GitHub releases advisory database to improve software supply chain security
Software development platform GitHub has opened its advisory database to community contributions, allowing anyone to contribute information and intelligence on security vulnerabilities to help improve software supply chain security.
The full contents of the database will also now be published in a new, freely accessible public repository under a Creative Commons license. Experts say sharing such data is key to improving the security of software supply chains and addressing software risks.
Security community to benefit from free and open data
Millions of developers and businesses use GitHub to build, ship, and maintain software. By making its advisory database publicly open to community contributions, the company said security researchers, academics and enthusiasts will be able to provide, share and benefit from additional information and context to further the community's understanding and awareness of security advisories.
“GitHub believes that free and open security data is essential to enabling the industry as a whole to better secure our software supply chains,” the company added.
“The GitHub Advisory Database is the largest database of software dependency vulnerabilities in the world. By making it easier to contribute and consume, we hope it will fuel even more experiences and further contribute to improving the security of all software.”
GitHub has built a user interface for making contributions, which GitHub Security Lab researchers will review. Contributors can suggest changes or provide context on packages, affected versions, and impacted ecosystems, and will get public credit on their GitHub profile once their contribution is accepted. The Open-Source Vulnerabilities (OSV) format will be used for advisories in the repository, GitHub said.
“For vulnerability management in open source to scale, security advisories need to be widely available and easily accessible to everyone,” says Oliver Chang, software engineer for Google’s open source security team. “OSV provides this capability.”
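As an added illustration (not GitHub's or OSV's own code), here is how a consumer of the repository might read an advisory in the OSV format and decide whether a dependency version falls inside an affected range. The advisory record is constructed for this example, its field names follow the OSV schema, and only SEMVER ranges with `introduced`/`fixed` events are handled.

```python
import re

# Constructed OSV-format advisory; the id is a placeholder, not a real GHSA.
ADVISORY = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "summary": "Constructed example advisory for an npm package",
    "affected": [{
        "package": {"ecosystem": "npm", "name": "example-lib"},
        "ranges": [{
            "type": "SEMVER",
            "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.5"},
                       {"introduced": "2.0.0"}, {"fixed": "2.0.3"}],
        }],
    }],
}

def parse_semver(v):
    """Comparable tuple for MAJOR.MINOR.PATCH; pre-release tags are not handled."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def affected_intervals(events):
    """Turn a sorted OSV event list into half-open [introduced, fixed) intervals.
    An interval with end None is open-ended (no fix published yet)."""
    intervals, start = [], None
    for ev in events:
        if "introduced" in ev:
            # "0" means the flaw has existed since the earliest version
            start = (0, 0, 0) if ev["introduced"] == "0" else parse_semver(ev["introduced"])
        elif "fixed" in ev and start is not None:
            intervals.append((start, parse_semver(ev["fixed"])))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals

def is_affected(advisory, ecosystem, name, version):
    """True if the given package version is inside any SEMVER range of the advisory."""
    v = parse_semver(version)
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry.get("ranges", []):
            if rng["type"] != "SEMVER":
                continue  # ECOSYSTEM/GIT ranges need ecosystem-specific comparison
            for start, end in affected_intervals(rng["events"]):
                if v >= start and (end is None or v < end):
                    return True
    return False
```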
Data sharing is an integral part of software supply chain security
GitHub’s move is a step forward in securing open source projects and libraries, Yaniv Balmas, vice president of research at Salt Security, told CSO. “The number of publicly reported software vulnerabilities is at an all-time high and continues to increase year over year. Good and consistent information sharing could be one of the most effective ways to solve this problem,” he said.
Since GitHub hosts most of the open source code, opening the advisory database to community contributions will give software publishers greater visibility into the status of security issues in every software release or shared library they use, as well as helping vulnerability hunters report and fix bugs, Balmas adds.
“It will also help solve the problem of software supply chain attacks, as it will give vendors a clearer view of every shared software component they use and the status of their security issues.”
ESET Global Cybersecurity Advisor Jake Moore agrees. “The software supply chain has taken a huge hit over the past few years, with vulnerabilities being exposed and shared in dark markets before their victims have even had a chance to respond,” he says, adding that sharing new threat information within trusted communities will allow those who may not be the best protected to access the latest updates and patch information.