GitHub on mission to secure the world's open source software

Monday, 18 November, 2019

Securing the world’s open source software is a formidable mission… and one that GitHub has chosen to accept.

On 14 November, the hosting giant launched GitHub Security Lab — a platform designed to empower people to secure open source code.

Through the platform, participants can access GitHub’s analysis engine, CodeQL, which helps users find and eradicate vulnerability-causing code, as well as “thousands of hours of security research”, according to a blog post by GitHub’s Vice President of Product Management, Security, Jamie Cool.

Users can also earn bounties of up to US$3000 for writing new CodeQL queries that find multiple, or a class of, vulnerabilities in open source code with high precision.

Cool said these tools would help the Lab’s security researchers, maintainers and partner companies — such as Google, Intel, Microsoft and VMWare — fight challenges of scale, expertise and coordination.

“The JavaScript ecosystem alone has over one million open source packages. Then there’s the shortage of security expertise: security professionals are outnumbered 500 to one by developers. Finally there’s coordination: the world’s security experts are spread across thousands of companies,” he said.

Lab researchers have already found and published 105 common vulnerabilities and exposures (CVEs), according to the site.

As more vulnerabilities are discovered, participants and end users will “need better tools to handle them”, Cool said.

Currently, “Forty percent of new vulnerabilities in open source don’t have a CVE identifier when they’re announced, meaning they’re not included in any public database. Seventy percent of critical vulnerabilities remain unpatched 30 days after developers have been notified,” he said.

GitHub expects the Lab to help improve responses to newly discovered vulnerabilities by ensuring they are only announced when maintainers have fixed affected code and developers can quickly update affected software.

Lab intends to boost project participation through events and sharing of best practices.

Image credit: ©stock.adobe.com/au/maciek905

Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.