GitHub now warns devs about bugs that led to Equifax breach
- 19 October, 2018 05:39
Microsoft-owned code hosting repository GitHub has expanded its security alerts program to warn developers about known vulnerabilities in Java and .NET, two of today’s most popular programming languages.
GitHub’s security alerts service aims to help developers plug known security holes in dependencies used by projects hosted on GitHub.
Dependencies are packages, such as software libraries, written in different programming languages that a code repository may depend on.
Bugs in open source libraries run the risk of quietly slipping into many projects when the same code is shared among developers.
The most well known case of a vulnerable dependency enabling a major data breach was credit firm Equifax, which used a vulnerable version of Apache Struts — a framework for building Java web apps. Hackers exploited the Struts flaw to steal personal information from over 145 million people.
The addition of Java and Microsoft’s .NET marks a major expansion given their widespread use among programmers.
GitHub’s security alerts only provide alerts for bugs in packages that are assigned a Common Vulnerabilities and Exposures (CVE) number, which could mean some bugs are missed.
But, as GitHub notes, it does use public commits on GitHub and a review process to detect bugs that haven’t been assigned a CVE.