Learn how we’re managing feature releases and establishing best practices within and across teams at GitHub using GitHub Projects.
Let’s face it: security for developers isn’t always the top priority. It’s something we know we should do, but frequently it competes with shipping deadlines, or is left until later in the development process. Unclear ownership further complicates things. And most of us don’t receive regular security training, we only get a few security pointers during a project kick-off.
At GitHub, we want to take away the pain and effort of keeping your code secure. This involves providing you with a complete, native, and automated approach—one that reduces your risk, increases your productivity, and improves your time-to-market. From helping you identify supply chain vulnerabilities before you introduce security tech debt into your codebase, to giving you an active database of known vulnerabilities—we want to make security a lot less bothersome. After all, security that is painless is also the most effective.
Over the years, we’ve seen that open source software (OSS) poses risk. When the Java-based logging tool, Log4j was exploited in late 2021—potentially compromising millions of apps—the world once again felt just how critical security is to OSS.
It’s clear we need to do a better job. Over the past 10 years, we’ve seen billions of dollars go into application security testing tools but without much success. A whopping 85% of applications still contain known vulnerabilities, 1 with 84% of security flaws happening accidentally at the application layer 2. In 2021, we witnessed software supply chain attacks increase by a terrifying 650% 3. As time goes on, our digital infrastructure will only continue to grow and we don’t expect these stats to slow. It’s anticipated that bad actors will continue to target the supply chain at an ever-increasing rate through existing and emerging tactics.
* 85% of applications contain known vulnerabilities
* 84% of security breaches occur accidentally at the application layer
You probably feel overwhelmed with how you can keep your supply chain code secure. And with the continued pressure to ship more frequently, you don’t necessarily have the time to understand what types of vulnerabilities may affect you (and, let’s not forget that finding and fixing a vulnerability doesn’t mean you’re secure forever). You also probably don’t have the space to learn about the many security solutions being marketed to you. Or even figure out where in your workflow you need to “shift left.”
Plus, as you may know from experience, current application security solutions are difficult to embed into your developer workflow, without the dreaded, repetitive context switching from tab to tab and explanation to explanation. And even when solutions are integrated, we often find ourselves disabling them due to noise, an increase in testing failure, system performance impacts, and reduced development velocity.
We have to make securing our software simpler and less cumbersome. After all, we’re big on automating things to make people’s lives easier, so implementing something difficult that will give us more headache is the last task on our to-do list.
That’s why, here at GitHub, we’re pleased to offer comprehensive, native security scanning capabilities that are tailored for developers. These include Dependabot, code scanning with CodeQL, and secret scanning. We knew it was important for us to provide solutions that are built directly into the developer workflow—so you wouldn’t have to waste time learning a new platform or installing third-party apps.
Dependabot is GitHub’s supply chain security experience and makes it easy to find and fix vulnerable dependencies in your repository. It’s always on to alert you about vulnerabilities in the software you depend on. You can even go further by enabling Dependabot security updates, and Dependabot will automatically create pull requests to fix security alerts as they happen.
In all, Dependabot gives you peace of mind. Instead of worrying about your next big security issue, you can let Dependabot do the heavy lifting—so you can focus on building great code.
To learn more about how to easily get started with Dependabot, visit our GitHub Docs page.
1Osterman Research Report, Uncovering the Presence of Vulnerable Open-Source Components in Commercial Software, _2021_
2Synopsys, _How Shifting Security Left Enables More Robust Defense Applications, 2020
3Sonatype, State of the Software Supply Chain Report, 2021