Microsoft buys Semmle in a bid to bulk out GitHub security
Source: devclass.com
Microsoft has boosted its security play via GitHub by buying code analysis firm Semmle in a pairing the firms hope will make hunting and fixing vulnerabilities as easy as a pull request.
Semmle has two main products, QL, a code analysis engine for product security teams to quickly find zero-days and variants of critical vulnerabilities, and LGTM aimed at development teams to identify vulnerabilities before they can creep into production.
In a blog post, GitHub CEO Nat Friedman explained, "Semmle's revolutionary semantic code analysis engine allows developers to write queries that identify code patterns in large codebases and search for vulnerabilities and their variants."
He added, "Security researchers use Semmle to quickly find vulnerabilities in code with simple declarative queries. These teams then share their queries with the Semmle community to improve the safety of code in other codebases."
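To make "declarative queries" concrete, here is an added example of what a Semmle QL query looks like; it is not code from the article, from GitHub or from Semmle, and it assumes a QL database built from some C or C++ project (the project itself is hypothetical). Rather than matching a single bug, it matches a whole pattern, which is the "variants" point Friedman makes above: every call to an unbounded copy routine whose destination is a fixed-size array, the classic stack buffer overflow shape.

```ql
/**
 * Added example (not from the article): a QL query over the standard C/C++
 * QL library that hunts a bug class rather than one instance. It flags calls
 * to unbounded string-copy functions whose destination is a fixed-size array.
 * The QL database it runs against (built from a C/C++ project) is assumed.
 * @name Unbounded copy into fixed-size buffer
 * @kind problem
 * @problem.severity warning
 */

import cpp

/** The classic unbounded copy functions; a variant hunt extends this list. */
predicate isUnboundedCopy(Function f) {
  f.hasGlobalName("strcpy") or
  f.hasGlobalName("strcat") or
  f.hasGlobalName("sprintf") or
  f.hasGlobalName("gets")
}

from FunctionCall call, VariableAccess dest, ArrayType buf
where
  isUnboundedCopy(call.getTarget()) and
  // for all four functions the first argument is the destination buffer
  dest = call.getArgument(0) and
  // the variable being written to is declared as an array with a fixed size
  buf = dest.getTarget().getType().getUnspecifiedType() and
  buf.getArraySize() > 0
select call,
  "Unbounded copy via " + call.getTarget().getName() +
    " into fixed-size buffer '" + dest.getTarget().getName() + "' (" +
    buf.getArraySize().toString() + " elements)."
```

The size reported is in array elements (bytes only for `char` arrays), and the query deliberately does not try to prove the copy actually overflows; it surfaces every instance of the pattern so a reviewer can triage them, which is the workflow the article describes. Sharing such a query alongside a CVE is what lets other code bases check themselves for the same bug.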
You can see where this is going.
GitHub product SVP Shanku Niyogi went on to claim in another post that "The security lifecycle is broken," with identifying vulnerabilities being a manual, ad hoc process, and disclosures "often not made responsibly, if they're made at all."
Equally importantly, depending on your point of view, fixes are often made outside normal open source workflows, developers often don't get alerts, and "Updating vulnerable dependencies takes too long or simply doesn't happen at all."
So, Niyogi wrote, "In the same way the pull request created a standard process for managing contributions, the ecosystem needs better-defined processes for managing vulnerabilities in open source code. This is what we're setting out to build at GitHub."
He added that GitHub has been approved as a CVE Numbering Authority for open source projects, which means "We'll be able to issue CVEs for security advisories opened on GitHub, allowing for even broader awareness across the industry."
Over at Semmle, Oege de Moor wrote, "All this is happening today, but on a modest scale. True adoption will mean that every CVE comes with a Semmle query."
"GitHub's recent moves to secure the ecosystem (with maintainer security advisories, automated security fixes, token scanning, and many other advances in secure development) are all pieces of the same puzzle. The Semmle vision and technology belong at GitHub."
De Moor pledged "no disruption to existing users of Semmle products. LGTM.com will remain free for public repositories and open source, and it'll continue its open source research."
The move is the latest in a security race between GitHub and rival repo manager cum DevOps platform GitLab. GitHub bought Dependabot earlier this year, as well as adding further security features off its own bat. GitLab hoovered up Gemnasium last year.
GitHub's announcement came a day after GitLab said it had raised $268m, part of which would go to further boosting its security operations. Though presumably its potential shopping list is slightly shorter today than it was a week ago.