GitHub amps up vulnerability reporting capabilities

20 Sep 2019

GitHub has announced new capabilities that make it easier for developers to report vulnerabilities directly from their repositories.

GitHub is now an official CVE Numbering Authority (CNA), which means it can assign a CVE ID to a reported vulnerability, add it to the CVE List, and pass it on to the National Vulnerability Database (NVD) on behalf of the developer.

“We believe that fast, unfettered movement of vulnerability data is critical to improving software security… We’ll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry,” explains GitHub SVP product, Shanku Niyogi.

GitHub says the CVE reporting tool is part of the newly acquired Semmle, a code analysis platform that security researchers use to write declarative queries and find vulnerabilities in code.

The company believes the Semmle integration will allow developers to disclose more vulnerabilities, and will deliver faster alerts to those affected by them.

So far Semmle has uncovered more than 100 CVEs in open source projects such as Apache Struts, Apple’s XNU, the Linux Kernel, Memcached, U-Boot, and VLC.

Semmle CEO and founder Oege de Moor explains that the integration will change how software is developed, because it allows every developer to benefit from work done by top security researchers.

“GitHub is the one place where the community meets, where security experts and open source maintainers collaborate, and where the consumers of open source find their building blocks. GitHub’s recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub,” says de Moor.

Every CVE comes with a Semmle query, de Moor continues. Those queries are shared as open source and are open to the community.

“Every commit on every open source project is analysed with this curated body of crowd-sourced queries. Together, maintainers and security researchers make the entire ecosystem much safer than before.”

GitHub’s VP of APAC Sam Hunt adds that these security improvements have benefits for those in Asia Pacific.

“APAC has a large degree of enterprises subcontracting software development, so security is even more top of mind across almost every organisation and the ecosystem in the region,” says Hunt.

“Our commitment to secure the world’s code and continue to improve the security capabilities of our platform will enable forward-looking enterprises to drive innovation and leverage secure software development powered by open source.”
