UPDATED 12:12 EDT / NOVEMBER 17 2017

GitHub’s new security tool flags vulnerable project components

There’s always a risk that one of the numerous third-party components used in the typical application project might contain a security flaw exploitable by hackers. GitHub Inc., the code hosting provider, has set out to mitigate this threat.

The company on Thursday introduced a new security tool that alerts developers when an external component on which their GitHub project depends is found to contain a known vulnerability. According to GitHub, more than three-quarters of the 67 million code repositories hosted on its service rely upon at least one other project. Together they form one large, interdependent ecosystem that can be heavily affected when a vulnerability is found in a popular package.

The security tool builds upon a feature called Dependency Graph that GitHub launched last month to map out how users’ projects connect with one another. It shows developers which external components their repositories use, which can be a major help in large projects maintained by multiple contributors. With the new update, GitHub can now also alert them when a known vulnerability is disclosed in one of those components.

The tool relies on data from the U.S. government’s National Vulnerability Database. When a dependency in a repository’s graph matches an NVD entry, GitHub says its matching process not only sends out an alert but also checks whether a patched version of the affected package is available and, if so, points to it.
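To make the mechanism the article describes concrete, here is an added example (not GitHub’s code, and not from the article) of the core step: taking the exact versions a project has resolved in its lockfile, matching each package against a list of advisories by ecosystem, name and affected version range, and reporting whether a patched release exists. The lockfile, the package names and the advisory identifiers (`EXAMPLE-2017-000x`) are all constructed for the example; the identifiers are placeholders, not real CVE entries, and the version-range fields are an assumed simplification of what a real advisory feed carries.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a minimal npm package-lock.json (lockfileVersion 1 layout).
# A lockfile is used rather than package.json because it records the exact
# version that was installed, which is what has to be compared against an advisory.
SAMPLE_LOCKFILE = """
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "example-parser": {"version": "2.3.0"},
    "example-logger": {"version": "1.5.2"},
    "example-crypto": {"version": "3.1.0"},
    "example-http":   {"version": "4.0.0-beta.2"}
  }
}
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # placeholder identifier for this example, not a real CVE
    ecosystem: str           # "npm", "rubygems", ...
    package: str
    affected_from: str       # first vulnerable version (inclusive)
    fixed_in: Optional[str]  # first patched version (exclusive bound); None = no fix known


# Constructed advisories. The rubygems entry shares a package name with an npm
# entry to show that matching must be scoped to the ecosystem.
ADVISORIES = [
    Advisory("EXAMPLE-2017-0001", "npm", "example-parser", "1.0.0", "2.4.1"),
    Advisory("EXAMPLE-2017-0002", "npm", "example-logger", "1.0.0", None),
    Advisory("EXAMPLE-2017-0003", "npm", "example-crypto", "3.0.0", "3.0.2"),
    Advisory("EXAMPLE-2017-0004", "rubygems", "example-parser", "0.0.0", "2.9.0"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a comparable tuple.

    Pre-release and build suffixes are dropped, so '4.0.0-beta.2' compares as
    4.0.0. Missing components are padded with zeros ('1.2' -> (1, 2, 0)).
    """
    core = version.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str, adv: Advisory) -> bool:
    """True when `version` lies in the half-open range [affected_from, fixed_in)."""
    v = parse_version(version)
    if v < parse_version(adv.affected_from):
        return False
    if adv.fixed_in is not None and v >= parse_version(adv.fixed_in):
        return False
    return True


def load_lockfile_dependencies(lockfile_text: str) -> Dict[str, str]:
    """Map each dependency name to the exact version recorded in the lockfile."""
    data = json.loads(lockfile_text)
    return {name: entry["version"] for name, entry in data.get("dependencies", {}).items()}


def scan_dependencies(deps: Dict[str, str], advisories: List[Advisory],
                      ecosystem: str) -> List[dict]:
    """Return one finding per (dependency, advisory) match, sorted by package name."""
    findings = []
    for name, version in sorted(deps.items()):
        for adv in advisories:
            if adv.ecosystem != ecosystem or adv.package != name:
                continue
            if not is_affected(version, adv):
                continue
            findings.append({
                "package": name,
                "installed": version,
                "advisory": adv.advisory_id,
                "fixed_in": adv.fixed_in,
                "action": (f"upgrade to {adv.fixed_in} or later" if adv.fixed_in
                           else "no patched release known; mitigate or replace"),
            })
    return findings


def scan_npm_lockfile(lockfile_text: str, advisories: List[Advisory] = ADVISORIES) -> List[dict]:
    return scan_dependencies(load_lockfile_dependencies(lockfile_text), advisories, "npm")


if __name__ == "__main__":
    for f in scan_npm_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['advisory']}: {f['package']}@{f['installed']} -> {f['action']}")
```

Two things worth noting from the code. First, the only lockfile entries that produce findings are the ones whose installed version falls inside an advisory’s range and whose ecosystem matches; `example-crypto` at 3.1.0 is clear because it is past the fixed version, and the rubygems advisory never touches the npm lockfile. Second, `parse_version` deliberately ignores pre-release tags, so `4.0.0-beta.2` is treated as 4.0.0; under real semver a pre-release sorts before the release it precedes, so a production matcher needs full semver comparison or it will misjudge versions right at a range boundary.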

By default, notifications are only sent to the administrators of a repository. Administrators can add more users and teams as alert recipients in the repository’s settings. An administrator could, for example, bring their organization’s security team into the loop so that new vulnerabilities are triaged and responded to quickly.

GitHub’s security tool currently works with projects written in JavaScript and Ruby. The company will add support for the Python programming language next year, and also plans to identify vulnerabilities that have no entry in the National Vulnerability Database.

GitHub is not the only provider working to protect users from vulnerable packages. Docker Inc., the software container pioneer, last year launched a similar tool that scans the container images in a company’s private repository for known security issues.
