A year ago, at Universe 2019, GitHub unveiled a new initiative to improve code security. GitHub Security Lab aims to help secure the open source ecosystem by making cooperation between everyone with a stake in secure software (developers, companies and security researchers) simpler and more effective. Security Lab partners include Google, Uber, Mozilla and Oracle.
Security research, community and industry engagement
The initiative focuses on three key areas: security research, community building and industry engagement. At its core, GitHub Security Lab is a team of security researchers who look for vulnerabilities in open source software (OSS) before they become exploits, that is, before an attacker can take advantage of them. According to GitHub, the team found over 400 vulnerabilities in its first year through variant analysis driven by its own code analysis engine, CodeQL, as well as targeted fuzzing and manual code review. Large projects such as Google Chrome, Android, the Linux kernel, Ubuntu and Java enterprise applications were among those affected, GitHub says.
The team also reportedly helped stop an active attack on an OSS supply chain. In addition, the initiative recently helped identify and fix a critical remotely exploitable vulnerability in Germany's COVID-19 infrastructure, GitHub states.
Goals for 2021
For the coming year, the team has set itself the goal of further improving the workflow for fixing OSS vulnerabilities and engaging the community more closely. The research team also wants to broaden its scope rather than focus solely on vulnerabilities in open source code. OSS components distributed via package managers, for example, are increasingly the target of attacks such as package hijacking and malware. Security Lab sees an opportunity to help here as well.
Last but not least, GitHub Security Lab aims to help bridge the gap between the security and developer communities. Writing CodeQL queries is a first step, but the research team wants to go further, for example with new educational content and by supporting contributions from the community and the Open Source Security Foundation (OpenSSF). More information about GitHub Security Lab and its first anniversary can be found in the article on the GitHub blog.