GitHub now warns devs about bugs that led to Equifax breach

Microsoft-owned code hosting repository GitHub has expanded its security alerts program to warn developers about known vulnerabilities in Java and .NET, two of today’s most popular programming languages. 

GitHub’s security alerts service aims to help developers plug known security holes in dependencies used by projects hosted on GitHub. 

Dependencies are packages, such as software libraries, written in different programming languages that a code repository may depend on.

GitHub scans for vulnerabilities in dependencies, which until now has focussed on popular programming languages JavaScript, Ruby, and Python. 

Bugs in open source libraries run the risk of quietly slipping into many projects when the same code is shared among developers.   

The most well known case of a vulnerable dependency enabling a major data breach was credit firm Equifax, which used a vulnerable version of Apache Struts — a framework for building Java web apps. Hackers exploited the Struts flaw to steal personal information from over 145 million people. 

GitHub's security alerts could have a big impact on security of projects that may come to affect end-users. In May, GitHub reported having found four million vulnerabilities in half a million repositories when it was only scanning for bugs in Ruby and JavaScript dependencies. That led to a major clean up effort that resulted in repository owners fixing 450,000 vulnerabilities.     

The addition of Java and Microsoft’s .NET marks a major expansion given their widespread use among programmers. 

Java has consistently run second to the most popular language, JavaScript, over the past three years, according to GitHub’s 2018 Octoverse report, while .NET is one of the world’s top programming languages.    

GitHub’s security alerts only provide alerts for bugs in packages that are assigned a Common Vulnerabilities and Exposures (CVE) number, which could mean some bugs are missed.  

Read more: DHS warns of another dangerous flaw in Advantech WebAccess SCADA software

But, as GitHub notes, it does use public commits on GitHub and a review process to detect bugs that haven’t been assigned a CVE. 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags open sourceMicrosoftjava.netpythonGitHub

More about ApacheEquifaxMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts