Microsoft has boosted its security play via GitHub by buying code analysis firm Semmle in a pairing the firms hope will make hunting and fixing vulnerabilities as easy as a pull request.
Semmle has two main products: QL, a code analysis engine that lets product security teams quickly find zero-days and variants of critical vulnerabilities, and LGTM, aimed at development teams that want to identify vulnerabilities before they can creep into production.
In a blog post, GitHub CEO Nat Friedman explained, “Semmle’s revolutionary semantic code analysis engine allows developers to write queries that identify code patterns in large codebases and search for vulnerabilities and their variants.”
He added, “Security researchers use Semmle to quickly find vulnerabilities in code with simple declarative queries. These teams then share their queries with the Semmle community to improve the safety of code in other codebases.”
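To make "simple declarative queries" concrete, here is an added example of the kind of QL query the quotes describe. It is not code from the article, from Semmle or from GitHub; the metadata header values (including the `@id`) are assumed for illustration, and it targets the C/C++ library that ships with the QL tooling. The query flags every call to a small family of unbounded C string functions, which is the "find a vulnerability, then find its variants" pattern Friedman refers to: one query covers the original bug class rather than a single instance of it.

```ql
/**
 * @name Calls to unbounded C string functions
 * @description Flags gets() and the unbounded copy/format functions that are
 *              classic buffer-overflow sources, so variants of one finding
 *              surface across the whole codebase. Added example; @id assumed.
 * @kind problem
 * @problem.severity warning
 * @id example/unbounded-string-functions
 */

import cpp

from FunctionCall call, string name
where
  // Resolve the callee and take its unqualified name.
  name = call.getTarget().getName() and
  // The "variant" set: extend this list to widen the search.
  (
    name = "gets" or
    name = "strcpy" or
    name = "strcat" or
    name = "sprintf"
  )
select call, "Call to " + name + "(), an unbounded C string function."
```

Run against a QL database built from a C or C++ project, each result row is a call site plus the message, which is what LGTM surfaces as an alert on a pull request; swapping `import cpp` and the function names for another language's library is how the same query shape is reused across ecosystems.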
You can see where this is going.
GitHub product SVP Shanku Niyogi went on to claim in another post that the security lifecycle is broken, with identifying vulnerabilities a manual, ad hoc process and disclosures “often not made responsibly – if they’re made at all.”
Equally importantly, depending on your point of view, fixes are often made outside normal open source workflows, developers often don’t get alerts, and “Updating vulnerable dependencies takes too long or simply doesn’t happen at all.”
So, Niyogi wrote, “In the same way the pull request created a standard process for managing contributions, the ecosystem needs better-defined processes for managing vulnerabilities in open source code. This is what we’re setting out to build at GitHub.”
He added that GitHub has been approved as a CVE Numbering Authority for open source projects, which means “We’ll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry.”
Over at Semmle, Oege de Moor wrote “All this is happening today, but on a modest scale. True adoption will mean that every CVE comes with a Semmle query.”
“GitHub’s recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub.”
De Moor pledged “no disruption to existing users of Semmle products”: LGTM.com will remain free for public repositories and open source, and the company will continue its open source research.
The move is the latest in a security race between GitHub and rival repo manager cum DevOps platform GitLab. GitHub bought Dependabot earlier this year, as well as adding further security features off its own bat. GitLab hoovered up Gemnasium last year.
GitHub’s announcement came a day after GitLab said it had raised $268m, part of which would go to further boosting its security operations. Though presumably its potential shopping list is slightly shorter today than it was a week ago.