Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/18/2019
05:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

GitHub Initiative Seeks to Secure Open Source Code

New Security Lab will give researchers, developers, code maintainers, and organizations a way to coordinate efforts on addressing vulnerabilities.

A new initiative that GitHub announced last week has focused attention on the urgent need across industries for more organized approaches to addressing security vulnerabilities in open source software.

Last Thursday GitHub launched Security Lab, an effort that seeks to provide researchers, maintainers of open source projects, developers, and organizations with a common venue for collaborating on security.

GitHub has dedicated a team of security researchers to Security Lab. The researchers will work with peers from several other organizations to find and report bugs in widely used open source projects. Developers and maintainers will be able to work together on GitHub to develop patches for disclosed flaws and to ensure coordinated disclosures after vulnerabilities have been properly patched.

To encourage broad participation GitHub has made publicly available CodeQL, a semantic code analysis tool it says can help security researchers find vulnerabilities in open source software using simple queries.

"If you're a security researcher or work in a security team, we want your help," GitHub said in a statement. "Securing the world's open source software will require the whole community to work together."

Among those that have committed to contributing their time and expertise to the effort are Google, Intel, Uber, HackerOne, and Microsoft, which last year purchased GitHub for over $7 billion. Each of these initial partners has committed to contributing to the effort in a different way, GitHub said, without elaborating.

GitHub did not respond immediately to a Dark Reading request for more information on partner participation and other aspects of the effort. In the announcement, however, it described the Security Lab initiative as being focused on the whole open source security life cycle. 

"GitHub Security Lab will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version," it states.

A Major and Growing Concern
Vulnerabilities in open source software and components have become a major and growing enterprise security issue. Many development organizations use open source code heavily to accelerate software development, but few bother to check for vulnerabilities, keep track of flaw disclosures in open source components, or patch their software when fixes do become available. The situation is often exacerbated by many organizations' failure to maintain a proper inventory of the open source components in their software stack. Troublingly, 40% of new open source vulnerabilities do not have an associated CVE, so they are not included in any database, GitHub said.

Research conducted by Synopsis in 2018 found open source code in over 96% of codebases that was scanned for the study. Synopsis found some 298 open source components, on average, in each of the scanned codebases, compared to 257 in 2017. In many cases, the scanned codebases had substantially more open source components than proprietary code.

Significantly, 60% of the code in the Synopsis study had at least one security flaw. Forty-three percent contained vulnerabilities that were more than 10 years old, and 40% had at least one critical security flaw.

Fausto Oliveira, principal security architect at Acceptto, says unpatched vulnerabilities in open source code present a major threat to organizations. "The adoption of open source components permits companies to have a faster turnaround for their software projects at a cheaper cost," he says.

The downside is that adversaries are often as well informed or even better informed than security researchers of security vulnerabilities that are present in code components. "By having unpatched versions of open source components in production, an organization is offering a low-effort door into their infrastructure and services," Oliveira says.

One way the Security Lab initiative is seeking to address this is via a GitHub Advisory Database that contains detailed information on advisories created on GitHub. Maintainers will be able to work privately with security researchers on developing security fixes, applying for a CVE, and in structuring vulnerability disclosures, GitHub said.

To the extent that Security Lab is focused on addressing such issues, it is a good idea, says Thomas Hatch, CTO and co-Founder at SaltStack. "My concern is that this is not the first time we have seen these sorts of efforts," he says.

Many companies have tried over the years to secure open source code, but the level of attention required to address such a massive undertaking can deeply daunting, Hatch adds. "I don't think this will solve all our problems, but it is a fantastic step in the right direction," he notes.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How Medical Device Vendors Hold Healthcare Security for Ransom."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27941
PUBLISHED: 2021-05-06
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the...
CVE-2021-29203
PUBLISHED: 2021-05-06
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gai...
CVE-2021-31737
PUBLISHED: 2021-05-06
emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php.
CVE-2020-28198
PUBLISHED: 2021-05-06
** UNSUPPORTED WHEN ASSIGNED ** The 'id' parameter of IBM Tivoli Storage Manager Version 5 Release 2 (Command Line Administrative Interface, dsmadmc.exe) is vulnerable to an exploitable stack buffer overflow. Note: the vulnerability can be exploited when it is used in "interactive" mode wh...
CVE-2021-28665
PUBLISHED: 2021-05-06
Stormshield SNS with versions before 3.7.18, 3.11.6 and 4.1.6 has a memory-management defect in the SNMP plugin that can lead to excessive consumption of memory and CPU resources, and possibly a denial of service.