The Open Source Software Security Summit: securing the world’s code together

Mike Hanley

The world runs on software, which in turn relies on open source. In fact, 99% of the world’s software has at least some open source code in its DNA, meaning the apps and programs that power our lives reflect the hard work of open source developers. This also means that vulnerabilities in open source code can have a global ripple effect across the billions of developers and services that rely on it. As the world’s largest developer platform, GitHub takes those risks seriously and understands its responsibility to support the millions of developers on our platform in coding securely. As part of that responsibility, today, my colleague Stormy Peters and I are proud to represent GitHub at the White House’s Open Source Software Security Summit to share how securing open source begins by empowering developers.

It’s a timely gathering in light of the security events we witnessed in the past year, with SolarWinds and Log4j providing key reminders of the importance of securing critical code. We’ve seen how just one or two lines of vulnerable code can have a dramatic impact on the health, safety, and trustworthiness of entire systems in the blink of an eye. And while this is not a new issue, as we saw with Heartbleed, the recent events further underscored two ways the tech industry can come together and help. First, there must be a collective industry and community effort to secure the software supply chain. Second, we need to better support open source maintainers to make it easier for them to secure their projects.

So what is GitHub doing to address these opportunities? How can we make it easier for developers everywhere to build more secure code? And how can the industry improve how it securely uses and incorporates open source code?

GitHub’s mission is to be the home for all developers, and we do this by providing the best possible developer experience. That’s no different when it comes to security. Developers aren’t necessarily security experts—nor should they have to be—which is why we’re intently focused on making it easier for them to write more secure code in a frictionless way. Our tools like Dependabot and code scanning with CodeQL are freely available for open source and help maintainers quickly address security issues in their code and their dependencies. GitHub also helps maintainers respond to security vulnerabilities when they’re discovered. By providing a private space for maintainers to discuss, fix, obtain a CVE, and publish vulnerability information, we ensure a coordinated disclosure of new vulnerabilities. Once disclosed, the GitHub Advisory Database provides structured metadata about each vulnerability under an open source license. In 2022, we plan to expand our vulnerability management features for maintainers to include an option to receive private disclosures from security researchers.

As an industry, we must also come together and support the developers who design, build, and maintain the open source projects we depend on. In addition to tooling, GitHub offers ways developers can gain access to training and funding to help them better secure open source software. For example, for developers who want to learn more about security, the GitHub Security Lab offers free security training and educational materials to developers on subjects including tooling (CodeQL, fuzzing), defensive programming, and security best practices. Additionally, since launching GitHub Sponsors in 2019, we’ve seen millions of dollars flowing to open source projects across the globe every year – and in late 2020, we announced the ability for companies to financially contribute to the projects they depend on. As we work to roll this program out more widely, we see Sponsors financially enabling the open source developers who make the world’s most critical software.

GitHub is home to more than 73 million developers, four million organizations, and 200 million repositories. We see tremendous opportunity ahead to help the community realize a safer and more secure future for software. Through partnerships with governments, academia, developers, and other organizations, we can better protect and support the developers and software that power our world.