Github Advanced Security with Jacob DePriest

Released Thursday, 11th April 2024

Episode Transcript

0:13

Hey friends, I'm Scott Hanselman and this is another episode of Hanselminutes. Today I'm chatting with Jacob DePriest. He's the Deputy Chief Security Officer at GitHub. How are you, sir?

0:21

I'm doing well, thanks.

0:24

You know, I always look at people's LinkedIn, which is the standard thing you do when you fill up forty-seven tabs with questions for an interview like this, and not everyone, when you scroll on their LinkedIn, has spent fifteen years at the NSA. Of all the three-letter acronym agencies, that is the one that I think is the most mysterious and shrouded in mystery. How was that experience?

0:43

It was great. I did a bunch of different things there over the years, from software-defined radio to open source and Dax projects, and even running some kind of large-scale IT and security projects. I think the fun thing about my time there, particularly at the end, is I actually pivoted and was more open and was working on open source activities and partnering with other agencies and trying to figure out how to help developers get more active in the open source community, from contributions to releasing projects. And so it gave me an opportunity to be a less mysterious face on behalf of the agency.

1:17

Yeah, you were that, like, the senior, I guess, evangelist, and I'm trying to get my head around how you would even pull that off. I mean, I just assume if you work for a three-letter acronym agency then you would just not even tell your neighbors, right? Like we see the TV shows: "What do you do?" "I work for the government, that's all I can tell you." But you, again, are evangelizing open source for the NSA. So how did you connect the two?

1:42

Yeah, I mean I think it starts as many of our stories do, of just following a passion, following an interest. We were working on a project and we thought it would be great to open source it because we wanted to partner with universities and the military and other places that didn't naturally have access to the internal networks we were working on. And that, you know, spawned an eighteen-month effort to release a million lines of code, and I learned a lot in that process and wanted to make it better for other developers. And so I really just kind of leaned into that and spent some time looking into it and talking to folks and figuring out how we do more of it.

2:13

So what's cool about that is that it fits nicely into why you would come to GitHub. Like you basically became so open and so into open source that that passion led you into doing open source at GitHub.

2:23

Yeah, exactly. I couldn't think of a better place to come after my time in the federal government. And the fun thing is too, in some of the other things that I was involved in at the agency, I really got to understand and think about risk at very high levels, as it impacts nations or, you know, critical infrastructure and things like that. And so combining the leadership training and the risk training I got at the feet of some very amazing leaders there with my open source passion, working on security at GitHub has been a really great and natural next step for me.

2:56

I think actually we may not have met in person, but we were both, I think, at All Things Open in 2020 in North Carolina. Yeah, and you were talking about DevOps? So where does DevOps fit into your life? Like I know that the name DevOps is itself new. We used to call them build servers or SDLC, but now it's like DevOps is baked into the zeitgeist. When did open source and DevOps kind of merge for you?

3:19

It was again one of those natural progressions where I was working on open source and the processes and legalities of how to do that better inside a federal agency, and it became evident that that was only one piece of the puzzle. And so without a consistent developer experience platform for the developers inside the agency, the open source piece was more difficult to achieve. And so a group of us, actually two or three of us, got together and essentially kind of did a startup inside the government. We put a pitch deck together. We got funding. We put all the kind of like pros and cons together and we started a program called decks that ended up kind of being responsible for all the DevOps pipelines, the security, collaboration tools, and kind of all the things that you would need to be successful for an agency of forty thousand-plus folks.

4:09

Is it fair to say that even in 2024, like, there are companies that are just... they're building on someone's laptop and then don't have any kind of mature DevOps/build servers, let alone having DevSecOps kind of as a practice within their organizations?

4:24

I think that's true. I think we also see a lot of fragmented approaches where there's ten or twenty instances of Git servers and things are under people's desks and code spread around enterprises, and they're not getting the benefits of sort of the central collaboration tooling, security, honestly, that comes with some of the things that you can do when you pull those things together and take the burden off of individual developers.

