Friday, November 25, 2022

How scanning GitHub can help secure the open-source software supply chain – VentureBeat




Supply chain security attacks have changed cybersecurity forever. Ever since President Biden released his Executive Order on Improving the Nation’s Cybersecurity following the Log4j and SolarWinds breach debacles, open-source security has been a top priority for organizations.
In fact, research shows that 73% of organizations have adopted measures to secure their software supply chains.
Continuing this trend, SaaS security provider Legit Security today announced the launch of Legitify, a new open-source security tool designed to help enterprises secure their GitHub implementations. The solution will enable security and devops teams to scan GitHub configurations at scale and ensure the integrity of open-source software. 
GitHub supports over 1.5 million organizations and plays an integral role in many organizations’ software supply chains as a source-code management (SCM) solution for storing code updates and identifying issues. 
It’s no secret that vulnerabilities in open-source projects can be devastating. For instance, the Log4j remote code execution exploit was used in over 840,000 attacks within 72 hours of its discovery.
Legit Security believes that securing GitHub is key to securing the open-source software supply chain, as exploits provide a means to modify source code, harvest secrets and initiate a supply chain attack. 
For instance, the company recently disclosed vulnerabilities in open-source projects from Google and Apache, including a “GitHub environment injection” in the Google Firebase project that lets an attacker take control of the project’s GitHub Actions CI/CD pipeline and modify the underlying source code.
GitHub occupies a unique place in the open-source ecosystem: although it is widely used, GitHub implementations are often hard to secure because discovering misconfigurations in each repository is time-consuming.
“It’s difficult and time-consuming to consistently enforce security across large GitHub implementations, and GitHub misconfigurations are a very common source of vulnerabilities. Different individuals often deploy GitHub instances with different configurations and settings,” said Legit Security cofounder and CTO Liav Caspi. 
“However, manually enforcing consistency across large GitHub organizations is very labor-intensive and prone to human error. Legitify addresses this by allowing security teams and devops engineers to manage and enforce their GitHub configurations in a secure and scalable way,” Caspi said. 
Legitify answers these challenges by enabling users to scan GitHub implementations by a specific instance, resource type or entire organization via the command line so they can detect security issues, categorize their severity and review remediation steps.
It’s important to note that Legit Security’s solution isn’t the only tool capable of scanning the security of GitHub code. GitHub Code Scanning, released in 2020, is a native solution that integrates with GitHub Actions to scan code as it’s developed and provides users with security reviews to identify vulnerabilities. 
Another tool offering this capability is SonarQube GitHub Action, which allows the user to employ a SonarQube scanner to detect bugs and vulnerabilities in code in over 20 programming languages. SonarQube’s parent company, SonarSource, raised $412 million in funding earlier this year to scan codebases for vulnerabilities. 
“Legitify is a unique open-source security tool designed for large enterprise deployments of GitHub. Legitify connects to GitHub via an access token and detects issues across four resource types: member, repository, actions and organization,” Caspi said. 
© 2022 VentureBeat. All rights reserved.
