UPDATED 12:12 EST / NOVEMBER 17 2017


GitHub’s new security tool flags vulnerable project components

There’s always a risk that one of the numerous third-party components used in the typical application project might contain a security flaw exploitable by hackers. GitHub Inc., the code hosting provider, has set out to mitigate this threat.

The company on Thursday introduced a new security tool that alerts developers when an external component on which their GitHub project depends is found to contain a vulnerability. According to GitHub, more than three-quarters of the 67 million code repositories hosted on its service rely upon at least one other project. They form one large, interdependent ecosystem that can be heavily affected if a vulnerability is found in a popular package.

The security tool builds upon a feature called Dependency Graph that GitHub launched last month to map out how users’ projects connect with one another. It shows developers what external components their repositories use, which can be a major help in large projects maintained by multiple contributors. Thanks to the new update, they can now also have GitHub alert them when a known vulnerability is found in one of those components.

The tool relies on data from the U.S. government’s National Vulnerability Database. When a dependency matches a vulnerability record, GitHub says that the algorithms running behind the scenes not only send out an alert but also check whether a patched version of the affected package exists on its platform.
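The matching step described above, reduced to its essentials, is a lookup of each resolved dependency version against a feed of advisories with affected-version ranges, followed by a check for a fix. The following JavaScript is an added illustration written for this page, not GitHub’s own code: the lockfile contents, package names, advisory ids and version ranges are all constructed, and the version-range grammar is a deliberately simplified subset of semver (three numeric components, prerelease tags ignored, clauses joined by AND).

```javascript
// Added example (not GitHub's implementation): match resolved dependency
// versions against a constructed advisory feed and report available fixes.

// Constructed sample of resolved versions, as a lockfile would record them.
const SAMPLE_LOCKFILE = {
  "acme-logger": "4.2.0",
  "acme-router": "2.3.1",
  "acme-templating": "1.0.5",
  "acme-crypto": "3.1.0",
  "acme-leftpad": "1.1.2",
};

// Constructed advisory feed (hypothetical ids; the real feed would be NVD data).
// `fixed: null` models an advisory for which no patched release exists yet.
const SAMPLE_ADVISORIES = [
  { id: "ADV-EXAMPLE-1", package: "acme-logger", affected: "<4.2.1", fixed: "4.2.1", severity: "moderate" },
  { id: "ADV-EXAMPLE-2", package: "acme-router", affected: ">=2.0.0 <2.4.0", fixed: "2.4.0", severity: "high" },
  { id: "ADV-EXAMPLE-3", package: "acme-templating", affected: "<=1.0.9", fixed: null, severity: "low" },
  { id: "ADV-EXAMPLE-4", package: "acme-crypto", affected: "<3.0.0", fixed: "3.0.0", severity: "critical" },
];

// Parse "MAJOR.MINOR.PATCH" into numbers. Assumption: prerelease suffixes
// ("1.2.3-beta.1") are ignored, which is stricter than full semver ordering.
function parseVersion(v) {
  const core = String(v).split("-")[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Numeric comparison component by component, so "1.10.0" sorts after "1.2.3"
// (a plain string comparison would get this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar: whitespace-separated clauses, each "<op>X.Y.Z" with op in
// {<, <=, >, >=, =} (no op means exact match); all clauses must hold.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const op = m[1] || "=";
    const c = compareVersions(version, m[2]);
    switch (op) {
      case "<": return c < 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case ">=": return c >= 0;
      default: return c === 0;
    }
  });
}

// Core of the alerting logic: for every dependency, find advisories whose
// affected range contains the installed version, and say whether a fix exists.
function findVulnerableDependencies(lockfile, advisories) {
  const findings = [];
  for (const [name, installed] of Object.entries(lockfile)) {
    for (const adv of advisories) {
      if (adv.package !== name || !satisfies(installed, adv.affected)) continue;
      // A fix is only actionable if the named version lies outside the affected range.
      const fixAvailable = adv.fixed !== null && !satisfies(adv.fixed, adv.affected);
      findings.push({ package: name, installed, advisory: adv.id, severity: adv.severity, fixAvailable, fixedIn: adv.fixed });
    }
  }
  return findings;
}

// Human-readable alert lines, one per finding, sorted so the report is stable.
function formatAlerts(findings) {
  return findings
    .slice()
    .sort((a, b) => a.package.localeCompare(b.package))
    .map((f) => {
      const fix = f.fixAvailable ? `upgrade to ${f.fixedIn}` : "no patched version yet";
      return `${f.package}@${f.installed}: ${f.advisory} (${f.severity}) - ${fix}`;
    });
}

// Stand-alone run over the constructed sample data.
for (const line of formatAlerts(findVulnerableDependencies(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES))) {
  console.log(line);
}
```

On the sample data the run reports three of the five dependencies: two with an upgrade target and one for which the feed names no fix, which is the case an alert pipeline should surface separately rather than silently drop. A production matcher would replace the range parser with a full semver implementation and treat the advisory feed as untrusted input (validate every range before use).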

By default, notifications are only sent to the administrators of a project. More users and teams can be added to the mailing list through the GitHub management console. A developer could, for example, bring their organization’s cybersecurity group into the mix to help them quickly respond to new vulnerabilities.

GitHub’s security tool currently works with code written in JavaScript and Ruby. The company will add support for the Python programming language next year, as well as work to help developers identify vulnerabilities that aren’t listed in the National Vulnerability Database.

GitHub is not the only provider working to protect users from vulnerable packages. Docker Inc., the software container pioneer, last year launched a similar tool that can scan the application images in a company’s internal repository for known security issues.