4:48

Oh, the "they're under someone's desk" totally resonates with me. Like so many times... it's a story that I tell a lot, that, like, long story short, my blog I thought was a virtual machine for many years. And then when it finally died I called support. It turns out they had never moved it into a VM. It had always been under someone's desk. It was a little mini tower under someone's desk, and they're like, "well, we were getting around to it." It was like a hosted service. They never imaged it, never backed it up. So I FTP'd in and did a frantic backup, and you know that little spinning hard drive finally just pooped out at the end, but I can visualize it under someone's desk. It's never been more true that the cloud is someone else's computer than when it is someone else's well-run computer, right? And that's the thing I think people don't like about my joke about that, that it is someone else's computer, but it's a best practice. It's like we are figuring out those best practices as a community.

5:40

Yeah, absolutely.

5:42

You mentioned one of the things... you're talking about, like, listing out kind of the pipeline of all the things. For regular Joes and Janes like myself that have, like, their small business, like this podcast: I've got the website, I'm gonna build it in GitHub Actions, kind of, I'll call it a build server. My DevOps is effectively I check it into GitHub and magic pops out the other end, and that's kind of as sophisticated as it gets. But you mentioned things like governance and security and, like, the supply chain. Should a regular developer like me, a regular Joe or Jane, be thinking about that level of complexity within their own DevOps pipelines?

6:16

I mean, you're asking the security person this question, so I'm probably gonna say yes to some degree. I think the important part here is that it's just only after the core things are done. So, you know, for the fitness folks, I've talked about this before, like "never skip leg day." Like I said, for me, that kind of core thing in the security translation is things like 2FA, is making sure the account is secure, making sure that, you know, we don't have storage accounts that are open to the internet and things like that. Once all those things are done for the average developer, then leaning into some of the capabilities that, you know, for instance on GitHub, a lot of GitHub Advanced Security capabilities like Dependabot and code scanning and secret detection are all available for free for public repos. I think those are things that folks should turn on. But for us, when we think about security, kind of, for the product and for the community, we always start with the developer account, and that's why over the last eighteen months or so we've kind of worked through a campaign to turn on 2FA for all the contributors on GitHub, which was a huge effort to basically say, like, no, this is not optional anymore. If you're contributing actively on GitHub you have to turn on 2FA. And that's why, because we see too many things start with passwords, whether it's a breach or a credential leak.

7:31

Yeah, I've one hundred percent, I'm all in on 2FA. I use things like Authy, but then I worry like it's becoming centralized. Like Authy, just for example, is pulling their desktop app, which makes sense; I probably shouldn't be doing a two-factor thing with the thing that I'm... that I have in front of me... as another factor. But then the cynic in me is like, are they just gonna stop caring about that? There's all these other authenticators. And then of course the sheet that we're supposed to print out, you know, and print out the... we have the tokens, and there's a lot of really freaked-out people who will lose access to stuff on GitHub if they don't print out their backup keys.

8:04

Yeah, I think this is where I'm excited about passkeys and some of the innovations that are happening there, where some of the big major companies, and we're actually involved to a certain degree in some of the passkey establishments, are getting together to pull the standardized way of doing this together. And you could argue that there's maybe, like, more secure ways with YubiKeys and, you know, biometrics and things like that, but as a step forward from usernames and passwords, and particularly when they can be stored in a centralized way that's secure, I think it's a great progression that we're excited about.

8:37

Yeah, you mentioned YubiKeys and I'm sitting here and I just picked it up; I'm holding up my GitHub YubiKey that was mailed to me that I never really used, because it didn't fit into my lifestyle. And I know that there are people who are so excited about that level, that kind of security, but it just never worked for me. Then there was USB-A and USB-C, one of them's A, one of them's C, and I just got tired, and now it sits here unused, which means that I'm somehow a bad security person.

9:00

No, definitely not. I don't... I think my YubiKey is sitting in my bag somewhere, but because I've got all the passkeys turned on, and FIDO and, you know, Touch ID, that's how I operate, securely, and I just don't have to find my YubiKey.

9:15

And that's the thing, right? Security has to fit into our lifestyles, right? If it isn't, if it is inconvenient enough, then we're not going to use it at all.

9:24

Yeah, that's right. We have to make it work for users, and that's partly why, even though we've required 2FA for contributors on GitHub, we're not requiring, you know, YubiKeys or passkeys or anything like that, because the diversity of the population that uses GitHub for open source is huge, and not everybody has access to a mobile phone or modern tech and can afford things like that. And so we want to balance security here with the accessibility and the equitability for our user base.

9:50

Yeah, I appreciate that you call that out, by the way, like equitability. Like even the pricing is modest. You know, GitHub Pro is, it's four bucks, and you know, for a time there, and before, probably, it was free; it was like seven bucks. I mean, it's not big money to support your small projects.

