Search results for: Security

You can now authenticate to SSH using a FIDO2 security key by adding a sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com SSH key to your account. SSH security keys store secret key material on…

GitHub has been at the forefront of security key adoption for many years. We were an early adopter of Universal 2nd Factor (“U2F”) and were also one of the first…

We are implementing a change to the default notification settings for security alerts. Previously, if you had permission to view security alerts in a repository, you would receive notifications for…

The new security overview for organizations and teams – which provides a high-level view of the application security risks a GitHub organization is exposed to – is now in beta…

GitHub Advanced Security helps you create secure applications with a community-driven, developer-first approach. Today, we are excited to announce two updates: Beta of the new security overview for organizations and…

Security researchers provide a critical service to developers by identifying vulnerable software, but unfortunately, many developers don’t know the people behind this work. GitHub Security Advisories allow developers to provide…

Security research makes us all safer, but too often developers face ambiguous rules and possible criminal liability when they do quality assurance work to find security holes in their stack.…

GitHub Advanced Security customers can now view their active committer count and the remaining number of unused committer seats on their organization or enterprise account’s Billing page. If Advanced Security…

Why did I get logged out of GitHub.com? On the evening of March 8, we invalidated all authenticated sessions on GitHub.com created prior to 12:03 UTC on March 8 out…

Two weeks ago, we kicked off GitHub InFocus, a global virtual series just for software teams. Last week, we learned what powers a successful DevOps program. Next up: Security. We…

Save the date! March 17 to 21, take your chance with the GitHub CTF “A Call to Hacktion!” What is a CTF? In software security, a Capture the Flag (CTF)…

The world runs on software, and a large portion of it, especially the open source software that’s part of everything we experience, is built by millions of developers on GitHub…

GitHub Advanced Security customers can now view their active committer count for any Advanced Security enabled repositories on their organization or enterprise account’s Billing page. These changes help billing administrators…

Security Advisories and GitHub Advisory Database now include Common Weakness Enumeration (CWE) and Common Vulnerability Scoring System (CVSS) information for advisories. When you create a Security Advisory to disclose a…

Security vulnerabilities can be unpleasant to address, and that only gets worse the more you have. When you’re dealing with a large volume of vulnerabilities, you need to be able…

We’ve made huge advances in our security features at GitHub in 2020, with launches for code scanning, secret scanning, Dependabot version updates, dependency review, and more.

GitHub Advanced Security is an add-on to GitHub Enterprise which allows you to use security features like code scanning, secret scanning, and dependency review on your private repositories. To help…

Last year at GitHub Universe, we introduced the GitHub Security Lab, which is committed to contributing resources, tooling, bounties, and security research to secure the open source ecosystem. We know…

Dependency review allows you to easily understand your dependencies before you introduce them to your environment. As part of a pull request, you can see what dependencies you’re introducing, changing, or removing, and information about their vulnerabilities, age, usage, and license.

In this blog post we demonstrate how to integrate the GitHub Advanced Security code scanning capability into our Azure DevOps Pipelines. We provide code snippets and examples that can guide you or your developers working to integrate Code Scanning into any 3rd Party CI tool.

In this post I’ll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome that I discovered in March 2020. I’ll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click (and perhaps a 2 minute wait) on a malicious website.