Microsoft adds ‘critical’ feature for GitHub security

A deeper integration between Microsoft Sentinel and GitHub is a win for application security, marking a major step toward helping companies address security challenges in the software supply chain, cybersecurity industry executives told VentureBeat.

The expanded integration announced today enables continuous threat monitoring for GitHub — the widely used code-hosting platform owned by Microsoft. It does so by tying enterprise-licensed GitHub repositories to Microsoft’s security information and event management (SIEM) platform, Sentinel, according to the company.

This allows Microsoft Sentinel to ingest GitHub audit logs, providing capabilities such as tracking for events — including new repository creation or deletion—and counts for the number of repository clones, Microsoft said in a post today.

“It is highly important to track the different activities in the company’s GitHub repository, to identify suspicious events, and to have the ability to investigate anomalies in the environment,” Microsoft product manager, Koby Mymon, wrote in the post.

Application insecurity

The announcement comes amid growing concerns about application security and the prevalence of insecure software supply chains. High-profile incidents have included the SolarWinds and Kaseya breaches, while overall attacks involving software supply chains surged by more than 300% in 2021, Aqua Security reported.

Open source vulnerabilities such as the widespread flaws in the Apache Log4j logging library and the Linux polkit program have underscored the issue. On Monday, The Open Source Security Foundation announced a new project designed to secure the software supply chain, backed by $5 million from Microsoft and Google.

The expanded integration between GitHub and Microsoft’s SIEM “provides critical visibility into software supply chain security risk — including commits that violate secure code policy or user attempts to overwrite code,” said Jasmine Hex, field security director at cyber asset management platform vendor JupiterOne, in an email.

A capacity for visibility and response is especially important because threat actors have escalated attempts to exploit Git services, Hex said.

“The integration between Microsoft Sentinel and GitHub will drive crucial situational awareness among security response teams by providing context into events,” she said. “Teams can understand if questionable GitHub changes are correlated with other high-risk patterns of behavior across different systems and services, such as suspicious user patterns or account changes.”

‘First step’

A company’s source code repository is among the most sensitive information many organizations have, noted John Bambenek, principal threat hunter at IT and security operations firm Netenrich.

“We have been struggling to keep up with even basic auditing tasks, now that cloud source code repositories are the norm,” Bambenek said in an email. “This [integration] is the first step to getting basic visibility and monitoring for control violations for organizations. And getting that into a SIEM means alerts can automatically be generated when there are suspicious events.”

Prakash Linga, cofounder and CEO at code security platform vendor BluBracket, said in an email that the move by Microsoft “represents a broader mainstream recognition that code and code repositories are a growing and largely unprotected risk surface.”

Clearly, event tracking and identifying suspicious activities in GitHub is crucial for mitigating the risk of data exfiltration and breeches, said Adam Gavish, cofounder and CEO at software-as-a-service (SaaS) security vendor DoControl.

But it’s important to also remember that many “insider” threats are accidental, with no malicious intent, Gavish said in an email. “It’s purely a matter of human error.”

For example, uploading the wrong source code to a public repo in GitHub — which was meant to be private — is likely the result of a developer not paying close enough attention, he said. Thus, along with event tracking, preventative measures to remove human error should be considered as well, Gavish said.

Growing business

Microsoft Sentinel now has 15,000 customers, up 70% from a year ago, Microsoft CEO Satya Nadella disclosed last week. All in all, Microsoft reports having 715,000 security customers. Revenue for its security business grew 45% year-over-year, surpassing $15 billion, during the past 12 months, Nadella said.

In other GitHub developments, the platform announced today that it has launched a new feature that allows companies and developers to offer project sponsors special access to a private repository. GitHub Sponsors was first introduced in 2019, enabling anyone to donate to open source projects and maintainers who dedicate their time to supporting critical software.

Now, however, there will be an extra perk for developers and companies that have enabled GitHub Sponsors for their projects — they will be able to reward and incentivize sponsors by giving them exclusive access to a private repository.

Meanwhile, GitHub also experienced an outage today, which lasted about 20 minutes and caused “degraded performance” for GitHub Actions, Issues, Pull Requests, and Codespaces, the company said.