- GitHub hired Jacob DePriest as its new VP of Security, the company announced Tuesday.
- DePriest, the NSA's former head of open source, will report to GitHub's recently-hired CSO.
- DePriest told Insider he wants to address growing security threats faced by developers.
GitHub has tapped 15-year National Security Agency veteran Jacob DePriest as its new VP of security, the company confirmed to Insider this week.
It's the latest in a series of moves by the Microsoft-owned open source repository to beef up its security operations. DePriest will report to chief security officer Mike Hanley, who GitHub poached from Cisco in February to build out and lead its security team.
Before joining GitHub earlier this month, DePriest oversaw open source projects at the NSA and led efforts to crowdsource feedback on the agency's software from outside developers. In an interview with Insider, DePriest said he'll use his experience at the NSA to tackle the growing landscape of threats faced by open source developers.
"Open source is such a foundational element to what everyone's doing right now. Even enterprise software is usually comprised of open source," DePriest said. "I don't think there's any place in the world that somebody could have more potential impact on the software community than GitHub."
As companies increasingly rely on open source software and adopt more applications hosted in the cloud, security experts are stressing the importance of making open source code more secure. And with over 65 million developers on its platform, GitHub has visibility into an unparalleled range of threats.
The company recently rolled out new tools that automatically scan users' code and flag security vulnerabilities like accidentally-leaked company secrets after a researcher hacked Apple, Tesla, and Microsoft using insights from their public repositories. DePriest said he'll aim to build on those efforts while aiming to educate developer communities about how to keeping their code safe.
"I think engagement with the community and engagement with partners is so critical to this space," DePriest said.DePriest will also be tasked with helping shape GitHub's policies determining who can use its platform and for what. While the company has historically taken a hands-off approach to developer projects, it's recently faced questions about when to moderate content.
Just this week, the US Department of Justice charged four Chinese cybercriminals with hacking into US businesses and said they used GitHub to store malware and stolen data.
Before that, GitHub faced backlash earlier this year when it removed a security researchers' proof-of-concept of a Microsoft Exchange vulnerability, arguing that leaving the researchers' post up posed potential harm if bad actors used the information to carry out hacks on unpatched servers. GitHub recently updated its site policies on what vulnerability research is allowed based on feedback from the community.
"The whole world's landscape for this stuff is changing. How do you enable security researchers without enabling bad actors? What's the balance in there? I think it's going to be an ongoing conversation," DePriest said.