GitHub’s strategy with AI will bring a new era for the developer community

• GitHub’s AI strategy for the developer community enhances application security and productivity, leading to more efficient coding practices.
• GitHub Universe 2023 showcases AI advancements, revolutionizing security and developer workflows in software development.
• APAC’s tech growth, spearheaded by Singapore, aligns with GitHub’s AI initiatives in transforming regional technology.

The integration of AI into application security is marking a transformative era in software development. At GitHub Universe 2023, significant advancements were announced, shaping the future of this field.

Tech Wire Asia interviewed Jacob DePriest, VP and deputy CSO at GitHub, at GitHub Universe 2023 on how AI is reshaping traditional application security and the prospects for developers. Additionally, we connected these advancements to the growing tech landscape in the Asia-Pacific (APAC) region, as observed by Sharryn Napier, VP of APAC at GitHub.

Enhancing security with AI for every developer

Jacob DePriest was keen to highlight the seismic shift that AI brings to addressing application vulnerabilities.

“GitHub is using generative AI models to model software languages to support them in CodeQL faster. This is behind-the-scenes work, but really, it’s allowing the company to go faster and support more languages and capabilities.”

This approach not only accelerates the process but also enhances overall security efficiency. The AI Copilot is instrumental in helping developers secure code early in the development process, signifying a proactive approach to vulnerability detection.

AI’s growing role in developer workflow

DePriest observed that AI is becoming integral to the entire developer workflow, enhancing security at each step. Currently, many developers find themselves coding in one instance and then shifting their mindset to focus on security. They deal with alerts and security issues before returning to coding, frequently switching between these tasks. This happens again in deployment phases with processes like CI/CD, where they must consider security while deploying.

GitHub can enhance security at each stage by integrating AI into every aspect of the development workflow. In the future, DePriest envisions scenarios where developers will receive suggestions, tips, and even auto-completions for more secure methods as they work. For instance, if a new CVE is released, AI could prompt developers to review certain aspects of their code.

Future projections include AI-driven suggestions and auto-completions for secure coding practices, reshaping how security is embedded in the development lifecycle.

GitHub’s fundamental security ethos has always been about bringing security to the developer. It aims to avoid disrupting the flow, as developers typically take around 23 minutes to enter a flow state, which can be disrupted in just five seconds. Its goal is to help developers maintain their flow. So, GitHub’s autofix feature in code scanning reflects its commitment to bringing security closer to the developer without disrupting their workflow.

“At the heart of our approach is the belief that AI shouldn’t change the workflows for developers but rather make them more efficient,” said DePriest. “I believe it’s more likely that AI will minimize disruptions in the workflow rather than increase them. This is where I envision AI having its most significant impact.”

Advancing secret detection with AI technology for the developer community

Secret detection at GitHub is being actively enhanced to provide increasingly actionable alerts. This strategy is critical for the effective resolution of security issues. GitHub’s goal is to avoid bombarding developers with unclear or difficult-to-address alerts. Although still in the early stages with some capabilities, GitHub is focused on providing developers with those actionable alerts, and minimizing the confusing ones. This is particularly relevant in the context of secret detection. DePriest explained that when a secret is found in the code, GitHub’s aim is to alert the developer and guide them on how to fix it.

“We’ll provide information about the implications and urgency of the issue. For instance, we’ll inform them if a token is already invalid and doesn’t pose a threat. These informational cues are crucial in enabling actionable outcomes. We want to prevent developers from having to spend excessive time determining whether something is a genuine security risk or not,” he explained.

For instance, this year alone, GitHub has blocked over 30,000 secrets through push protection before reaching the repository. This is crucial because it’s often too late once a secret enters the repository. It’s already embedded in the code, requiring time and resources to invalidate the token, generate a new one, and correctly reposition it. Preventing these 30,000 secrets from entering the code could save tens of millions of dollars, depending on the nature of the tokens.

The technology has significantly demonstrated AI-powered secret scanning’s impact in preventing security breaches.

Given that over 80% of current breaches can be traced back to leaked credentials or passwords, this issue remains a significant concern in security. GitHub believes that its secret scanning capabilities will make a substantial impact, especially with the recent advancements in detecting generic secrets. It is vital to address prevention and detection to effectively tackle this ongoing security challenge.

