introduce them and
12:23
it, like, bring them over. You know, you
12:26
see those TikToks with, like, the giant German Shepherd
12:28
and then, like, the delivery guy comes in, like,
12:30
how are you doing? Indeed,
12:33
that is exactly my dog. I
12:35
was gonna ask about GitHub Advanced Security and understand,
12:37
like, is it a product? Is it a collection of
12:40
products? So GitHub Advanced Security
12:42
is a couple things. So one,
12:44
for kind of our enterprise customers,
12:46
it's a product that can be
12:48
purchased that includes code scanning, which
12:50
is our SAST capability based on
12:52
CodeQL. It includes kind
12:54
of our supply chain capabilities, which is
12:57
largely kind of Dependabot and dependency
12:59
scanning, and then secret scanning, which includes
13:01
push protection. We just recently
13:03
announced that this is all being augmented
13:05
by AI as well. So code scanning
13:07
now comes with things like autofix,
13:09
so suggestions. So instead of just, like,
13:11
highlighting the potential vulnerability in the code and
13:14
saying, hey, developer, you should remediate this, it's
13:16
coming with an actual suggestion in the pull
13:18
request to say, like, oh, and here's how
13:20
we think you should remediate this; you can
13:22
just click accept and move on from there.
13:25
And then in the secret scanning space, we're
13:27
using AI to not just detect high confidence
13:29
patterns, which is kind of where we've been
13:31
to date, you know, things like Azure tokens
13:33
or AWS tokens or things like that, but
13:36
also lower confidence patterns like usernames and passwords
13:38
or SSH keys or RSA keys. So that's kind of
13:41
the full kind of GitHub advanced security
13:43
package. Most of that is also available
13:45
for free on public repos on GitHub.
13:48
You know, and I have to admit, I have used
13:50
all of those things. Like if there's a free thing
13:52
on a public repo, I turn it on, and, like,
13:55
Dependabot, I could just, gosh, I
13:57
could do a whole show on Dependabot. You know,
13:59
people don't realize how good it is because
14:01
it's not on by default. You
14:03
get the vulnerable dependencies on by default.
14:05
If you're an admin on a public repository, you
14:08
just go and you check and you turn it
14:10
on and then you get Dependabot. It's
14:12
like an employee that makes pull requests while you
14:14
sleep. It's amazing.
14:17
I gush about how awesome Dependabot
14:19
is. Yeah, it's really fantastic. And
14:21
then we're seeing just a huge... Secret
14:23
scanning is a newer capability for us, but
14:25
combined with push protection, we're just
14:28
seeing some incredible things happening. I'll just give
14:30
you an example inside of GitHub. We've really
14:33
worked to reduce and eliminate
14:35
secrets in code in our own code
14:37
base using GitHub Advanced Security. And
14:39
being able to keep it eliminated with push
14:42
protection so that nothing's getting in there after
14:44
we've cleaned everything up is just an absolutely
14:46
amazing capability. But being able
14:48
to offer that for public repos is critical
14:50
because it's not a cheap
14:52
thing for us to do from an infrastructure perspective,
14:54
but it's the right thing to do because we
14:57
take that responsibility kind of at the center of
14:59
a lot of the software development ecosystem very seriously.
15:01
Yeah, and this push protection, we should
15:03
explain that a little bit because one
15:06
of the number one questions on Stack
15:08
Overflow, like the top questions, is,
15:10
I've pushed a secret into GitHub, I've pushed a
15:12
connection string, how do I make it go away?
