Connect with us

Security

GitHub launches ‘Security Lab’ to help secure open source ecosystem

Published

on

Today, at the GitHub Universe developer conference, GitHub announced the launch of a new community program called Security Lab that brings together security researchers from different organizations to hunt and help fix bugs in popular open source projects.

“GitHub Security Lab’s mission is to inspire and enable the global security research community to secure the world’s code,” the company said in a press release.

“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” it said.

Founding members include security researchers from organizations like Microsoft, Google, Intel, Mozilla, Oracle, Uber, VMWare, LinkedIn, J.P. Morgan, NCC Group, IOActive, F5, Trail of Bits, and HackerOne.

GitHub says Security Lab founding members have found, reported, and helped fix more than 100 security flaws already.

Other organizations, as well as individual security researchers, can also join. A bug bounty program with rewards of up to $3,000 is also available, to compensate bug hunters for the time they put into searching for vulnerabilities in open source projects.

Bug reports must contain a CodeQL query. CodeQL is a new open source tool that GitHub released today; a semantic code analysis engine that was designed to find different versions of the same vulnerability across vasts swaths of code. Besides GitHub, CodeQL is already being rolled out in other places to help with vulnerability code scans, such as Mozilla.

SolarWinds® Network Insight for Cisco ASA goes beyond basic up/down status. It can help provide comprehensive firewall performance, and also offers access control list monitoring.Downloads provided by SolarWinds

GitHub’s new Security Lab project did not come out of the blue. Efforts have been going on at the company to improve the overall security state of the GitHub ecosystem for some time. Security Lab merges all these together.

For example, GitHub has been working for the past two years on rolling out security notifications that warn project maintainers about dependencies that contain security flaws.

Earlier this year, GitHub started testing a feature that would enable project authors to create “automated security updates.” When GitHub would detect a security flaw inside a project’s dependency, GitHub would automatically update the dependency and release a new project version on behalf of the project maintainer.

The feature has been in beta testing for all 2019, but starting today automated security updates are generally available and have been rolled out to every active repository with security alerts enabled. [Also see official announcement.]

github-automated-fixes.png
Image: GitHub

Furthermore, GitHub also recently became an authorized CVE Numbering Authority (CNA), which means it can issue CVE identifiers for vulnerabilities. GitHub didn’t apply to become a CNA for nothing.

Its CNA capability has been added to a new service feature called “security advisories.” These are special entries in a project’s Issues Tracker where security flaws are handled in private.

Once a security flaw is fixed, the project owner can publish the security, and GitHub will warn all upstream project owners who are using vulnerable versions of the original maintainer’s code.

But before publishing a security advisory, project owners can also request and receive a CVE number for their project’s vulnerability directly from GitHub.

Previously, many open source project owners who hosted their projects on GitHub didn’t bother requesting a CVE number due to the arduous process.

However, getting CVE identifiers is crucial, as these IDs and additional details can be integrated into many other security tools that scan source code and projects for vulnerabilities, helping companies detect vulnerabilities in open sourcec tools that they would have normally missed.[Also see official announcement.]

github-cve-advisory.png
Image: GitHub

And in addition to the new GitHub Security Lab, the code-sharing platform is also launching the GitHub Advisory Database, where it will collect all security advisories found on the platform, to make it easier for everyone to keep track of security flaws found in GitHub-hosted projects. [Also see official announcement.]

And last, but not least, GitHub also updated Token Scanning, its in-house service that can scan users’ projects for API keys and tokens that have been accidentally left inside their source code.

Starting today, the service, which previously could detect API tokens from 20 services, can identify four more formats, from GoCardless, HashiCorp, Postman, and Tencent. [Also see official announcement.]

Source: https://www.zdnet.com/article/github-launches-security-lab-to-help-secure-open-source-ecosystem/

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Security

Firm introduces new cyberthreat detection service

Published

on

By

Sophos, a global leader in network and endpoint security, has announced the availability of a fully managed threat hunting, detection and response service, called Sophos Managed Threat Response.

The firm said the re-sellable service would provide organisations with a dedicated 24/7 security team to neutralise the most sophisticated and complex threats.

According to a statement, these threats include active attackers leveraging fileless attacks and administrator tools such as PowerShell to escalate privileges, exfiltrate data and spread laterally.

