
There is a lot of open-source code; GitHub is expanding its security tools to help secure it

Whether it’s for internal operations or external services, almost every company uses open-source software. Incredibly, 90% of companies report utilising open-source technology in some capacity, and 97% of apps themselves use it.

However, Log4j and SolarWinds (among others) show that open-source software can have serious security flaws. Argon Security forecasts a 300% increase in software supply chain attacks between 2020 and 2021, while Gartner says 89% of firms have encountered a supplier risk incident in the previous five years.

“Almost every software product” relies on open-source contributions, according to Mariam Sulakian, senior product manager at GitHub. “Securing it and safeguarding the community has a tremendous influence,” she said. The millions of individuals and services that rely on open-source software are all potentially at risk if the software is compromised.

The industry-standard hosting provider already offers several features to deal with the issue, and today it announced the extension of two of them: GitHub’s push protection is now available for custom secret patterns, and its secret scanning alerts are now free on all public repositories. Both features are available to the general public in beta.

According to Sulakian, “GitHub is always trying to make using and contributing to open source easier since it is the largest open-source community in the world. By making our most cutting-edge security technologies freely available in public repositories, we hope to ensure the safety of open source and the developers who work on it.”

Keeping secrets secret

Exposed secrets and credentials are the most prevalent root cause of untraced data breaches. Furthermore, identifying them takes an average of 327 days.

Sulakian warned that “malicious actors typically target disclosed secrets and credentials as starting points for broader assaults,” such as ransomware and phishing operations.

Through its secret scanning partner programme, GitHub collaborates with more than a hundred service providers so that exposed secrets of their types are promptly remediated.

More than 1.7 million exposed secrets in public repositories were found and reported to the hosting service in 2022, for example. Broken down daily, that means GitHub discovers over 4,500 potential secrets exposed in public repositories every day.

Now, similar notifications will also be available to open-source developers on GitHub, at no cost to them. If this setting is activated, GitHub immediately alerts programmers whenever confidential information has been exposed in their code. As a result, they can keep tabs on warnings, pinpoint the origin of the leak, and take corrective measures with ease. According to Sulakian, users may get notifications and monitor fixes for issues like compromised self-hosted HashiCorp Vault keys.

Millions of developers may protect their credentials and passwords using “secret scanning for public repositories,” she claimed.

Secret scanning for public repositories has entered public beta today and will be accessible to all users by the end of January 2023.

Postmates’ staff security engineer, David Ross, said, “With secret scanning, we uncovered a tonne of essential items to resolve.” “From an application security perspective, this is frequently the most effective means of locating bugs in the code.”

GitHub pushes secure development further

Also, as Sulakian mentioned, corporations often have their own unique set of secrets, and they want to be able to detect when those secrets have been exposed and to stop them from being disclosed in the first place.

Organizations may use custom patterns to search thousands of repositories for secrets in a wide variety of forms, including connection strings, private keys, and URLs with embedded credentials.

However, as Sulakian points out, “remediation requires time and substantial money.”

To solve this issue, in April 2022, GitHub began offering push protection to GitHub Advanced Security (GHAS) users. This feature checks for leaks before they happen in an effort to prevent them in advance.

In the eight months since, Sulakian says, GitHub has blocked over 8,000 potential leaks spanning more than 100 different types of secrets. With the new features revealed today, businesses using GHAS gain the same protection for their custom secret patterns, which are frequently the most crucial to their operations since they are uniquely tailored to and defined within the business.

Using push protection, firms may guard against the unintentional disclosure of their most sensitive information, as Sulakian put it.

According to Sulakian, push protection for custom patterns can be enabled on a per-pattern basis at the repository or organisation level. When it is activated, GitHub blocks pushes that contain a match for the specified pattern. Companies can choose which patterns to push-protect based on each pattern’s false-positive rate.
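To make the two ideas above concrete (custom secret patterns for things like connection strings, private keys and credential-bearing URLs, and a push-protection decision that blocks only on patterns an organisation has chosen to enforce), here is an added example. It is not GitHub’s code and does not use GitHub’s pattern syntax or API; the pattern names, the regexes, the `push_protect` flag and the sample diff lines are all constructed for illustration. It scans the added lines of a hypothetical push and returns a block/allow decision alongside redacted findings, so the same logic serves both an after-the-fact alert and a pre-push gate.

```python
import re
from dataclasses import dataclass


# Hypothetical custom patterns, modelled on the kinds the article lists.
# These regexes are assumptions for this example, not GitHub's own patterns.
@dataclass(frozen=True)
class SecretPattern:
    name: str
    regex: re.Pattern
    push_protect: bool  # True: block the push; False: alert only (noisy pattern)


PATTERNS = [
    # scheme://user:password@host -- a URL with embedded credentials
    SecretPattern("url-with-credentials",
                  re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
                  True),
    # PEM private key header (any common key type)
    SecretPattern("private-key-block",
                  re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
                  True),
    # Database connection string carrying an inline password
    SecretPattern("connection-string-password",
                  re.compile(r"(?i)\b(?:Password|Pwd)\s*=\s*[^;\s]+"),
                  True),
    # Hypothetical in-house token format with a high false-positive rate:
    # kept as alert-only rather than push-protected, as the article suggests.
    SecretPattern("internal-token",
                  re.compile(r"\bACME_[A-Z0-9]{16}\b"),
                  False),
]


@dataclass(frozen=True)
class Finding:
    pattern: str
    line_no: int
    snippet: str   # redacted, so the alert itself does not re-leak the value
    blocking: bool


def redact(match_text):
    """Keep a short, recognisable prefix of the match and drop the rest."""
    return match_text[:8] + "..." if len(match_text) > 8 else match_text


def scan_lines(lines):
    """Run every pattern over every line; one Finding per match, in line order."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for pattern in PATTERNS:
            for match in pattern.regex.finditer(line):
                findings.append(Finding(pattern.name, line_no,
                                        redact(match.group(0)),
                                        pattern.push_protect))
    return findings


def check_push(added_lines):
    """Push-protection style decision.

    Returns (allowed, findings). The push is rejected only if at least one
    match belongs to a push-protected pattern; alert-only matches are still
    reported so they can be triaged later.
    """
    findings = scan_lines(added_lines)
    blocked = any(f.blocking for f in findings)
    return (not blocked), findings


# Constructed sample: the '+' lines of a hypothetical commit being pushed.
SAMPLE_ADDED_LINES = [
    'DATABASE_URL = "postgres://app:s3cr3t@db.internal:5432/app"',
    'conn = "Server=db.internal;User Id=app;Password=hunter2;"',
    '-----BEGIN RSA PRIVATE KEY-----',
    'token = "ACME_0123456789ABCDEF"',
    'homepage = "https://example.com/docs"',   # a plain URL: must not match
]


if __name__ == "__main__":
    allowed, findings = check_push(SAMPLE_ADDED_LINES)
    print("push allowed:", allowed)
    for f in findings:
        verdict = "BLOCK" if f.blocking else "alert"
        print(f"  line {f.line_no}: {f.pattern} [{verdict}] {f.snippet}")
```

The per-pattern `push_protect` flag is the point of the example: a pattern that matches too much is still worth scanning for (so leaks surface as alerts), but only precise patterns should be allowed to reject a developer’s push, which is the trade-off the article describes.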

According to Intel’s director of software engineering, David Florey, integrating this capability into a developer’s workflow saves time and helps educate on best practices.

“If you try to keep a secret from me, I’ll find out about it right away,” he remarked.

He explained that if he depended exclusively on external scanning tools to search the repository after the secret had been released, “I’ll need to rapidly revoke the secret and rework my code,” but the GitHub tool prevented this from happening.

Customers of GitHub are investing more effort in safeguarding their increasingly complicated software supply chains as a result of threat actors’ growing focus on exposed secrets and credentials, according to Sulakian.

When it comes to improving overall security, saving money on reactive work by appsec teams, and minimising harm, “organisations continually attempt to discover and repair vulnerabilities earlier in the software lifecycle,” said Sulakian.

According to her, application security teams may more easily find and fix flaws in user code with the help of GitHub. With its free and open-source technologies, the firm aims to streamline and improve developer productivity without disrupting existing processes. Private vulnerability reporting was recently added to facilitate disclosure of vulnerabilities and communication between companies and maintainers.

“For free on public repositories is part of our concept,” Sulakian stated.

At the end of the day, she insisted, “as the home for open source with 94 million plus developers, GitHub can improve the status of software security more than any other team or platform.”