15:15
Yeah. I mean, that's also
15:17
one of the number one questions we talk
15:19
to customers about a lot as well because
15:21
once it's in, it's in, right? It's super
15:24
expensive to remediate. It's super difficult to
15:26
know it's good. And if you talk to any security team,
15:28
they're going to say, well, like once it's there, you have
15:31
to deactivate it, you have to roll it,
15:33
you got to change the credential. And so
15:35
push protection basically sits in between the editor
15:38
and the GitHub service itself and inspects,
15:40
it's secure, it's encrypted, but it inspects
15:42
what's coming in looking for credential secrets
15:45
in the code before it actually goes
15:47
into the Git system itself. And if
15:49
it finds anything, it'll block it. And
15:51
then there's options depending on what you're
15:53
doing, you can come back to the
15:55
developer and say, do you want to
15:58
override this, or enterprises
16:00
have the ability to adjust some of the responses there
16:02
as well. So it's a pretty powerful tool. Yeah. And
16:04
it really, this idea of these
16:07
SAS, these shared access security tokens
16:09
and their potential vulnerabilities, it's just
16:12
a magic number. And
16:14
if somebody gets it, they own you and
16:16
the amount of like responsibility that can be
16:18
assigned to one of these tokens that
16:21
is just easily copy pasted and given to
16:23
someone is huge. And I understand I saw
16:25
some stuff because I work at Microsoft in
16:27
my day job. This is all public. There
16:29
was some nation state actor that got a
16:31
hold of some tokens and was running around
16:34
on some non-production build servers recently. And it
16:36
all starts with those freaking tokens that you
16:38
could paste to someone in a Slack. So
16:41
you want to catch those. So it
16:43
makes me wonder though, as devs, how can we
16:45
have them without ever seeing them? Like I don't
16:47
want it in my clipboard because once it gets into my
16:49
clipboard, it could be given, it could be moved away. Is
16:52
there a way to have secrets that we simply can't see
16:54
that wouldn't even show up
16:56
in GitHub? It's a great question.
16:58
And I think when I think about the
17:00
proactive security space and kind of all the
17:02
advances that are happening, I think this is
17:04
an area that a lot of enterprises work
17:06
towards through things like enterprise vaults and kind
17:08
of accessing these secrets on demand through APIs,
17:10
which is probably that's one of the right
17:12
ways to do it. I won't say it's
17:14
the only right way to do it. But
17:16
having that accessible to a normal dev is
17:18
more of a challenge, I think, because it's
17:20
just it's so easy just to go grab
17:22
that token and toss it
17:24
in the repo and keep moving to
17:26
deploy the blog or do whatever. And
17:29
so I think this is where normalizing
17:31
things like secret scanning and normalizing and
17:33
making it clear where to put secrets
17:35
in places like GitHub or you know,
17:38
cloud compute, like Azure is
17:40
helping, but we can still do more I think
17:42
as a community here. Yeah, I
17:44
like the call out of like normalizing
17:46
it like right now, when I
17:48
start a new project, it usually ends up in
17:51
some JSON file. And that's just wrong, it should
17:53
be... it's wrong by default. And
17:55
it should be right by default. And I need to get
17:57
that into my head so that it is normal. And of
17:59
course, GitHub will catch me 99.9% of
18:03
the time or as you said it will warn you and
18:05
say, are you sure you want to do this? This token
18:07
is used for testing. But even then
18:09
I shouldn't push it through. I should do
18:11
it correctly from the beginning. Yeah,
18:13
I agree. And for like that normal dev
18:15
out there at a minimum storing it as
18:18
part of the secret management capability inside GitHub
18:20
is a good first step. I think once
18:22
you start to scale that though, there's probably
18:24
more sophisticated ways to share that across the
18:27
enterprise team. So I'll also talk about the
18:29
third leg of that stool. We
18:31
talked about secret scanning and Dependabot, but
18:33
then CodeQL, it's this code analysis tool. And
18:36
it'll analyze your code, it'll give you quality. But
18:39
it's really becoming a security tool, like it's spotting
18:41
like bad practices. But you have to do this
18:43
across a plurality of languages, right? Like there's all
18:45
kinds of, you could be doing Erlang, you could
18:47
be doing Rust, you could be doing C Sharp.
18:50
CodeQL has to manage all of that. It
18:52
does. It does indeed. And we have an
18:55
amazing team who is building essentially language models
18:57
for each one of the languages we support
18:59
and continue to evolve them. And it's not
19:01
just a once and done build
19:03
either. Because as you know, these languages evolve
19:05
all the time. There's new releases, there's new
19:07
versions of Python coming out, you know, constantly.
