GitHub repo security at scale and CISA's SSVC vulnerability framework
Quick recap. New members joined from Kansas City to Budapest, and the main thread was asset management in the cloud - specifically how organizations inventory and secure GitHub repositories at scale. The group compared scanning approaches across entire GitHub organizations to catch shadow IT and supply-chain risk, then turned to CISA's new binding operational directive and its SSVC framework, which prioritizes patching by real-world evidence rather than CVSS score alone.
Securing GitHub repositories at scale
Rev asked how organizations track and secure their GitHub repositories. Shawn described how tools like Wiz can discover and scan repos across platforms, while Neil stressed scanning entire GitHub organizations - not just individual repos - to surface shadow IT. The conversation covered defending against rogue-employee actions and supply-chain attacks, the difficulty of securing GitHub Actions given their transient runners, and layered controls: CASB, SASE, conditional access through the IdP, and sign-off-based policies that also educate users.
CISA's SSVC vulnerability framework
Neil introduced CISA's new binding operational directive and its Stakeholder-Specific Vulnerability Categorization (SSVC) approach, which moves beyond CVSS by weighing exposure, known exploitation, automatability, and impact. The group discussed implementation friction - notably a three-day patching expectation for high-risk vulnerabilities - and the need to map SSVC to industry-specific compliance frameworks, which for non-federal organizations means custom work since CISA targets federal agencies.
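As an added illustration (not part of the discussion above), a small Python model of the SSVC idea: the decision rule below is a simplified approximation built from the four factors the group named (exposure, known exploitation, automatability, impact), not CISA's published decision tree, and the CVE ids and CVSS scores in the sample backlog are constructed placeholders.

```python
from dataclasses import dataclass
from enum import IntEnum


class Priority(IntEnum):
    TRACK = 0
    TRACK_CLOSELY = 1
    ATTEND = 2
    ACT = 3


@dataclass(frozen=True)
class Vuln:
    cve: str            # placeholder id, constructed for this example
    cvss: float         # base score, kept only to contrast with the SSVC outcome
    exposed: bool       # is the affected asset reachable from the attacker's position?
    exploited: str      # "none" | "poc" | "active"
    automatable: bool   # can the attack be carried out at scale without manual effort?
    impact: str         # "partial" | "total"


def ssvc_priority(v: Vuln) -> Priority:
    """Simplified SSVC-style decision (an assumed rule, not CISA's tree)."""
    if v.exploited == "active":
        if v.exposed and (v.automatable or v.impact == "total"):
            return Priority.ACT
        return Priority.ATTEND
    if v.exploited == "poc":
        if v.exposed and v.automatable and v.impact == "total":
            return Priority.ATTEND
        return Priority.TRACK_CLOSELY
    # no known exploitation: only the worst-case combination moves off plain tracking
    if v.exposed and v.automatable and v.impact == "total":
        return Priority.TRACK_CLOSELY
    return Priority.TRACK


def prioritize(vulns):
    """Sort by SSVC priority (highest first); CVSS only breaks ties within a tier."""
    return sorted(vulns, key=lambda v: (ssvc_priority(v), v.cvss), reverse=True)


# Constructed sample backlog: the CVSS 9.8 bug with no exploitation and no exposure
# ranks below the CVSS 6.5 bug that is exposed and under active exploitation.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, exposed=False, exploited="none", automatable=True, impact="total"),
    Vuln("CVE-0000-0002", 6.5, exposed=True, exploited="active", automatable=True, impact="partial"),
    Vuln("CVE-0000-0003", 7.5, exposed=True, exploited="poc", automatable=True, impact="total"),
    Vuln("CVE-0000-0004", 5.3, exposed=True, exploited="none", automatable=False, impact="partial"),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.cve}  cvss={v.cvss:<4} -> {ssvc_priority(v).name}")
```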
Access controls: conditional access, CASB, and SASE
Dave explained how conditional access can gate on location, time, and device state, while Neil emphasized mapping access sensitivity to control strength. The group treated CASB and SASE as complementary layers for governing access to cloud and SaaS.
