Open source software underpins trillions of dollars in value but often relies on under-resourced maintainers, creating significant security risks.
Static application security testing (SAST) tools like GitHub code scanning can automatically find about 50% of vulnerabilities before production.
The primary challenge in security is fixing, not detection, and AI-powered tools can automatically generate code fixes within pull requests.
Leaked credentials are a top cause of breaches, so secret scanning prevents them from being committed, while Dependabot automates dependency updates.
Developers spend nearly a third of their time finding and fixing security issues, but AI tooling can free them up for more proactive security reviews.
AI assistants can analyze open source projects to assess their security posture and help determine if they align with your risk appetite.
Interactive, browser-based training like the Secure Code Game helps developers practice fixing real-world vulnerabilities from the OWASP Top 10 and AI security.
A dedicated fund provides open source projects with $10,000 annually, plus three weeks of security training and mentorship from experts.
While expert tools are better for vulnerability detection, AI excels at fixing code and can use an agent mode to automate the entire fix-and-test cycle.
GitHub secures open source through a combination of high-quality research, AI, improved developer experience, community collaboration, and education.
29:50Kevin Lewis
21:53Isaac Evans
24:47Adrian Mouat
26:52Thomas Dohmke & Demetris Cheatham
35:31Thomas Dohmke
25:19Chris Wysopal
23:34Stefania Chaplin
32:55Natale Vinto
Jobs that call for the skills explored in this talk.
Excellence AG
Fraunhofer-Gesellschaft
NTT DATA Deutschland GmbH
NTT DATA Deutschland GmbH