UPDATED 13:30 EDT / SEPTEMBER 18 2019

SECURITY

GitHub automates vulnerability discovery with Semmle code analysis engine

Software development platform GitHub Inc. is making it easier for security researchers to identify vulnerabilities in the code it hosts after acquiring a company called Semmle Ltd.

Semmle has built what GitHub says is a “revolutionary code analysis engine” that works by performing “variant analysis” on entire codebases to spot mistakes that might create a vulnerability.

This kind of code inspection is normally performed manually by security researchers using tools such as grep or AWK through an integrated development environment. It’s usually a cumbersome process, and it requires that the security researcher have both deep knowledge of the codebase and a good understanding of the relevant threat models.

GitHub says this makes variant analysis a challenge, because most software organizations don’t actually have any security researchers on staff. Moreover, the developers themselves aren’t usually equipped to spot vulnerabilities. So what’s needed is a platform that’s able to automate much of the process and make it easier to find vulnerabilities.

That’s where Semmle’s code analysis engine comes into play. The platform works by treating code as data, and combines “the latest research in compiler optimization” with “insights in database implementation” so that code can be queried using a declarative, object-oriented query language, in a similar way to how databases are queried for insights.

This should be useful because numerous vulnerabilities are caused by the same type of coding mistake, GitHub said. With Semmle, it’s possible to find all variations of a coding mistake from a single query and then eliminate hundreds of vulnerabilities in one fell swoop.
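Semmle’s engine is queried in its own language, QL (the page does not name it; that Semmle’s query language is QL, later marketed as CodeQL, is stated here as background, not taken from the article). The query below is an added illustration written for this piece against the CodeQL C/C++ standard library as the editor knows it; it is not code from the article, from GitHub or from Semmle. It shows the “code as data” idea in the paragraph above: one declarative query that selects every call to an unbounded string-copy routine whose destination is a fixed-size local array, so that every variant of that single mistake across a whole codebase is reported at once. The library names used (`FunctionCall`, `LocalVariable`, `VariableAccess`, `ArrayType`, `getTarget`, `getArgument`, `getUnspecifiedType`) are standard-library classes and predicates; the function list and the `@id` are the example’s own choices.

```ql
/**
 * @name Unbounded string copy into a local array
 * @description Finds every call to strcpy, strcat or sprintf whose
 *              destination is a fixed-size local array, in one query
 *              over the whole codebase (variant analysis).
 * @kind problem
 * @problem.severity warning
 * @id example/unbounded-copy-into-local-array
 */

// Added example, not Semmle's or GitHub's code: uses the CodeQL C/C++ library.
import cpp

// Library routines that write to their first argument with no length bound.
// The list is an assumption for this example; a real query would be broader.
predicate unboundedCopy(Function f) {
  f.getName() = "strcpy" or
  f.getName() = "strcat" or
  f.getName() = "sprintf"
}

from FunctionCall call, LocalVariable buf
where
  unboundedCopy(call.getTarget()) and
  // The destination argument is a direct reference to a local variable ...
  call.getArgument(0).(VariableAccess).getTarget() = buf and
  // ... whose declared type is an array, e.g. `char buf[64]`.
  buf.getType().getUnspecifiedType() instanceof ArrayType
select call,
  "Unbounded copy into local array '" + buf.getName() + "' via " +
    call.getTarget().getName() + "()."
```

The query is relational in the sense the article describes: `from` declares the entities, `where` joins them through facts the engine extracted from the compiled code (call target, argument, variable type), and `select` reports each match. Adding a new variant of the mistake, say a fourth routine or heap buffers of known size, means editing the query once rather than re-auditing each file by hand.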

“Just as relational databases make it simple to ask very sophisticated questions about data, Semmle makes it much easier for researchers to identify security vulnerabilities in large code bases quickly,” GitHub said in a blog post.

Constellation Research Inc. analyst Holger Mueller said Semmle’s capabilities are important because many repositories these days are more like “large scale pharmaceutical warehouses” where much of the code is simply forgotten about.

“But this code needs to be constantly monitored for relevance, functional readiness and safety,” Mueller said. “So automatic code scanning is the key to doing this.”

GitHub said Semmle’s code analysis engine is now available in all public repositories on GitHub, and for all enterprise customers.

In addition to the new tool, GitHub said it has become an official Common Vulnerabilities and Exposures Numbering Authority, something that will make it easier for code maintainers to report vulnerabilities directly from their repositories.

CVE Numbering Authorities are organizations that have been authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. CVE IDs are then provided as needed to researchers, vulnerability disclosers and information technology companies.

“GitHub will assign a CVE ID, post to the CVE List, and then to the National Vulnerability Database (NVD) on a developer’s behalf,” it said in a blog post. “By making this process simple and native to the GitHub experience, GitHub believes more vulnerabilities will be disclosed, and then alerted to affected teams more quickly.”

“Becoming a CVE is advantageous for GitHub because any vulnerabilities discovered can now be communicated and tracked,” Mueller said.

