From Code Suggestions to Security

View Show Notes and Transcript

What is GitHub Copilot? Its a AI-powered coding assistant that's redefining how developers write code. We spoke to Joseph Katsioloudes, a security specialist from the GitHub Security Lab. We spoke about how GitHub Copilot has been designed to serve not just developers but security professionals and others involved with code, enhancing productivity, satisfaction, and security across the board.

Questions asked:
00:00 A bit about Joseph
01:07 What is GitHub Copilot?
02:42 Use case for GitHubCopilot from a security perspective
04:16 Cloud Development Kits (CDKs) for GitHub Copilot
05:48 Business Motivation for GitHub Copilot adoption
07:41 Should we trust AI generated code ?
08:31 Using GitHub Copilot
12:00 Data Privacy with Github Copilot
13:28 GitHub Copilot for Regulated Industries
14:51 What is GitHub Copilot X?
16:02 What is GitHub Workspace?
18:20 The Fun Section

Ashish Rajan: [00:00:00] Welcome to the show, man. Thanks for having me. So I won't butcher your introduction. If you can share a bit about yourself, that would be great, man.

Joseph Katsioloudes: For sure. My name is Joseph. I'm a security specialist at the GitHub security lab. Yeah. The focus of my career is to help software developers write secure software.

So let's say that the focus of my career is to make cybersecurity easy for developers. I'm doing this at the GitHub security lab, which is a team of security experts with the mission to secure the open source software that we all depend on .We are doing this through a range of activities like vulnerability research Where we found more than a thousand of security vulnerabilities in the past four years, 500 plus of which have been given security identifiers, also known as CVEs and personally, I produce a lot of content for the developers that is developer first. So the language used for security is developer focused. It's friendlier for them. And at the same time [00:01:00] as a group, we try to help towards that direction because open source software is so important for the whole world.

Ashish Rajan: Awesome. And maybe this is a good point to bring the whole GitHub Copilot as well. I think initially conversations about GitHub Copilot was talking about developers, productivity and all of that. Our audience being a cloud security audience that have engineers in them as well. How would you describe GitHub Copilot to them? Like what is GitHub Copilot?

Joseph Katsioloudes: It's an AI. pair programmer. Therefore, imagine a coding assistant right at your Code editor, right at your fingertips, able to suggest code. These code suggestions get the form of autocomplete. If you are already typing some code, you can give context and the logic, basically what you want to do by adding a comment.

And then when you go to the next line, you have code suggestions. All right. And of course, there is GitHub Copilot Chat. Yeah. Which is a chat functionality where you can talk to this [00:02:00] coding assistant for dozens of use cases. For example, explain code generate test cases, or in general, in the same way you ask for code on the comments, you can ask for code on the chat.

Ashish Rajan: So is it more for developers or is there parts which are for security as well?

Joseph Katsioloudes: I will say it's for everybody that works with code. Okay as a code assistant Yeah for developers maybe because they write much more code than the rest. Yeah, it can be more suitable for them but there are a lot of security proffesionals that are also writing code Yeah And of course other professions and specialists around the world who also write code or have something to do with code

Ashish Rajan: And to bring this home for people? What would be a good security use case that you can think that people can use GitHub Copilot for from a

Joseph Katsioloudes: security perspective? For example, let's say that someone is a penetration tester and wants to generate a script that is attacking something specific Yeah, you can [00:03:00] ask copilot for that to like for example, you can give the requirements for the script and you expect code generation there, or something that I do a lot is to generate fuzzing strings.

Like for example, I want this length. I want to have this amount of alphanumeric, this amount of complex or special characters. At the same time, GitHub Copilot is enabled on the web, so you can navigate in a project like you have an open source project that you might consider adding to your supply chain.

And at the top you have the copilot icon by clicking that. The chat is opening and you can ask security related questions like what is the attack surface of this project? I've done this at Bootstrap and the answers were helping me. For example, you had, Oh, here is where the widgets are used.

And this can be a problem for cross site scripting vulnerabilities. Or here is this sidebar. that [00:04:00] has the ability to do these and that, opening the door for these security issues. This can help me as a security specialist to be very specific and productive on where I look for before I start to read the whole code base.

Ashish Rajan: And because those are interesting use cases also from a perspective that a lot of people who write code and writing code for a different purpose. So there's a fuzzing element for people who are on the offsec side, even on the appsec side as well. Sometimes let's just know that I have a use case in my mind for this particular code that I'm reviewing for my team. What does that look like? And now in terms of a lot of our audience also writes something called CDK, which is like a developer kit provided by most of the cloud providers. And it's a great example is the Terraform CDK or AWS CDK. Is there a use case for something like that as well in GitHub Copilot?