19:09
And so how do we keep up with
19:11
that? I think there's kind of two angles
19:13
here. One is how does the team continue
19:16
to model and create what is
19:18
considered a vulnerability? We approach
19:20
this a few different ways. One is we
19:22
actually have researchers inside of GitHub who
19:24
are doing vulnerability research on open source
19:27
projects. And they're actually actively contributing what
19:29
they're learning back into the CodeQL base,
19:31
which then is then made available to
19:33
all of our customers and open source
19:36
users, typical devs all the way to,
19:38
you know, big enterprises. And
19:40
then we have started to use
19:42
AI to help auto model languages
19:44
faster and open source projects that
19:46
are widely used so that
19:49
we can actually increase the rate
19:51
that we are modeling and supporting
19:53
new capabilities in that program. Now,
19:55
I was picking random languages, but I do want to
19:57
come and give a brief correction. I ran... I called
20:00
out Rust and Erlang like they're brand new. I thought
20:02
about them a bit more on the far side
20:04
of the bell curve there, but those are
20:06
not supported. You have C, C++, C#,
20:08
Go, Kotlin is in beta, you can do Swift in
20:10
beta, which is pretty cool, Python, Ruby.
20:12
You know, what I'm struck by with this list
20:15
is you've got both compiled and interpreted languages, which
20:17
are two different universes that you're going to have
20:19
to treat as if they're the same, but they're
20:21
very different. They're really different in terms
20:24
of how we approach it. The team's making
20:26
some incredible progress to be able to
20:28
tackle even the compiled languages in a
20:30
faster and, honestly, like, easier to set
20:32
up way, because right now you often
20:34
have to, like, integrate it into the build.
20:36
Ah, as you're thinking about, like, a
20:39
Java build. The goal here is to
20:41
really make this easy to turn on,
20:43
easy to use and kind of
20:45
easy to get to that first meaningful
20:48
alert that moves the needle on the security
20:50
here, and they're regularly making progress on
20:52
that, so I'm excited to see where we're
20:54
headed. As a programmer, the
20:56
amount of, like, work happening to just push
20:58
a hello world, like the... the behind
21:00
the scenes work must be insane. You're talking
21:02
about free compute. Like if I go and
21:05
make hello.c and I check it in, for
21:07
me it happens instantly. I see the file,
21:09
I can set up a GitHub Action,
21:11
I can make a release, an executable pops out
21:13
and then I can start hitting raw.whatever whatever
21:16
and I can sort of, I mean I can
21:18
curl it immediately. But behind the scenes you
21:20
run CodeQL, you scan for viruses,
21:22
like it is a whole bunch of compute
21:24
that happens, and you do that for public
21:26
repositories. Is it going to be sustainable? Is it just
21:28
going to be more efficient? And I understand how that's
21:31
gonna be something that would be around in
21:33
ten years, but it needs to be. It's
21:35
a good question. I think some of it's
21:37
about the efficiency and I think some of
21:39
it is about the fact that, and this is
21:41
one of the things I love about GitHub,
21:43
is that, you know, the leadership and the
21:45
company generally values this community and values the
21:48
work we're doing here and is investing in
21:50
that as well. And so I think, you
21:52
know, it's not necessarily a question of, like,
21:54
can we make this cheaper to run
21:56
or not for public repos. It's like how
21:58
do we do it at scale at all,
22:00
you know, period. For some of the
22:02
capabilities I think it gets a little harder. We
22:05
talk about GPU-bound AI features. But
22:07
generally, you know, it's an important part of what
22:10
we're doing as a company and as a
22:12
business to support the open source community and continue
22:14
to lean into that responsibility. So
22:17
I have, over all of this, like,
22:19
looming over all of this is GitHub
22:21
Copilot, which is generating code. There's
22:23
a large language model at its base.
