GitHub announces general availability of security campaigns to eliminate vulnerabilities at scale

by CIOAXIS Bureau

GitHub has announced the general availability of security campaigns with Copilot Autofix for all GitHub Advanced Security and GitHub Code Security customers, enabling them to take control of their security debt and manage risk by opening up collaboration between developers and security teams.

Security campaigns bring security experts and developers together, streamlining vulnerability remediation within developer workflows and at scale. Using Copilot Autofix to generate code suggestions for up to 1,000 code scanning alerts at a time, security campaigns let security teams handle triage and prioritisation, while developers resolve the issues quickly with Autofix without losing development momentum.

“Our data shows that security debt is the biggest unaddressed risk that customers face: historically, only 10% of lingering security debt in merged code gets addressed, meaning until today, 90% of risks did not get prioritised,” said James Fletcher, Senior Product Manager, GitHub. “Now, our data shows that 55% of security debt included in security campaigns was fixed,” Fletcher added.

Since security campaigns were launched in public preview at GitHub Universe last year, GitHub has seen organisations at all different stages of their security journey try them out. Whether they’ve been used to reduce security debt across an entire organisation or to target alerts in critical repositories, security campaigns have delivered value for both developers and security teams in their efforts to tackle security debt.

“Security campaigns simplify life for our developers. They can easily group alerts from multiple repositories, reducing time spent on triage and prioritisation while quickly remediating the most critical issues with the help of Copilot Autofix,” said Jose Antonio Moreno, DevSecOps Engineer, Lumen.

In a sample of early customers, GitHub found that 55% of alerts included in security campaigns were fixed, compared with only around 10% of security debt outside security campaigns, a 5.5X improvement. This suggests that when alerts are included in a campaign, developers can spend more time fixing the security debt, since the security team has already decided which alerts to work on. GitHub data also shows that alerts in campaigns get roughly twice as much developer engagement as those not in campaigns.

Triaging and prioritising security problems already present in a codebase has to happen as part of the normal software development lifecycle. Unfortunately, product teams under pressure to ship more code faster struggle to spend enough time digging through their security alerts and deciding which ones to address first. In most software organisations there is already a group of people who are experts in understanding these risks: the security team. Security campaigns play to the different strengths of developers and security teams in a new collaborative approach to addressing security debt.

1. Security teams prioritise which risks need to be addressed across their repositories in a security campaign. Security campaigns come with predefined templates based on commonly used themes (such as the MITRE top 10 Known Exploited Vulnerabilities) to help scope the campaign. GitHub’s security overview also provides statistics and metrics summarising the overall risk landscape.

2. Once the campaign alerts are selected and a timeline is specified, the campaign is communicated to any developers who are impacted by the campaign. The work defined in a campaign is brought to developers where they work on GitHub, so that it can be planned and managed just like any other feature work.

3. Copilot Autofix immediately starts suggesting automatic remediations for all alerts in a campaign, as well as custom help text to explain the problems. Fixing an alert becomes as easy as reviewing a diff and creating a pull request.

Crucially, security campaigns are not just lists of alerts. Campaigns are complemented by notifications that ensure developers know which alerts they (or their team) are responsible for. To foster stronger collaboration between developers and the security team, each campaign also has an appointed manager who oversees its progress and is on hand to assist developers. Security managers also have an organisation-level view on GitHub to track progress and collaborate with developers as needed.

Starting today, developers can also access several new features to plan and manage campaign-related work more effectively:

* Draft security campaigns: Security managers can now iterate on the scope of campaigns and save them as draft campaigns before making them available to developers. With draft campaigns, security managers can ensure that the highest priority alerts are included before the work goes live.

* Automated GitHub issues: Security managers can optionally create GitHub issues in repositories that have alerts included in the campaign. These issues are created and updated automatically as the campaign progresses and can be used by teams to track, manage and discuss campaign-related work.

* Organisation-level security campaign statistics: Security managers can now view aggregated statistics showing the progress across all currently-active and past campaigns.
