A Leap Forward in Security: Our Journey with the GitHub Secure Open Source Fund

Florian Forster

Founder and CEO

Co-authors:

Livio Spring

Software Engineer

At ZITADEL, we've always believed that the strength of open source lies in its community and the shared goal of building transparent, robust, and secure software for everyone. As an identity and access management platform, security isn't just a feature; it's the foundation of everything we do. We've always been proud of the high standards we set for ourselves. That's why our recent participation in the GitHub Secure Open Source Fund was such a perfect fit, allowing us to build on that foundation and accelerate our security journey.

We were incredibly honored when a sponsor from the GitHub program proposed us for the Secure Open Source Fund, and even more thrilled when ZITADEL was selected. To be recognized by GitHub, a cornerstone of the open-source world, was a milestone in itself. What we didn't fully anticipate was how the program would serve as a massive accelerator for our security practices and connect us so deeply with the very fabric of the open-source community.

The Power of Connection and Collaboration

One of the most profound takeaways from this program has been the connection with other open-source maintainers. In the day-to-day, it’s easy to get siloed in your own project, tackling challenges you assume are unique. The fund brought together a diverse group of projects, from Express.js to Bootstrap to Oh My Zsh (and many more), each with brilliant minds behind them.

Suddenly, we were in a virtual room with peers who not only understood our complex world but were actively solving similar problems. Sharing insights, discussing threat models, and learning from each other's incident response plans created an environment of collective growth. This collaborative spirit is the heart of open source, and the fund cultivated it beautifully. It was a powerful reminder that while our projects may differ, our commitment to security and quality unites us.

Deep Insights from the Source

The access we got to GitHub's internal security teams was nothing short of a game-changer. These weren't just high-level presentations; they were deep, insightful sessions that allowed us to look under the hood of modern security practices. We were astonished by the insights into how CodeQL works, and the workshop on "Leveraging GitHub Copilot to Ship Secure Code" was revelatory. We walked away with concrete strategies for using Copilot as a security-aware partner in our development loop, giving us a powerful new way to security-test our features.

Another standout was the advanced session on Fuzzing. While we understood the concept, the practical guidance gave us a clear roadmap. We are now actively planning a proof-of-concept to integrate fuzzing into our CI/CD pipeline, a step that will systematically harden our code against unexpected inputs. These sessions have equipped us not just with knowledge, but with actionable plans that are already making ZITADEL more secure.

A Tangible Impact on ZITADEL

The GitHub Secure Open Source Fund was more than just an educational experience; it was a catalyst that helped us build upon our existing security posture. While we already had a robust security program in place, the fund provided the expert insights and collaborative environment to accelerate our roadmap and refine our approach on several fronts:

  • Deeper SBOM Analysis: The program prompted us to re-evaluate our dependency licenses using generated SBOMs. Building on that, we are now planning to introduce more advanced scanning to gain an even deeper understanding of our software bill of materials, helping us to not only ensure compliance but also to proactively uncover potential supply chain risks.
  • Enhanced Security Tooling: We've adopted more of GitHub's native security features, improving our code scanning and secret scanning capabilities.
  • Proactive Security Mindset: The program has helped instill an even more proactive security culture within our team. We’re now better equipped to think like attackers, anticipate threats, and build more resilient systems from the ground up.

We are immensely grateful to GitHub and everyone involved in the Secure Open Source Fund. This initiative does more than just support individual projects; it strengthens the entire open-source ecosystem by investing in its security foundation. For ZITADEL, it has been a catalyst, and we are more committed than ever to carrying these lessons forward and contributing to a safer open-source future for all.

Thank you for being part of this great journey!

Florian