
Friday, June 12, 2026 - Meeting Recap


GitHub repo security at scale and CISA's SSVC vulnerability framework

Quick recap. New members joined from Kansas City to Budapest, and the main thread was asset management in the cloud - specifically how organizations inventory and secure GitHub repositories at scale. The group compared scanning approaches across entire GitHub organizations to catch shadow IT and supply-chain risk, then turned to CISA's new binding operational directive and its SSVC framework, which prioritizes patching by real-world evidence rather than CVSS score alone.


Securing GitHub repositories at scale

Rev asked how organizations track and secure their GitHub repositories. Shawn described how tools like Wiz can discover and scan repos across platforms, while Neil stressed scanning entire GitHub organizations - not just individual repos - to surface shadow IT. The conversation covered defending against rogue-employee actions and supply-chain attacks, the difficulty of securing GitHub Actions given their transient runners, and layered controls: CASB, SASE, conditional access through the IdP, and sign-off-based policies that also educate users.

CISA's SSVC vulnerability framework

Neil introduced CISA's new binding operational directive and its Stakeholder-Specific Vulnerability Categorization (SSVC) approach, which moves beyond CVSS by weighing exposure, known exploitation, automatability, and impact. The group discussed implementation friction - notably a three-day patching expectation for high-risk vulnerabilities - and the need to map SSVC to industry-specific compliance frameworks, which for non-federal organizations means custom work since CISA targets federal agencies.
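To make the difference from CVSS concrete, here is an added Python sketch of SSVC-style triage (not material from the meeting and not CISA's published decision tree): the decision points follow the factors named above, but the allowed values, the branching and the remediation windows other than the three-day figure are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
# Decision points named in the recap; the allowed values and the tree below are
# this example's own simplification, not CISA's published SSVC decision tree.
EXPLOITATION = ("none", "poc", "active")       # evidence of exploitation in the wild
AUTOMATABLE = ("no", "yes")                     # can the attack run unattended at scale?
EXPOSURE = ("internal", "partner", "internet")  # from where the vulnerable asset is reachable
IMPACT = ("partial", "total")                   # technical impact on the affected component

@dataclass(frozen=True)
class Vuln:
    vuln_id: str   # constructed placeholder id, not a real CVE
    cvss: float    # carried along only to contrast with the SSVC outcome
    exploitation: str
    automatable: str
    exposure: str
    impact: str

def ssvc_decision(v: Vuln) -> str:
    """Return one of SSVC's four outcomes: Track, Track*, Attend or Act."""
    for value, allowed in ((v.exploitation, EXPLOITATION), (v.automatable, AUTOMATABLE),
                           (v.exposure, EXPOSURE), (v.impact, IMPACT)):
        if value not in allowed:
            raise ValueError(f"{v.vuln_id}: {value!r} not in {allowed}")
    if v.exploitation == "active":
        # Active exploitation dominates: an exposed or high-impact asset needs action now.
        return "Act" if (v.exposure == "internet" or v.impact == "total") else "Attend"
    if v.exploitation == "poc":
        # Public proof of concept: escalate when it is automatable against an exposed asset.
        if v.automatable == "yes" and v.exposure == "internet":
            return "Attend"
        return "Track*" if (v.automatable == "yes" or v.impact == "total") else "Track"
    # No known exploitation: only automatable, internet-facing, total-impact flaws stand out.
    if (v.automatable, v.exposure, v.impact) == ("yes", "internet", "total"):
        return "Track*"
    return "Track"

# Remediation windows are assumed; only the three-day figure for the top tier is from the recap.
SLA = {"Act": timedelta(days=3), "Attend": timedelta(days=14),
       "Track*": timedelta(days=30), "Track": None}

def triage(vulns):
    """Order a backlog by SSVC outcome (Act first); CVSS plays no part in the ordering."""
    rank = {"Act": 0, "Attend": 1, "Track*": 2, "Track": 3}
    return sorted(((ssvc_decision(v), v) for v in vulns), key=lambda d: rank[d[0]])

# Constructed sample backlog: the exploited medium-CVSS bug outranks the unexploited critical one.
SAMPLE = [
    Vuln("example-1", 9.8, "none", "yes", "internal", "total"),
    Vuln("example-2", 6.5, "active", "no", "internet", "partial"),
    Vuln("example-3", 7.5, "poc", "yes", "internet", "partial"),
]
```

Running `triage(SAMPLE)` puts example-2 (CVSS 6.5, actively exploited, internet-facing) first and the CVSS 9.8 internal bug last, which is the reordering the directive is after.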

Access controls: conditional access, CASB, and SASE

Dave explained how conditional access can gate on location, time, and device state, while Neil emphasized mapping access sensitivity to control strength. The group treated CASB and SASE as complementary layers for governing access to cloud and SaaS.
