reviewer2301468 - PeerSpot reviewer
Technical Program Manager at a healthcare company with 10,001+ employees
Real User
Nov 21, 2023
Seamless integration with developer workflows and reliable vulnerability detection with minimal false positives, well-suited for organizations deeply invested in Microsoft's suite of products
Pros and Cons
  • "The most valuable is the developer experience and the extensibility of the overall ecosystem."
  • "A more refined approach, categorizing and emphasizing specific vulnerabilities, would be beneficial."

What is our primary use case?

The main focus of our use case is to enhance the overall security mindset and to improve the developer experience. Prioritizing security, our primary objective is to ensure the accuracy of security findings, minimize noise, and optimize the identification of potential vulnerabilities.

What is most valuable?

The most valuable is the developer experience and the extensibility of the overall ecosystem. When I refer to extensibility, I mean the ability to incorporate custom queries using CodeQL, the engine powering GitHub Advanced Security. This customization allows for creating specific queries tailored to our domain, beyond the general rule set.

What needs improvement?

The current reporting features are limited and require improvement. Data is consolidated under the security tab, including secret scanning, and code vulnerabilities. This consolidation may lead to confusion, especially with many issues. A more refined approach, categorizing and emphasizing specific vulnerabilities, would be beneficial. Additionally, introducing robust reporting capabilities for tracking issue resolution progress would significantly enhance the platform's usability. Considering the current feature set, I am contemplating the potential inclusion of features, particularly those related to better integration with existing security tools. As a sizable organization, we already utilize specific security tools. While these tools can export data in a compatible format for integration with GitHub, there are challenges, especially with a diverse range of tools operating in the security space.

For how long have I used the solution?

I have been working with it for a year now.

Buyer's Guide
GitHub Advanced Security
December 2025
Learn what your peers think about GitHub Advanced Security. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
879,259 professionals have used our research since 2012.

What do I think about the stability of the solution?

In terms of stability, I haven't encountered any downtime issues. From a developer's perspective, there have been instances where, during the execution of workflows, they faced challenges in understanding why a particular analysis didn't report certain vulnerabilities as expected. Regarding performance, the product and its features demonstrate satisfactory capabilities.

What do I think about the scalability of the solution?

The platform is inherently scalable, allowing for smooth onboarding as we deploy licenses. As of now, we have expanded the user base to approximately 350.

How are customer service and support?

We extensively collaborate with their professional services team for assistance. Our interactions have included submitting feature requests, raising queries, and addressing what we perceive as glitches, even if they may not align with the platform's perspective. Additionally, we've had discussions with their product managers to convey our expectations for these tools. The GitHub team has been responsive and accommodating throughout these interactions. I would rate it eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have experience with Fortify, which operates in the same space; one notable difference is the issue of excessive noise. It tends to generate a high number of false positives, leading to potential confusion for developers. This noise can compromise the overall developer experience and erode trust in the tool's accuracy. Advanced Security, on the other hand, excels in addressing these issues. It has proven to be more adept at avoiding false positives and providing a more reliable vulnerability notification system, contributing to a smoother and more trustworthy developer experience.

How was the initial setup?

The initial setup is relatively straightforward. Once an enterprise admin enables it, the responsibility shifts to individual repo admins to enable it on their respective repositories. Over the past year, there have been enhancements, such as the automatic generation of analysis files for certain languages, eliminating the need for users to write their files.

What about the implementation team?

The deployment process, in my perspective, is influenced by factors like the build process. The most time-consuming aspect revolves around organizational procedures such as raising purchase orders. Once these administrative steps are completed, the actual enablement by GitHub is a relatively swift process, typically taking just a matter of hours. This streamlined activation is especially notable since our operations are in the cloud, making the transition smoother and more efficient.

What's my experience with pricing, setup cost, and licensing?

The current licensing model, which relies on active commitments, poses challenges, particularly in predicting and managing growth. This model requires constant adjustments and additional licensing requests, making it difficult to estimate usage from the start. A pay-per-use model, where charges align with actual usage, would be more ideal and flexible.

What other advice do I have?

