Spotlight on GitHub Advanced Security

5:00 PM - 6:00 PM (UTC)

In this session Ray Kao will share an overview of GitHub Advanced Security key features including code scanning, secret scanning, and supply chain security.

5:00 PM - 6:00 PM (UTC)

Join us as Lindsey Bocatto and Dan Shanahan highlight the latest AI-powered features in GitHub Advanced Security.

5:00 PM - 6:00 PM (UTC)

In this session, learn how to set up GitHub Advanced Security into your GitHub and Azure DevOps pipelines to keep your developers engaged and ensure security throughout your development cycles.

2:00 PM - 6:00 PM (UTC)

This session will showcase GitHub's new AI-powered application security testing capabilities and cover how Microsoft views the code to cloud security synergy between GitHub Advanced Security and Defender for Cloud. The event will include educational sessions and hands-on labs. Participants will have the opportunity to connect with each other, elevate their expertise, and enhance their development capabilities. Agenda: GitHub AI-powered application security testing Code to cloud security with GitHub and Microsoft Hands on lab: strategically roll out your security program with GHAS and Defender for Cloud.

5:00 PM - 6:00 PM (UTC)

In this session, Andrew McCoy will show how you can meet your regulatory requirements by enforcing compliance standards and security policies with GitHub Advanced Security.

5:00 PM - 6:00 PM (UTC)

In this talk we provide a brief walk-through using Copilot to aid in detecting and fixing security vulnerabilities in source code. Topics covered include: A basic introduction to improving SDLC security using IDE and local environment tools Detecting OWASP Top 10 style vulnerabilities in an example application Remediating detected issues Creating .gitignore files to prevent environment files being committed Looking at how GHAS can be combined with Copilot to improve security further.

5:00 PM - 6:00 PM (UTC)

Developers deserve the chance to do the right thing. Leadership doesn’t always make it so easy. But in the face of mounting regulations and an ever-changing landscape of application security risks, the opportunity to turn obstacles into opportunities has never been more evident. This week’s guests are industry leaders in the field of software governance. Caleb Queern is the Managing Director of Cybersecurity at KPMG. Michael Edenzon is the Co-Founder and CEO of Fianu, and previously served as the Director of DevOps at PNC Bank. In 2022, Michael and Caleb co-authored the business novel Investments Unlimited, a fictional story about a bank’s journey toward automated governance. What began in 2019 as an industry-led whitepaper has become a movement encompassing AppSec, DevOps, and software supply chain security. At the heart of this movement are platforms like GitHub Advanced Security and Fianu. Caleb and Michael will tell the story of automated governance, the successes and pitfalls of large enterprises that aim to implement it, and how the principles of flow, fast feedback, and continuous improvement can be preserved so that you and your organization can thrive amidst an ever-growing landscape of rules and regulations. Learn more about the series!

5:00 PM - 6:00 PM (UTC)

In this session, we’ll explore the hidden risks that threaten APIs and delve into vulnerabilities within your codebase. From scanning OpenAPI specs to dynamic testing, we’ll equip you with practical strategies to harden your APIs against attacks. Discover how to seamlessly integrate security practices into your DevOps pipelines. Let’s build a robust shield together! Don’t miss this opportunity to enhance your API security expertise.

5:00 PM - 6:00 PM (UTC)

Developers invest a lot of time and effort into their code, making sure it safely delivers innovation and value to users. Unfortunately, a lot of that effort is wasted investigating security findings that ultimately represent no risk to the application. With the GitHub Advanced Security integration, Endor Labs enables development teams to establish efficient, automated processes to deliver software while eliminating 80% of the security noise that wastes developer time.

