GitHub acquisition to boost open source security

By Marilyn de Villiers
Johannesburg, 25 Sept 2019

With software powering the world, it is essential that open source software can be trusted and that developers can create and consume it in a secure way.

That was one of the reasons behind last week’s announcement by GitHub CEO Nat Friedman that the world’s largest repository of open source software has acquired Semmle, developer of a “revolutionary semantic code analysis engine”.

GitHub was acquired by Microsoft last year.

“Software security is a community effort; no single company can find every vulnerability or secure the open source supply chain behind everyone’s code. Semmle’s community-driven approach to identifying and preventing security vulnerabilities is the very best way forward,” said Friedman.

Semmle allows developers to write queries that identify code patterns in large codebases and search for vulnerabilities and their variants. It is used by organisations such as NASA, Uber, Microsoft and Google and has helped to find thousands of vulnerabilities in some of the largest codebases in the world, as well as over 100 common vulnerabilities and exposures (CVEs), including in high-profile projects like Apache Struts, Apple’s XNU, the Linux kernel, U-Boot and VLC.

Commenting on the acquisition, Semmle CEO Oege de Moor said that by joining GitHub, the 13-year-old company was “taking the next step in changing how software is developed”.

“At Semmle, security researchers discover and study new vulnerabilities to diagnose the conditions that made the code vulnerable. They express those conditions as simple queries over code. Those queries can be shared and refined, making it easier to collaborate and eliminate a whole class of vulnerabilities. Developers see the results of those queries directly in their code reviews, making sure that once diagnosed, a new type of vulnerability is eradicated forever (and) consumers of open source get more secure, trustworthy frameworks to build on,” De Moor explained.

Shanku Niyogi, GitHub’s senior VP of product and product strategy, noted that the security lifecycle was broken: identifying vulnerabilities was a manual, ad hoc process; vulnerability disclosures were often made irresponsibly, if at all; vulnerabilities were fixed outside of normal open source workflows; and developers were not getting accurate and timely security alerts for their projects.

In addition, updating vulnerable dependencies often took too long (or didn’t happen at all), and there was nothing to prevent the mistake that introduced the vulnerability in the first place from happening again.

“As the home for most of the world’s open source, this is a problem that we at GitHub feel responsible for addressing,” Niyogi said, adding that GitHub was still in the early stages of bringing the Semmle technology to GitHub users.

Niyogi also announced that GitHub has been approved as a CVE Numbering Authority for Open Source projects.

“We believe that fast, unfettered movement of vulnerability data is critical to improving software security… We will now be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry,” he said.
