
What we learned from the Security Lab’s Community Office Hours

Blog post from GitHub

Post Details
Author: Joseph Katsioloudes
Word count: 1,027
Language: English
Summary

Earlier this year, the GitHub Security Lab launched an office-hours initiative in which open-source maintainers could consult the Lab's security experts to improve their projects' security posture and reduce the risk of a breach, in line with the Lab's mission of securing open-source software. The initiative worked with six projects and led to significant improvements in their security practices; for instance, the Guzzle team (maintainers of a PHP HTTP client) saw a dramatic reduction in the time taken to handle reported vulnerabilities after following the Lab's guidance. Each engagement began with the maintainers completing a questionnaire, which was used to match them with GitHub security experts; the experts familiarized themselves with the project's codebase ahead of the session so that the discussion could be concrete and productive. The key findings were that maintainers often struggled to define their project's attack surface, that simple practices such as enabling two-factor authentication (2FA) and automated code scanning had an outsized impact, and that test suites typically exercised functionality far more thoroughly than security properties. The initiative highlighted the value of threat-modeling exercises and encouraged maintainers to prioritize security work using practical, data-driven approaches.