10:06

Yeah, agreed. And I think, you know, we're still one of the few larger SaaS providers in this realm that offer free compute as well. So free Actions minutes and free Codespaces minutes and things like that. And particularly for universities, they get an even, you know, more attractive kind of onboarding package there, which is intentional, right? We want to support the educational use cases, but it's great. It's a great way to get started.

10:28

Isn't it attractive to bad guys, though? Like the second you say free compute, then someone's going to go and start mining Bitcoin or doing something naughty. And as an organization, it is a giant CMS; you're not only shipping binaries, but you're potentially building binaries that could be evil and then helping distribute them. Are people abusing releases? Are people abusing raw dot whatever, GitHub CDN, and using it? And are you constantly just slapping people down for doing those kind of things?

10:57

Yeah, it's actually a huge, huge challenge for the platform. With 100 million developers using the platform and a massive amount of compute, there is a lot of folks who are trying to use this for various purposes. So we have in the security team, actually, inside GitHub, we have a counter-abuse team, and they are building machine learning pipelines, auto-detections; they're working very closely with support and trust and safety to, as much as possible, automate, remediate and kind of shut down both spam and abuse, but also things like, you know, crypto mining, and also things like hosting binaries or content that don't meet our terms of service. Yeah, it's definitely a challenging both engineering and scale problem across the board.

11:42

So GitHub Advanced Security is a product or a collection of products. It's the name for... looks like you've got a friend there in the background, I can hear.

11:51

Sorry, no, it's fine. That's the kind of security that we're looking for, though, at the company.

11:55

And then I assume that there's a bark that you'll hear, that is the "I need to get up, bark, there's a bad guy" versus the "I see a squirrel" bark.

12:04

Unfortunately, they're exactly the same. Also, friend bark is the exact same. So that's not effective.

12:11

I don't have a dog, but my niece does, absolutely useless as security. She's like, "oh, it'll warn me." No, it won't, no, it will let them in and introduce them and, like, bring them over. You know, you see those TikToks with, like, the giant German Shepherd, and then, like, the delivery guy comes in like, "how are you doing?"

12:33

Indeed, that is exactly my dog.

12:35

I was gonna ask about GitHub Advanced Security and understand, like, is it a product? Is it a collection of products?

12:40

So GitHub Advanced Security is a couple things. So one, for kind of our enterprise customers, it's a product that can be purchased that includes code scanning, which is our SAST capability based on CodeQL. It includes kind of our supply chain capabilities, which is largely kind of Dependabot and dependency scanning, and then secret scanning, which includes push protection. We just recently announced that this is all being augmented by AI as well. So code scanning now comes with things like autofix, so suggestions. So instead of just, like, highlighting the potential vulnerability in the code and saying, "Hey, developer, you should remediate this," it's coming with an actual suggestion in the pull request to say, like, "Oh, and here's how we think you should remediate this," and you can just click accept and move on from there. And then in the secret scanning space, we're using AI to not just detect high-confidence patterns, which is kind of where we've been to date, you know, things like Azure tokens or AWS tokens or things like that, but also lower-confidence patterns like usernames and passwords or SSH keys or RSA keys. So that's kind of the full kind of GitHub Advanced Security package. Most of that is also available for free on public repos on GitHub.

13:48

You know, and I have to admit, I have used all of those things. Like if there's a free thing on a public repo, I turn it on, and, like, Dependabot, I could just, gosh, I could do a whole show on Dependabot. You know, people don't realize how good it is because it's not on by default. You get the vulnerable dependencies on by default. If you're an admin on a public repository, you just go and you check and you turn it on and then you get Dependabot. It's like an employee that makes pull requests while you sleep. It's amazing.

14:17

I gush about how awesome Dependabot is.

14:19

Yeah, it's really fantastic. And then we're seeing just a huge... Secret scanning is a newer capability for us, but combined with push protection, we're just seeing some incredible things happening. I'll just give you an example inside of GitHub. We've really worked to reduce and eliminate secrets in code in our own code base using GitHub Advanced Security. And being able to keep it eliminated with push protection, so that nothing's getting in there after we've cleaned everything up, is just an absolutely amazing capability. But being able to offer that for public repos is critical, because it's not a cheap thing for us to do from an infrastructure perspective, but it's the right thing to do, because we take that responsibility, kind of at the center of a lot of the software development ecosystem, very seriously.

15:01

Yeah, and this push protection, we should explain that a little bit, because one of the number one questions on Stack Overflow, like the top questions, is "I've pushed a secret into GitHub, I've pushed a connection string, how do I make it go away?"

15:15

Yeah. I mean, that's also one of the number one questions we talk to customers about a lot as well, because once it's in, it's in, right? It's super expensive to remediate. It's super difficult to know it's good. And if you talk to any security team, they're going to say, well, like, once it's there, you have to deactivate it, you have to roll it, you got to change the credential. And so push protection basically sits in between the editor and the GitHub service itself and inspects... it's secure, it's encrypted, but it inspects what's coming in, looking for credentials, secrets, in the code before it actually goes into the Git system itself. And if it finds anything, it'll block it. And then there's options depending on what you're doing. You can come back to the developer and say, do you want to override this? Or enterprises have the ability to adjust some of the responses there as well. So it's a pretty powerful tool.

16:04

Yeah. And it really... this idea of these SAS, these shared access security tokens, and their potential vulnerabilities. It's just a magic number. And if somebody gets it, they own you, and the amount of, like, responsibility that can be assigned to one of these tokens, that is just easily copy-pasted and given to someone, is huge. And I understand, I saw some stuff, because I work at Microsoft in my day job, this is all public, there was some nation-state actor that got a hold of some tokens and was running around on some non-production build servers recently. And it all starts with those freaking tokens that you could paste to someone in a Slack. So you want to catch those. So it makes me wonder, though, as devs, how can we have them without ever seeing them? Like I don't want it in my clipboard, because once it gets into my clipboard, it could be given, it could be moved away. Is there a way to have secrets that we simply can't see, that wouldn't even show up in GitHub?

16:56

It's a great question. And I think when I think about the proactive security space and kind of all the advances that are happening, I think this is an area that a lot of enterprises work towards through things like enterprise vaults and kind of accessing these secrets on demand through APIs, which is probably... that's one of the right ways to do it. I won't say it's the only right way to do it. But having that accessible to a normal dev is more of a challenge, I think, because it's just so easy just to go grab that token and toss it in the repo and keep moving to deploy the blog or do whatever. And so I think this is where normalizing things like secret scanning, and normalizing and making it clear where to put secrets in places like GitHub or, you know, cloud compute like Azure, is helping, but we can still do more, I think, as a community here.

17:44

Yeah, I like the call-out of, like, normalizing it. Like right now, when I start a new project, it usually ends up in some JSON file. And that's just wrong. It should be... it's wrong by default. And it should be right by default. And I need to get that into my head so that it is normal. And of course, GitHub will catch me 99.9% of the time, or, as you said, it will warn you and say, "Are you sure you want to do this?" "This token is used for testing." But even then I shouldn't push it through. I should do it correctly from the beginning.

18:13

Yeah, I agree. And for, like, that normal dev out there, at a minimum, storing it as part of the secret management capability inside GitHub is a good first step. I think once you start to scale that, though, there's probably more sophisticated ways to share that across the enterprise team.

18:27

So I'll also talk about the third leg of that stool. We talked about secret scanning and Dependabot, but then CodeQL, it's this code analysis tool. And it'll analyze your code, it'll give you quality. But it's really becoming a security tool, like it's spotting, like, bad practices. But you have to do this across a plurality of languages, right? Like there's all kinds of... you could be doing Erlang, you could be doing Rust, you could be doing C#. CodeQL has to manage all of that.

18:52

It does. It does indeed. And we have an amazing team who is building essentially language models for each one of the languages we support, and continue to evolve them. And it's not just a once-and-done build either, because, as you know, these languages evolve all the time. There's new releases, there's new versions of Python coming out, you know, constantly. And so how do we keep up with that? I think there's kind of two angles here. One is how does the team continue to model and create what is considered a vulnerability? We approach this a few different ways. One is we actually have researchers inside of GitHub who are doing vulnerability research on open source projects. And they're actually actively contributing what they're learning back into the CodeQL base, which then is made available to all of our customers and open source users, typical devs all the way to, you know, big enterprises. And then we have started to use AI to help auto-model languages faster, and open source projects that are widely used, so that we can actually increase the rate that we are modeling and supporting new capabilities in that program.