5:00 PM - 6:00 PM (UTC)

Find vulnerabilities earlier, ship software faster. These are the good intentions behind the drive to shift application security workflows from security teams to developers: a “shift left” move in the software development lifecycle. But does it really work? Hear from leading experts on how AI can help automate security work and make it more developer-centric, topics will include: Secure open source and LLM selection Prioritize risk based on what is reachable and exploitable Remediate at scale without context switching

5:00 PM - 6:00 PM (UTC)

Description: The rapid adoption of frameworks, DevOps, CI/CD, and agile processes has increased the velocity at which development teams can iterate and deliver, outpacing security teams' ability to address issues. The introduction of GenAI has exacerbated this problem by further increasing delivery velocity and requiring more APIs to interact with AI. In this session, Scott Gerlach will discuss how to ensure your code is protected in a GenAI-driven software development environment.

5:00 PM - 6:00 PM (UTC)

As AI has taken the world by storm, we are seeing tremendous productivity gains and increased development speed across the public sector. However, while GitHub Copilot is a fantastic productivity tool and can help write secure code more efficiently, it is not a replacement for proper code review and application security practices. GitHub disrupted the industry by bringing our industry leading application security capabilities to the GitHub Enterprise Cloud. Today, we deliver application scanning, secret scanning, and software supply chain security and allow developers to find and fix vulnerabilities as they code, removing the need for context switching and helping to reduce noise with our high true positive rate. Additionally, with the introduction of GitHub Copilot, we've taken this a giant step further by releasing auto-remediation capabilities. "Found means fixed". Join us for this highly interactive discussion where we'll be diving into GitHub Advanced Security, addressing frequently asked questions around everything from feature functionality, security, roadmap and providing resources so that you can get started today!

6:00 PM - 7:00 PM (UTC)

In this demo with Courtney Claessens, senior product manager at GitHub, you’ll discover how to help keep secrets secure, regardless of their structure. Learn how you can scan for almost 300 token types from over 100 service providers, enabling the detection of potential leaked secrets at scale and decreasing the chance secrets are leaked in the first place. You’ll also experience the power of AI in detecting generic secrets, such as passwords, and in creating custom patterns to help protect your organization’s confidential information.

9:00 PM - 10:00 PM (UTC)

Found Means Fixed - How KPMG is Partnering with GitHub for Auto-Fix Powered by Copilot for Remediation of Vulnerabilities At-Scale Your application security program will either succeed or fail based on developer adoption of your security tools. Once these security tools are enabled and adopted across your enterprise, the next biggest challenge is remediation (or fixing) these found vulnerabilities at-scale. Enter "Found Means Fixed", GitHub's latest tagline for leveraging industry leading Artificial Intelligence (powered by Copilot) to help fix thousands of vulnerabilities at the click of button. This session will cover how KPMG is providing a world-class services offering centered around "Campaigns" for enterprises leveraging GitHub's Advanced Security auto-fix solution. Campaigns will revolutionize how enterprises think about, plan for, and eliminate application security debt at-scale. Viewers will receive a behind-the-scenes look at the underlying technology and and the people and processes that will change the way DevSecOps practitioners think about managing significant security debt. Did we mention that we can eliminate security debt at-scale? Please join us for what is sure to be an exciting discussion around this game changing technology!

6:00 PM - 7:00 PM (UTC)

Join GitHub's Pierre Tempel - Director, Product Management - for a demo and GitHub Advanced Security 101 session. You'll see how code scanning seamlessly integrates vulnerability prevention and remediation into your development workflow and experience the power of Copilot Autofix, which helps fix vulnerabilities up to 3x faster through AI-powered fix suggestions. These features are designed to enhance collaboration and empower both developers and security professionals to build the best and more secure software. Key Takeaway 1: Learn more about the code scanning feature of GitHub Advanced Security. Key Takeaway 2: Understand how code scanning fits into your development workflow. Key Takeaway 3: Turbocharge your remediation workflow with AI. Topic: Security, Vulnerability Detection Target Audience: Enterprise - Developers, Open Source Developers or Maintainers, Security Professionals, Security Leadership

6:00 PM - 7:00 PM (UTC)

Discover how GitHub Advanced Security on Azure DevOps (GHAzDO) is transforming application security for development teams. In this exclusive webinar, we'll explore how GHAzDO brings GitHub's powerful security capabilities directly to your Azure DevOps workflows, empowering teams to identify and fix vulnerabilities faster than ever before. Join us for an engaging session where we'll dive into: GHAzDO's unique value proposition. Live Demo: See GHAzDO in action and explore its seamless integration with Azure DevOps. Future Innovations: Get an exclusive sneak peek into the roadmap with insights from our product team. Interactive Q&A: Your chance to ask questions and engage directly with our experts.

