Github Security Lab aims in helping and inspiring for a secure open-source environment

Together with several security researchers who work for Microsoft, Google, Intel, Mozilla, Oracle, Uber, VMWare, LinkedIn, J.P. Morgan, NCC Group, IOActive, F5, Trail of Bits, and HackerOne, Github founded Security Lab that hunts down and helps fix bugs in popular open-source projects hosted on Github.

In a press release, Github stated that:

“GitHub Security Lab’s mission is to inspire and enable the global security research community to secure the world’s code. Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open-source projects.”

The project has been active since the last two years but since yesterday Github has launched Security Lab officially.

During the beta period, the founding members have already tracked down and helped to fix more than 100 security flaws.

Bug bounty program

The project also has a bounty program for companies and individuals to join the team in hunting and fixing security flaws. To compensate the bug hunters fo their time the program has a reward system with bonuses up to $3000,-.

To join the program, a bug report must contain CodeQL, a new tool Github also launched with this announcement. It is a semantic code analysis engine that was designed to find different versions of the same vulnerability across vasts swaths of code. This code has also been implemented by Mozilla.

Improve security

Efforts have been going on at the company to improve the overall security state of the GitHub ecosystem for some time. Security Lab merges all these together.

For example, GitHub has been working for the past two years on rolling out security notifications that warn project maintainers about dependencies that contain security flaws.

Earlier this year, GitHub started testing a feature that would enable project authors to create automated security updates. When GitHub would detect a security flaw inside a project’s dependency, GitHub would automatically update the dependency and release a new project version on behalf of the project maintainer.

The feature has been in beta testing for all 2019, but starting today automated security updates are generally available and have been rolled out to every active repository with security alerts enabled.

CVE Numbering Authority

CVE Numbering Authority (CNA), is an independent and international organisation that issues CVE identification numbers for vulnerabilities.

Many open source project owners who host their projects on GitHub don’t bother requesting a CVE number due to the lengthy process.

To make things easier for the community Github became an authorized CVE Numbering Authority (CNA), which means it can issue CVE identifiers for vulnerabilities. 

Its CNA capability has been added to a new service feature called “security advisories.” These are special entries in a project’s Issues Tracker where security flaws are handled in private.

Once a security flaw is fixed, the project owner can publish the security, and GitHub will warn all upstream project owners who are using vulnerable versions of the original maintainer’s code.

But before publishing a security advisory, project owners can also request and receive a CVE number for their project’s vulnerability directly from GitHub.

Getting CVE identifiers are crucial, as these IDs and additional details can be integrated into many other security tools that scan source code and projects for vulnerabilities, helping companies detect vulnerabilities in open-source tools that they would have normally missed.

The company also launched the GitHub Advisory Database, where it will collect all security advisories found on the platform, to make it easier for everyone to keep track of security flaws found in GitHub-hosted projects.

Token Scanning updated

Token Scanning, their own service that can scan users’ projects for API keys and tokens that have been accidentally left inside their source code.

From now on, the service, which previously could detect API tokens from 20 services, can identify four more formats, from GoCardless, HashiCorp, Postman, and Tencent.

You can read their official announcement on Token Scanning for more info.

Follow us:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: