

11/18/2019
05:05 PM

GitHub Initiative Seeks to Secure Open Source Code

New Security Lab will give researchers, developers, code maintainers, and organizations a way to coordinate efforts on addressing vulnerabilities.

A new initiative that GitHub announced last week has focused attention on the urgent need across industries for more organized approaches to addressing security vulnerabilities in open source software.

Last Thursday GitHub launched Security Lab, an effort that seeks to provide researchers, maintainers of open source projects, developers, and organizations with a common venue for collaborating on security.

GitHub has dedicated a team of security researchers to Security Lab. The researchers will work with peers from several other organizations to find and report bugs in widely used open source projects. Developers and maintainers will be able to work together on GitHub to develop patches for disclosed flaws and to ensure coordinated disclosures after vulnerabilities have been properly patched.

To encourage broad participation GitHub has made publicly available CodeQL, a semantic code analysis tool it says can help security researchers find vulnerabilities in open source software using simple queries.

"If you're a security researcher or work in a security team, we want your help," GitHub said in a statement. "Securing the world's open source software will require the whole community to work together."

Among those that have committed to contributing their time and expertise to the effort are Google, Intel, Uber, HackerOne, and Microsoft, which last year purchased GitHub for over $7 billion. Each of these initial partners has committed to contributing to the effort in a different way, GitHub said, without elaborating.

GitHub did not respond immediately to a Dark Reading request for more information on partner participation and other aspects of the effort. In the announcement, however, it described the Security Lab initiative as being focused on the whole open source security life cycle. 

"GitHub Security Lab will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version," it states.

A Major and Growing Concern
Vulnerabilities in open source software and components have become a major and growing enterprise security issue. Many development organizations use open source code heavily to accelerate software development, but few bother to check for vulnerabilities, keep track of flaw disclosures in open source components, or patch their software when fixes do become available. The situation is often exacerbated by many organizations' failure to maintain a proper inventory of the open source components in their software stack. Troublingly, 40% of new open source vulnerabilities do not have an associated CVE, so they are not included in any database, GitHub said.

Research conducted by Synopsys in 2018 found open source code in over 96% of the codebases that were scanned for the study. Synopsys found some 298 open source components, on average, in each of the scanned codebases, compared to 257 in 2017. In many cases, the scanned codebases had substantially more open source components than proprietary code.

Significantly, 60% of the code in the Synopsys study had at least one security flaw. Forty-three percent contained vulnerabilities that were more than 10 years old, and 40% had at least one critical security flaw.

Fausto Oliveira, principal security architect at Acceptto, says unpatched vulnerabilities in open source code present a major threat to organizations. "The adoption of open source components permits companies to have a faster turnaround for their software projects at a cheaper cost," he says.

The downside is that adversaries are often as well informed as, or even better informed than, security researchers about the security vulnerabilities present in code components. "By having unpatched versions of open source components in production, an organization is offering a low-effort door into their infrastructure and services," Oliveira says.

One way the Security Lab initiative is seeking to address this is via a GitHub Advisory Database that contains detailed information on advisories created on GitHub. Maintainers will be able to work privately with security researchers on developing security fixes, applying for a CVE, and structuring vulnerability disclosures, GitHub said.

To the extent that Security Lab is focused on addressing such issues, it is a good idea, says Thomas Hatch, CTO and co-founder at SaltStack. "My concern is that this is not the first time we have seen these sorts of efforts," he says.

Many companies have tried over the years to secure open source code, but the level of attention required to address such a massive undertaking can be deeply daunting, Hatch adds. "I don't think this will solve all our problems, but it is a fantastic step in the right direction," he notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
