A new initiative that GitHub announced last week has focused attention on the urgent need across industries for more organized approaches to addressing security vulnerabilities in open source software.

Last Thursday GitHub launched Security Lab, an effort that seeks to provide researchers, maintainers of open source projects, developers, and organizations with a common venue for collaborating on security.

GitHub has dedicated a team of security researchers to Security Lab. The researchers will work with peers from several other organizations to find and report bugs in widely used open source projects. Developers and maintainers will be able to work together on GitHub to develop patches for disclosed flaws and to ensure coordinated disclosures after vulnerabilities have been properly patched.

To encourage broad participation GitHub has made publicly available CodeQL, a semantic code analysis tool it says can help security researchers find vulnerabilities in open source software using simple queries.

"If you're a security researcher or work in a security team, we want your help," GitHub said in a statement. "Securing the world's open source software will require the whole community to work together."

Among those that have committed to contributing their time and expertise to the effort are Google, Intel, Uber, HackerOne, and Microsoft, which last year purchased GitHub for over $7 billion. Each of these initial partners has committed to contributing to the effort in a different way, GitHub said, without elaborating.

GitHub did not respond immediately to a Dark Reading request for more information on partner participation and other aspects of the effort. In the announcement, however, it described the Security Lab initiative as being focused on the whole open source security life cycle. 

"GitHub Security Lab will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create fixes, coordinate disclosure, and update dependent projects to a fixed version," it states.

A Major and Growing Concern
Vulnerabilities in open source software and components have become a major and growing enterprise security issue. Many development organizations use open source code heavily to accelerate software development, but few bother to check for vulnerabilities, keep track of flaw disclosures in open source components, or patch their software when fixes do become available. The situation is often exacerbated by many organizations' failure to maintain a proper inventory of the open source components in their software stack. Troublingly, 40% of new open source vulnerabilities do not have an associated CVE, so they are not included in any database, GitHub said.

Research conducted by Synopsis in 2018 found open source code in over 96% of codebases that was scanned for the study. Synopsis found some 298 open source components, on average, in each of the scanned codebases, compared to 257 in 2017. In many cases, the scanned codebases had substantially more open source components than proprietary code.

Significantly, 60% of the code in the Synopsis study had at least one security flaw. Forty-three percent contained vulnerabilities that were more than 10 years old, and 40% had at least one critical security flaw.

Fausto Oliveira, principal security architect at Acceptto, says unpatched vulnerabilities in open source code present a major threat to organizations. "The adoption of open source components permits companies to have a faster turnaround for their software projects at a cheaper cost," he says.

The downside is that adversaries are often as well informed or even better informed than security researchers of security vulnerabilities that are present in code components. "By having unpatched versions of open source components in production, an organization is offering a low-effort door into their infrastructure and services," Oliveira says.

One way the Security Lab initiative is seeking to address this is via a GitHub Advisory Database that contains detailed information on advisories created on GitHub. Maintainers will be able to work privately with security researchers on developing security fixes, applying for a CVE, and in structuring vulnerability disclosures, GitHub said.

To the extent that Security Lab is focused on addressing such issues, it is a good idea, says Thomas Hatch, CTO and co-Founder at SaltStack. "My concern is that this is not the first time we have seen these sorts of efforts," he says.

Many companies have tried over the years to secure open source code, but the level of attention required to address such a massive undertaking can deeply daunting, Hatch adds. "I don't think this will solve all our problems, but it is a fantastic step in the right direction," he notes.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How Medical Device Vendors Hold Healthcare Security for Ransom."