Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/18/2019
05:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

GitHub Initiative Seeks to Secure Open Source Code

New Security Lab will give researchers, developers, code maintainers, and organizations a way to coordinate efforts on addressing vulnerabilities.

A new initiative that GitHub announced last week has focused attention on the urgent need across industries for more organized approaches to addressing security vulnerabilities in open source software.

Last Thursday GitHub launched Security Lab, an effort that seeks to provide researchers, maintainers of open source projects, developers, and organizations with a common venue for collaborating on security.

GitHub has dedicated a team of security researchers to Security Lab. The researchers will work with peers from several other organizations to find and report bugs in widely used open source projects. Developers and maintainers will be able to work together on GitHub to develop patches for disclosed flaws and to ensure coordinated disclosures after vulnerabilities have been properly patched.

To encourage broad participation GitHub has made publicly available CodeQL, a semantic code analysis tool it says can help security researchers find vulnerabilities in open source software using simple queries.

"If you're a security researcher or work in a security team, we want your help," GitHub said in a statement. "Securing the world's open source software will require the whole community to work together."

Among those that have committed to contributing their time and expertise to the effort are Google, Intel, Uber, HackerOne, and Microsoft, which last year purchased GitHub for over $7 billion. Each of these initial partners has committed to contributing to the effort in a different way, GitHub said, without elaborating.

GitHub did not respond immediately to a Dark Reading request for more information on partner participation and other aspects of the effort. In the announcement, however, it described the Security Lab initiative as being focused on the whole open source security life cycle. 

"GitHub Security Lab will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version," it states.

A Major and Growing Concern
Vulnerabilities in open source software and components have become a major and growing enterprise security issue. Many development organizations use open source code heavily to accelerate software development, but few bother to check for vulnerabilities, keep track of flaw disclosures in open source components, or patch their software when fixes do become available. The situation is often exacerbated by many organizations' failure to maintain a proper inventory of the open source components in their software stack. Troublingly, 40% of new open source vulnerabilities do not have an associated CVE, so they are not included in any database, GitHub said.

Research conducted by Synopsis in 2018 found open source code in over 96% of codebases that was scanned for the study. Synopsis found some 298 open source components, on average, in each of the scanned codebases, compared to 257 in 2017. In many cases, the scanned codebases had substantially more open source components than proprietary code.

Significantly, 60% of the code in the Synopsis study had at least one security flaw. Forty-three percent contained vulnerabilities that were more than 10 years old, and 40% had at least one critical security flaw.

Fausto Oliveira, principal security architect at Acceptto, says unpatched vulnerabilities in open source code present a major threat to organizations. "The adoption of open source components permits companies to have a faster turnaround for their software projects at a cheaper cost," he says.

The downside is that adversaries are often as well informed or even better informed than security researchers of security vulnerabilities that are present in code components. "By having unpatched versions of open source components in production, an organization is offering a low-effort door into their infrastructure and services," Oliveira says.

One way the Security Lab initiative is seeking to address this is via a GitHub Advisory Database that contains detailed information on advisories created on GitHub. Maintainers will be able to work privately with security researchers on developing security fixes, applying for a CVE, and in structuring vulnerability disclosures, GitHub said.

To the extent that Security Lab is focused on addressing such issues, it is a good idea, says Thomas Hatch, CTO and co-Founder at SaltStack. "My concern is that this is not the first time we have seen these sorts of efforts," he says.

Many companies have tried over the years to secure open source code, but the level of attention required to address such a massive undertaking can deeply daunting, Hatch adds. "I don't think this will solve all our problems, but it is a fantastic step in the right direction," he notes.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How Medical Device Vendors Hold Healthcare Security for Ransom."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30481
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
CVE-2021-20020
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.