
9/30/2020
05:45 PM

GitHub Tool Spots Security Vulnerabilities in Code

Scanner, which just became generally available, lets developers spot problems before code gets into production.

A code-scanning capability that GitHub has been testing for the past several months is now generally available for organizations using the platform as part of their software development process.

The scanner is based on CodeQL, a code analysis technology that GitHub acquired from its purchase of Semmle last year. It gives developers a way to scan code for security vulnerabilities during development and to address the issues before the code gets into production.

GitHub released the first beta of the natively integrated code scanner at its GitHub Satellite virtual event earlier this year. Since then, more than 6,000 user accounts — belonging to both individuals and organizations — have enabled code scanning on their GitHub repositories, says Justin Hutchings, product manager at GitHub.

Over 12,000 repositories on GitHub have been scanned a total of 1.4 million times since the scanner went into beta. Over that period, the scanner has helped uncover more than 20,000 security issues in code stored on GitHub, including remote execution flaws, SQL injection errors, and cross-site scripting flaws, according to GitHub.

"Thanks to their testing and feedback, we're confident that code scanning is ready for the wider community," Hutchings says. "The code-scanning beta proved the hypothesis that if you build security tooling for developers first, developers will use it." According to Hutchings, GitHub made multiple improvements to the product based on feedback from beta users of the code scanner so it meets requirements of the open source community and commercial organizations.

More source code is currently stored on GitHub than any other platform. Some 50 million developers and 2.9 million businesses worldwide collectively use GitHub to host a staggering 100 million code repositories. Since launching as a place for individual developers to securely host and manage code revisions back in 2008, GitHub has grown into the most widely used platform for managing software development projects worldwide.

In 2011 GitHub launched an enterprise version of the platform that organizations can use on-premise to manage software projects. In 2017, it launched an enterprise cloud version of the technology. Microsoft acquired GitHub for $7.5 billion in 2018. Some of its better-known customers include Facebook, American Airlines, Dow Jones, and 3M.

Ongoing Effort
Hutchings says the new code-scanning feature is part of GitHub's ongoing effort to help secure the open source software ecosystem. In 2019, GitHub launched Security Lab, an initiative under which it is working with security researchers, developers, and others to detect and report bugs in popular open source projects. Among those participating in the effort are Microsoft, Google, HackerOne, and Intel.

Such efforts are important because in recent years a high number of data breaches have resulted from vulnerabilities in web applications, such as SQL injection errors, input validation mistakes, and cross-site scripting flaws. Vulnerabilities in open source software in particular have been of high concern because of how widely used these components are in modern applications.

CodeQL, on which GitHub's new scanner is based, is a semantic code analysis tool that lets developers query software code as if it were data. GitHub has described the tool as allowing developers to write a query for all variants of a security vulnerability and then share the query with others so they can look for the same issues in their code as well.
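The idea of querying code as data, with one query catching several variants of the same flaw, sketched here with Python's standard `ast` module as an added example. This is not CodeQL and not GitHub's code; the sample source and all function names are constructed for illustration.

```python
import ast

# Constructed sample: four variants of one flaw, plus a parameterized call.
SAMPLE = '''
def by_percent(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
def by_fstring(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
def by_concat(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
def by_format(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))
def parameterized(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''

def is_static(node):
    """True when the expression is assembled from literals only."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_static(node.left) and is_static(node.right)
    if isinstance(node, ast.JoinedStr):
        return not any(isinstance(v, ast.FormattedValue) for v in node.values)
    return False

def is_built_string(node):
    """True for %-formatting, concatenation, f-strings and .format() calls."""
    if isinstance(node, (ast.BinOp, ast.JoinedStr)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def find_dynamic_sql(source):
    """Query: (line, function) for each execute() fed a non-literal built string."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if (isinstance(call, ast.Call) and call.args
                    and isinstance(call.func, ast.Attribute)
                    and call.func.attr == "execute"):
                query = call.args[0]
                if is_built_string(query) and not is_static(query):
                    findings.append((call.lineno, func.name))
    return sorted(findings)

print(find_dynamic_sql(SAMPLE))
```

The sketch only inspects the expression passed directly to `execute()`; a query string assembled earlier and passed in through a variable is not followed, which would need data-flow analysis.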

Code scanning is free for public repositories and available as an add-on as part of GitHub Advanced Security for GitHub Enterprise Server and GitHub Enterprise Cloud, Hutchings says. Its unique proposition is in shifting security left, or earlier, in the security development life cycle. "It allows enterprise security teams to scan every commit made to their applications and to provide feedback automatically during code review," Hutchings says.

Such feedback can help developers address issues faster. In the last 30 days of GitHub's beta, developers and maintainers using the platform fixed 72% of the security issues they identified in their code, he says. "We were extremely pleased to see this direct positive impact … given industry data shows that less than 30% of all flaws are fixed one month after discovery."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