19:55

Now, I was picking random languages, but I do want to come in and give a brief correction. I ran... I called... that Rust and Erlang are, like, rather new. I thought about them a bit more in the far side of the bell curve there, but those are not supported. You have C, C++, C#, Go, Kotlin is in beta, you can do Swift in beta, which is pretty cool, Python, Ruby. You know, what I'm struck by with this list is you've got both compiled and interpreted languages, which are two different universes that you're going to have to treat as if they're the same, but they're very different.

20:21

Really different in terms of how we approach it. The team's making some incredible progress to be able to tackle even the compiled languages in a faster and, honestly, like, easier-to-set-up way, because right now you often have to, like, integrate it into the build, as you're thinking about, like, a Java build. The goal here is to really make this easy to turn on, easy to use, and kind of easy to get to that first meaningful alert that moves the needle on the security here. And we're making regular progress on that, so I'm excited to see where we're headed.

20:54

As a programmer, the amount of, like, work happening to just push a hello world, like the behind-the-scenes work, must be insane. You're talking about free compute. Like if I go and make Hello.c and I check it in, for me it happens instantly. I see the file, I can set up a GitHub Action, I can make a release, an executable pops out, and then I can start hitting raw.whatever whatever and I can sort of... I mean, I can curl it immediately. But behind the scenes you run CodeQL, you scan for viruses, like it is a whole bunch of compute that happens, and you do that for public repositories. Is it gonna be sustainable? Does it just need to be more efficient? I want to understand how that's gonna be something that would be around in ten years, but it needs to be.

21:35

It's a good question. I think some of it's about the efficiency, and I think some of it is about the fact that, and this is one of the things I love about GitHub, is that, you know, the leadership and the company generally values this community and values the work we're doing here and is investing in that as well. And so I think, you know, it's not necessarily a question of, like, can we make this cheaper to run or not for public repos. It's like, how do we do it at the scale we're at, at all, you know, period. For some of the capabilities I think it gets a little harder; we talk about GPU-bound AI features. But generally, you know, it's an important part of what we're doing as a company and as a business to support the open source community and continue to lean into that responsibility.

22:17

I have over all of this like

22:19

looming over all of this is get

22:21

Her Copilot which is generating code. There's

22:23

a large language model at it's base.

22:25

But large language models are tuned for different stuff. Some are good at generating Shakespeare and limericks, and some are good at generating code, but some are just confident BSers. How do I know that Copilot or some code language model is not going to go and generate insecure code and then run it down my pipeline, my security pipelines?

22:42

Sure. So, kind of starting at the left side of this: the models we're using are very much focused and tuned towards software development and the way we're incorporating those, and so we're going to continue to work on what the right models are for the right situations you're in. That will evolve as the product develops as well. But then, if you move a little bit to the right, we are working with Microsoft, and we've got our own filters in place as well that we partner with Microsoft on to do things like security filtering and toxicity filtering. So they're looking for common things like SQL injection vulnerabilities and are going to prevent those from even being suggested to developers before they even get there. Now, it's early days, and I think this is going to continue to evolve, and I'm really excited actually to see over time if we see fewer and fewer vulnerabilities introduced in the editor to begin with. I actually think we are; we're already seeing that now. But, you know, I think getting these filters, getting the tuning necessary after the suggestions to make sure it's relevant to the context of what the developer's doing, what they're trying to do, what question they asked, is something we're very focused on. And we always say, even though the suggestions are good and we're seeing huge acceptance rates here, it's a copilot, so you should still run Advanced Security. Still check the code.

24:01

You should still make sure your builds work and your normal tests as you would normally.

24:05

I appreciate that you call out the idea of context. I use that in my talks about not just Copilot, but AI in general: if you, in an interview, walk up to someone and you say that, they're gonna, like, joke about this. Like, my wife and I, we finish each other's sandwiches, and maybe it's context that we have because we've been married for twenty five years. But when you say to GitHub Copilot, "write me a for loop," how much context is appropriate? Does it need to know what I wrote last week? Does it need to know what I wrote earlier today? Or can it produce what I need it to produce? Now, maybe it doesn't know that I'm in the middle of red teaming, or maybe it doesn't know I'm in the middle of whatever. The context that GitHub Copilot knows can get into an uncanny valley of creepiness, where I might feel uncomfortable that the AI knows stuff. But if it's permissive and it asks follow-up questions, like, I'm alone, a Clippy that, you know, to me, like: "Looks like you're doing some naughty things with red teaming, would you like help?" versus "It looks like you're really focused on security and you want your code to be extra secure." How much context should Copilot have when it's trying to help me?

