
Establishing a Secure Development Strategy

1. Establishing a Secure Development Strategy

Now, we'll explore how to secure our data projects with GitHub tools like the Dependency Graph, Dependabot, and Advanced Security.

2. Why Secure Development Matters

Secure development is crucial for all projects. By automating security tasks, we can prevent issues early and maintain a strong security posture with minimal effort. Let’s explore the tools that make this possible.

3. GitHub Advanced Security: The Essentials

GitHub Advanced Security provides essential tools like Code Scanning for identifying vulnerabilities, Secret Scanning for protecting sensitive data, and features like Dependency Graph and Dependabot, which we'll focus on in this video. For more on other features, visit the documentation.

4. Understanding the Dependency Graph

The Dependency Graph provides a complete view of our project’s dependencies, helping us visualize all the libraries our project relies on. It identifies potential vulnerabilities in our dependency chain and allows us to monitor updates and changes. This tool is crucial for maintaining a secure and up-to-date project.

5. Adding Dependencies to Our Repo

To dive deeper into how dependencies work, we’ve added key files to our ecommerce-data-hub repo. This includes a requirements-analysis.txt file with specific package versions for data analysis, a requirements-ml.txt file for machine learning, and a setup.py file to manage all dependencies. These additions will let us see the Dependency Graph in action.

6. Opening the Dependency Graph

To explore dependencies, we start by opening our ecommerce-data-hub repository.

7. Opening the Dependency Graph

Next, we navigate to the Insights tab.

8. Opening the Dependency Graph

We click on the Dependency graph option on the left sidebar.

9. Opening the Dependency Graph

The Dependency Graph highlights alerts at several severity levels, critical, high, and moderate, indicating how serious the vulnerabilities in our dependencies are.

10. Opening the Dependency Graph

Hovering over a critical alert, we see that Dependabot suggests updating the TensorFlow library pinned in the requirements-ml.txt file. Always verify the update's compatibility with the codebase before adopting it.

11. Turning on Dependabot Alerts

To ensure we're alerted to new vulnerabilities, head to Settings, navigate to Code security and analysis, and toggle on Dependabot alerts.

12. Checking Dependabot Alerts in the Security Tab

After enabling Dependabot alerts, head to the Security tab in our repository to view them.

13. Viewing Dependabot Alerts

Click on Dependabot in the Security tab to view all active alerts. Here, we can see detailed information, such as the critical TensorFlow issue we encountered earlier.

14. Reviewing and Merging the Security Update

Let's open the TensorFlow vulnerability. We click Review security update and merge the automatic pull request from Dependabot to upgrade TensorFlow to version 2.12.1.

15. Reviewing the Updated Alerts

After merging the security update, if we go back to the alerts view, we can see that 275 alerts are now closed, with 8 remaining. This shows how Dependabot helps keep our dependencies secure by automatically resolving vulnerabilities.
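As an added example (not part of the original course or of the ecommerce-data-hub repo), the following Python script models offline what the Dependency Graph and Dependabot do with the requirements files described above: it parses pinned requirements, matches each pin against an advisory table, ranks alerts by severity, shows the pin a Dependabot security update would propose, and confirms that re-scanning after the upgrade closes the alert. The file contents, package versions and advisories are constructed for the demonstration and are not real vulnerability data; only the fixed TensorFlow version 2.12.1 comes from the video.

```python
"""Offline model of dependency-alert matching for requirements.txt pins.

Added example, not code from the course. All advisories and package
versions below are CONSTRUCTED for illustration and are not real CVE data.
"""
import re
from dataclasses import dataclass

# Constructed stand-ins for the two requirements files named in the video.
REQUIREMENTS_ANALYSIS = """
# data analysis stack
pandas==1.5.3
numpy==1.24.2  # pinned for reproducibility
"""

REQUIREMENTS_ML = """
tensorflow==2.11.0
scikit-learn==1.2.2
"""

SEVERITY_ORDER = ["critical", "high", "moderate", "low"]


@dataclass(frozen=True)
class Advisory:
    package: str
    severity: str
    fixed_in: str  # first version that is no longer affected


# CONSTRUCTED advisories. Only the TensorFlow fixed version (2.12.1) is
# taken from the video; the numpy entry is invented for the example.
SAMPLE_ADVISORIES = [
    Advisory("tensorflow", "critical", "2.12.1"),
    Advisory("numpy", "moderate", "1.24.3"),
]

_REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==\s*([^\s,]+))?"
)


def parse_version(text):
    """Turn '2.12.1' into (2, 12, 1) so versions compare numerically.

    Non-numeric suffixes such as 'rc0' are dropped from each component.
    """
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d*", piece).group(0)
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_requirements(text):
    """Return {package: version-or-None} from requirements.txt-style text.

    Skips blank lines, comments, option lines such as '-r other.txt', and
    environment markers after ';'. Only exact '==' pins yield a version;
    ranges like 'requests>=2.0' map to None because the installed version
    cannot be determined from the file alone.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_LINE.match(line)
        if not match:
            continue
        name = match.group(1).lower().replace("_", "-")
        pins[name] = match.group(3)
    return pins


def scan_requirements(files, advisories=SAMPLE_ADVISORIES):
    """Cross-reference pinned packages in `files` ({filename: text}) with
    the advisory table; return one alert per affected pin, most severe first.
    """
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    alerts = []
    for filename, text in files.items():
        for name, version in parse_requirements(text).items():
            if version is None:
                continue  # unpinned: exposure cannot be decided offline
            for adv in by_package.get(name, []):
                if parse_version(version) < parse_version(adv.fixed_in):
                    alerts.append({
                        "file": filename,
                        "package": name,
                        "installed": version,
                        "severity": adv.severity,
                        "fixed_in": adv.fixed_in,
                        # the pin a Dependabot security update PR would propose
                        "suggested_pin": f"{name}=={adv.fixed_in}",
                    })
    alerts.sort(key=lambda a: SEVERITY_ORDER.index(a["severity"]))
    return alerts


def summarize(alerts):
    """Count alerts per severity, like the Dependency Graph header badges."""
    counts = {}
    for alert in alerts:
        counts[alert["severity"]] = counts.get(alert["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    files = {
        "requirements-ml.txt": REQUIREMENTS_ML,
        "requirements-analysis.txt": REQUIREMENTS_ANALYSIS,
    }
    for alert in scan_requirements(files):
        print(f"[{alert['severity']}] {alert['file']}: {alert['package']}=="
              f"{alert['installed']} -> {alert['suggested_pin']}")
    print("summary:", summarize(scan_requirements(files)))
```

Running the script lists the critical TensorFlow alert first, followed by the constructed moderate numpy alert; feeding it a file that pins tensorflow==2.12.1 returns no TensorFlow alert, which is the offline counterpart of the alert closing after the Dependabot pull request is merged.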

16. Putting Everything Together

We focused on tools to keep our projects secure by using the Dependency Graph to spot issues, enabling Dependabot alerts for automatic vulnerability notifications, and using Dependabot for quick, automated updates. These steps keep our code secure and up-to-date with minimal effort.

17. Let's practice!

We’ve covered powerful tools—now, let’s get hands-on!