Joseph Katsioloudes: My understanding is that CDKs are going to be wrapped around programming languages like Python, JavaScript. Yeah. GitHub Copilot is [00:05:00] capable of auto complete with coding suggestions for a range of languages and frameworks. Okay. But it's particularly good at Python, JavaScript, TypeScript. Go Ruby, C+ C# this means that for CDKs while I haven't really tested out myself the specific use case of those. Yeah. Since they are in these languages, we expect to have auto completion capability there as well.

Ashish Rajan: Oh, okay. So anyone who's listening or watching this would be able to save the right CDK in Python or Go or whatever.

They should at least be able to say, cause maybe even mix and match. And obviously you haven't tested this, so I take that with a pinch of salt as well. People can find out and experiment with this. They can use it to create scripts that can help them do some kind of security testing on their internal softwares.

Why are businesses going for GitHub Copilot? Like what's the motivation for businesses?

Joseph Katsioloudes: We can take the example of Mercado Libre, which is a large e commerce website in Latin America that has seen [00:06:00] 50 percent improvement in the time taken in writing code. This means that they have half of the time in their hands to use and pursue in other activities that they have in their backlog.

Yeah. And just to give the audience an idea about the size of these large e commerce website, we are talking about a company of 13, 000 software developers, 9, 000 of which were using Copilot with a hundred thousand PRs merged every day. So productivity is one thing. Yeah. At the same time, there is developer happiness. satisfaction, let's call it less frustration when they are doing something. And our research shows that 88 percent of our users feel less distractions, less frustrations when they are writing code, probably because they don't have to write daunting or repetitive boilerplate. For me, this is a big one.

At the [00:07:00] same time, If we remove MercadoLibre from the scene and we see the big picture, our stats show that for the end of 2022, 35 percent of newly written code was AI generated. And this number one year later, therefore at the end of 2023 went to up to 60 percent for popular languages like Java.

This shows that a lot of code is AI generated and there's a reason behind.

Ashish Rajan: Yeah. And I think. This is where I was, I think I was on LinkedIn earlier today or yesterday, and people were talking about is there enough trust in the code generated? Would you say you still need to someone to review the code before you put production, right?

As you said, even though that many people would've deployed the code, but the expectation here is that someone has already reviewed the code before. Hopefully they did not put that straight in production. Would that be accurate?

Joseph Katsioloudes: It's accurate, yeah, because copilot, as the name suggests. It's a Copilot, the developer, the user is the pilot [00:08:00] is the mind behind is the person who directs what's happening.

And of course, in the same way that you shouldn't trust blindly an AI coding assistant, you shouldn't trust blindly anybody in the same way your code goes through security testing anyway, the best practice at the least is for code to go through security testing in the same way, you should test all your code.

Even if it's AI generated or not, same practice, same principles.

Ashish Rajan: Yeah. And would you say cause I'm thinking about a lot of people who would be listening to this stuff from enterprise. They already have a lot of old code is like ChatGPT was interesting, right? Cause that was basically I log in and basically suddenly I can do, I don't know, solve complex problems.

What's onboarding experience like when it's, cause I imagine. GitHub is used by a lot of enterprise and so is use AI Copilot would be interesting more in that context. What's the user experience when you're trying to use something like GitHub co [00:09:00] pilot?

Joseph Katsioloudes: The experience looks like any other extension in a code editor.

Okay. GitHub Copilot is gonna take the context of the code base and suggest code. Therefore, if the code base is old of legacy code or a new one, there is not really a difference for a coding assistant in the sense that it works in the same way. Okay. Taking into consideration the files and be able to suggest code based on the user comments.

This cuts the onboarding, of course, makes the user experience of someone that is new to a code base much more friendly, much simpler, and of course, faster. I don't have data to quantify on that. Like for example, how many users feel satisfied in that direction, but on personal experience, I was trying to make myself comfortable with a new code base. And I was asking questions all the time to Copilot chat. [00:10:00] Like for example, what is this function doing or where are the input fields? What is the attack surface? Similar like before, or give me an outline of this. I try to use my own questions that I will ask a senior software developer to the coding assistant.

Ashish Rajan: Without frustrating the senior developer,

Joseph Katsioloudes: And without asking for extra time. Everything is there 24 7. I can ask whatever I like.

Ashish Rajan: It's really interesting. In an old code as well, during the onboarding, so am I giving it access to my entire repository?

And it just goes, okay in your repository you have 2530. And obviously I'm making up a scenario here. Please take it for the pinch of salt it is. 20 repositories, my organization runs out of those 20 repositories. And I have the plugin in my IDE for GitHub Copilot. And it is able to understand the context across all the repositories and go, okay, because you're trying to add a feature in this one repository, would it be, and I don't know if this is actually a scenario, would it be able to suggest code for, [00:11:00] hey, if you're trying to write a feature for, I don't know, adding a, changing the color from blue to green.