22:25
But large language models are tuned for
22:27
different stuff. Some are good at generating Shakespeare
22:30
and limericks and some are good at generating
22:32
code, but some are just confident
22:34
BSers. How do I know
22:36
that Copilot or some code language model
22:38
is not going to go and generate
22:40
insecure code and then run it down
22:42
my pipeline, my security pipelines? Sure, so
22:44
kind of starting at the the left
22:46
side of this. The models were using
22:48
are very much focused and tune towards
22:50
software development and the way we're incorporating
22:52
those and so we're going to continue
22:54
to work on what's the right models
22:56
used for the right situations you're in
22:59
that will evolve as the product doubles
23:01
as well, but then kind of. If
23:03
you move a little bit to the
23:05
right, then we. Are working with Microsoft
23:07
and we've got our own filters and
23:09
places well that we partner with Microsoft
23:11
on a do things like security filtering
23:14
and toxicity filtering. So they're looking for
23:16
Com and my Sql injection vulnerabilities and
23:18
are going to prevent those from even
23:21
being suggested to developers before they even
23:23
get there. Are now is early days
23:25
and I think this is going to
23:28
continue to evolve and I'm really excited
23:30
actually to see overtime if we see
23:32
fewer and fewer vulnerabilities introduced in the
23:35
editor to. Begin work of actually think
23:37
we are. We're already seeing that now, but
23:39
you know I think getting these filters, getting
23:41
the tuning necessary after the suggestions to
23:43
make sure it's relevant to the context of
23:45
what the developers doing, what they're trying to
23:48
do, what question they asked. Is
23:50
something we're very focused on and in. In.
23:52
We always say even though the suggestions are
23:54
good and we're seeing huge acceptance rates here
23:56
it's it's a copilot so you should still
23:59
run advanced security. Still check the code.
24:01
you should still make sure your builds work
24:03
and your your normal to us as you
24:05
would normally. Appreciate the call it
24:07
up at the idea of context. I use
24:09
that in my talks about not just copilot.
24:11
The Ai in general is that if he
24:13
interview walk up to someone and you say
24:15
that they're gonna like a joke about this.
24:17
At my wife and I we finish each
24:19
other's sandwiches in on them are like maybe
24:22
it's context that we have because been married
24:24
for twenty five years but when you say
24:26
to get her copilot he write me a
24:28
for loop how much context is appropriate. Does
24:30
it need to know what I wrote last week?
24:32
Doesn't need to know. I wrote earlier today. Or.
24:35
Cannot produce what I needed to produce. Now
24:37
maybe it doesn't know that I'm in the
24:39
middle of read teaming. or maybe it doesn't
24:41
know I'm in the middle of whatever context
24:43
of get a copilot knows can get into
24:46
an Uncanny Valley of creepiness. Where. I
24:48
might feel uncomfortable that the I know
24:50
stuff. But. If it's permissive and
24:52
it says follow up questions, Like
24:55
I'm. alone I clip he that you know to me like.
24:57
Looks. Like you're doing some naughty things with
24:59
red teaming. would you like help vs? It
25:02
looks like you're really focused on security and
25:04
you want your code to be extra secure.
25:06
How much contest should Copilot have? one is
25:08
trying to help me sir. I think Universe
25:10
is something we we talk to customers about
25:12
and I know our product and engineering teams
25:15
are are really focus on as well and
25:17
some of this is gonna come down to
25:19
where in the product and where in the
25:21
workflow the developer is engaging AI
25:23
as it is, and so you know the
25:25
context going into GitHub Copilot from
25:28
autocompletion may be open
25:30
files in the editor that they're working
25:32
on now, but if they've got
25:34
GitHub Copilot Chat up as well
25:37
and they're asking questions, they can tune
25:39
in, help it understand a bit more, and
25:41
so as we are building
25:43
GitHub Copilot into more and more
25:45
of the GitHub platform in terms
25:48
of enabling developer productivity, and I
25:50
think we're gonna hopefully see that be
25:52
more evident to developers where it's getting
25:54
it and how it's helping them be
25:57
more productive. I like that the evidence
25:59
part like I don't. want magic. I
26:01
want CodeQL or Dependabot or
26:03
any number of these tools
26:05
and GitHub advanced security and my pipeline to let me
26:08
know, hey, I found a thing. Here's
26:10
why I think it's a thing. And here's what
26:12
I think you should do about it. Like don't
26:14
just say, this is a problem. Tell
26:16
me why you figured it out so then I
26:18
can learn and be better myself. Sure.