“Attacks like these are difficult to detect since they involve an active adversary using legitimate tools for nefarious purposes, and Sophos MTR helps eliminate this threat,” it said.

The Chief Technology Officer at Sophos, Joe Levy, said cybercriminals were adapting their methods and increasingly launching hybrid attacks that combined automation with interactive human ingenuity to more effectively evade detection.

He said, “Once they gain a foothold, they’ll employ ‘living off the land’ techniques and other deceptive methods requiring human interaction to discover and disrupt their attacks.

“For the most part, other managed detection and response services simply notify customers of potential threats and then leave it up to them to manage things from there.

“Sophos MTR not only augments internal teams with additional threat intelligence, unparalleled product expertise, and round-the-clock coverage, but also gives customers the option of having a highly trained team of response experts take targeted actions on their behalf to neutralise even the most sophisticated threats.”

Source:
https://punchng.com/firm-introduces-new-cyberthreat-detection-service/

Continue Reading

Security

Google now treats iPhones as physical security keys

Published

on

By

The latest update to Google’s Smart Lock app on iOS means you can now use your iPhone as a physical 2FA security key for logging into Google’s first-party services in Chrome. Once it’s set up, attempting to log in to a Google service on, say, a laptop, will generate a push notification on your nearby iPhone. You’ll then need to unlock your Bluetooth-enabled iPhone and tap a button in Google’s app to authenticate before the login process on your laptop completes. The news was first reported by 9to5Google.

Two-factor authentication is one of the most important steps you can take to secure your online accounts, and provides an additional layer of security beyond a standard username and password. Physical security keys are much more secure than the six digit codes that are in common use today, since these codes can be intercepted almost as easily as passwords themselves. Google already lets you use your Android phone as a physical security key, and now that the functionality is available on iOS it means that anyone with a smartphone now owns a security key without having to buy a dedicated device.

Attempting to log in to a Google service will send a push notification to your phone over Bluetooth.

The new process is similar to the existing Google Prompt functionality, but the key difference is that Smart Lock app works over Bluetooth, rather than connecting via the internet. That means your phone will have to be in relatively close proximity to your laptop for the authentication to work, which provides another layer of security. However, the app itself doesn’t ask for any biometric authentication — if your phone is already unlocked then a nearby attacker could theoretically open the app and authenticate the login attempt.

According to one cryptogopher working at Google, the new functionality makes use of the iPhone processor’s Secure Enclave, which is used to securely store the device’s private keys. The feature was first introduced with the iPhone 5S, and Google’s app says that it requires iOS 10 or later to function.

The new iPhone support appears to be limited to authenticating Google logins from the Chrome browser. When we attempted to use an iPhone to authenticate a login of the same service (we tested with Gmail) using Safari on a MacBook, we were prompted to insert our key fob (which we don’t have), meaning it created an extra step in our login process where we had to pick an alternative 2FA option.

Source:
https://www.theverge.com/2020/1/15/21066768/google-iphone-ios-security-key-2-factor-authentication

Continue Reading

Security

Samsung made a fingerprint-secured portable SSD

Published

on

By

Portable SSDs have become quite popular lately but only a handful of them offer proper security so Samsung is taking matters into its own hands by introducing the T7 Touch with fingerprint reader identification. This way you can rest assured that your sensitive data is safe even if you misplace the actual drive.

Samsung made a fingerprint-secured portable SSD

The T7 Touch succeeds the T5 from last year by offering a capacitive fingerprint scanner and AES 256-bit hardware encryption and password for added security. Moreover, the T7 Touch boasts about 1 GB/s read and 1 GB/s read speeds, which is almost twice as fast as its predecessor.

Connectivity options include USB-C to USB-C and USB-C to USB-A while the connector of the device supports 10Gbps speeds over USB 3.2 (Gen 2).

The T7 Touch comes in three flavors – 500GB for $129, 1TB for $229 and 2TB for $399 with planned availability this month. The available paint jobs of the titanium case are black and silver and the whole thing weighs just 58 grams.

Source:
https://www.gsmarena.com/samsung_made_a_fingerprintsecured_portable_ssd-news-40949.php

Continue Reading
Advertisement

Trending

%d bloggers like this: