
GitHub amps up vulnerability reporting capabilities

20 Sep 2019

GitHub has announced new capabilities that make it easier for developers to report vulnerabilities directly from their repositories.

GitHub is now an official CVE Numbering Authority, which means it can assign a CVE ID to a reported vulnerability, add it to the CVE List, and pass it on to the National Vulnerability Database (NVD) on behalf of the developer.

“We believe that fast, unfettered movement of vulnerability data is critical to improving software security… We’ll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry,” explains GitHub SVP product, Shanku Niyogi.

GitHub says the CVE reporting tool is part of newly acquired Semmle, a code analysis tool that security researchers use to run declarative queries and find vulnerabilities in code.

The company believes the Semmle integration will allow developers to disclose more vulnerabilities and deliver faster alerts to those affected by them.

So far Semmle has uncovered more than 100 CVEs in open source projects such as Apache Struts, Apple’s XNU, the Linux Kernel, Memcached, U-Boot, and VLC.

Semmle CEO and founder Oege de Moor explains that the integration will change how software is developed because it allows every developer to benefit from work done by top security researchers.

“GitHub is the one place where the community meets, where security experts and open source maintainers collaborate, and where the consumers of open source find their building blocks. GitHub’s recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub,” says de Moor.

Every CVE comes with a Semmle query, de Moor continues. Those queries are shared as open source and are open to the community.

“Every commit on every open source project is analysed with this curated body of crowd-sourced queries. Together, maintainers and security researchers make the entire ecosystem much safer than before.”

GitHub’s VP of APAC Sam Hunt adds that these security improvements have benefits for those in Asia Pacific.

“APAC has a large degree of enterprises subcontracting software development, so security is even more top of mind across almost every organisation and the ecosystem in the region,” says Hunt.

“Our commitment to secure the world’s code and continue to improve the security capabilities of our platform will enable forward-looking enterprises to drive innovation and leverage secure software development powered by open source.”
