Don’t Ignore Those GitHub Security Alerts. Automate Them Into your Workflow

Don’t Ignore Those GitHub Security Alerts. Automate Them Into your Workflow. - Ashley Wolf & Gil Yehuda, Verizon Media

Open source projects are vulnerable to exploits just like any other code. Recent high-profile vulnerabilities in open source code, including Moment.js, Lodash, and PostgreSQL, have highlighted how much code quality matters to the security of open source code in production. GitHub recently made security vulnerability information available for your projects on GitHub. How can you connect the dots to make your use of open source secure? This talk will highlight some best practices that your Open Source Program Office (OSPO) can use to manage security vulnerabilities for open source projects using GitHub’s security alerts at scale. We’ll discuss the mechanics and governance around the process we’ve set up at Verizon Media to notify internal employees about CVEs on their projects.