GitHub releases new SDLC security features including private vulnerability reporting

flyytech by flyytech
November 12, 2022

GitHub has announced new security features across its platform to help protect the software development lifecycle (SDLC): private vulnerability reporting, CodeQL code scanning support for the Ruby programming language, and two new views in its security overview. GitHub said the updates make securing the SDLC end to end easier and more seamless for developers. The releases land as SDLC security remains high on the agenda, with industry research pointing to an increase of almost 800% in software supply chain attacks.

GitHub rolls out private vulnerability reporting, CodeQL support for Ruby, coverage/risk security overviews

GitHub announced its new features at GitHub Universe 2022, a global developer event for cloud, security, community, and AI. The first, private vulnerability reporting, focuses on responsible vulnerability disclosure that seeks to minimize the use of inconsistent and sometimes unsafe public channels for the reporting of vulnerabilities to maintainers. GitHub argued that, with public disclosure, maintainers can struggle to fix issues before bad actors learn about and potentially exploit them. “Private vulnerability reporting is a collaborative solution for security researchers and open-source maintainers to report and fix vulnerabilities in open-source repositories. It provides a convenient, standardized, and secret way to report, assess and address vulnerabilities,” GitHub stated. Maintainers are invited to join the public beta.

The next new security feature is CodeQL support for the Ruby programming language, which is now generally available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code. CodeQL users can now find and fix vulnerabilities in their Ruby codebases without leaving GitHub, the firm said. To mark the launch, the GitHub Security Lab Bug Bounty Program will pay a $2,000 bonus for the first 10 submitted CodeQL queries for open-source Ruby projects that are rated High or Critical. Submissions will be accepted until March 31, 2023.
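The class of defect a command-injection query in a Ruby code-scanning suite is built to report is untrusted input reaching a shell sink. The following is an added example, not code from the article, from GitHub, or from the CodeQL query suite: the vulnerable shape beside its hardened form. The function names, the hostname allowlist regex and the sample input are all constructed for illustration.

```ruby
require "open3"

# Constructed sample input: a value an attacker might submit in a form field
# that the application expects to hold a plain hostname.
TAINTED_HOST = "example.org; echo INJECTED"

# Vulnerable form. A single command string handed to Open3/Process.spawn is
# run through /bin/sh when it contains shell metacharacters, so the ';'
# terminates the intended command and starts a second one. Scanners model
# this as a taint flow: request parameter -> string interpolation -> shell sink.
def greet_unsafe(host)
  cmd = "echo hello #{host}"          # sink: untrusted text becomes shell syntax
  out, _status = Open3.capture2e(cmd) # runs as: sh -c "echo hello example.org; echo INJECTED"
  out
end

# Hardened form, part 1: allowlist validation. A hostname only needs letters,
# digits, '.' and '-', so anything else is rejected outright rather than
# "sanitised" (the regex is a simplification for the example).
HOSTNAME_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\z/

def valid_hostname?(host)
  host.is_a?(String) && HOSTNAME_RE.match?(host)
end

# Hardened form, part 2: pass argv as separate strings. Ruby then execs the
# program directly with no shell involved, so metacharacters are plain data.
def greet_argv_only(host)
  out, _status = Open3.capture2e("echo", "hello", host)
  out
end

# Both defences together: reject bad input, and never build shell syntax.
def greet_safe(host)
  raise ArgumentError, "invalid hostname: #{host.inspect}" unless valid_hostname?(host)
  greet_argv_only(host)
end

if __FILE__ == $PROGRAM_NAME
  puts greet_unsafe(TAINTED_HOST)      # two lines: "hello example.org" then "INJECTED"
  puts greet_argv_only(TAINTED_HOST)   # one line, injection text printed literally
  begin
    greet_safe(TAINTED_HOST)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts greet_safe("example.org")
end
```

The argv form alone already removes the shell from the picture; the allowlist is defence in depth, since the value may later reach other sinks (log files, HTML, a database query) where a different injection would apply.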

Last are two new views added to GitHub's security overview. They give enterprise users visibility into their security coverage and risk across the entire application environment, helping them decide where to focus remediation efforts, according to GitHub.

Tailoring SDLC cybersecurity to developers, addressing security-developer imbalance

Most vulnerabilities in software are the result of simple mistakes, which can be incredibly difficult for developers to spot, Justin Hutchings, director of product management at GitHub, tells CSO. “GitHub has a unique opportunity to empower our community of 94 million developers with developer-focused security tools that cover the three most common sources of vulnerabilities: the code you wrote, the open-source code you depend on and the credentials you use to secure your systems.”

Security teams are often outnumbered 100 to 1 by the development teams they work with, which means they are constantly playing catch-up to find and fix vulnerabilities in their products, Hutchings adds. “GitHub has a tremendous opportunity to improve security across the whole industry by developing security capabilities that are tailored to developers.”

Developer acceptance of DevSecOps security tools is critical for successful application security, says Jim Mercer, Research VP, DevOps & DevSecOps at IDC. “GitHub rolling out these capabilities into where developers are working makes the deployment a no-brainer, and since these capabilities are not adding undue friction, we would expect that developers will be more open to using them.” The bottom line is that DevSecOps tools should be designed with the workstreams of developers and DevOps in mind, he adds. “While these moves are not a panacea for open-source security, they help make open-source components that businesses consume more secure.”

2022 a busy year for SDLC cybersecurity

It’s been a busy year for SDLC cybersecurity across the sector with various standards, initiatives and projects launched in 2022 to help raise the security bar surrounding software development processes, including those that rely heavily on open-source resources.

In September, the US National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) published Securing the Software Supply Chain: Recommended Practices Guide for Developers. The document emphasizes the role developers play in creating secure software and outlines guidance designed to help them adopt government and industry recommendations on doing so.

In May, Rezilion launched a dynamic software bill of materials (SBOM) that plugs into an organization's software environment, observes how components are actually executed at runtime, and surfaces the bugs and vulnerabilities among them. In November, Rezilion extended the SBOM to Windows environments, giving organizations a way to manage software vulnerabilities and meet new regulatory requirements there, and addressing gaps in traditional vulnerability management tools, which were designed primarily for Linux.

In March, IriusRisk released the Open Threat Model (OTM) standard to improve connectivity and interoperability between threat modeling and the rest of the SDLC. Published under a Creative Commons license, OTM accepts a wide range of source formats, supports new sources of application and system design, and lets users exchange threat model data across the SDLC and security tooling ecosystem, IriusRisk said.

This year has also seen organizations begin to stand up open-source program offices (OSPOs) to help codify strategies around open-source software use and contribution and to foster collaboration with the broader software development community. These OSPOs often have key responsibilities such as cultivating an open-source software strategy, leading its execution and facilitating the use of products and services across an enterprise, playing a key role in an organization’s approach to security and governance of open-source software.

Copyright © 2022 IDG Communications, Inc.