Security

We’ve made huge advances in our security features at GitHub in 2020, with launches for code scanning, secret scanning, Dependabot version updates, dependency review, and more.

Last year at GitHub Universe, we introduced the GitHub Security Lab, which is committed to contributing resources, tooling, bounties, and security research to secure the open source ecosystem. We know…

Dependency review allows you to easily understand your dependencies before you introduce them to your environment. As part of a pull request, you can see what dependencies you’re introducing, changing, or removing, and information about their vulnerabilities, age, usage, and license.

In July 2020, we announced our intent to require the use of token-based authentication (for example, a personal access, OAuth, or GitHub App installation token) for all authenticated Git operations.…

Aimed at developers, in this series we introduce and explore the memory unsafe attack surface of interpreted languages.

This blog describes a security vulnerability in the infrastructure that supports Germany’s COVID-19 contact tracing efforts. The mobile (Android/iOS) apps are not affected by the vulnerability and do not collect and/or transmit any personal data other than the device’s IP address. The infrastructure takes active measures to disassociate true positives from client IP addresses.

Ubuntu 20.04 local privilege escalation using vulnerabilities in gdm3 and accountsservice (CVE-2020-16125, CVE-2020-16126, CVE-2020-16127)

In this post I’ll give details about how to exploit CVE-2020-6449, a use-after-free (UAF) in the WebAudio module of Chrome that I discovered in March 2020. I’ll give an outline of the general strategy to exploit this type of UAF to achieve a sandboxed RCE in Chrome by a single click (and perhaps a 2 minute wait) on a malicious website.

We recently shipped support for the origin-bound draft standard for security codes delivered via SMS. This standard ensures security codes are entered in a phishing-resistant manner. It accomplishes this by binding an SMS with…

Security is a complex area. One software component may break the assumptions made by another component and it is not always clear who should fix the code to remediate the security implications.

The most important way to protect supply chain threats? Scan code for security vulnerabilities, learn how to find vulnerabilities in code, and quickly patch them with dynamic code analysis tools.

Aimed at developers, in this series we introduce and explore the memory unsafe attack surface of interpreted languages.

Keep dependencies up to date, to make sure you can quickly apply a patch when it really matters – when there’s a critical security vulnerability.

GitHub dependency insights helps both developers and security teams manage their open source security with confidence—automatically compiling relevant CVE information, aiding in OSS license compliance, and helping them better understand their OSS dependency versions.

In this post I’ll show how input validation which should be used to prevent malformed inputs to enter our applications, open up the doors to Remote Code Execution (RCE).