GitHub Security Lab: a project to identify vulnerabilities in open source software



Yesterday, at the GitHub Universe developer conference, GitHub announced the launch of a new program aimed at improving the security of the open source ecosystem. The program is called GitHub Security Lab, and it brings together security researchers from a variety of companies to identify and help fix vulnerabilities in popular open source projects.

All interested companies and individual security specialists are invited to join the initiative, which already includes security researchers from F5, Google, HackerOne, Intel, IOActive, JP Morgan, LinkedIn, Microsoft, Mozilla, NCC Group, Oracle, Trail of Bits, Uber and VMWare. Over the last two years these researchers have identified and helped fix 105 vulnerabilities in projects such as Chromium, libssh2, the Linux kernel, Memcached, U-Boot, VLC, Apport, HHVM, Exiv2, FFmpeg, Fizz, libav, Ansible, npm, XNU, Ghostscript, Icecast, Apache Struts, strongSwan, Apache Ignite, rsyslog, Apache Geode and Hadoop.

"The Security Lab's mission is to inspire and enable the global research community to secure the program code," the company said.

The code security maintenance cycle proposed by GitHub works as follows: GitHub Security Lab participants identify vulnerabilities, the details are passed to the project's maintainers and developers, who fix the issues and agree on when to disclose them, and dependent projects are then informed that they need to update to the fixed version.

Microsoft has released CodeQL, a tool developed to find vulnerabilities in open source code, for public use. The database will host CodeQL templates (queries) intended to prevent already-fixed issues from reappearing in code hosted on GitHub.

Additionally, GitHub has recently become a CVE Numbering Authority (CNA), which means it can issue CVE identifiers for vulnerabilities. This capability is part of a new service called »Security Advisories«.

Through the GitHub interface, you can obtain a CVE identifier for an identified problem and prepare a report; GitHub then sends the necessary notifications itself and coordinates the fix. Once the problem is fixed, GitHub also automatically opens pull requests to update the dependencies of projects that rely on the vulnerable one.

CVE identifiers mentioned in comments on GitHub now link automatically to detailed information about the vulnerability in the new database. A separate API is offered for automating work with the database.

GitHub also introduced the GitHub Advisory Database, a vulnerability catalogue that publishes information about vulnerabilities affecting projects hosted on GitHub, together with data for tracking the affected packages and repositories.

GitHub also announced an update to the service that protects against confidential information, such as authentication tokens and access keys, ending up in a publicly accessible repository.

When a commit is made, the scanner checks for the typical key and token formats used by 20 cloud providers and services, including Alibaba Cloud API, Amazon Web Services (AWS), Azure, Google Cloud, Slack, and Stripe. If a token is detected, a request is sent to the service provider to confirm the leak and revoke the compromised token. Since yesterday, in addition to the previously supported formats, GoCardless, HashiCorp, Postman and Tencent tokens are also recognised.
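As an added illustration of the format-based detection step described above (example code, not GitHub's own scanner), the following Python sketch scans constructed commit content for a few simplified credential shapes and prepares masked, per-provider notifications. The regexes are deliberately simplified approximations of the real formats, and every sample token is fake.

```python
import re
from dataclasses import dataclass

# Simplified, illustrative credential shapes for three of the providers named above.
# These are approximations for demonstration, not GitHub's actual scanner patterns.
TOKEN_PATTERNS = {
    "Amazon Web Services (AWS)": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe": re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b"),
    "Slack": re.compile(r"\bxox[bpa]-[0-9A-Za-z-]{10,}\b"),
}

@dataclass(frozen=True)
class Finding:
    provider: str
    line_no: int
    token: str

def scan_text(text):
    """Return one Finding per token-shaped match, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(provider, line_no, match.group(0)))
    return findings

def redact(token, keep=4):
    """Mask the middle of a token so it can be quoted in a notification or log."""
    if len(token) <= 2 * keep:
        return "*" * len(token)
    return token[:keep] + "*" * (len(token) - 2 * keep) + token[-keep:]

def build_notifications(findings):
    """Group redacted tokens per provider: one notification per provider to confirm and revoke."""
    per_provider = {}
    for finding in findings:
        per_provider.setdefault(finding.provider, []).append(redact(finding.token))
    return per_provider

# Constructed sample commit content; every credential below is fake.
SAMPLE_COMMIT = """\
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
stripe_key = "sk_live_EXAMPLEKEY0123456789abcd"
slack_bot_token: xoxb-000000000000-EXAMPLEEXAMPLEEXAMPLE
README: nothing secret on this line
"""

if __name__ == "__main__":
    for provider, tokens in build_notifications(scan_text(SAMPLE_COMMIT)).items():
        print(provider, tokens)
```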

Bounties of up to $3,000 are offered for identified vulnerabilities, depending on the severity of the problem and the quality of the report.

According to the company, bug reports must include a CodeQL query that captures the vulnerable code pattern, so that the same kind of vulnerability can be detected in the code of other projects (CodeQL performs semantic analysis of code and lets you write queries that search for specific code structures).
