View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. AI and automation
December 5, 2019updated 30 Jun 2022 9:33am

GitHub Security Lab Draws on Expertise from All Corners of Cybersecurity Industry

"GitHub will send security alerts to affected projects.”

By CBR Staff Writer

GitHub recently unveiled its work on GitHub Security Lab a space for security researchers and developers to fix vulnerabilities and share expertise in order to improve the overall security of GitHub’s code sharing ecosystem.

GitHub is performing strongly for Microsoft who acquired it for £5.6 billion last year as the software development and code repository is now used by 40 million developers. Unfortunately threat actors are also using the platform to host malware and in some case store stolen data, as happened in the Capital One breach.

The GitHub Security Lab will help security teams identify and report vulnerabilities in open source software. The security lab aims to make it easier for developers to use GitHub to fix bugs and patch projects.

Jamie Cool VP of product management security at GitHub commented in a security blog that: “GitHub Security Lab’s mission is to inspire and enable the global security research community to secure the world’s code. Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects. The team has already had over 100 CVEs issued for security vulnerabilities it has found.”

GitHub Security Lab

Credit: GitHub

The GitHub Security lab is attempting to establish a cross industry community and so far is citing ‘time and expertise’ commitments from F5, Google, HackerOne, Intel, IOActive, J.P. Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMWare.

GitHub Security Lab

According to GitHub research when it comes to open source vulnerabilities 40 percent of them don’t have a CVE identifier and 70 percent of the issues discovered are still unpatched 30 days after developers have been alerted. The Security Lab aims to address this by bringing developers together to ensure that vulnerabilities are only disclosed when those responsible for fixing it are ready.

Importantly two months ago GitHub became a CVE Numbering Authority allowing it to issue CVE numbers when needed.

As part of this initiative GitHub has created a Security Advisories function that allows maintainers to work with: “Security researchers on security fixes in a private space, apply for a CVE directly from GitHub, and specify structured details about the vulnerability. Then, when they’re ready to publish the Security Advisory, GitHub will send security alerts to affected projects.”

Content from our partners
How to turn the evidence hackers leave behind against them
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer

In order to give developers the ability to move quickly GitHub have brought its automated security updates feature out of beta and made it generally available. This function pushes out notifications about vulnerabilities and importantly includes a pull request that can ‘update a vulnerable dependency to a fixed version.’

GitHub have also released a token scanning application which is run by the security lab that: “Within seconds of a commit being pushed to GitHub (or a repositories being made public), we scan it for token formats from 20 different cloud providers. When we detect a match, we notify the appropriate service provider and they take action, generally revoking the tokens and notifying the affected users.”

GitHub is making all data created by maintainers available for free in a GitHub Advisory Database.

See Also: Microsoft Earnings Outperform Expectations, Even as Azure Growth Slows

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU