• Tech News
    • Games
    • Pc & Laptop
    • Mobile Tech
    • Ar & Vr
    • Security
  • Startup
    • Fintech
  • Reviews
  • How To
What's Hot

Elementor #32036

January 24, 2025

The Redmi Note 13 is a bigger downgrade compared to the 5G model than you might think

April 18, 2024

Xiaomi Redmi Watch 4 is a budget smartwatch with a premium look and feel

April 16, 2024
Facebook Twitter Instagram
  • Contact
  • Privacy Policy
  • Terms & Conditions
Facebook Twitter Instagram Pinterest VKontakte
Behind The ScreenBehind The Screen
  • Tech News
    1. Games
    2. Pc & Laptop
    3. Mobile Tech
    4. Ar & Vr
    5. Security
    6. View All

    Bring Elden Ring to the table with the upcoming board game adaptation

    September 19, 2022

    ONI: Road to be the Mightiest Oni reveals its opening movie

    September 19, 2022

    GTA 6 images and footage allegedly leak

    September 19, 2022

    Wild west adventure Card Cowboy turns cards into weird and silly stories

    September 18, 2022

    7 Reasons Why You Should Study PHP Programming Language

    October 19, 2022

    Logitech MX Master 3S and MX Keys Combo for Business Gen 2 Review

    October 9, 2022

    Lenovo ThinkPad X1 Carbon Gen10 Review

    September 18, 2022

    Lenovo IdeaPad 5i Chromebook, 16-inch+120Hz

    September 3, 2022

    It’s 2023 and Spotify Still Can’t Say When AirPlay 2 Support Will Arrive

    April 4, 2023

    YouTube adds very convenient iPhone homescreen widgets

    October 15, 2022

    Google finishes iOS 16 Lock Screen widgets rollout w/ Maps

    October 14, 2022

    Is Apple actually turning iMessage into AIM or is this sketchy redesign rumor for laughs?

    October 14, 2022

    MeetKai launches AI-powered metaverse, starting with a billboard in Times Square

    August 10, 2022

    The DeanBeat: RP1 simulates putting 4,000 people together in a single metaverse plaza

    August 10, 2022

    Improving the customer experience with virtual and augmented reality

    August 10, 2022

    Why the metaverse won’t fall to Clubhouse’s fate

    August 10, 2022

    How Apple privacy changes have forced social media marketing to evolve

    October 16, 2022

    Microsoft Patch Tuesday October Fixed 85 Vulnerabilities – Latest Hacking News

    October 16, 2022

    Decentralization and KYC compliance: Critical concepts in sovereign policy

    October 15, 2022

    What Thoma Bravo’s latest acquisition reveals about identity management

    October 14, 2022

    What is a Service Robot? The vision of an intelligent service application is possible.

    November 7, 2022

    Tom Brady just chucked another Microsoft Surface tablet

    September 18, 2022

    The best AIO coolers for your PC in 2022

    September 18, 2022

    YC’s Michael Seibel clarifies some misconceptions about the accelerator • DailyTech

    September 18, 2022
  • Startup
    • Fintech
  • Reviews
  • How To
Behind The ScreenBehind The Screen
Home»Tech News»GitHub targets vulnerable open source components
Tech News

GitHub targets vulnerable open source components

August 11, 2022No Comments3 Mins Read
Facebook Twitter Pinterest LinkedIn Tumblr Email
GitHub targets vulnerable open source components
Share
Facebook Twitter LinkedIn Pinterest Email

GitHub has introduced an automated alert mechanism to enable developers to address vulnerabilities in the open source components their code uses.

According to GitHub, the new feature, called Dependabot alert for vulnerable GitHub Actions, will make it easier for developers to stay up to date and fix security vulnerabilities using their Actions workflows.

Vulnerabilities such as Log4j have shone a spotlight on the weakness of open source security, and US president Joe Biden has made software security a national priority. His executive order on cyber security requires that only companies that use secure software development lifecycle practices and meet specific federal security guidance will be able to sell to the federal government.

The strength of open source code is that external code modules can be pulled into a project from a public repository such as GitHub. This makes it easy for developers to incorporate functionality without having to write all the code themselves. The open source modules are maintained by third-party developers.

However, as Computer Weekly has previously reported, if a security risk is discovered in the open source module, projects that depend on this module are also at risk. In many cases, developers whose code requires such modules may not be aware that the open source code they have incorporated into their own project has a security risk.

This is the situation GitHub hopes to address with Dependabot alerts for vulnerable GitHub Actions.

The GitHub Advisory Database shows that there are over 173,000 vulnerabilities in GitHub that have not been reviewed

In a blog post discussing Dependabot alerts for vulnerable GitHub Actions, Kate Catlin, senior product manager at GitHub, and Brittany O’Shea, an author on the GitHub blog, said the Alerts will be powered by the GitHub Advisory Database.

“When a security vulnerability is reported in an action, our team of security researchers will create an advisory to document the vulnerability, which will trigger an alert to impacted repositories,” they wrote.

At the time of writing, the GitHub Advisory Database has 8,543 advisories that have been reviewed, 1,560 of these have been classified as “critical”. But, to demonstrate the scale of the problem facing the open source community, the database shows that there are over 173,000 vulnerabilities in GitHub that have not been reviewed. 

There is general consensus that global collaboration is needed to keep open source code secure. In January this year, a number of major tech firms, including Google and IBM, participated in the White House Open Source Software Security Summit.

To coincide with the summit, Kent Walker, president of global affairs at Google and Alphabet, posted a blog discussing the need to secure open source code effectively.

“Growing reliance on open source means it’s time for industry and government to come together to establish baseline standards for security, maintenance, provenance and testing – to ensure national infrastructure and other important systems can rely on open source projects,” he wrote.

Jamie Thomas, enterprise security executive at IBM, who also attended the summit, said: “Today’s meeting made clear that government and industry can work together to improve security practices for open source. We can start by encouraging widespread adoption of open and sensible security standards, identifying critical open source assets that should meet the most rigorous security requirements, and promoting a collaborative national effort to expand skills training and education in open source security and reward developers who make important strides in the field.”

Potentially, Dependabot alerts for vulnerable Actions can be linked into continuous integration and deployment (CI/CD) processes to enable developer teams to prioritise developer work and address security issues more quickly.

Source link

See also  Netflix’s latest Stephen King trailer focuses on Mr. Harrigan’s iPhone
components GitHub open source targets vulnerable
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

Bose Ultra Open Earbuds review

February 16, 2024

OnePlus Open review

October 19, 2023

The Myth of ‘Open Source’ AI

August 29, 2023

Meta’s Open Source Llama Upsets the AI Horse Race

July 26, 2023
Add A Comment

Comments are closed.

Editors Picks

The most effective iPhone 13 Mini display screen protectors for 2022

August 1, 2022

Tech that analyzes videos wins top prize at Univ. of Washington computer science showcase – Startup

November 18, 2022

Adobe buys Figma, Uber gets hacked, and Google shrinks Area 120 • DailyTech

September 17, 2022

LK-99 Is Fueling a DIY Superconductivity Race

August 2, 2023

Subscribe to Updates

Get the latest news and Updates from Behind The Scene about Tech, Startup and more.

Top Post

Elementor #32036

The Redmi Note 13 is a bigger downgrade compared to the 5G model than you might think

Xiaomi Redmi Watch 4 is a budget smartwatch with a premium look and feel

Behind The Screen
Facebook Twitter Instagram Pinterest Vimeo YouTube
  • Contact
  • Privacy Policy
  • Terms & Conditions
© 2025 behindthescreen.uk - All rights reserved.

Type above and press Enter to search. Press Esc to cancel.