Codesharing repository giant GitHub has hired Jacob DePriest as its vice president of security operations. In that position, he’ll lead the security operations team under Chief Security Officer Mike Hanley as part of GitHub’s continued investments in security.
Now, you may think, “Good for him,” but why are you writing about him? I mean senior IT people get hired every day and they don’t get stories about them in The New Stack. The reason is that DePriest isn’t just another techie from around Redmond, Silicon Valley, or Route 128 way. No, DePriest joins GitHub from the U.S. National Security Agency (NSA).
There DePriest helped build the NSA’s Developer Experience function from the ground up, He fostered private and public sector engagement with the open source community. Three guesses where they hosted their code and the first two don’t count. That’s right GitHub hosts the NSA’s code repositories.
Now, you may be waiting for me to talk about how awful it is that the master snoopers of the online world now have even more of a foothold in the open source community. You’d be wrong.
You see the NSA has two primary missions. The one everyone knows is “NSA’s mission is to help protect national security by providing policymakers and military commanders with the intelligence information they need to do their jobs.” That’s the eavesdropping and code-breaking side. The other mission isn’t to gather information, it’s to protect the US’s secure information. These are, after all, two sides of the same coin.
So when DePriest wrote, “The cybersecurity and threat landscape is changing rapidly and I believe the way to stay ahead of the curve is to make security straightforward, automated, and impactful. In my new role, I will work side by side with an amazing team as well as the community to continue to improve the security of the world’s software,” he’s quite serious.
As he also said at the 2018 OSCON conference in Portland, Oregon. “We want to share and publish what we’re doing, we want to partner, we want to learn what other big organizations are doing to see if we can improve things.
What many of you may not know is that the NSA has a long history of working with open source to help secure it. The biggest example of that is SELinux.
SELinux stands for Security-Enhanced Linux Over twenty years ago, the NSA realized how important Linux would become. So, the NSA created a mandatory access control (MAC) architecture for Linux. Today, this set of patches and user tools, which add MAC security to Linux, is the foremost Linux security system
While many Linux system administrators shudder at installing and maintaining SELinux, it’s really not that bad. While it requires deep knowledge about Linux architecture, the key point is its fundamental security approach, restrict everything unless explicitly permitted, which is the polar opposite of Linux’s “permit everything unless explicitly forbidden.” Get your mind around that and you’re halfway to mastering SELinux.
SELinux is far from the only thing the NSA has open sourced for the good of the community. Other noteworthy projects the NSA has been involved with include Apache Accumulo, a sorted, distributed key/value store that provides robust, scalable data storage and retrieval; Ghidra, a software reverse engineering framework; and Security compliance content for Security Content Automation Protocol (SCAP).
In other words, the NSA can be your security friend and the leader of their open source community is now bringing his expertise at the difficult task of balancing open source and security to GitHub. I look forward to seeing what DePriest brings to GitHub. I have high hopes.
Feature image: The NSA National Cryptologic Museum.