GitHub says 99% of security incidents on its mega-popular code-sharing platform come from developer mistakes, and launches a new tool to help save programmers from themselves

  • GitHub is rolling out new tools to help developers on its platform avoid security blunders.
  • Over 99% of security incidents on GitHub stem from developer mistakes, a product head told Insider.
  • GitHub is also partnering with firms like Amazon Web Services and Google Cloud to secure open source.
  • See more stories on Insider’s business page.

GitHub, the ubiquitous online code repository, is rolling out a suite of new security tools — and the company hopes the new offerings will help save developers from themselves.

The company, a Microsoft subsidiary, just released a new “security overview” dashboard, currently in beta, that lets developers see all the risks present in their software. GitHub is also expanding its secret-scanning tool to general access this month, which automatically alerts developers when they’ve accidentally included sensitive information in their code. 

Indeed, the vast majority of security incidents on GitHub stem from developer mistakes — more than 99%, according to GitHub senior director of product management Grey Baker.

The new offerings are the latest in GitHub’s effort to take advantage of its unique position as world’s largest open source repository to close security holes in the code underlying much of the modern internet. The company’s strategy hinges on building automated tools that encourage DevSecOps — short for developer security operations, the practice of having security built into the code as developers write it, not added afterwards.

A rising trend in the software industry, the DevSecOps philosophy holds that the only way for programmers to keep up the pace required by the modern software economy while still securing against the ever-growing risk of a data breach or leak is to automate as much of the security process as possible. 

“There are a lot more developers out there than there are security professionals. Like, 500 times more,” said Baker. “If you want DevSecOps to work, you have to approach it from the developer’s perspective.”

When a developer makes a mistake in their publicly available code, it can turn into a security crisis in a matter of minutes.

Malicious bots built by cybercriminals are constantly monitoring open source repositories for sensitive information that could be used against developers. Security researcher Andrzej Dyjak recently tested those bots by including a secret — an Amazon Web Services key that grants control over a cloud repository — in his code, and found that malicious bots were trying to exploit the key within 10 minutes of its publication.


But in Dyjak’s case, GitHub’s secret scanning worked as intended: before the malicious bots found the secret, GitHub automatically alerted AWS of the breached key, protecting the repository.

GitHub now has partnerships with over 35 companies including Google Cloud, AWS, and Alibaba to automatically flag keys that are leaked in open source code, and Baker said GitHub has implemented a delay that prevents new code from being searchable for a few minutes so its secret scanning tools can detect problems before malicious bots can find them.

“When I’m advising a large organization about what they should be doing to secure their software, their applications, it’s almost always the boring stuff,” Baker said. “We want to move to a point with secret scanning where we’re no longer finding vulnerabilities after the fact; we’re preventing them from getting pushed at all.”

Source: Read Full Article