How GitHub Analytics Can Help Secure the Open Source Software Supply Chain

0

Couldn’t attend Transform 2022? Discover all the summit sessions now in our on-demand library! Look here.


Supply chain security attacks have changed cybersecurity forever. Since President Biden issued his Executive Order on Improving the nation’s cybersecurity Following the debacles of Log4j and SolarWinds, open source security has become a top priority for organizations.

In reality, to research shows that 73% of organizations have adopted measures to secure their software supply chains.

Continuing this trend, SaaS security provider Legit Security today announced the launch of Legitify, a new open-source security tool designed to help businesses secure their GitHub implementations. The solution will enable security and development teams to analyze large-scale GitHub configurations and ensure the integrity of open source software.

GitHub supports more than 1.5 million organizations and plays a vital role in the software supply chains of many organizations as a source code management (SCM) solution to store code updates and identify issues.

Event

MetaBeat 2022

MetaBeat will bring together thought leaders to advise on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, California.

register here

Securing GitHub against the onslaught of open source

It’s no secret that vulnerabilities in open source projects can be devastating. For example, the Log4j remote exploit has been used in over 840,000 attacks within 72 hours of discovery.

Legit Security believes that securing GitHub is critical to securing the open source software supply chain, as exploits provide a way to modify source code, harvest secrets, and launch a supply chain attack.

For example, the organization recently revealed attack vulnerabilities in open-source projects from Google and Apache, including a “GitHub environment injection” in the Google Firebase project that allows an attacker to take control of a project’s GitHub Actions CI/CD pipeline and modify the underlying source code.

GitHub holds a unique place in the open source ecosystem because, although it is widely used, it is often difficult to secure GitHub implementations because it takes a long time to discover misconfigurations for each repository.

“It is difficult and time-consuming to consistently enforce security across large GitHub implementations, and GitHub misconfigurations are a very common source of vulnerabilities. Different people often deploy GitHub instances with different configurations and settings,” said Legit Security co-founder and CTO Liav Caspi.

“However, manually enforcing consistency in large GitHub organizations is labor intensive and prone to human error. Legitify solves this problem by allowing security teams and devops engineers to manage and enforce their configurations GitHub in a secure and scalable way,” Caspi said.

Legitify addresses these challenges by allowing users to scan GitHub implementations by a specific instance, resource type, or entire organization through the command line so they can detect security issues, categorize their severity, and escalate. review the corrective steps.

Other GitHub analytics solutions

It is important to note that Legit Security’s solution is not the only tool capable of security scanning GitHub code. GitHub Code Analysisreleased in 2020, is a native solution that integrates with GitHub Actions to analyze code as it is developed and provides users with security reviews to identify vulnerabilities.

Another tool offering this capability is SonarQube GitHub Stock, which allows the user to use a SonarQube scanner to detect bugs and code vulnerabilities in over 20 programming languages. SonarQube’s parent company, SonarSource, raised $412 million in funding earlier this year to scan code bases for vulnerabilities.

“Legitify is a unique open-source security tool designed for large enterprise GitHub deployments. Legitify connects to GitHub via an access token and detects issues on four resource types: member, repository, actions, and organization,” Caspi said.

VentureBeat’s mission is to be a digital public square for technical decision makers to learn about transformative enterprise technology and conduct transactions. Discover our Briefings.

Share.

Comments are closed.