UPDATED 12:12 EST / NOVEMBER 17 2017

APPS

GitHub’s new security tool flags vulnerable project components

There’s always a risk that one of the numerous third-party components used in the typical application project might contain a security flaw exploitable by hackers. GitHub Inc., the code hosting provider, has set out to mitigate this threat.

The company on Thursday introduced a new security tool that alerts developers when an external component on which their GitHub project depends is found to contain a vulnerability. According to GitHub, more than three-quarters of the 67 million code repositories hosted on its service rely upon at least one other project. They form one large, interdependent ecosystem that can be heavily affected if an exploit is found in a popular package.

The security tool builds upon a feature called Dependency Graph that GitHub launched last month to map out how users’ projects connect with one another. It shows developers what external components their repositories use, which can be a major help in large projects maintained by multiple contributors. Thanks to the new update, they can now also have GitHub alert them when an exploit is found.

The tool relies on data from the U.S. government’s National Vulnerability Database. When a match is detected, GitHub says that the algorithms running behind the scenes not only send out an alert but also check if there’s a patched version of the affected package on its platform.

By default, notifications are only sent to the administrators of a project. More users and teams can be added to the mailing list through the GitHub management console. A developer could, for example, bring their organization’s cybersecurity group into the mix to help them quickly respond to new vulnerabilities.

GitHub’s security tool currently works with code written in JavaScript and Ruby. The company will add support for the Python programming language next year, as well as work to help developers identify exploits that aren’t listed in the National Vulnerability Database.

GitHub is not the only provider working to protect users from compromised packages. Docker Inc., the software container pioneer, last year launched a similar tool that can scan the application images in a company’s internal repository for known security issues.

Image: Unsplash

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU