The war against those who exploit vulnerabilities in open source software just moved to a whole new level with the launch last week of the GitHub Security Lab.
Vulnerabilities in open source have long been a concern. In its 2019 DevSecOps Community Survey, Sonatype, an automated open source governance company, found that there had been a 71% increase in open source breaches since 2014; and open source security company Snyk’s The State of Open Source Security 2019 reported an 88% increase in open source application library vulnerabilities over the past two years, with 16 000 new vulnerabilities – an all-time high – disclosed in 2018.
The new GitHub Security Lab was announced at the GitHub Universe developer conference in San Francisco by Jamie Cool, GitHub’s VP of Product Management, Security. The Security Lab’s mission is to “inspire and enable the global security research community to secure the world’s code”.
He acknowledged, however, that securing the world’s open source software was “a daunting task” because of the scale of the project – the JavaScript ecosystem alone has over one million open source packages.
“Then there’s the shortage of security expertise: security professionals are outnumbered 500 to one by developers. Finally there’s coordination: the world’s security experts are spread across thousands of companies,” he added.
Another problem was that the process for addressing a new vulnerability was often ad hoc. Around 40% of new open source vulnerabilities don’t have a CVE (Common Vulnerabilities and Exposures) identifier when first announced. As a result, they are not included in any public database. In addition, more than two thirds of critical vulnerabilities remain unpatched for 30 days after developers have been notified.
Cool believes that GitHub Security Lab and CodeQL – GitHub’s state-of-the-art code analysis engine – will “help level the playing field” and close the communication gap.
The Security Lab, which will include GitHub Security Advisories, will make it easier for maintainers and developers to work together directly on GitHub, so that maintainers can report vulnerabilities and developers can update to fixed versions quickly and easily.
Maintainers will be able to apply for a CVE directly from GitHub and specify details about the vulnerability; when they’re ready to publish those details, GitHub will send security alerts to affected projects. However, while getting the notification is useful, GitHub is going further by providing pull requests that will update a vulnerable dependency to a fixed version.
Joining forces with heavyweights
GitHub is not tackling all these problems alone. While GitHub would “lead by example” and dedicate full-time resources to finding and reporting vulnerabilities in open source projects, it would be joined by such heavyweights as Google, HackerOne, Intel, Microsoft, Mozilla, F5, JP Morgan, LinkedIn, Uber, VMware, Okta, Trail of Bits and NCC Group, each of whom would contribute to the project in different ways.
In addition, CodeQL, which lets users query code as though it were data, is being made available free of charge for use on open source, while the Security Lab will be running events and sharing best practices to help everyone participate in the project.
GitHub will also be giving away all the data that maintainers create in GitHub Security Advisories, as well as additional data that is created and mapped to packages tracked by the GitHub dependency graph.
Cool concluded with an appeal: “If you’re a security researcher or work in a security team, we want your help. Securing the world’s open source software will require the whole community to work together.”