GitHub Inspection Discovers 4 Million Flaws In Public Code


Bug hunting. First inspection run of public code libraries reveals four million vulnerabilities

GitHub has revealed that its first security sweep has found over four million vulnerabilities in over 500,000 repositories.

The world’s largest code-sharing platform said that it had alerted the repository admins about the flaws.

Last November GitHub said it would begin alerting developers when their code has a known vulnerability in what was described as an “important step” for open source security.


Open source security

At present, only the JavaScript and Ruby languages are supported, but Python is also expected to be included in the security sweep.

“As more developers draw from existing code libraries to build new tools, tracking changes in dependencies like security vulnerabilities has become more difficult,” blogged GitHub.

The developer community appears to be acting on GitHub’s security sweep.

“By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version,” wrote GitHub.

“Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent,” it added. “Additionally, 15 percent of alerts are dismissed within seven days – that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

“Security alerts are opening the door to new ways we can improve code checking and generation by combining publicly available data with GitHub’s unique data set,” it wrote. “And this is just the beginning – we’ve got more ways to help you keep code safer on the way!”

Welcomed move

GitHub’s security screening has been welcomed by some security experts.

“In general, we support initiatives like GitHub’s Security Alerts as they aim to help open source project teams produce more secure code,” explained Tim Mackey, technology evangelist at open source code security experts Black Duck by Synopsys.

“Open source is pervasive and it plays an increasingly critical role in the software ecosystem, so any measures that bolster open source security should be applauded,” he added.

It should be noted that Black Duck by Synopsys provides a similar free service, called CoPilot, for open source project teams.

GitHub, meanwhile, was in the news earlier this month when it was briefly hit by one of the most powerful distributed denial-of-service (DDoS) attacks ever seen.

Indeed the DDoS attack was so powerful that it briefly took down the website of GitHub, and at its peak, the cyber attack reached an incredible 1.35Tbps.