They make it super simple. I don't know what to do. So I'm going to ask the chat. Hey, how do I change the color for blue to green? And for whatever reason I'm trying to change this in an old legacy code. It will still be able to get the context of the remaining repositories and go, Oh, I think if you change this, you might want to change it all these other places.

Because that's where it's a global variable and it's being used everywhere. Would it have and have we gone, come to that level with GitHub Copilot?

Joseph Katsioloudes: To the best of my knowledge, not yet. Okay. You can ask for a change in one file at a time. Okay, and to one repo. To run code base at a time.

Ashish Rajan: That is still pretty good. Yeah, considering that a lot of companies do run just off one repo as well. As I would have given the example, a lot of security people on the podcast and the YouTube channel would be like, wait, what does that mean for my code's intellectual property, security, privacy?

How are you guys assuring your customers that security privacy is basically being taken care of as well as you've worked through this?[00:12:00]

Joseph Katsioloudes: It's a question that I'm getting asked a lot. The variations of that question can be, Oh, will you have Copilot takes my context in order to train the model? Will you take my code as it is and suggest it to other users of Copilot?

The answer is that we do our best security wise, in the same way we do with other products across the whole platform in the same way we follow best practices in everything we do, we also follow for GitHub Copilot and specifically when someone has the business or the enterprise license, then we retain nothing.

For example, you ask for something through a prompt. We just take the prompt that travels, of course, through the web to us. Securely in an encrypted manner, we just use it to give a reply and that's it then is not getting retained in the same way that nothing is being kept when it [00:13:00] comes to the individual license for those who don't have the business or the enterprise and have the individual GitHub Copilot license, we give the chance for them to opt in or opt out at any stage from sharing analytics in the same way that they can do so with any other product around the world.

Ashish Rajan: Oh like same way iPhone, Apple would ask you, Hey, share analytics or Google would ask you share analytics. It's that tick box. Ah, okay. So similar.

And what about regulatory industries as well? Cause I think that's probably a harder net to crack for a lot of people because is there anything from a security compliance perspective from there on GitHub Copilot?

Joseph Katsioloudes: GitHub Copilot individually is not currently certified against the rest of certifications that GitHub is certified.

For example, GitHub has a SOC 2 and an ISO 27001 certification. We are taking steps towards the direction of getting GitHub Copilot certified, such as engage a third [00:14:00] party auditor to perform an assessment. And we expect for this assessment to finish by the end of May, 2024. So that GitHub Copilot will have a SOC 2 type one certification and an ISO 27001.

In the meantime, we are taking steps by securing Copilot in the same way we are securing every other product across the platform. And of course we have performed a third party penetration test to GitHub Copilot for business. The results can be asked to us and they are going to be protected by an NDA. We are happy to provide those to our existing enterprise customers.

Yeah. And those people who are doing the bug hunters out there, Guthub Copilot is in scope in our bug bounty program for them to search for vulnerabilities.

Ashish Rajan: All right. And another one term that keeps coming up. It's the whole GitHub Copilot X and it's funny. I think I was, when I was doing research for this, [00:15:00] initially I kept looking for GitHub Copilot, what else is out there on the internet?

And then somehow I found, I went into this rabbit hole for GitHub Copilot X. What is GitHub Copilot X?

Joseph Katsioloudes: It's a great question. X is not a product. Okay. It's our vision for the future. It's our vision to bring AI in every step of the software development lifecycle so that developers are seeing the big picture, they are being creative and AI is taking on either inside or outside of the editor.

The daunting and the repetitive tasks such as writing boilerplate code. For example, we want to have developers writing code in the speed that they can think, in the speed of their minds. Oh, wow. And a great use case of that for our viewers to visualize. It's GitHub Copilot workspaces, which was the last thing our CEO Thomas Dohmke showed at the opening keynote of GitHub Universe [00:16:00] 2023, two months ago, early November

Ashish Rajan: For people who don't know what workspaces, what is GitHub Workspace?

Joseph Katsioloudes: You just give an idea. Let's say a feature name. Yeah. And that's pretty much it on that demo. You have the issue being created, described, code is being written for you, submitted in a PR. The libraries are getting imported for you. Oh. So that you can think about the features. Yeah. And the rest can be done by AI tests are being generated and so on.

Ashish Rajan: Wow. So is that in preview at the moment or is that gA?

Joseph Katsioloudes: It's nothing of the two. Okay. It's a vision. It's a vision and it's being under work from Github Next, which is a team at Github who is forward looking and is creating MVPs for the future.

Ashish Rajan: Wow. That would be really interesting because people are using the current version, which is the GitHub Copilot. They're also seeing 50 percent more productivity and all that. So I still overall feel there's a positive spin to the whole thing, but [00:17:00] that is a good future to look forward to.

