Whether directly or indirectly, nearly all organizations depend on software created by the open-source community. In fact, an incredible 97% of applications incorporate open-source code, and 90% of organizations say they are using it in some way.
Still, as evidenced by Log4j (Log4Shell) and the SUNBURST/SolarWinds compromise (and many others), both open-source dependencies and the wider software supply chain can carry serious security risk. According to Gartner, 89% of companies experienced a supplier risk event in the past five years, and Argon Security reports that software supply chain attacks grew by more than 300% between 2020 and 2021.
The work of the open-source community “is used in almost every software product, so securing it and protecting the community has a big impact,” said Mariam Sulakian, senior product manager at GitHub. “Vulnerabilities in open-source code can have a global ripple effect across the millions of people and services that rely on it.”
GitHub offers several capabilities to help address this problem, and today announced expansions to two of them: its secret scanning alerts are now available for free on all public repositories, and its push protection feature now covers custom secret patterns. Both capabilities are in public beta.
“As the largest open-source community in the world, GitHub is always working to make using and contributing to open source easier,” said Sulakian. “We give away our most advanced security tools for free on public repositories to help keep open source secure, and to keep those building it safe.”
Keeping secrets safe
“Malicious actors often target leaked secrets and credentials as starting points for larger attacks, like ransomware and phishing campaigns,” said Sulakian.
GitHub also partners with more than 100 service providers through its secret scanning partner program: when a partner's token format is detected in a public repository, the partner is notified so it can revoke or rotate the credential quickly.
In 2022 alone, GitHub detected and notified on more than 1.7 million potential secrets exposed across public repositories, which works out to more than 4,500 potential secret leaks found per day.
Now, GitHub will empower open-source developers with these alerts too, and for free. Once enabled, GitHub directly notifies developers of leaked secrets in code. This enables them to easily track alerts, identify the leak’s source, and take action. For example, a user can receive an alert and track remediation for a leaked self-hosted HashiCorp Vault key, said Sulakian.
“Secret scanning for public repositories will help millions of developers avoid exposing their credentials and passwords by accident,” she said.
The gradual public beta rollout of secret scanning for public repositories began today and the feature should be available to all users by the end of January 2023.
“With secret scanning, we found a ton of important things to address,” said David Ross, staff security engineer with Postmates. “On the appsec side, it’s often the best way for us to get visibility into issues in the code.”
GitHub is pushing security forward
Similarly, businesses often have their own unique set of secrets that they want to detect when exposed — and protect before exposure, Sulakian explained.
With custom patterns, organizations define their own regular expressions and scan for matches such as passwords in connection strings, private keys, and URLs with embedded credentials (among other cases) across thousands of their repositories.
“But remediation takes time and significant resources,” said Sulakian.
To address this problem, GitHub introduced push protection for GitHub Advanced Security (GHAS) customers in April 2022. Rather than alerting after a secret has already landed in the repository, push protection scans incoming pushes and rejects any push that contains a supported secret, so the credential never reaches the remote history.
In the eight months since that release, GitHub has prevented more than 8,000 secret leaks across 100 secret types, said Sulakian. With the enhanced capabilities announced today, organizations with GHAS gain additional coverage for what are often their most important secret patterns: those customized and defined internally to the organization.
“With push protection, businesses can prevent accidental leaks of the most critical secrets,” said Sulakian.
Immediate intel before pushing a secret out
Push protection for custom patterns can be configured on a pattern-by-pattern basis at the organization or repository level, Sulakian explained. With the capability enabled, GitHub blocks any push that contains a match for the defined pattern. Because a block stops a developer outright, organizations can choose to push-protect only those patterns whose false-positive rate they have judged acceptable and leave the noisier ones in alert-only mode.
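The following is an added example, not GitHub's code: a client-side equivalent of the two features described above (custom secret patterns, and push protection that blocks on a per-pattern basis), written as a pre-push check that scans only the lines a diff would add. The three regexes mirror the three custom-pattern cases the article lists, the per-pattern blocking switch mirrors the false-positive trade-off, and the placeholder allowlist is the kind of tuning an organization would add to keep `${DB_PASSWORD}`-style values from tripping a block. All pattern names, sample diffs and values are constructed for illustration.

```python
"""Pre-push secret check: scan added lines of a unified diff against
organization-defined patterns and block the push on any match from a
pattern that has been marked push-protected. Added example; not GitHub's
implementation. Patterns, allowlist and sample diffs are constructed."""
import re
from dataclasses import dataclass

# One regex per custom secret kind (hypothetical patterns, not GitHub's).
# A capture group, where present, isolates the secret value for the allowlist check.
CUSTOM_PATTERNS = {
    # password=... inside a connection string
    "connection-string-password": re.compile(r"(?i)\bpassword=([^;\s'\"]{8,})"),
    # PEM private key header
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # scheme://user:password@host, i.e. a URL with embedded credentials
    "url-embedded-credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^/\s@]+)@[^\s/]+"),
}

# Per-pattern push protection: block only where the org accepts the false-positive
# rate; the URL pattern is left alert-only because it also matches test fixtures.
PUSH_PROTECTED = {
    "connection-string-password": True,
    "private-key": True,
    "url-embedded-credentials": False,
}

# Placeholder values that look like secrets but are not (env-var references,
# angle-bracket templates, obvious dummy words).
ALLOWLIST = re.compile(r"(?i)^(?:changeme|\$\{?[A-Z_]+\}?|<[^>]+>|example|placeholder)$")


@dataclass(frozen=True)
class Finding:
    pattern: str
    path: str
    line_no: int   # line number in the new version of the file
    blocking: bool


def scan_added_lines(diff: str) -> list[Finding]:
    """Walk a unified diff and check only '+' lines, the content about to be pushed."""
    findings: list[Finding] = []
    path = "?"
    line_no = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("--- "):
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            line_no = int(hunk.group(1)) - 1  # the next line carries this number
            continue
        if raw.startswith("-"):
            continue  # removed lines are not being pushed
        line_no += 1  # context and added lines both advance new-file numbering
        if not raw.startswith("+"):
            continue
        text = raw[1:]
        for name, pattern in CUSTOM_PATTERNS.items():
            m = pattern.search(text)
            if not m:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            if ALLOWLIST.match(secret):
                continue
            findings.append(Finding(name, path, line_no, PUSH_PROTECTED[name]))
    return findings


def should_block_push(findings: list[Finding]) -> bool:
    """Block if any finding comes from a push-protected pattern."""
    return any(f.blocking for f in findings)


# Constructed sample: a hardcoded DB password, a credentialed clone URL and a
# private key file. Values are made up.
SAMPLE_DIFF = """\
diff --git a/config/app.ini b/config/app.ini
--- a/config/app.ini
+++ b/config/app.ini
@@ -1,3 +1,5 @@
 [database]
 host=db.internal.example
-password=${DB_PASSWORD}
+password=Tr0ub4dor&3rocks
+url=https://deploy:s3cr3tT0ken@git.internal.example/org/repo.git
 pool=10
diff --git a/deploy/id_ci b/deploy/id_ci
new file mode 100644
--- /dev/null
+++ b/deploy/id_ci
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAA
+-----END OPENSSH PRIVATE KEY-----
"""

# Constructed sample that only references an environment variable: allowlisted.
CLEAN_DIFF = """\
--- a/config/app.ini
+++ b/config/app.ini
@@ -1,2 +1,3 @@
 [database]
+password=${DB_PASSWORD}
 pool=10
"""

if __name__ == "__main__":
    found = scan_added_lines(SAMPLE_DIFF)
    for f in found:
        print(f"{'BLOCK' if f.blocking else 'ALERT'} {f.pattern} at {f.path}:{f.line_no}")
    raise SystemExit(1 if should_block_push(found) else 0)
```

Wired in as a `pre-push` hook (`git diff @{upstream}.. | python3 check.py`), a non-zero exit rejects the push locally, which is the same feedback loop the server-side feature gives; the allowlist and the per-pattern `PUSH_PROTECTED` table are where the false-positive tuning the article mentions would live.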
Integrating this capability into a developer’s flow saves time and helps educate on best practices, said David Florey, software engineering director at Intel.
“If I attempt to push a secret, I immediately know it,” he said.
The GitHub tool stops him before a secret is pushed into the codebase, he said, whereas if he relied solely on external tools that scan the repository after the secret is already exposed, "I'll need to quickly revoke the secret and refactor my code."
Earlier detection, remediation
With threat actors increasingly targeting leaked secrets and credentials, GitHub customers are investing more resources to secure their increasingly complex software supply chain, said Sulakian.
“Organizations constantly seek to detect and fix vulnerabilities earlier in the software lifecycle to improve overall security, save costs related to reactive work by appsec teams, and minimize damage,” said Sulakian.
GitHub helps application security teams rapidly identify and remediate the vulnerabilities in users’ code, she said. The company has developed its tools, many of them free, to integrate directly into developer workflows to enable more secure, faster coding. Recently, it also introduced private vulnerability reporting to help organizations easily disclose vulnerabilities and communicate with maintainers.
“Our philosophy is to make all our advanced security features available for free on public repositories,” said Sulakian.
Ultimately, she maintained, “as the home for open source and 94-plus million developers, GitHub can advance the state of software security more than any other team or platform.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.