GitHub now warns devs about bugs that led to Equifax breach

  • Liam Tung (CSO Online)
  • 19 October, 2018 05:39

Microsoft-owned code hosting repository GitHub has expanded its security alerts program to warn developers about known vulnerabilities in Java and .NET, two of today’s most popular programming languages. 

GitHub’s security alerts service aims to help developers plug known security holes in dependencies used by projects hosted on GitHub. 

Dependencies are packages, such as software libraries, written in different programming languages that a code repository may depend on.

GitHub's scanning for vulnerable dependencies has until now focussed on three popular languages: JavaScript, Ruby, and Python. 

Bugs in open source libraries run the risk of quietly slipping into many projects when the same code is shared among developers.   

The best-known case of a vulnerable dependency enabling a major data breach is that of credit reporting firm Equifax, which used a vulnerable version of Apache Struts — a framework for building Java web apps. Hackers exploited the Struts flaw to steal personal information from over 145 million people. 

GitHub's security alerts could have a big impact on the security of projects that may come to affect end-users. In May, GitHub reported having found four million vulnerabilities in half a million repositories when it was only scanning for bugs in Ruby and JavaScript dependencies. That led to a major clean-up effort in which repository owners fixed 450,000 vulnerabilities.

The addition of Java and Microsoft’s .NET marks a major expansion given their widespread use among programmers. 

Java has consistently run second to the most popular language, JavaScript, over the past three years, according to GitHub’s 2018 Octoverse report, while .NET is one of the world’s top programming languages.    

GitHub’s security alerts only cover bugs in packages that have been assigned a Common Vulnerabilities and Exposures (CVE) number, which could mean some bugs are missed.  

But, as GitHub notes, it does use public commits on GitHub and a review process to detect bugs that haven’t been assigned a CVE.
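As an added illustration (not GitHub's code and not from the article), the following Python sketch shows the mechanism behind such a dependency alert: it parses a constructed Maven pom.xml, matches each dependency against a constructed advisory list with affected version ranges, and shows the caveat from the last two paragraphs, that an advisory without a CVE is only caught if the feed also carries reviewed advisories. The package names, placeholder advisory ids and version ranges are all assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest (Maven pom.xml fragment). A real pom carries a
# default XML namespace, which is omitted here to keep tag lookups simple.
POM_XML = """<project>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>2.3.31</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>2.9.10</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed. Ids are placeholders, not real CVE/GHSA numbers;
# "source" records whether the entry came from a CVE or from a manual review.
ADVISORIES = [
    {"id": "CVE-XXXX-PLACEHOLDER", "package": "org.apache.struts:struts2-core",
     "affected": ("2.3.5", "2.3.31"), "fixed": "2.3.32", "source": "cve"},
    {"id": "REVIEW-PLACEHOLDER", "package": "com.fasterxml.jackson.core:jackson-databind",
     "affected": ("2.9.0", "2.9.10"), "fixed": "2.9.10.1", "source": "review"},
]

def parse_version(v):
    """Turn '2.9.10.1' into (2, 9, 10, 1) so tuples compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_pom(xml_text):
    """Return {'groupId:artifactId': version} for every <dependency>."""
    root = ET.fromstring(xml_text)
    deps = {}
    for d in root.iter("dependency"):
        key = f"{d.findtext('groupId')}:{d.findtext('artifactId')}"
        deps[key] = d.findtext("version")
    return deps

def find_alerts(deps, advisories, cve_only=False):
    """Match pinned versions against affected ranges; cve_only mimics a feed
    that ignores advisories which have no CVE number."""
    alerts = []
    for adv in advisories:
        if cve_only and adv["source"] != "cve":
            continue
        ver = deps.get(adv["package"])
        if ver is None:
            continue
        lo, hi = adv["affected"]
        if parse_version(lo) <= parse_version(ver) <= parse_version(hi):
            alerts.append((adv["package"], ver, adv["id"], adv["fixed"]))
    return alerts
```

Running `find_alerts(parse_pom(POM_XML), ADVISORIES)` reports both dependencies, while `cve_only=True` drops the reviewed-only advisory and reports just the Struts entry.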