Metrics and insights for security management

Tech Wire Asia: “Which metrics or insights do you consider most critical for security managers to monitor and improve their organization’s security health?”

“That’s a big question,” said DePriest.

He explained the importance of integrating security and engineering teams, advocating for a ‘secure by design’ approach. Achieving that requires security leaders to work closely with engineering leaders. That way, when tools, capabilities, and developer tooling are developed, and platform engineering is conducted, those elements are secure by design right from the start.

Such collaboration is crucial in managing secrets, remediating vulnerabilities, and effectively resolving security issues

DePriest emphasized that every company is different in its needs and approach. A financial industry company might have different requirements than a manufacturing or cloud-based tech company. But much of it boils down to crucial application security aspects. How are secrets managed in the code? How quickly are vulnerabilities remediated? And how effectively are day-to-day security issues monitored and resolved?

The company has established a program and governance structure at GitHub to address these issues. DePriest noted that focusing on these topics is essential for security leaders to continue improving and expanding control over security in software development.

Balancing AI tools and human expertise

In AI-enabled security tools, GitHub views AI as an augmentation capability, not a replacement for human expertise. DePriest underscores the need for software developers and the role of AI in enhancing their capabilities.

For instance, within the team at GitHub, the company encourages everyone to use Copilot. It’s available for everyone who wants to use it. “I’m excited about this because if our team can save time on routine, boilerplate tasks with Copilot’s help, they can dedicate more time to devising innovative ways to keep our platform secure,” DePriest emphasized. “As our customers and the wider community trust this platform, we view AI as an enabler and accelerator of capabilities, not as a replacement for human skills.”

Singapore’s emergence in APAC, and how AI has helped the developer community

The dynamic growth of the developer community in the APAC region, particularly in Singapore, is noteworthy. Napier attributes this growth to the government’s investment in coding education.

“The government’s investment in teaching coding to children in schools is a fundamental, grassroots effort now paying off,” Napier explained. This strategic approach and the vision to develop Singapore as a ‘smart nation’ have significantly contributed to its status as a major tech hub.

Napier suggested looking at educational initiatives for APAC countries aspiring to replicate Singapore’s success.

She pointed out the approach in Australia, where there’s a significant emphasis on diversifying the tech field. Napier believes it’s essential for governments in all regions to collaborate in solving the challenges of increasing the number of developers and people skilled in coding.

Napier added that investing in STEM education and promoting tech fields in schools and universities, similar to GitHub’s initiative, could bridge the skills gap.

AI’s impact on business strategies in APAC

Napier notes a surge of excitement among APAC leaders about AI’s potential. “We’ve observed developments happening 50% faster,” she states, emphasizing AI’s role in enhancing productivity and innovation.

Currently, the focus lies on understanding AI’s applications and implications, especially in security. Napier believes “the upcoming year will likely see more embracing of this technology.”

Discussing AI’s role in addressing legacy code, Napier recalls a conversation with a bank about adopting GitHub Copilot, highlighting AI’s potential for agility and productivity in enterprise settings.

While explaining and refactoring legacy code, the discussion led to an ‘Aha!’ moment. This is one of the things she thinks provides enterprises with a new level of agility and productivity, which is especially relevant in regions with significant human skills gaps, like Japan, Australia, and Singapore.

Looking toward 2024, Napier anticipates significant technological and economic developments in Singapore, influencing the broader APAC region. Despite facing similar economic challenges as other regions, the excitement for technology’s potential remains high.

“Next year, I anticipate it will be about the application of AI, really embracing it on a large scale,” Napier predicted, with organizations reporting productivity gains and the potential of recent technological advancements still largely untapped, 2024 promises to be a pivotal year in the technology landscape.

Underpinned by government initiatives and educational strategies, Singapore and the APAC region are poised for a technological revolution. The increasing application of AI across various industries heralds a new era of economic growth and enhanced global competitiveness, marking an exciting future for the region. This growth is paralleled by the advancements in AI-driven application security, as highlighted by GitHub, showcasing a symbiotic relationship between technological innovation and regional development.

---

---

---