GitHub security alerts now support Java and .NET projects



Code hosting service GitHub has updated its platform this week, and among the many developer-centric changes, the company also rolled out three new security features for project owners.

The most important of these new security improvements is the expansion of the Security Alerts feature, which now also supports Java and .NET projects, on top of the original JavaScript, Ruby, and Python.

GitHub launched this feature last year, and it works by scanning a project’s dependencies for outdated libraries and modules for which known vulnerabilities exist.

If GitHub’s scanner finds that a developer has used an old library that’s affected by a known security bug, it will show or send an alert urging the developer to update the project’s dependencies.

GitHub launched this feature to great success in November 2017 for JavaScript and Ruby projects and later expanded it to Python projects in July 2018.

Industry experts anticipated that GitHub would expand support to Java (one of the most widely used programming languages, thanks in part to the success of the Android OS) and to .NET (an expected move after Microsoft bought GitHub earlier this year).

By default, GitHub will scan manifest files such as package.json (for JavaScript projects), Gemfile (for Ruby projects), requirements.txt or Pipfile.lock (for Python projects), pom.xml (for Java projects), and one of the many .NET manifest files such as app.manifest, project.json, .csproj files, and .MSBuild files, so make sure your project uses one.
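The mechanics described above (read the manifest, look up each pinned dependency against a list of known-vulnerable versions, raise an alert for anything below the fixed release) are simple enough to sketch. The following is an added illustration, not GitHub’s code: the advisory list, the manifest contents and the advisory identifiers are all constructed for the example, and the version comparison is deliberately naive (numeric dot-separated parts only, npm range prefixes stripped rather than resolved).

```python
"""Minimal dependency-alert checker: parse manifest files, match pinned
versions against a constructed advisory list, report outdated packages."""
import json
import re

# Constructed advisory list: ecosystem, package, first fixed version, id.
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"ecosystem": "pip", "package": "requests", "fixed_in": "2.20.0", "id": "ADV-PLACEHOLDER-1"},
    {"ecosystem": "npm", "package": "lodash", "fixed_in": "4.17.11", "id": "ADV-PLACEHOLDER-2"},
]

# Constructed manifest contents standing in for files in a repository.
REQUIREMENTS_TXT = """\
# comment line
requests==2.18.4
flask==1.0.2
"""
PACKAGE_JSON = """\
{"name": "demo", "dependencies": {"lodash": "^4.17.4", "express": "4.16.3"}}
"""


def parse_version(text):
    """Turn '2.18.4' into (2, 18, 4); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text):
    """Return {name: version} for '==' pinned lines in a requirements.txt."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9a-zA-Z.]*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def parse_package_json(text):
    """Return dependencies from package.json, stripping ^/~ range prefixes.
    A real scanner resolves ranges from the lockfile; this assumes the lowest
    version the range allows is what gets installed."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            deps[name] = spec.lstrip("^~=v")
    return deps


def find_alerts(ecosystem, deps):
    """Return (package, installed, fixed_in, advisory id) for each vulnerable pin."""
    alerts = []
    for adv in ADVISORIES:
        if adv["ecosystem"] != ecosystem:
            continue
        version = deps.get(adv["package"])
        if version is None:
            continue
        if parse_version(version) < parse_version(adv["fixed_in"]):
            alerts.append((adv["package"], version, adv["fixed_in"], adv["id"]))
    return alerts


def scan_project():
    """Scan both constructed manifests and collect all alerts."""
    alerts = []
    alerts += find_alerts("pip", parse_requirements(REQUIREMENTS_TXT))
    alerts += find_alerts("npm", parse_package_json(PACKAGE_JSON))
    return alerts


if __name__ == "__main__":
    for pkg, have, fixed, adv_id in scan_project():
        print(f"{adv_id}: {pkg} {have} is vulnerable, upgrade to >= {fixed}")
```

The example flags requests 2.18.4 and lodash 4.17.4 and leaves flask and express alone. A production scanner also has to handle version ranges, pre-release tags, transitive dependencies from lockfiles and advisories with more than one affected range, which is exactly where the naive comparison here would start producing false results.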

The security alerts feature is available for all users, and they can find it in each GitHub project’s “Insights” tab, under the “Alert” option.

Image: GitHub

In case developers manage a large number of projects and don’t have the time to manually visit each project’s GitHub page, GitHub also lets developers set different notification methods such as:

  • A banner in the GitHub interface
  • Web notifications on the GitHub domain
  • Email notifications for each new vulnerability
  • Daily or weekly email digests of all new vulnerabilities

GitHub’s security alerts system isn’t perfect: it can only detect vulnerabilities that have received a CVE identifier and have been indexed in the DHS’s NVD portal. Some vulnerabilities are expected to slip through the cracks, but GitHub’s alerts system has already proven to be very effective.

In a blog post in March, GitHub said that within a month of its launch last year, developers acted on security alerts and removed 450,000 vulnerabilities from their projects.

But the expanded security alerts weren’t the only security-themed updates that GitHub announced. The company also rolled out something called GitHub Token Scanning.

This new tool is still in beta. GitHub says Token Scanning will help maintainers of public code repositories. The tool works by scanning users’ public source code in search of API or other authentication tokens.

These tokens are the equivalent of leaving a server password in the code, and GitHub plans to alert users if they accidentally leave one inside their projects.

Currently, GitHub Token Scanning supports token formats for services like Amazon Web Services (AWS), Azure, GitHub, Google Cloud, Slack, and Stripe.

Besides alerting the user, GitHub says the new service will also notify the token’s provider, so that it can invalidate or revoke the token to prevent abuse.
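The token scanning described in the last few paragraphs is pattern matching over committed source, with the finding reported in a way that does not re-leak the secret. The block below is an added example, not GitHub’s implementation: the regexes approximate publicly documented token prefixes (AWS access key IDs start with AKIA, Slack tokens with xox followed by a type letter, Stripe live keys with sk_live_) and are assumptions for this example; the repository contents are constructed, with the AWS value being the example key from AWS documentation and the others made-up strings of the right shape.

```python
"""Secret-scanning demo: apply provider token patterns to source files and
report redacted findings, the way a public-repo token scanner would."""
import re

# Patterns approximate publicly documented token prefixes. They are
# assumptions for this example, not GitHub's actual matchers.
TOKEN_PATTERNS = {
    "aws": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "stripe": re.compile(r"\bsk_live_[0-9a-zA-Z]{24}\b"),
}

# Constructed repository contents. The AWS value is the example key from
# AWS documentation; the other two are made-up strings in the right shape.
SAMPLE_FILES = {
    "app/config.py": (
        'DEBUG = True\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "deploy/notify.sh": (
        '#!/bin/sh\n'
        'SLACK_TOKEN="xoxb-000000000000-FAKEFAKEFAKEFAKE"\n'
        'STRIPE_KEY="sk_live_FAKEFAKEFAKEFAKEFAKE0000"\n'
    ),
}


def redact(token, keep=4):
    """Show only the ends of a token so the alert itself does not leak it."""
    if len(token) <= 2 * keep:
        return "*" * len(token)
    return token[:keep] + "..." + token[-keep:]


def scan_text(path, text):
    """Return one finding per token match: provider, location, redacted value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({
                    "path": path,
                    "line": line_no,
                    "provider": provider,
                    "redacted": redact(m.group()),
                })
    return findings


def scan_repo(files):
    """Scan every file in a {path: text} mapping and collect findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['provider']} token {f['redacted']}")
```

The provider field is what makes the second half of the feature possible: a finding tagged "aws" can be routed to that provider’s revocation endpoint, while the redacted value is all that needs to reach the repository owner. Prefix-based patterns like these trade recall for precision; tokens without a distinctive prefix need entropy checks or provider-side verification, which this example leaves out.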

Last but not least, GitHub also announced the Security Advisory API, which aggregates all security-related information for a developer’s accounts. This includes not only security alerts for vulnerabilities in project dependencies, but also alerts for accounts that use weak or already-compromised passwords, alerts for attempts to break into a GitHub account, and more.

The API is intended for developers who manage a large number of projects, or for companies that want to make sure their projects and employee access live up to their internal security standards.

Readers who are interested in finding out more about the other changes made to the GitHub platform can read about developer and business-related updates, here.


The Five Pillars of (Azure) Cloud-based Application Security



This 1-hour webinar from GigaOm brings together experts in Azure cloud application migration and security, featuring GigaOm analyst Jon Collins and special guests from Fortinet, Director of Product Marketing for Public Cloud, Daniel Schrader, and Global Director of Public Cloud Architecture and Engineering, Aidan Walden.

These interesting times have accelerated the drive towards digital transformation, application rationalization, and migration to cloud-based architectures. Enterprise organizations are looking to increase efficiency without impacting performance or increasing risk, whether that risk stems from infrastructure resilience or from end-user behaviors.

Success requires a combination of best practice and appropriate use of technology, depending on where the organization is on its cloud journey. Elements such as zero-trust access and security-driven networking need to be deployed in parallel with security-first operations, breach prevention and response.

If you are looking to migrate applications to the cloud and want to be sure your approach maximizes delivery whilst minimizing risk, this webinar is for you.



Data Management and Secure Data Storage for the Enterprise



This free 1-hour webinar from GigaOm Research brings together experts in data management and security, featuring GigaOm Analyst Enrico Signoretti and special guest from RackTop Systems, Jonathan Halstuch. The discussion will focus on data storage and how to protect data against cyberattacks.

Most of the recent news coverage and analysis of cyberattacks focus on hackers getting access and control of critical systems. Yet rarely is it mentioned that the most valuable asset for the organizations under attack is the data contained in these systems.

In this webinar, you will learn about the risks and costs of a poor data security management approach, and how to improve your data storage to prevent and mitigate the consequences of a compromised infrastructure.



CISO Podcast: Talking Anti-Phishing Solutions



Simon Gibson earlier this year published the report, “GigaOm Radar for Phishing Prevention and Detection,” which assessed more than a dozen security solutions focused on detecting and mitigating email-borne threats and vulnerabilities. As Gibson noted in his report, email remains a prime vector for attack, reflecting the strategic role it plays in corporate communications.

Earlier this week, Gibson’s report was a featured topic of discussions on David Spark’s popular CISO Security Vendor Relationship Podcast. In it, Spark interviewed a pair of chief information security officers—Mike Johnson, CISO for SalesForce, and James Dolph, CISO for Guidewire Software—to get their take on the role of anti-phishing solutions.

“I want to first give GigaOm some credit here for really pointing out the need to decide what to do with detections,” Johnson said when asked for his thoughts about selecting an anti-phishing tool. “I think a lot of companies charge into a solution for anti-phishing without thinking about what they are going to do when the thing triggers.”

As Johnson noted, the needs and vulnerabilities of a large organization aligned on Microsoft 365 are very different from those of a smaller outfit working with GSuite. A malicious Excel macro-laden file, for example, poses a credible threat to a Microsoft shop and therefore argues for a detonation solution to detect and neutralize malicious payloads before they can spread and morph. On the other hand, a smaller company is more exposed to business email compromise (BEC) attacks, since spending authority is often spread among many employees in these businesses.

Gibson’s radar report describes both in-line and out-of-band solutions, but Johnson said cloud-aligned infrastructures argue against traditional in-line schemes.

“If you put an in-line solution in front of [Microsoft] 365 or in front of GSuite, you are likely decreasing your reliability, because you’ve now introduced this single point of failure. Google and Microsoft have this massive amount of reliability that is built in,” Johnson said.

So how should IT decision makers go about selecting an anti-phishing solution? Dolph answered that question with a series of questions of his own:

“Does it nail the basics? Does it fit with the technologies we have in place? And then secondarily, is it reliable, is it tunable, is it manageable?” he asked. “Because it can add a lot of overhead, especially if you have a small team, if these tools are really disruptive to the email flow.”

Dolph concluded by noting that it’s important for solutions to provide insight that can help organizations target their protections, as well as support both training and awareness around threats. Finally, he urged organizations to consider how they can measure the effectiveness of solutions.

“I may look at other solutions in the future and how do I compare those solutions to the benchmark of what we have in place?”

Listen to the Podcast: CISO Podcast