For organizations heavily invested in Microsoft's suite of products and operating as a sort of automation hub, GitHub Advanced Security stands out as the de facto choice. Its seamless integration with the developer environment and the broader suite of tools makes it the go-to solution. Overall, I would rate it nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2329650 - PeerSpot reviewer
DevOps Lead at a computer software company with 5,001-10,000 employees
Real User
Top 5
Jan 16, 2024
Cost-effective product with valuable security scanning features
Pros and Cons
  • "The product's most valuable features are security scan, dependency scan, and cost-effectiveness."
  • "There could be DST features included in the product."

What is our primary use case?

The primary use case for GitHub Advanced Security is for SCSS (Semantic Code Search and Scan) dependencies scan and secret scan.

What is most valuable?

The most valuable features are security scan, dependency scan, and cost-effectiveness. Microsoft owns the platform, and it is included with Azure DevOps. We get a lot of good features at a very low cost.

What needs improvement?

There could be DST features included in the product.

For how long have I used the solution?

We have been using GitHub Advanced Security for six months.

What do I think about the stability of the solution?

The stability of GitHub Advanced Security within Azure DevOps is highly commendable. Its serverless architecture, maintained by Microsoft, eliminates scaling concerns and load-related worries. The absence of maintainability costs, such as server upgrades, reduces administrative overhead.

What do I think about the scalability of the solution?

We have 500 GitHub Advanced Security users in our organization.

How are customer service and support?

We refer to the Microsoft documentation in case of technical issues.

Which solution did I use previously and why did I switch?

The decision to switch or adopt GitHub Advanced Security was driven by the seamless integration and alignment with Microsoft technologies, eliminating the need for additional tools with their cloud or dependencies.

How was the initial setup?

It provides one-click integration. It saves a lot of additional costs for setup and third-party consultancy compared to other vendors. It has serverless maintenance, which is taken care of by Microsoft.

What other advice do I have?

It is a user-friendly tool for those new to security, offering ease of use and integration within an organization. However, another specialized tool may be required for more advanced security needs, especially concerning data security testing (DST) and potentially information security management systems (ISMS). I rate GitHub Advanced Security a ten out of ten.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. customer/partner
reviewer2267097 - PeerSpot reviewer
Integration and Solution Architect at a government with 501-1,000 employees
Real User
Top 20
Sep 10, 2023
Provides essential data security features but its dashboard needs improvement
Pros and Cons
  • "It ensures user passwords or sensitive information are not accidentally exposed in code or reports."
  • "There could be a centralized dashboard to view reports of all the projects on one platform."

What is our primary use case?

We use GitHub Advanced Security to secure data for multiple applications. It ensures user passwords or sensitive information are not accidentally exposed in code or reports. It scans the project's dependencies and checks if they are up-to-date and free from known security vulnerabilities.

What is most valuable?

GitHub Advanced Security is part of the Azure DevOps ecosystem. So, all the dashboards and information stay in our environment. We are not required to integrate it with any external security solution.

What needs improvement?

There could be a centralized dashboard to view reports of all the projects on one platform.

What other advice do I have?

I rate GitHub Advanced Security a seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sirinat-Paphatsirinatthi - PeerSpot reviewer
Co-Founder at a tech services company with 1-10 employees
Real User
Top 20
Jan 28, 2024
Initial setup was very easy, scalable product and stable product
Pros and Cons
  • "GitHub provides advanced security, which is why the customers choose this tool; it allows them to rely solely on GitHub as one platform for everything they need."
  • "The report limitations are the main issue."

What is our primary use case?

We keep our firewall security in place. Customers use GitHub because they don't want to coordinate with many tools. 

GitHub provides advanced security, which is why the customers choose this tool; it allows them to rely solely on GitHub as one platform for everything they need.

What is most valuable?

For customers, GitHub Advanced Security is valuable for several reasons. It offers server security and the key features. 

What needs improvement?

The report limitations are the main issue. We can only see a limited number of reports from Advanced Security. Many enterprise customers would prefer PDF reports. 

For how long have I used the solution?

I've had experience with this solution for about a year.

What do I think about the stability of the solution?

It's a stable product. I would rate the stability a nine out of ten.

What do I think about the scalability of the solution?

It is highly scalable. Our clients are enterprise businesses. 

How are customer service and support?

The customer service and support is fine.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup was very easy; it wasn't difficult. 

What about the implementation team?

GitHub allows for quick deployment depending on the customer's specific needs.  

What other advice do I have?

Overall, I would rate the solution a ten out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer