Repo manager keeps its developer-driven promise with fresh security updates

Following its acquisition by Microsoft for $7.5 billion in stock last year, GitHub was keen to stress it would be business as usual, maintaining its independence and “developer-first” ethos.

And the introduction of a series of security improvements for the repository hosting service aims to do just that, by giving businesses and users better visibility of their collaboration and dependencies.

Take, for example, the beta launch of organization insights, a new function that allows GitHub Enterprise users to monitor how their organizations are collaborating on the platform.

“This allows large enterprises to get a deeper look into software development trends at their organizations and helps them stay ahead of their talent needs, where the future is taking them, and which languages are being used the most,” Mario Rodriguez, senior product director for GitHub Enterprise, told The Daily Swig.

“In addition, companies going through a DevOps transformation who are looking to improve their code reuse, code review practices, and overall collaboration now have valuable insights aggregated across their development teams.”

Also new is dependency insights, providing built-in auditing and reporting functions for the open source projects that an enterprise depends on.

This includes the ability to drill down on security vulnerabilities and open source licenses with a simple dashboard, says senior product manager of security, Justin Hutchings.

“We know that modern software development organizations rely on increasing amounts of open source code, but like any code, open source code is not without risks,” Hutchings said.

“When we talk to customers, they tell us that they’re worried about what happens if they miss a security vulnerability or accidentally ship something that depends on a very restrictive license.

“With this new dashboard, enterprises can easily identify what licenses they’re using, who they’re getting their projects from, who’s contributing, and more.”

The latest improvements come as GitHub marks five years of its successful bug bounty program, which also continues to expand.

In 2018 alone, it paid out $250,000 to researchers through this and other initiatives, such as awarding grants to researchers. Bounty levels have been bumped up, with the most critical vulnerabilities now attracting more than $30,000.

GitHub has also improved its Legal Safe Harbor terms with the promise that good-faith violations of its bounty policy will be protected and authorized, and says it will do its best to protect users from third parties that don’t have the same level of protection.

Frontline protection

In March last year, GitHub suffered a major distributed denial-of service (DDoS) attack. Indeed, this is believed to have been the biggest ever recorded.

The company immediately called in the services of its DDoS mitigation service Akamai Prolexic, which took over all traffic and routed it through its scrubbing centers to identify and block malicious packets; within minutes, the attack had dropped off.

Since then, says Sam Kottler, senior manager of infrastructure, GitHub has ramped up network capacity within its facilities around the world.

“We’ve significantly grown our transit capacity over the years, which has allowed us to withstand certain volumetric attacks without impact to users,” he told The Daily Swig.

“We’re continuing to deploy additional transit capacity, add points of presence, and develop robust peering relationships across a diverse set of exchanges.”


RELATED Safe harbor needs to be built to provide haven for ethical hackers