Joseph Katsioloudes: Just on that, I just want to mention that at GitHub, we believe that developers are going to become even more important in the future.

And that software opportunities or in general openings in the industry are gonna grow. This is because every software revolution has brought new opportunities. For example, when compilers were out or when programming languages were searching. It's just changing. It's not that something is making developers obsolete.

It is the opposite. Developers are needed there. AI is here to be an assistant and not to take the place of developers.

Ashish Rajan: Yeah. And I think it's a good example because I think when we first started doing cloud security, a lot of people were like, Hey does that mean all the sysadmins are going to go out of jobs?

Technically, they're not going out of jobs. Technically, they're basically, it's a new skill being created. And now it's I think somebody should give me an example. The most. important job that you can get at a point, and this is context for people in the [00:18:00] UK, as a chariot rider for the queen.

That was the most, best job you could find at a certain point in time. Like right now, whoever the person is, great job to who are he or she, and if they're driving, they're not even doing the horse thing. So same as now, this may be a step towards that kind of future where now, hey, we can work on bigger problems now rather than smaller problems.

I appreciate you sharing all that. Thank you so much for coming. Now, I do have three questions, which are just non technical, just personal questions. More in terms of just to get to know you a bit more. First one being, what do you spend time on when you're not working on GitHub Copilot or any of these amazing things?

Joseph Katsioloudes: I'm quite sporty. Oh, nice. I like to play tennis. And my love for racquet sports grows a bit more lately. I discovered paddle. Oh no!

Ashish Rajan: Are you one of those who paddle? Okay, fair enough.

Joseph Katsioloudes: I have never played. Okay, it's in the plan to use some of the future free time towards that direction. Is that even a thing in the UK?

It is, yeah.

Ashish Rajan: Really? So people actually play that paddle thing? I've seen videos of it, but I didn't realize that was a thing in the [00:19:00] UK now.

Joseph Katsioloudes: I don't know how big it is in the UK compared to Spain or Italy that we are playing maybe 15 years ago. Yeah. But I see more and more paddle courts around me.

Ashish Rajan: Interesting. Okay. So there, I'm going to check those out as well. Second question for you. What is something that you're proud of, but that is not on your social media?

Joseph Katsioloudes: I wouldn't say that I post the things that I'm most proud of. That's a good thing. Let's say work life balance with all these conferences and in general, coming back to real life, it's a bit difficult to maintain it.

I am personally happy about that and I don't promote it or I didn't promote it. Fair enough.

Ashish Rajan: I think that's a good, finding a balance is important. I think I definitely struggle with sometimes, so I respect you for that as well. Final question, what is your favorite cuisine or restaurant that you can share?

Joseph Katsioloudes: I have to go with the one I'm from. I will go with the Greek cuisine.

Ashish Rajan: Oh, nice. Any particular dish that is your all time favorite from a Greek cuisine?

Joseph Katsioloudes: It's the salad for me. Oh, is that right? Someone [00:20:00] can say from I don't know, dozens of dishes, why do you choose the salad? I don't know. It's the one that goes in my heart when I eat it.

Ashish Rajan: Wait, so for context, for people who are probably not from Greece, they should try a salad which has tomato. What kind of ingredients do you have?

Joseph Katsioloudes: Super simple. It's tomatoes, cucumber, green peppers, feta cheese, oregano, olive oil. That's it? That's pretty much it.

Ashish Rajan: I'm gonna try that. But, okay, it has to be in Greece.

London probably doesn't have as much.

Joseph Katsioloudes: I just believe that the ingredients are a bit more fresh.

Ashish Rajan: I would take that into account. Dude, this was amazing. Where can people find you on the internet to connect and maybe talk more about Github Copilot?

Joseph Katsioloudes: You can find me at Twitter or LinkedIn under the handle at j k c s

Ashish Rajan: o JK chief security officer.

That's correct.

Joseph Katsioloudes: That's correct. I know many people will say wow you are very young to have a CSO next to JK. It's a [00:21:00] nickname. It comes from University. Oh I was studying my master's in cyber security engineering. It was like a joke. Everybody on the course had the initials plus their CSO next to them. So I just kept that compared to the rest of the class that changed their habits.

Ashish Rajan: But it's a good thing when you apply for a job and suddenly it's oh, JKCSO Clearly? There's something important here. But now I'll put that on the show notes as well. Dude, thank you so much for coming on the show, man.

Joseph Katsioloudes: Thanks for the invite. Great conversation. It's a pleasure

to be here.

Ashish Rajan: Thank you so much. All right. Thank you so much for watching, everyone. We'll see you in the next one. Peace.

No items found.
More Videos