25:08

Sure. I think this is universally something we talk to customers about, and I know our product and engineering teams are really focused on it as well. And some of this is gonna come down to where in the product and where in the workflow the developer is engaging AI as it is. And so, you know, the context going into GitHub Copilot from autocompletion may be open files in the editor that they're working on now. But if they've got chat, GitHub Copilot Chat, up as well, and they're asking questions, then that can tune in, help it understand a bit more. And so, as we continue building GitHub Copilot into more and more of the GitHub platform in terms of enabling developer productivity, I think we're gonna hopefully see that be more evident to developers where it's getting it and how it's helping them be more productive.

25:57

I like that, the evidence part. Like, I don't want magic. I want CodeQL or Dependabot or any number of these tools in GitHub Advanced Security and my pipeline to let me know, "Hey, I found a thing. Here's why I think it's a thing. And here's what I think you should do about it." Like, don't just say this is a problem. Tell me why you figured it out, so then I can learn and be better myself.

26:18

Sure. Yeah, no, I totally agree. And I think, you know, when I pull up Copilot Chat and start asking questions, that's one of my favorite parts about it, actually, is it's explaining to me: here's what we're suggesting, here's why, hey, this is vulnerable, if you want to read more about why it's vulnerable, go click this link. And honestly, it's a much richer experience than going to a search engine and trying to find help for the thing I'm trying to do. And it's also way, way faster. I was editing a Jupyter notebook the other day to, like, analyze some data for the teams. And I needed to make some changes to it, and I wasn't super familiar with the language. And I was like, oh, this is gonna take me hours, I'm not even gonna bother with this. And then I was like, oh, wait, actually, let me fire up Copilot and see what I can do. I had it fixed in, like, five minutes. It did exactly what I wanted it to do, and I understand why it did it. And that was just a fun thing for me, given that I don't really develop every day anymore in my day job.

27:09

You know, it's interesting that you call that out, though, because, you know, that idea that there are co-workers or relatives who are really good Googlers. You know, I'll have, like, a non-technical relative try to Google for something, and they'll just keep banging their head against the wall. And then I'll just notice, like, you used too many words, use less, and then I'll find it on the first try.

27:29

Or there's a particular term. Hopefully, Copilot and the AIs will equalize that more, so that everyone will get the answer that they want. Because what happens now is my non-technical relative will be like, "Oh, you're just a really good Googler." It's like, well, no, you know, I want to teach you how to be able to do that. But I noticed that their solution is to simply restart and try again. Yeah, like, give up on the query and phrase it differently. But with an AI or with a copilot, I don't just give up and start a new conversation; I try to refine it. I think that's a skill we're gonna have to teach our non-technical brethren.

28:00

I agree. I also think, at least to me, it feels more intuitive to do that with an AI copilot. I mean, just being able to have that context we were talking about a few minutes ago that it's already got: it already sort of knows roughly what I'm trying to do, or at least what I'm seeing on my screen to a certain degree, and I can say, like, "Hey, can you explain this file to me?" I don't have to tell it which file it is. Or, "Can you help me rewrite this file from COBOL to Python?" There's things like that where, if I went and Googled that, it would take me hours and hours and hours to figure out roughly the same thing, because I would have to keep doing that iterative thing. And even though I'm not quite as good of a Googler as my wife is, I'm still fair at it.

28:38

Very cool. Well, I think that, in conclusion, what I'm hearing is I need to make sure that I've got Advanced Security turned on on all of my repositories, which I can do if I'm an admin on a public repository; I can turn these on. And that'll give me Dependabot, which I already love; CodeQL, which I can use, and if I interact with it I will get nothing but good stuff; and then secret scanning and push protection is going to be fantastic as well. This is all combined within the context of GitHub Advanced Security. This is pretty cool stuff. Jacob, thanks for hanging out with me today.

29:09

Thanks so much for having me. Enjoyed chatting.

29:12

We've been chatting with Jacob DePriest; he's the deputy chief security officer at GitHub. This has been another episode of Hanselminutes, and we'll see you again next week.
