Thousands of vulnerabilities exist in open source code – GitHub aims to help developers see if their projects are affected
By: Cliff Saran, Editor-in-Chief
Published: 10 August 2022 12:56
GitHub has introduced an automatic alerting mechanism that lets developers address vulnerabilities in the open source components their code uses. According to GitHub, the new feature, called Dependabot alerts for vulnerable GitHub Actions, will make it easier for developers to stay up to date and fix security holes in their Actions workflows.
Vulnerabilities such as Log4j have put open source security weaknesses in focus, and US President Joe Biden has made software security a national priority. His executive order on cybersecurity requires that only companies that use secure software development lifecycle practices and comply with specific federal security guidance can sell to the federal government.
The advantage of open source code is that external code modules can be pulled into a project from public repositories such as GitHub. This allows developers to integrate functionality without having to write all the code themselves. Open source modules are maintained by third-party developers.
But as Computer Weekly has previously reported, if a security flaw is found in an open source module, the projects that depend on that module are also at risk. In many cases, developers whose code requires such modules may be unaware that the open source code they have incorporated into their own projects poses a security risk.
This is the exposure GitHub wants to address with Dependabot alerts for GitHub Actions.
The GitHub Advisory Database shows there are over 173,000 unreviewed vulnerabilities in GitHub
In a blog post discussing Dependabot's alerts for vulnerable GitHub Actions, GitHub senior product manager Kate Catlin and GitHub blogger Brittany O'Shea said the alerts will be powered by the GitHub Advisory Database.
"When security breaches are reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert on affected repositories," they wrote. At the time of writing, the GitHub Advisory Database had 8,543 reviewed advisories, of which 1,560 had been classified as 'critical'. However, showing the scale of the problem facing the open source community, the database also lists more than 173,000 vulnerabilities in GitHub that have yet to be reviewed.
Keeping open source code secure requires global cooperation. In January, a number of big tech companies, including Google and IBM, attended the White House Open Source Software Security Summit.
In conjunction with the summit, Kent Walker, president of global affairs at Google and Alphabet, wrote a blog post discussing the need to protect open source code effectively.
"Increasing reliance on open source means that it's time for industry and governments to make a concerted effort to establish baseline standards for security, maintenance, provenance and testing — to ensure that the nation's infrastructure and other vital systems can rely on open source projects," he wrote.
IBM enterprise security director Jamie Thomas also attended the summit. Thomas said: "Today's meeting made clear that government and industry can work together to improve secure open source practices. We can start by encouraging widespread adoption of open and reasonable security standards, identifying key open source assets that should meet the most stringent security requirements, and promoting nationwide collaboration to expand skills training and education in open source security and reward developers who make important contributions."
Dependabot alerts on vulnerable actions can be linked to continuous integration and deployment (CI/CD) processes, enabling development teams to prioritise developer work and resolve security issues faster.
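As an added illustration of how a team wires Dependabot into an Actions-based CI/CD pipeline (example configuration written for this page, not taken from the article or from GitHub's own documentation): a `.github/dependabot.yml` that enables Dependabot version updates for the `github-actions` ecosystem, alongside a workflow step that pins an action to a full commit SHA so that an advisory-triggered alert maps to one known revision. The weekly schedule, the job layout and the all-zero SHA are assumptions and placeholders.

```yaml
# .github/dependabot.yml (added example, not from the article)
# Tells Dependabot to scan the workflows under .github/workflows and open
# pull requests when a referenced action has a newer release. Alerts for
# vulnerable actions come from the GitHub Advisory Database and are switched
# on in the repository's security settings, not in this file.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"            # required value; workflows are found under .github/workflows
    schedule:
      interval: "weekly"      # assumed cadence; "daily" shortens the exposure window
    open-pull-requests-limit: 5

# .github/workflows/ci.yml (excerpt of the same added example)
# Pinning to a full commit SHA instead of a floating tag means a Dependabot
# alert or update PR refers to exactly one revision of the action; Dependabot
# bumps the SHA and the trailing version comment together.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # PLACEHOLDER SHA: replace with the real commit hash of the release you audited
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v3.5.3
      - run: make test
```

Both fragments are shown in one block for brevity; in a repository they live in the two files named in the comments.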