Sergey Nivens - Fotolia

GitHub hires first-ever chief security officer

GitHub has added a CSO to its ranks, as the platform seeks to grow and maintain one of the world's largest collections of open source software projects.

GitHub has hired a new chief security officer to help the company secure its overall platform for hosting software development projects, as well as to help developers "shift left" and bake the process of building secure software in as an early and more natural part of the development lifecycle.

Mike Hanley, a veteran software security leader, comes to GitHub from Cisco, where he was most recently chief information security officer -- a position he attained when Cisco acquired Duo Security for $235 billion in 2018. Hanley was head of security at Duo.

Hanley is GitHub's first CSO. All security efforts were previously led by former vice president of security Shawn Davenport.

Hanley a big win for GitHub

By all accounts, Hanley's hire is a win for GitHub -- a "score," said one analyst.

Chris GonsalvesChris Gonsalves

"Mike is about as universally well regarded as it's possible to be in infosec," said Chris Gonsalves, senior vice president of research at Channelnomics, formerly The 2112 Group, based in Port Washington, N.Y. "That's a credit to his formidable technical skills coupled with a proven ability to lead high-functioning teams. He's former DoD, former CERT [federally-funded Community Emergency Response Team], he has the chops. More importantly, he played a significant role in building Duo's well-known culture of positivity and excellence, and he'll certainly bring that to GitHub."

Indeed, in a blog post, Hanley pointed to similarities between the "developer-first" security culture at Duo and that at GitHub.

All the right investments

Hanley also noted GitHub's investments in areas including passwordless authentication and the move to eliminate all third-party tracking cookies on its site as ways the company has placed a priority on developer security and privacy.

"Similarly, developer-focused security capabilities like secret scanning and CodeQL provide key guardrails that help developers avoid incidents and shipping vulnerabilities," Hanley said in the post. "Having built programs in SaaS companies like Duo and large enterprises like Cisco, I know how critical these capabilities are to a wide range of developers, and these investments are an incredible foundation for the next round of growth and investment in our security org."

Hanley is stepping into an important role not only at GitHub but also in the overall software development industry. GitHub holds one of the world's largest collections of open source software projects.

It is not hyperbole to say that GitHub has ascended to critical infrastructure status.
Chris GonsalvesSenior vice president of research, Channelnomics

"It is not hyperbole to say that GitHub has ascended to critical infrastructure status," Gonsalves said. "Go ask Uber or Twitter how important security is in this environment. In a digital world, code repositories hold the proprietary fabric -- the crown jewels -- of the world largest enterprises. GitHub is a vital link in the modern supply chain, no matter what industry you're in."

As Hanley noted in his blog, the world runs on software, and a large portion of it -- especially the open source software that's part of practically everything -- is built by millions of developers on GitHub every day.

Boosting confidence for enterprises

However, "The recent open source-based novel supply chain hack really spooked the open source community," said Dave Gruber, an analyst at Enterprise Strategy Group. "The deep dependency chain behind many open source projects obscures issues that enable this kind of attack. GitHub needs to get on top of this fast, before organizations lose confidence."

Hanley said many of his favorite security projects are hosted on GitHub, including CloudMapperStethoscopeGoPhish and osquery.

"It makes sense for GitHub to hire a CSO," said Krishnan Subramanian, an analyst at Rishidot Research in Redmond, Wash. "With the Solarwinds hack in the minds of people and the need to secure the pipeline from developer laptop to production, GitHub should employ the best security to give the necessary assurance to their enterprise customers. From that angle, this is a good step by GitHub."

That enterprise focus is key, as GitHub must protect the repositories  of small, medium and very large teams, including those with thousands of developers.

"GitHub is learning via Microsoft that it needs to play well with the C-suite, so a former Cisco CISO gives GitHub some instant credibility," said Holger Mueller, an analyst at Constellation Research in Monte Vista, Calif.

Multifaceted responsibilities

Hanley's role will be at least two-pronged, as he has to tie down the internal systems and oversee the protection of developer teams with projects on the platform.

In many ways, it's a lot like running a self-storage facility, Gonsalves explained. Job one is securing the facility.

"Then the task becomes getting the tenants to secure themselves," he said. "Making sure they padlock their units and don't cut holes in the walls to share their possessions with their neighbors -- stuff like that. And as they grow beyond their repository roots into services like GitHub Pages, the security implications increase dramatically."

Moreover, GitHub has made a few acquisitions over the past couple of years that demonstrate its interest in application security, such as the acquisitions of Semmle and Dependabot.

"These acquisitions speak to their focus on building security into the development process," said Sandy Carielli, an analyst at Forrester Research. "GitHub also has partnerships with a number of pre-release security testing vendors to integrate their tools into GitHub. I'm not surprised to see GitHub continuing to invest by hiring a chief security officer."

Enterprise Strategy Group is a division of TechTarget.

Dig Deeper on Software development lifecycle