It has been announced that GitHub has opened up its Security Advisory Database to community contributions with the aim of furthering the security of the software supply chain. Independent security researchers, academics, and enthusiasts are now able to submit their own research on security vulnerabilities to the open source development platform, providing further insight into existing vulnerabilities.

Jonathan Knudsen , Senior Security Strategist
InfoSec Expert
February 25, 2022 4:27 pm

Accurate, timely, and consistent vulnerability information about open source software components is a crucial part of securing a software supply chain and driving down risk. The National Vulnerability Database (NVD) from US NIST attempts to be a list of all known vulnerabilities in any piece of software, but its shortcomings are well known. In an industry where hours can make a difference, new known vulnerabilities can take weeks to appear in NVD. Furthermore, severity scoring lacks consistency, and metadata such as the affected versions of software can be unreliable.

The problems with NVD are addressed by various security vendors with enhanced vulnerability databases, such as Synopsys’s Black Duck Security Advisories (BDSA). A dedicated team of security researchers provides much faster, more consistent, more reliable information for paying customers.

GitHub’s Advisory Database is another enhanced vulnerability database, but is publicly available and can be enhanced by community submissions. While a crowdsourced vulnerability database is an interesting idea, only time will tell if it is successful. What’s the motivation for contributors? How fast, accurate, and consistent can community contributions be?

Perhaps the combination of (1) focus on open source projects, (2) freely available information, and (3) community support will make the GitHub Advisory Database a perfect fit for the open source community, but paying customers are likely to continue requiring the speed, accuracy, and consistency of commercial enhanced vulnerability databases.

Last edited 9 months ago by Jonathan Knudsen
Gary Robinson
InfoSec Expert
February 24, 2022 12:52 pm

GitHub has an impressive community and all efforts to make it easier to flag security issues are welcomed.

While there have always been efforts in the security community to have an open discussion on security issues in open source libraries, it’s been slightly more directed at security practitioners. Hopefully this feature in GitHub will make it easier for everyone to submit potential security issues.

It’s been recognized over the last few years that the number of security issues being raised is rapidly growing – in 2015 6,504 CVEs were recognized, while in 2021 that more than tripled to 20,142 – and the security community dealing with reviewing these submissions has been under pressure, especially at the governmental level.

It remains to be seen what volume of new security issues this feature will add, and it would be interesting to see metrics on the number of successful, duplicate, and rejected submissions to monitor how the process is working.

Last edited 9 months ago by Gary Robinson
Information Security Buzz