Episode 248: GitHub’s Jill Moné-Corallo on Product Security And Supply Chain Threats

The Security Ledger Podcasts - A podcast by The Security Ledger

In this episode of the Security Ledger Podcast, Paul speaks with Jill Moné-Corallo, the Director of Product Security Engineering Response at GitHub. Jill talks about her journey from a college stint working at Apple's Genius Bar to the information security space, first in product security at Apple and now at GitHub, a massive development platform that is increasingly in the crosshairs of sophisticated cyber criminals and nation-state actors.

Innovation in the cybersecurity industry often starts with the bad guys. Hard as it is to admit, information security firms are often playing catch-up with cyber criminals and nation-state actors, adjusting their tools and methods to respond to changes in attacks and compromises. We're seeing that dynamic play out these days in the increasing attention and urgency around attacks on software supply chains, as malicious actors have realized that they can bypass network defenses by insinuating themselves into the software and services that target organizations rely on.

Growing threats to open source platforms

Attacks on open source projects and platforms are part of that trend. Malicious actors are increasingly targeting development platforms, planting malicious modules on platforms like GitHub, NPM and PyPI that imitate popular ones and then waiting for unsuspecting developers to download and integrate the malicious code into legitimate applications. Recent months have seen large-scale attacks involving scores or even hundreds of malicious modules designed to steal data or provide remote access to the environments on which the tainted applications are deployed.

But the shift left has also put open source platforms in the crosshairs of attackers, as they look for ways to leverage weaknesses to facilitate attacks or avoid detection.
As we go to print, for example, the development tool CircleCI urged developers to change "any and all" secrets stored on its system after a compromise that may have resulted in the theft of developer secrets stored in environment variables or in contexts.

Organizing chaos

With attacks like that on the increase, how are the platforms responding? In this episode we speak with someone who knows: Jill Moné-Corallo, the Director of Product Security Engineering Response at GitHub, a position that gives her responsibility for GitHub's product security incident response and bug bounty teams.