Most Active Speaker

Joseph Katsioloudes

GitHub Security Lab

London, United Kingdom

Joseph is a security expert who empowers developers to ship secure software through his research and education work at the GitHub Security Lab. His recent contributions include video content, packed with practical security tips, with a combined 1.2 million views, and the free game gh.io/securecodegame for software developers who want to build a security skillset, which drew 6,000 players worldwide in its first year. As the speaker of 55 talks in 23 countries in the past 3 years, he captivates audiences with his insights and dynamic presentation style.

Awards

  • Most Active Speaker 2023

Area of Expertise

  • Information & Communications Technology

Topics

  • Software
  • Software Engineering
  • Artificial Intelligence
  • Artificial Intelligence and Machine Learning for Cybersecurity
  • cyber security
  • cyber attacks
  • Information Security
  • Technology
  • Software Security
  • Coding
  • Programming
  • GitHub
  • Software Development
  • Software Development Best Practices
  • SDLC
  • Secure SDLC
  • DevOps
  • DevSecOps
  • open source
  • Open Source Software

Security as Code: A DevSecOps Approach

Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization.

In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline.

Code Security Reinvented: Navigating the era of AI

Artificial intelligence (AI) already serves as a copilot in our daily lives, acting as a digital assistant and delivering personalized experiences. Despite progress in many areas, AI has historically fallen short of improving software development practices. This changed with the introduction of AI pair programmers, which distill the collective technical know-how of the world’s developers, and their widespread adoption has been quite telling.

While the process of building software has become easier and faster, the question remains: What about more secure? In this session, we’ll demonstrate several ways developers can use AI to leverage the world's security knowledge through dozens of practical demos in GitHub Copilot. The audience will gain a deep understanding of AI capabilities, along with insights and best practices drawn from the lessons we learned as developers striving to ship secure code.

Breaking Barriers: The Art of (Free) Gamified Security Training

In a world where security training often feels like a mundane chore, discover the refreshing impact of gamification and turn learning into an enjoyable experience. Embark on an insightful journey as we unveil the success story of gh.io/securecodegame, an open-source game hosted on GitHub Skills, that attracted over 6,000 developers within the first year.

This session will provide you with an exclusive behind-the-scenes perspective, offering valuable insights and practical strategies to revolutionize various aspects of security training for your benefit. We’ll explore a case study from a tech startup that observed, among the developers who played the game, an increased sense of ownership for code security, improved communication with security teams, and a strong willingness to embrace further security training.

Navigating the Impact of AI, Developer Experience and Communities on Software Security

Discover the impact of AI, Developer Experience (DevEx), and communities on software security through real-world examples derived from securely building GitHub using GitHub. Uncover valuable insights into the dynamic interplays between these three transformative forces, paving the way for a new era in software development and, consequently, for software security.

This session will provide you with an exclusive behind-the-scenes perspective, offering insights into how GitHub enhances various elements of the Secure Software Development Life Cycle (SSDLC), benefiting from each driving force and their interplays. We will explore practical strategies for software security, supply chain, secrets hygiene, automation and security culture. The audience will gain a deep understanding of industry-leading software practices, drawn from our experiences as developers helping others with security in a rapidly changing landscape.

How GitHub secures open source

Uncover valuable insights into how GitHub secures the open-source software we all depend on, with real-world examples from the GitHub Security Lab, which uncovered 1,000+ vulnerabilities and was credited with 700+ CVEs over four years. Securing open-source software is critical because it underpins much of today’s digital infrastructure, and vulnerabilities in widely used components can create significant risks across entire software ecosystems.

This session will provide the latest updates on how GitHub enhances various elements of the Secure Software Development Life Cycle (SSDLC), leveraging the driving forces of Artificial Intelligence (AI), Developer Experience (DevEx), and community collaboration to secure open source. We will explore best practices in software security, including code scanning, secrets hygiene, dependency management, automation, and enhancing security awareness through gamification. The audience will gain a deep understanding of industry-leading initiatives and lessons learned from our experience in today's rapidly changing landscape.

The target audience is developers who are interested in software security and want to understand how GitHub uses GitHub to build GitHub securely and how we secure the open source software we all depend on.

Build Stuff 2024 Lithuania Sessionize Event

November 2024 Vilnius, Lithuania

SOSS Community Day Europe 2024 Sessionize Event

September 2024 Vienna, Austria

WeAreDevelopers World Congress 2024 Sessionize Event

July 2024 Berlin, Germany

AI_dev: Open Source GenAI & ML Summit Europe Sessionize Event

June 2024 Paris, France

KCD Czech & Slovak 2024 Sessionize Event

June 2024 Prague, Czechia

DeveloperWeek Global 2024 Sessionize Event

June 2024

DevSum 2024 Sessionize Event

May 2024 Stockholm, Sweden

State of Open Con 24 Sessionize Event

February 2024 London, United Kingdom

NDC Security 2024 Sessionize Event

January 2024 Oslo, Norway

NDC Porto 2023 Sessionize Event

October 2023 Porto, Portugal

Infobip Shift 2023 Sessionize Event

September 2023 Zadar, Croatia

WeAreDevelopers World Congress 2023 Sessionize Event

July 2023 Berlin, Germany

DevBcn 2023 Sessionize Event

July 2023 L'Hospitalet de Llobregat, Spain

DevSecCon24 2023 Sessionize Event

June 2023

Appdevcon / Endpointcon 2023 Sessionize Event

May 2023 Amsterdam, The Netherlands

DeveloperWeek Europe 2023 Sessionize Event

April 2023

Future Tech 2023 Sessionize Event

March 2023 Utrecht, The Netherlands

NDC Security 2023 Sessionize Event

January 2023 Oslo, Norway

TechBash 2022 Sessionize Event

November 2022 Mount Pocono, Pennsylvania, United States
