This is part three of our GitHub series, where we have covered GitHub and Application Security, GitHub Dependabot, and now GitHub CodeQL. Following this blog, we will cover GitHub Secret Scanner. Some additional resources that might be helpful are the two blogs How GitHub Uses Dependabot and What are Software Dependencies. Let’s dive into CodeQL!
Dependabot is a dependency monitoring tool built into GitHub that helps keep dependencies up to date. On the schedule you configure, it checks your dependency manifests for outdated requirements and opens an individual pull request (PR) for each one it finds. Users can then review and merge each PR and get to work on the latest, most secure release.
When a user checks in a vulnerable dependency, or a new vulnerability is disclosed in a dependency already in use, Dependabot raises a security alert for it. Dependabot alerts and Dependabot security updates draw on the GitHub Advisory Database, which aggregates the National Vulnerability Database and other sources of vulnerabilities in open source packages. If Dependabot finds a vulnerability in a package a repository uses, it sends an alert; if a fixed version exists, it also opens a PR that updates the manifest or lockfile to the lowest version that resolves the vulnerability.
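The schedule, manifests and PR behaviour described above are controlled by a `.github/dependabot.yml` file. The file below is an added example, not configuration from the original post or from Tromzo; the ecosystems, directories, labels and the ignored `django` major bump are illustrative choices. Alerts and security updates are switched on per repository in its settings and do not need this file; the file turns on version updates.

```yaml
# .github/dependabot.yml (added example; values are illustrative)
version: 2
updates:
  # Version updates for the npm manifest at the repository root, checked weekly.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    # Group minor and patch bumps into one PR so reviewers see fewer, larger updates.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # A Python service in a subdirectory, checked daily.
  - package-ecosystem: "pip"
    directory: "/services/api"
    schedule:
      interval: "daily"
    ignore:
      # Skip major bumps of a framework that needs a planned migration.
      - dependency-name: "django"
        update-types: ["version-update:semver-major"]

  # Keep the actions pinned in CI workflows current as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

One `updates` entry is needed per manifest location, so a monorepo with several services needs several entries; a manifest with no entry is not watched for version updates, which is exactly the gap a CI guardrail should check for.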
This year, Black Hat launched a new competition, Innovation Spotlight, which asked cybersecurity startups that are less than two years old and have fewer than 50 employees to submit a 5-minute video highlighting the company's product and detailing the impact the product will have on the community. Because of the high volume of submissions, the notification date was pushed out by two days. On July 14th, Tromzo received the amazing news that we were named as one of four finalists alongside Key Caliber, Normalyze, and Phylum.
GitHub is the largest code hosting and collaboration platform for software engineers, programmers, and developers. Because its version control tracks file content rather than file names, GitHub makes it easy for developers to rename, split, and reorganize project files without restrictions. They can simply keep adding new files to the repository and revisit any earlier version of the project code almost immediately.
The main reasons developers LOVE GitHub:
Streamlines the development process
Allows for easier collaboration
Lets external parties see changes and contribute to the code
Version control, so the latest revisions can be tracked and earlier ones recovered
Software dependencies: a code library or package that is reused in a new piece of software. Software dependencies come in two forms:
Direct: Libraries or packages your code calls directly (i.e. your binary calls a method or function of another binary), and which appear in your own manifest.
Transitive: Libraries or packages your dependencies call. These are dependencies of dependencies (i.e. your binary reaches another binary only through an intermediary), and they usually do not appear in your manifest at all, only in the lockfile.
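The direct/transitive distinction matters most when a vulnerability lands in a transitive package: the developer cannot bump it directly and has to find which direct dependency pulls it in. The script below is an added example, not code from the original post or from Tromzo; the dependency graph and the set of flagged packages are constructed for illustration (the names are real packages, but the vulnerabilities are hypothetical). It classifies every reachable package as direct or transitive and, for each flagged one, lists the dependency chains and the direct dependency to act on.

```python
"""Classify dependencies as direct or transitive and trace flagged ones.

Added example; the graph and the flagged set are constructed, not taken from a
real lockfile or advisory feed. In practice the graph would come from a lockfile,
an SBOM, or the dependency graph API, and the flagged set from Dependabot alerts.
"""
from collections import deque

# Constructed graph: each key maps to the set of packages it requires directly.
# The application's own manifest declares only the direct dependencies of "app".
DEP_GRAPH = {
    "app": {"requests", "flask"},
    "requests": {"urllib3", "idna", "charset-normalizer", "certifi"},
    "flask": {"werkzeug", "jinja2", "click"},
    "jinja2": {"markupsafe"},
    "werkzeug": {"markupsafe"},
    "urllib3": set(), "idna": set(), "charset-normalizer": set(),
    "certifi": set(), "click": set(), "markupsafe": set(),
}

# Constructed: packages an advisory feed flagged (hypothetical, not real advisories).
# "lodash" is flagged but not in this tree, to show that such alerts need no action.
VULNERABLE = {"urllib3", "markupsafe", "lodash"}


def classify(graph, root="app"):
    """Return {package: "direct" | "transitive"} for everything reachable from root."""
    direct = set(graph.get(root, ()))
    seen, queue = set(), deque(direct)
    while queue:                           # breadth-first walk of the whole tree
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, ()))
    return {p: ("direct" if p in direct else "transitive") for p in seen}


def paths_to(graph, target, root="app"):
    """All dependency chains from root to target, as lists of package names.

    The second element of each chain is the direct dependency a developer must
    bump or replace to remove the flagged transitive package.
    """
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in sorted(graph.get(node, ())):
            if child not in path:          # guard against cycles in real graphs
                walk(child, path + [child])

    walk(root, [root])
    return found


def triage(graph, vulnerable, root="app"):
    """Map each flagged, reachable package to its kind and the direct deps that pull it in."""
    kinds = classify(graph, root)
    report = {}
    for pkg in sorted(vulnerable):
        if pkg not in kinds:
            continue                       # flagged but not in our tree: nothing to fix
        chains = paths_to(graph, pkg, root)
        report[pkg] = {
            "kind": kinds[pkg],
            "via": sorted({chain[1] for chain in chains}),
            "chains": chains,
        }
    return report


if __name__ == "__main__":
    for pkg, info in triage(DEP_GRAPH, VULNERABLE).items():
        print(f"{pkg}: {info['kind']} dependency, introduced via {', '.join(info['via'])}")
        for chain in info["chains"]:
            print("   " + " -> ".join(chain))
```

Running it reports `urllib3` as a transitive dependency reached only through `requests`, and `markupsafe` as a transitive dependency reached through `flask` by two chains (via `jinja2` and via `werkzeug`); `lodash` is dropped because nothing in the tree depends on it. The `via` field is the triage signal: it tells the owning team which manifest line to change.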
By using pre-built software dependencies, developers can deliver software faster and on shorter release cycles. Yet dependencies introduce risks that are often overlooked. That is where Tromzo comes in with our unified developer-first application security management platform to:
Aggregate all dependencies (from GitHub, Snyk, Aqua, etc.) and attach ownership metadata to them, so your AppSec team knows which developers and which teams own which dependencies. We also pull in licensing data and how current each dependency is relative to its latest release.
Implement security guardrails in CI/CD to enforce policies, guaranteeing proper hygiene of dependencies and ensuring every repository or container is scanned by a dependency/container scanner.
Automate vulnerability management by preventing insecure versions of dependencies from being introduced, and automatically triage vulnerabilities based on whether the affected package is a direct or transitive dependency, whether it sits in a high-risk code repository, and whether that repository is an unused internal one.
It is a tale as old as time, or in this case, a tale as old as code. Since the inception of applications, Security and Development teams have struggled to find a good balance between delivery/deployment speed and implementing security. This tale was only exacerbated by the digital transformation, in which DevOps propelled applications and infrastructure forward and created a self-service culture. This movement has enabled developers to go from code to cloud in hours, which has been a phenomenal advancement for organizations. Where AppSec teams are struggling is that legacy AppSec systems and processes impede security teams from scaling at the speed of their development counterparts. This has led to a lack of visibility and control over security risks, leaving AppSec teams unprepared to govern and secure the modern SDLC.
Additionally, we cannot expect developers to be security experts on top of their core goals. Organizations should, however, empower their developers by giving them access to secure frameworks, libraries, and defaults, making the most secure option the easiest choice. Security guardrails are designed to help organizations do exactly that.