Justin Hutchings
Director of Product Management for supply chain security. I manage the team that's behind Dependabot, the Advisory Database, and the dependency graph. Twitter: https://twitter.com/jhutchings0
We think a lot about a high-profile supply chain attack that might cause developers, teams, and organizations to lose trust in open source. That’s why we’re investing in new ways to protect the open source ecosystem.
This is part of our Octoverse 2022 report, which explores the state of open source software, its impact on companies, and key trends shaping software development. |
Over the past several years—and the past year in particular—supply chain security in the open source ecosystem has become a large point of focus for the broader open source community—including the many companies and governments that rely on open source software.
As an industry and community, we have seen bad actors take over user accounts, corrupt popular open source dependencies, and take advantage of vulnerabilities in some of the biggest open source projects.
It’s no secret that a lot of our modern digital infrastructure runs on open source. The success of open source software (OSS), in part, comes down to the speed at which it’s developed by a global community of developers. But this speed can come at a cost if developers inherit the vulnerabilities in their supply chain.
At GitHub, we think a lot about a high-profile supply chain attack that might cause developers, teams, and organizations to lose trust in open source—because we know firsthand how important OSS is and how integral it will continue to be. We also know that staying on top of open source vulnerabilities can be a full-time job.
That’s why we’re investing in new ways to protect the supply chain that make it easier for security researchers to more effectively disclose vulnerabilities to developers, and make it easier for developers to verify the software they are installing is genuine. From the GitHub Security Lab to tools like Dependabot to GitHub Advanced Security, we’re working to help developers and companies monitor, alert, and automatically remediate vulnerabilities in OSS—and software more broadly—as soon they’re discovered. That’s why we offer security tools like Dependabot, code scanning, and secret scanning for free to developers on GitHub.
This is an important capability that effectively mitigates known vulnerabilities, but it’s not the only thing you need to do to protect your supply chain. Sophisticated attackers are increasingly attacking aspects of the supply chain to try to gain an advantage. A newer kind of risk is supply chain attacks. Recall the Solarwinds attack a few years back where an attacker injected malware into software from a company called Solarwinds which was a commercial developer dependency. By breaching the supply chain of a popular component, they were able to leverage this malicious code to attack a large number of additional targets.
At GitHub, we’re partnering with leaders in open source and security like the Open Source Security Foundation to help protect the supply chain against attacks by adding new kinds of signing, attestations, and policies to help developers install only safe dependencies. Whether you’re working in open source or at a company (or both), you can do your part to mitigate supply chain risks today by implementing current best practices.
A greater commitment to securing OSS from companies, open source developers, and even governments that collectively rely on open source solutions. We also anticipate more advances in security alerting tool threat detection capabilities and a focus on shifting left to build more secure code from the start through tools like GitHub Advanced Security.
You can find more expert predictions from our Octoverse 2022 report on the following topics: |
In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL, empowering you to secure yours.
We are excited to introduce the new CodeQL Community Packs, a comprehensive set of queries and models designed to enhance your code analysis capabilities. These packs are tailored to augment…
In this post, I’ll walk you through the vulnerabilities I uncovered in the GStreamer library and how I built a custom fuzzing generator to target MP4 files.