
This article was published on November 15, 2019

GitHub launches Security Lab to spot vulnerabilities in open-source code

Ravie Lakshmanan

GitHub has officially launched a new Security Lab with an aim to secure open-source software.

The objective is to “bring together security researchers, maintainers, and companies across the industry who share our belief that the security of open source is important for everyone,” the Microsoft-owned code repository platform said.

Joining the company in this initiative are security professionals from various tech companies, including F5, Google, HackerOne, Intel, IOActive, J.P. Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber, and VMware.

To that effect, the company is making CodeQL freely available for anyone to find vulnerabilities in open-source code. It’s also launching GitHub Advisory Database, a public database of security advisories created on GitHub.

CodeQL, the semantic code analysis tool used to find vulnerabilities in codebases, comes from GitHub’s acquisition of Semmle back in September.
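To illustrate what “semantic code analysis” means in practice, here is a small CodeQL query written for this article (it is an added example, not code from GitHub or Semmle). It uses the standard CodeQL Python library to flag calls where a string literal is passed as the `password` keyword argument to a method named `connect`, which is a common hard-coded-credential pattern; the choice of the `connect` method name and the `password` argument is an assumption made for the example, and a real query would cover more sinks.

```ql
/**
 * @name Hard-coded password passed to connect()
 * @description A string literal is used as the password argument of a
 *              connect() call, so the credential lives in source control.
 * @kind problem
 * @problem.severity warning
 * @id example/hardcoded-password-connect
 */

import python

// Added example: `connect` and `password` are assumed names for illustration.
from Call call, StrConst literal
where
  // The callee is an attribute access such as db.connect(...)
  call.getFunc().(Attribute).getName() = "connect" and
  // ...and the password keyword argument is a string literal, not a variable
  call.getArgByName("password") = literal
select call, "Hard-coded password passed to connect(); load it from configuration or a secrets store instead."
```

Because CodeQL operates on a database extracted from the program’s syntax tree and data flow rather than on raw text, the same query matches the pattern regardless of formatting, aliasing, or how the arguments are ordered, which is what distinguishes it from a grep-style search.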

In addition to identifying and reporting vulnerabilities in open-source software, GitHub Security Lab will follow an open-source security lifecycle: maintainers and developers are helped to disclose and fix software flaws, and CodeQL is used to catch similar vulnerabilities before they are introduced in the future.

Semmle’s CodeQL has been instrumental in uncovering hundreds of bugs in open-source projects, spanning across Google Chromium, Linux, Ubuntu, and Microsoft’s Edge browser.

For its part, Semmle provides its own disclosure dashboard. But it won’t be surprising if GitHub integrates it with its new Advisory Database in the future, making it all accessible in one place.

Figure: The open-source security lifecycle (credit: GitHub)

From popular programming languages like Python and Ruby, and machine learning frameworks like TensorFlow, to JavaScript libraries and application deployment solutions like Kubernetes, GitHub hosts a large number of software projects that form the basis of the modern web.

As of August 2019, the software collaboration service is used by more than 40 million developers worldwide and hosts 100 million code repositories.

The development comes close on the heels of the company’s release of a native mobile app for iOS (in beta), and an improved code search and notifications experience. It also purchased Pull Panda earlier this year to beef up its portfolio of code review tools and provide developers an infrastructure to create secure software that follows the best software practices.

Now, with the formation of an open coalition of security teams and researchers to boost software security, GitHub has emerged as the most comprehensive platform capable of handling all aspects of the software development workflow.
