GitHub on mission to secure the world's open source software
Securing the world’s open source software is a formidable mission… and one that GitHub has chosen to accept.
On 14 November, the hosting giant launched GitHub Security Lab — a platform designed to empower people to secure open source code.
Through the platform, participants can access GitHub’s analysis engine, CodeQL, which helps users find and eradicate vulnerability-causing code, as well as “thousands of hours of security research”, according to a blog post by GitHub’s Vice President of Product Management, Security, Jamie Cool.
Users can also earn bounties of up to US$3000 for writing new CodeQL queries that find multiple, or a class of, vulnerabilities in open source code with high precision.
Cool said these tools would help the Lab’s security researchers, maintainers and partner companies — such as Google, Intel, Microsoft and VMWare — fight challenges of scale, expertise and coordination.
Lab researchers have already found and published 105 common vulnerabilities and exposures (CVEs), according to the site.
As more vulnerabilities are discovered, participants and end users will “need better tools to handle them”, Cool said.
Currently, “Forty percent of new vulnerabilities in open source don’t have a CVE identifier when they’re announced, meaning they’re not included in any public database. Seventy percent of critical vulnerabilities remain unpatched 30 days after developers have been notified,” he said.
GitHub expects the Lab to help improve responses to newly discovered vulnerabilities by ensuring they are only announced when maintainers have fixed affected code and developers can quickly update affected software.
Lab intends to boost project participation through events and sharing of best practices.
Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.
Inrel's new cryogenic control chip could bring us closer to a practical, commercially viable...
We want your help to improve our member services, so please take two minutes to fill in our short...
The company has released the Windows 10 Insider Preview Build 19033 in both the fast and slow...