
GitHub amps up vulnerability reporting capabilities

20 Sep 2019

GitHub has announced new capabilities that make it easier for developers to report vulnerabilities directly from their repositories.

GitHub is now an official CVE Numbering Authority (CNA), which means it can assign a CVE ID to a reported vulnerability, add it to the CVE List, and pass it on to the National Vulnerability Database (NVD) on behalf of the developer.

“We believe that fast, unfettered movement of vulnerability data is critical to improving software security… We’ll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry,” explains GitHub SVP of product Shanku Niyogi.

GitHub says the CVE reporting tool is part of its newly acquired Semmle, a code analysis tool that security researchers use to run declarative queries over source code and find vulnerabilities in it.

The company believes the Semmle integration will allow developers to disclose more vulnerabilities and deliver faster alerts to those affected by them.

So far Semmle has uncovered more than 100 CVEs in open source projects such as Apache Struts, Apple’s XNU, the Linux Kernel, Memcached, U-Boot, and VLC.

Semmle CEO and founder Oege de Moor explains that the integration will change how software is developed, because it allows every developer to benefit from work done by top security researchers.

“GitHub is the one place where the community meets, where security experts and open source maintainers collaborate, and where the consumers of open source find their building blocks. GitHub’s recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub,” says de Moor.

Every CVE comes with a Semmle query, de Moor continues. Those queries are shared as open source and are open to the community.

“Every commit on every open source project is analysed with this curated body of crowd-sourced queries. Together, maintainers and security researchers make the entire ecosystem much safer than before.”
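To make the “query” idea concrete: the query language behind Semmle's tooling is CodeQL, and a query is a declarative pattern that is evaluated against a database built from a project's source. The query below is an added illustration written for this article, not a query from Semmle, GitHub or any CVE; it assumes the CodeQL JavaScript library (`import javascript`) and uses a placeholder `@id`. It flags calls to `eval` whose first argument is not a string literal, the kind of pattern a maintainer would want surfaced on every commit.

```ql
/**
 * @name Call to eval with a non-literal argument
 * @description Flags eval calls whose argument is computed at runtime,
 *              a recurring root cause of code-injection bugs.
 * @kind problem
 * @problem.severity warning
 * @id example/eval-non-literal   (placeholder id, not a published query)
 */

import javascript

// Every call expression in the analysed codebase is a candidate.
from CallExpr call
where
  // Only calls whose callee is literally named `eval`.
  call.getCalleeName() = "eval" and
  // Keep the ones where the first argument is not a plain string literal,
  // i.e. the evaluated code is assembled at runtime.
  not call.getArgument(0) instanceof StringLiteral
// Each result is reported at the call site with a message.
select call, "Call to eval with a non-literal argument."
```

Run against a CodeQL database of a JavaScript project, each row of the result is one call site; because the query is data, not a one-off script, it can be versioned, reviewed and re-run on every new commit, which is the sharing model the article describes.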

GitHub’s VP of APAC Sam Hunt adds that these security improvements have benefits for those in Asia Pacific.

“APAC has a large degree of enterprises subcontracting software development, so security is even more top of mind across almost every organisation and the ecosystem in the region,” says Hunt.

“Our commitment to secure the world’s code and continue to improve the security capabilities of our platform will enable forward-looking enterprises to drive innovation and leverage secure software development powered by open source.”
