Open source software has the potential to be very secure. Unlike proprietary code, which can only be inspected directly by its own developers, anyone can vet an open source project to spot flaws and bugs. In practice, though, being open source is no panacea. Now GitHub, the code-hosting platform, is rolling out a suite of tools collectively called GitHub Advanced Security that will make it easier to root out vulnerabilities in the open source projects managed on its platform.
Open source code presents a few security challenges. In practice there aren't always enough people with the right expertise looking at it. And open source projects are generally ad hoc; they don't necessarily have a clear process in place for people to report vulnerabilities, or the resources available for someone to patch them. Even if you surmount those hurdles, you may not know who is actually using your open source code and needs a patch.
"A lot of what we talk about is there’s a vulnerability, what’s the workflow for that vulnerability, now it gets addressed," says Jamie Cool, vice president of product for security for Microsoft-owned GitHub. "But the nirvana is you don’t introduce the vulnerability to begin with. You stop it from ever showing up. It really seems like this is a problem we should be able to help developers not introduce again and again, but by and large we haven’t succeeded at that as a software industry yet."
In September, GitHub acquired the code scanning tool Semmle as part of a plan to help the GitHub community catch common security flaws automatically. Advanced Security will include this tool, calling out which line of code contains a potential vulnerability, why it might be exploitable, and how to fix it. In addition to this automatic scanning, Semmle's technology can also be used manually by security researchers. GitHub's goal is to use Advanced Security as both a warning system for developers and a built-in framework for bug hunters to find and report additional issues.
GitHub Advanced Security also includes tools that scan user "repositories," essentially the folders where they store their development projects, for secret data like passwords and private keys that shouldn't be exposed and accessible. GitHub works with a number of partners, including Amazon Web Services and Alibaba, to understand the characteristics of their authentication tokens and spot them automatically. The feature has been available to public repositories for a couple of years; today GitHub is extending it to private repositories. GitHub says that eight percent of active public repositories had a secret exposed in them during the last month alone. Note that detection is only the first step: because the leaked value remains in the commit history, a credential flagged by such a scan should be treated as compromised and rotated, not merely deleted from the working tree.
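To make the secret-scanning idea concrete, here is an added, simplified scanner written for this page; it is not GitHub's code and does not use the provider-supplied token formats the article refers to. It assumes three illustrative patterns (AWS access key IDs, PEM private-key headers, and generic hard-coded password assignments), runs them line by line over a constructed sample file, and reports redacted findings so the report itself does not re-leak the secret.

```python
import os
import re
from dataclasses import dataclass

# Simplified, hypothetical pattern set chosen for illustration. A real scanner
# uses token formats supplied by the issuing provider (the "characteristics"
# the article mentions) and many more rules than these three.
PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private-key header for the common key types
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Generic hard-coded credential assignment; 8+ chars cuts obvious noise
    "hardcoded_password": re.compile(
        r"""(?i)(?:password|passwd|secret)\s*[:=]\s*['"]([^'"]{8,})['"]"""),
}

# Directories that are never worth scanning (VCS metadata, vendored deps)
SKIP_DIRS = {".git", "node_modules"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    preview: str  # redacted: only the first few characters of the match survive


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding is identifiable without re-leaking it."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Run every pattern over each line and return redacted findings in order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Rules with a capture group isolate the secret itself;
                # otherwise the whole match (e.g. the PEM header) is the evidence.
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, lineno, rule, redact(secret)))
    return findings


def scan_repo(root: str) -> list[Finding]:
    """Walk a checked-out repository on disk and scan every readable file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return findings


# Constructed sample input. The key ID is AWS's documented placeholder value,
# not a live credential; "hunter2" is deliberately too short for the generic rule.
SAMPLE = """\
region = "us-east-1"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
API_PASSWORD = 'c0rrect-horse-battery'
-----BEGIN RSA PRIVATE KEY-----
MIIEow...
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "config.py"):
        print(f"{f.path}:{f.line}: {f.rule}: {f.preview}")
```

Running the block reports the AWS key ID on line 2, the hard-coded password on line 4 and the private-key header on line 5, each with only a four-character prefix visible; `scan_repo` applies the same logic to a directory, which is the shape a pre-commit hook or CI job would take. Note that scanning the working tree alone misses secrets that were committed and later removed; a history-aware scan has to walk every commit.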
With these new tools, GitHub is working to address security issues at a vast scale. Though not all open source projects rely on GitHub, the majority do, and the platform is as much a social network for the community as a development tool. By offering features like Advanced Security, GitHub can create an environment where more projects in the diverse landscape of open source have access to the same types of tools large companies build to improve and safeguard their proprietary code.
"The truth is for most maintainers they become maintainers by accident," says GitHub CEO Nat Friedman. "They make something, it becomes widely used and then suddenly they’re in this position of responsibility with regards to computer security—maybe for banks, for governments. They may not have a background in security and yet we have to make sure that the code they publish is secure. So the challenge is to make it automatic and make it natural."