Tag
GitHub Security Lab
Today’s most common security vulnerabilities explained
We're taking a look at some of the most common security vulnerabilities and detailing how developers can best protect themselves.
Removing the stigma of a CVE
Do you worry that a CVE will hurt the reputation of your project? In reality, CVEs are a tracking number, and nothing more. Here's how we think of them at GitHub.
Validate all the things: improve your security with input validation!
If there's one habit that can make software more secure, it's probably input validation. Here's how to apply OWASP Proactive Control C5 (Validate All Inputs) to your code.
Encoding and escaping untrusted data to prevent injection attacks
Practical tips on how to apply OWASP Top 10 Proactive Control C4.
Coordinated vulnerability disclosure (CVD) for open source projects
A comprehensive guide for vulnerability reporters.
Thinking beyond SQL injection: OWASP tips for secure database access
When it comes to secure database access, there's more to consider than SQL injections. OWASP Top 10 Proactive Control C3 offers guidance.
How the community powers GitHub Advanced Security with CodeQL queries
The GitHub Security Lab’s CodeQL bounty program fuels GitHub Advanced Security with queries written by the open source community.
How to leverage security frameworks and libraries for secure code
In this post, I’ll discuss how to apply OWASP Proactive Control C2: Leverage security frameworks and libraries.
How to define security requirements for your OSS project
Defining your security requirements is the most important proactive control you can implement for your project. Here's how.
Write more secure code with the OWASP Top 10 Proactive Controls
This lesser-known OWASP project aims to help developers prevent vulnerabilities from being introduced in the first place.
Blue-teaming for Exiv2: how to squash bugs by enrolling in OSS-Fuzz
OSS-Fuzz is Google’s awesome fuzzing service for open source projects. GitHub Security Lab's @kevinbackhouse describes enrolling a project.
Blue-teaming for Exiv2: adding custom CodeQL queries to code scanning
The Exiv2 team tightened our security by enabling GitHub’s code scanning feature and adding custom queries tailored to the Exiv2 code base.
Blue-teaming for Exiv2: three rules of bug fixing for better OSS security
When you're fixing a bug, especially a security vulnerability, you should add a regression test, fix the bug, and find & fix variants.
Blue-teaming for Exiv2: creating a security advisory process
This blog post is the first in a series about hardening the security of the Exiv2 project. My goal is to share tips that will help you harden the security of your own project.