More code security with open source: One year GitHub Security Lab
Source: Heise.de, added 21st Dec 2020

At Universe 2019, a year ago, GitHub presented a new initiative to improve code security. GitHub Security Lab aims to help secure the open source ecosystem. It is meant to simplify, and make more effective, the cooperation between all parties with an interest in secure software: developers, companies and security researchers. The Security Lab's partners include Google, Uber, Mozilla and Oracle.
Security research, community and industry engagement

The initiative focuses on three areas: security research, building a community and engaging with the industry. At its core, GitHub Security Lab consists mainly of a team of security researchers who concentrate on finding vulnerabilities in open source software (OSS) before they turn into an exploit, i.e. before an attacker can take advantage of the vulnerability. GitHub states that in its first year the team found 400 issues through variant analysis driven by its own code analysis engine CodeQL, targeted fuzzing and manual code review. Large projects such as Google Chrome, Android, the Linux kernel, Ubuntu and Java enterprise applications were among those affected.
According to its own account, the team also helped stop an active attack on an OSS supply chain. In addition, the initiative apparently recently helped to identify and remedy a critical remote vulnerability in the German COVID-19 infrastructure.
Goals for 2021

For the coming year, the team has set itself the goal of further improving the workflow for eliminating OSS vulnerabilities and involving the community more closely. The research team also wants to broaden its scope beyond vulnerabilities in open source code itself: OSS components distributed via package managers are increasingly the target of attacks, for example through hijacking and malware, and this is where Security Lab sees an opportunity to help.
Finally, GitHub Security Lab wants to help bridge the gap between the security and developer communities. Building CodeQL queries is a first step, but the research team wants to expand its efforts, for example with new educational content and with support for contributions from the community and the Open Source Security Foundation (OpenSSF). More information about GitHub Security Lab and its first anniversary can be found in the post on the GitHub blog.
(mdo)