6:00 PM - 7:00 PM (UTC)

Discover how GitHub Advanced Security (GHAS) empowers teams to secure code with cutting-edge features like AI-powered Autofix and streamlined campaigns. This session highlights GHAS’s latest advancements, helping organizations identify and remediate vulnerabilities faster. Stay ahead in cybersecurity with tools designed for modern development.

6:00 PM - 7:00 PM (UTC)

In this talk we walk through the OWASP DevSecOps Maturity Model (DSOMM) and look at how implementing GitHub can aid in shifting-left. Alongside discussing the basics of the DSOMM, we also map the use of GitHub services to the model's various dimensions and sub-dimensions and demonstrate how to measure the current maturity state.

5:00 PM - 6:00 PM (UTC)

Accelerating AppSec: How to Implement a Comprehensive DevSecOps Program using GitHub GHAS and Copilot with Coveros Much attention is spent on using GitHub Advanced Security (GHAS) and GitHub Copilot to support tactical application security tasks such as code scanning, dependency checking, secrets management, and vulnerability remediation. While these activities are all part of a comprehensive application security program, there are many other aspects of app sec that GHAS and Copilot can accelerate. Some of these include: ● Threat modeling ● Architectural risk analysis ● Automated governance ● Root cause analysis of vulnerabilities Join Jeffery Payne and Thomas Stiehm from Coveros as they discuss the business need for a comprehensive DevSecOps program and how GitHub GHAS and Copilot can be used end-to-end in your SDLC to accelerate the delivery of secure and reliable applications. What You’ll Learn: ● How GHAS and Copilot support much more than vulnerability identification and remediation. ● Understand why code scanning is necessary but insufficient for finding vulnerabilities. ● Using Copilot to support early lifecycle risk management activities ● How to effectively automate your governance processes within the GitHub platform. Take home valuable information on structuring and running a DevSecOps program using GitHub GHAS and Copilot.

5:00 PM - 6:00 PM (UTC)

Amidst an onslaught of new regulations and high-profile outages, software compliance has become a top industry priority. Attestations are the primary focus and for good reason: continuous compliance requires immutable proof. But compliance is measured against policy, and policy is not applied equally across the enterprise. In this talk, we’ll dive deep into how organizations can leverage platforms like Fianu to implement a properties-based approach to software policy lifecycle management to ensure compliance from first commit to production release.

5:00 PM - 6:00 PM (UTC)

Attackers are now taking advantage of AI to employ TTPs that cover more attack surface faster than ever before; consequently, web app penetration testing, red teaming, and blue team reaction time has moved from the speed of a go-kart track to the speed of a F1 race, in order to cover the same amount of ground as attackers. Please join Achilleus to hear first-hand from one of the best offensive tester/red teamers in the world, as to what we can expect from attackers in 2025 as well as how to level the playing field and give an edge to the developing and security teams.

5:00 PM - 6:00 PM (UTC)

Discover the hidden impact and true cost of leaked secrets in your code. Join our webinar to explore real-world scenarios, understand the challenges in remediation, and learn how to proactively secure your development lifecycle.

5:00 PM - 6:00 PM (UTC)

Dependabot Alerts are a powerful signal, but how do you focus on the ones that matter most? In this webinar, you'll learn how to confidently prioritize alerts based on risk, context, and team workflows. We'll share actionable strategies for turning a stream of dependency vulnerability notifications into a clear, efficient roadmap for improvement.

