A new initiative announced by GitHub last week has drawn attention to the urgent need across industries for more organized approaches to address security vulnerabilities in open source software.
Last Thursday, GitHub launched the Security Lab, an effort that aims to provide researchers, open source project maintainers, developers, and organizations with a common place to collaborate on security.
GitHub has dedicated a team of security researchers to Security Lab. Researchers will work with peers from several other organizations to find and report bugs in widely used open source projects. Developers and maintainers will be able to work together on GitHub to develop fixes for disclosed vulnerabilities and to ensure coordinated disclosures once the vulnerabilities have been properly addressed.
To encourage wide participation, GitHub made CodeQL publicly available, a semantic code analysis tool that it says can help security researchers find vulnerabilities in open source software using simple queries.
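As an added illustration of the kind of "simple query" the article refers to (this is example code written for this page, not a query shipped by GitHub or CodeQL), the following CodeQL query for C/C++ flags every call to the unbounded `strcpy` so a reviewer can check each one for a bounds-checked alternative. It assumes the standard `cpp` CodeQL library and a database built from the project under review.

```ql
/**
 * @name Calls to unbounded strcpy
 * @description Flags calls to strcpy, which copies without a length bound.
 * @kind problem
 * @problem.severity warning
 * @id example/unbounded-strcpy   // hypothetical id chosen for this example
 */
import cpp

// Every call expression in the database whose resolved target is the global
// function named strcpy; the result set is one row per call site.
from FunctionCall call
where call.getTarget().hasGlobalName("strcpy")
select call, "Call to strcpy has no length bound; consider strncpy or snprintf with an explicit size."
```

Run against a CodeQL database of the project, the query lists each call site with the message above; the same pattern, with a different function name, is how many of the library's own "dangerous API" queries start.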
“If you’re a security researcher or work on a security team, we need your help,” GitHub said in a statement. “Securing the world’s open source software will require the whole community to work together.”
Those who have pledged to devote their time and expertise to the effort include Google, Intel, Uber, HackerOne, and Microsoft, which last year bought GitHub for more than $7 billion. Each of these initial partners has committed to contributing to the effort in a different way, GitHub said, without elaborating.
GitHub did not immediately respond to a request from Dark Reading for more information on partner involvement and other aspects of the effort. In the announcement, however, it described the Security Lab initiative as being focused on the entire open source security lifecycle.
“GitHub Security Lab will help identify and report vulnerabilities in open source software, while maintainers and developers use GitHub to create patches, coordinate disclosure, and update dependent projects to a fixed release,” GitHub said.
A major and growing concern
Vulnerabilities in open source software and components have become a major and growing security concern for businesses. Many development organizations use open source code extensively to accelerate software development, but few bother to check for vulnerabilities, track disclosures of flaws in open source components, or fix their software when patches become available. The situation is often exacerbated by the failure of many organizations to maintain an appropriate inventory of open source components in their software stack. Disturbingly, 40% of new open source vulnerabilities do not have an associated CVE, so they are not included in any database, GitHub said.
Research conducted by Synopsys in 2018 found open source code in over 96% of the code bases that were scanned for the study. Synopsys found some 298 open source components, on average, in each of the scanned code bases, up from 257 in 2017. In many cases, the scanned code bases contained more open source code than proprietary code.
Significantly, 60% of the code bases in the Synopsys study had at least one security vulnerability. Forty-three percent contained vulnerabilities more than 10 years old, and 40% had at least one critical security vulnerability.
Fausto Oliveira, Senior Security Architect at Acceptto, says unpatched vulnerabilities in open source code pose a major threat to organizations. “The adoption of open source components allows companies to have faster turnaround time for their software projects at a lower cost,” he says.
The downside is that adversaries are often as well informed, if not better informed than security researchers, of security vulnerabilities in code components. “By having unpatched versions of open source components in production, an organization provides a low-effort gateway into its infrastructure and services,” Oliveira said.
The Security Lab initiative seeks to address this issue through a GitHub advisory database that contains detailed information about security advisories created on GitHub. Maintainers will be able to work privately with security researchers on developing security patches, requesting CVEs, and structuring vulnerability disclosures, GitHub said.
Because Security Lab is focused on solving these issues, it’s a good idea, says Thomas Hatch, CTO and co-founder of SaltStack. “What worries me is that this is not the first time that we have seen this kind of effort,” he says.
Many companies have tried over the years to secure open source code, but the level of attention required to tackle such a massive undertaking can be deeply intimidating, Hatch adds. “I don’t think this will solve all of our problems, but it’s a fantastic step in the right direction,” he notes.