26:20
Yeah. No, I totally agree. And I think,
26:23
you know, when I will pull up copilot
26:25
chat and start asking questions, that's one of
26:27
my favorite parts about it, actually, is it's
26:29
explaining to me, here's what we're suggesting. Here's
26:31
why, hey, this is vulnerable. If you want
26:33
to read more about why it's vulnerable, go
26:35
click this link. And it just honestly, it's
26:38
a much richer experience than going to a
26:40
search engine and trying to find help
26:42
for the thing I'm trying to do. And it's also
26:44
way, way faster. I was editing a
26:46
Jupyter notebook the other day to like
26:49
analyze some data for the teams. And
26:51
I needed to make some changes to it. And I wasn't
26:53
super familiar with the language. And I was like, oh, this
26:55
is gonna take me hours. I'm not even gonna bother with
26:57
this. And I was like, oh, wait, actually, let me fire
26:59
up copilot and see what I can do. I had it
27:01
fixed in like five minutes. I did exactly what
27:03
I wanted it to do. And I understand why
27:05
it did it. And that was just a fun
27:07
thing for me, given that I don't really develop
27:09
every day anymore in my day job. You know,
27:12
it's interesting that you call that out, though, because
27:14
you know that idea that there are co workers
27:16
or relatives who are really good Googlers, you know,
27:18
I'll have like non technical relative try to Google
27:20
for something and they'll just keep banging their head
27:22
against the wall. And then I just all
27:24
noticed like you used too many words, use less,
27:26
and then I'll find it on the first try.
27:29
Or there's a particular term. Hopefully,
27:31
Copilot and the AIs will equalize that more so
27:33
that everyone will get the answer that they want.
27:35
Because what happens now is my non technical relative
27:37
will be like, Oh, you're just a really good
27:39
Googler. It's like, well, no, you know, I want
27:41
I want to teach you how to be able
27:43
to do that. But I noticed that their solution
27:45
is to simply restart and try
27:47
again. Yeah, like give up on the query
27:50
and phrase it differently. But
27:52
with with with an AI or with a co
27:54
pilot, I don't just give
27:56
up and start a new conversation, I try
27:58
to refine it. I think that's a skill
28:00
we're gonna have to teach our non-technical brethren. I
28:03
agree. I also think at least to me, it feels
28:05
more intuitive to do that with an AI copilot. I
28:07
mean, just being able to have that context we were
28:09
talking about a few minutes ago that it's already got,
28:11
it already sort of knows roughly what I'm trying to
28:14
do, or at least what I'm seeing on my screen
28:16
to a certain degree and say like, hey, can you
28:18
explain this file to me? I don't have to tell
28:20
it which file it is. Or
28:22
can you help me rewrite this file from
28:25
COBOL to Python? There's things like that where if
28:27
I went and Googled that, it would take me
28:29
hours and hours and hours to figure out roughly
28:31
the same thing because I would have to keep
28:34
doing that iterative thing. And even though I'm not
28:36
quite as good of a Googler as my wife
28:38
is, I'm still fair at it. Very
28:40
cool. Well, I think that our in conclusion, what
28:42
I'm hearing is I need to make sure that
28:44
I've got advanced security turned on, on
28:47
all of my repositories, which I can do if
28:49
I'm an admin on a public repository, I can
28:51
turn these on. And that'll give me Dependabot,
28:53
which I already love, CodeQL, which I
28:56
can use. And if I interact with it, I
28:58
will get nothing but good stuff. And then secret
29:00
scanning and push protection is going to be fantastic
29:02
as well. This is all combined within the context
29:04
of GitHub advanced security. This is pretty
29:06
cool stuff. Jacob, thanks for hanging out with me today.
29:09
Thanks so much for having me. Enjoyed chatting. We've
29:12
been chatting with Jacob DePriest, he's the deputy
29:14
chief security officer at GitHub. This
29:16
has been another episode of Hanselminutes and we'll see
29:18
you again next week.