5:00 PM - 6:00 PM (UTC)

Every modern application relies on a complex network of dependencies, workflows, and build systems. In this webinar, we’ll explore how GitHub Advanced Security helps you secure your entire software supply chain, from the moment a dependency is added to the final deployment. You'll learn how features like the dependency graph, Dependabot Alerts, Dependabot Updates, and artifact attestation work together to protect your code and ensure alignment with regulatory frameworks. GitHub makes it easier to meet compliance requirements, reduce risk, and ship software with confidence—all in one platform.

5:00 PM - 6:00 PM (UTC)

Modern development moves fast. And security teams are overwhelmed with alerts. But not all risks are equal. In this session, discover how GitHub and Microsoft Defender for Cloud are coming together to connect code with runtime context, giving dev and sec teams a shared, end-to-end view of application risk. Learn how to prioritize what’s actually exploitable in production, reduce alert fatigue, and accelerate remediation with AI-powered fixes, including multi-repo merge delegation through the new Copilot coding agent. If you’re ready to shift from detection to real risk reduction, this is the session for you.

6:00 PM - 7:00 PM (UTC)

Cut through the noise and turn raw usage data into clear business impact. This session shows how to measure and visualize the productivity gains from GitHub Copilot and the security improvements from GitHub Advanced Security. Learn how to translate adoption, ROI, and risk reduction into the metrics leadership cares about, making the value of GitHub impossible to ignore with Opsera’s insights.

6:00 PM - 7:00 PM (UTC)

The era of vibe coding is here with developers leveraging powerful AI tools like GitHub Copilot to accelerate development velocity. But how can security teams keep up without slowing developers down? This session showcases how GitHub Advanced Security and Endor Labs work together to help organizations embrace the vibe coding era securely. We'll dive into how to: ● Start secure by default: See how GitHub Copilot and Endor Labs work together to identify and fix open source vulnerabilities before you commit code ● Keep developers in flow: Learn how to use function-level reachability analysis to eliminate security distractions and helps focus remediation efforts ● Remediate at scale: Strengthen Dependabot's capabilities with Endor Labs' upgrade impact analysis to confidently automate safe, pre-validated dependency upgrades.

6:00 PM - 7:00 PM (UTC)

Learn how Copilot and GHAS secure by default, then use Campaigns to drive adoption and remediate at scale.

6:15 PM - 7:15 PM (UTC)

Enabling GHAS features can be a daunting task, particularly for organizations with complex ecosystems. This presentation explores how teams can accelerate their GHAS journey through a balance of structured guidance and practical enablement. By using bootstrap scripts designed to remove barriers and simplify adoption as well as aligning security practices with established frameworks, teams can quickly build momentum and establish strong security foundations in GitHub. Together, these approaches reduce uncertainty, eliminate guesswork, and allow leaders and practitioners to focus on achieving meaningful outcomes. Attendees will gain insight into how alignment, enablement, and actionable guidance combine to create a more confident, efficient, and results-driven approach to security.

6:15 PM - 7:15 PM (UTC)

Today’s DevSecOps pipelines excel at finding issues, but not at knowing which ones truly matter. Traditional testing tools stop at detection, while real security validation often happens late, manually, and out of band. In this session, we’ll explore what it means to bring offensive security intelligence into the developer workflow, unifying detection, validation, and remediation in a continuous loop. Using XBOW as an example, we’ll discuss how AI-driven reasoning can help teams move from theoretical findings to proof-backed, fix-verified security that keeps pace with modern development. You'll learn: Why DevSecOps needs real-world validation (not just scanning) to close the loop How shifting offensive testing left changes prioritization, collaboration, and velocity How AI is reshaping the path from vulnerability discovery to verified remediation

6:00 PM - 7:00 PM (UTC)

Today’s developers face mounting technical debt, with leaders often struggling to understand the blockers that prevent teams from delivering faster. Traditional code quality tools promise solutions but often create overwhelming backlogs of unresolved issues. Enter GitHub Code Quality: a streamlined tool that helps users assess their code's health and take meaningful, automated actions without leaving their workflows (thanks to GitHub Copilot). Join this session to learn how Code Quality improves maintainability and reliability while saving your team valuable time.

