Whether directly or indirectly, nearly all organizations depend on software created by the open-source community: 97% of applications incorporate open-source code, and 90% of organizations say they use it in some way.
Still, as Log4j showed for open-source components, and as the SUNBURST/SolarWinds compromise showed for the wider software supply chain, that dependency carries real security risk. According to Gartner, 89% of companies experienced a supplier risk event in the past five years, and Argon Security reports that software supply chain attacks grew by more than 300% between 2020 and 2021.
The work of the open-source community is used in almost every software product, so securing it and protecting the community has a big impact, said Mariam Sulakian, senior product manager at GitHub. Vulnerabilities in open-source code can have a global ripple effect across the millions of people and services that rely on it.
GitHub offers several capabilities to help address this problem, and today announced expansions to two of them: GitHub's secret scanning alerts are now available for free on all public repositories, and its push protection feature now supports custom secret patterns. Both capabilities are in public beta.
As the largest open-source community in the world, GitHub is always working to make using and contributing to open source easier, said Sulakian. We give away our most advanced security tools for free on public repositories to help keep open source secure, and to keep those building it safe.
Exposed secrets and credentials are the most common initial attack vector in data breaches, partly because they often go untracked; IBM's 2022 Cost of a Data Breach report puts the average time to identify and contain a breach that starts with compromised credentials at 327 days.
Malicious actors often target leaked secrets and credentials as starting points for larger attacks, like ransomware and phishing campaigns, said Sulakian.
GitHub also partners with more than 100 service providers through its secret scanning partner program, so that many exposed provider-issued secrets can be reported to the issuer and revoked quickly.
In 2022 alone, GitHub detected and notified on more than 1.7 million exposed secrets across public repositories, which works out to more than 4,500 potential secrets leaked in public repositories every day.
Now, GitHub will give open-source developers these alerts too, for free. Once enabled, GitHub directly notifies developers of leaked secrets in code, so they can track alerts, identify the leak's source, and take action. "For example, a user can receive an alert and track remediation for a leaked self-hosted HashiCorp Vault key," said Sulakian.
Secret scanning for public repositories will help millions of developers avoid exposing their credentials and passwords by accident, she said.
The gradual public beta rollout of secret scanning for public repositories began today and the feature should be available to all users by the end of January 2023.
"With secret scanning, we found a ton of important things to address," said David Ross, staff security engineer with Postmates. "On the appsec side, it's often the best way for us to get visibility into issues in the code."
Similarly, businesses often have their own unique set of secrets that they want to detect when exposed and, ideally, block before exposure, Sulakian explained.
With custom patterns, organizations can scan for passwords in connection strings, private keys, and URLs with embedded credentials (among other instances) across thousands of their repositories.
But remediation takes time and significant resources, said Sulakian.
To address this problem, GitHub introduced push protection for GitHub Advanced Security (GHAS) customers in April 2022. The capability aims to prevent leaks proactively: each push is scanned for secrets, and a push that contains one is rejected before it reaches the repository, so the secret never has to be revoked and the history never has to be rewritten.
In the eight months since that release, GitHub has prevented more than 8,000 secret leaks across 100 secret types, said Sulakian. With the enhanced capabilities announced today, organizations with GHAS get additional coverage for what are often their most important secret patterns: those customized and defined internally to their organizations.
With push protection, businesses can prevent accidental leaks of the most critical secrets, said Sulakian.
Push protection for custom patterns can be configured pattern by pattern at the organization or repository level, Sulakian explained. With the capability enabled, GitHub blocks pushes that contain matches for the defined pattern. Organizations can decide which patterns to push-protect based on each pattern's false-positive rate, enabling blocking only once a pattern has been tuned to alert cleanly.
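To make the custom-pattern and push-protection mechanics concrete, here is an added example that is not GitHub's code or part of the original article: a small local scanner that applies the three kinds of custom pattern the article names (passwords in connection strings, private keys, URLs with embedded credentials) to the added lines of a git diff, skips obvious placeholders to keep false positives down, and then decides, pattern by pattern, whether a push should be blocked or merely alerted on. The regexes, the placeholder list, the sample diff and the hook wiring are all illustrative assumptions, not GitHub's actual pattern set or behaviour.

```python
"""Local secret scanner modelled on pattern-by-pattern push protection.

Added example, not GitHub's code. The regexes below are illustrative custom
patterns; the sample diff is constructed. To use as a hook (assumption):
    git diff --cached -U0 | python block_secrets.py
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Illustrative custom patterns of the kind the article describes. Group 1
# (or group 2 for URLs) captures the secret value so it can be redacted.
PATTERNS = {
    "connection-string-password": re.compile(r"""(?i)(?:password|pwd)=([^;\s"']{8,})"""),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "url-embedded-credentials": re.compile(r"[a-z][a-z0-9+.-]*://([^:/\s@]+):([^@/\s]+)@[^\s/]+"),
}

# Values that look like secrets but are placeholders (env-var references,
# <angle-bracket> templates, well-known dummies). Skipping these is how a
# pattern's false-positive rate is tuned before blocking is switched on.
PLACEHOLDERS = re.compile(r"(?i)^(?:\$\{?[a-z_][a-z0-9_]*\}?|<[^>]+>|changeme|example|xxx+)$")


@dataclass
class Finding:
    pattern: str
    line_no: int   # line number within the scanned text (diff or file)
    snippet: str   # redacted secret, or the literal match for key headers


def is_placeholder(value: str) -> bool:
    return bool(PLACEHOLDERS.match(value))


def redact(secret: str, keep: int = 4) -> str:
    """Show a short prefix so a developer can locate the secret, hide the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_lines(lines: list[str], first_line_no: int = 1) -> list[Finding]:
    """Apply every custom pattern to each line; report non-placeholder matches."""
    findings: list[Finding] = []
    for offset, line in enumerate(lines):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if m.groups():
                    secret = m.group(2) if name == "url-embedded-credentials" else m.group(1)
                    if is_placeholder(secret):
                        continue
                    snippet = redact(secret)
                else:
                    snippet = m.group(0)  # key header carries no secret material itself
                findings.append(Finding(name, first_line_no + offset, snippet))
    return findings


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the lines a push would add ('+' lines, excluding '+++' headers)."""
    findings: list[Finding] = []
    for n, raw in enumerate(diff.splitlines(), 1):
        if raw.startswith("+") and not raw.startswith("+++"):
            findings.extend(scan_lines([raw[1:]], first_line_no=n))
    return findings


def decide_push(diff: str, block_patterns: set[str]) -> tuple[str, list[Finding]]:
    """Mimic pattern-by-pattern push protection: matches for patterns in
    block_patterns reject the push; all other matches are surfaced as alerts."""
    findings = scan_diff(diff)
    blocking = [f for f in findings if f.pattern in block_patterns]
    return ("blocked" if blocking else "allowed"), findings


# Constructed sample diff: one real connection-string password, one URL with
# real credentials, one URL with env-var placeholders, and a private key header.
SAMPLE_DIFF = """\
diff --git a/config/app.ini b/config/app.ini
--- a/config/app.ini
+++ b/config/app.ini
@@ -1,3 +1,5 @@
 [database]
-conn = Server=db;User Id=app;Password=${DB_PASSWORD};
+conn = Server=db;User Id=app;Password=Hunter2Hunter2!;
+cache = redis://default:s3cretpass@cache.internal:6379
+mirror = https://${MIRROR_USER}:${MIRROR_PASS}@mirror.internal/
+-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    diff_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    status, found = decide_push(diff_text, {"private-key-block", "url-embedded-credentials"})
    for f in found:
        print(f"line {f.line_no}: {f.pattern}: {f.snippet}")
    print(status)
    sys.exit(1 if status == "blocked" else 0)
```

Run without a pipe and it scans the constructed diff: the env-var placeholders on the `mirror` line are ignored, while the connection-string password, the redis credentials and the private key header each produce a finding. Which of those findings turn into a rejected push depends only on the `block_patterns` set, mirroring how an organization would enable blocking for high-confidence patterns first and leave noisier ones in alert-only mode.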
"Integrating this capability into a developer's flow saves time and helps educate on best practices," said David Florey, software engineering director at Intel.
If I attempt to push a secret, I immediately know it, he said.
The GitHub tool stops him before a secret is pushed into the codebase, he said; whereas, if he relied solely on external scanning tools to scan the repository after the secret's already been exposed, "I'll need to quickly revoke the secret and refactor my code."
With threat actors increasingly targeting leaked secrets and credentials, GitHub customers are investing more resources to secure their increasingly complex software supply chain, said Sulakian.
Organizations constantly seek to detect and fix vulnerabilities earlier in the software lifecycle to improve overall security, save costs related to reactive work by appsec teams, and minimize damage, said Sulakian.
GitHub helps application security teams rapidly identify and remediate the vulnerabilities in users' code, she said. The company has built its tools, many of them free, to integrate directly into developer workflows to enable more secure, faster coding. Recently, it also introduced private vulnerability reporting, which lets researchers disclose vulnerabilities to maintainers privately inside GitHub rather than in a public issue.
Our philosophy is to make all our advanced security features available for free on public repositories, said Sulakian.
Ultimately, she maintained, as the home for open source and 94-plus million developers, GitHub can advance the state of software security more than any other team or platform.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.
Read the original post:
Open-source code is everywhere; GitHub expands security tools to help ...