6:00 PM - 7:00 PM (UTC)

These days, every codebase relies on open source software (OSS). From testing tools to utility libraries and whole frameworks, using OSS accelerates development velocity and lets you focus on the parts of your app that really matter. But every package you use comes with its own license, and some licenses can introduce compliance or legal risk in unexpected ways. What are licenses, how do they work, and how can you navigate the wild seas of OSS licensing to make the best use of open source, while still keeping your project compliant and secure? In this session, we'll talk through all of this and more.

6:00 PM - 7:00 PM (UTC)

There is no single tool that solves application security. The strongest programs are built on collaboration. In this Reactor session, GitHub Advanced Security and Semgrep come together to show how modern teams can extend beyond native capabilities in a seamless, developer-first way. We will explore how security-forward, agile solutions play better together without forcing teams to adopt clunky, legacy tooling. Join us for a practical conversation on how collaboration over compromise creates faster, safer, and more scalable AppSec programs.

5:00 PM - 6:00 PM (UTC)

¿Está tu equipo de seguridad escalando a la misma velocidad que tu código generado por IA? Te invitamos a una sesión exclusiva donde revisaremos las capacidades de IA que existen hoy en día dentro del mundo de Seguridad. En la era de la IA, la brecha entre desarrollo y seguridad se está cerrando. Queremos mostrarte cómo GitHub está liderando esta convergencia, permitiendo que los equipos de DevSecOps operen con una visibilidad total y sin fricciones. ¿Qué verás en esta sesión? IA + Seguridad Nativa: Cómo detectar vulnerabilidades y secretos en tiempo real. Visibilidad Unificada: Una única "torre de control" para gestionar el riesgo de toda tu cadena de suministro. Automatización de remediacion: Dejar de solo encontrar problemas para empezar a resolverlos con sugerencias de IA. Roadmap de Innovación: Las capacidades de IA que están cambiando las reglas del juego para los expertos en ciberseguridad. Finalizaremos con un Q&A en vivo para resolver tus retos específicos de infraestructura y cumplimiento.

5:00 PM - 6:00 PM (UTC)

Discover how GitHub Advanced Security on Azure DevOps (GHAzDO) is transforming application security for development teams. In this exclusive webinar, we'll explore how GHAzDO brings GitHub's powerful security capabilities directly to your Azure DevOps workflows, empowering teams to identify and fix vulnerabilities faster than ever before.

6:00 PM - 7:00 PM (UTC)

Securing What You Build, What You Depend On, and What Builds It For You A focused deep dive into modern supply chain security, exploring how artifact attestations, virtual registries, and SLSA compliance work together to establish trust, integrity, and traceability across the software lifecycle.

5:00 PM - 6:00 PM (UTC)

Security alerts are only useful if someone acts on them. For most engineering teams, Dependabot alerts accumulate faster than developers can triage them — creating a backlog that quietly becomes a liability. In this session, Ankit Kumar Honey, Supply Chain Security Expert and Senior Engineering Manager leading GitHub's Dependabot team, shows you how GitHub is fundamentally changing the relationship between vulnerability detection and resolution. You'll see live how a Dependabot alert can now be assigned directly to an AI coding agent: Copilot, Claude, or Codex — which analyzes the vulnerability, opens a draft pull request with a proposed fix, resolves test failures, and handles complex edge cases like package downgrades when a dependency is compromised or contains malware. In this session with live demo, you'll learn: How Dependabot's AI agent assignment works end-to-end — from alert triage to merged fix When AI agent remediation is the right tool versus rule-based Dependabot auto-PRs What this shift means for engineering teams managing supply chain security at scale Whether you're a developer, security engineer, or engineering leader, you'll leave with a clear picture of where supply chain security is heading and exactly how to start using these capabilities today.