GitHub tempts enterprises with Semmle, security enhancements

GitHub's recent improvements to security and added programs aimed at corporate developers show how the software development platform provider is trying to score big in the enterprise.

With GitHub's September 2019 acquisition of Semmle and its QL code analysis engine, it will allow security researchers and development teams to use the tool to identify security vulnerabilities through variant analysis. GitHub will extend the Semmle capabilities to the more than 100 million repositories and enterprises as part of its continuous integration tests that run on GitHub Actions.

"GitHub has focused a good bit recently on security and I think they're saying we can manage the source code, validate all your source is secure, build your source and thus you have a managed or curated set of source, components and deliverables in a secure supply chain," said Thomas Murphy, a Gartner analyst.

Comprehensive security features are crucial to enterprise acceptance of any technology. By shoring up the quality and security of the software repositories it hosts, GitHub becomes more attractive to development teams -- large and small.

"We're going to support that lone Ruby developer just as much as that large-scale maintainer in an enterprise," said Dana Lawson, Github's vice president of engineering.

Moreover, "You're going to see this continuation of doubling down on security for the enterprise," she added.

Indeed, as home for most of the world's open source software, GitHub has a responsibility to do more to ensure it is secure, according to Shanku Niyogi, senior vice president of product at GitHub, in a blog post.

GitHub has focused a good bit recently on security and I think they're saying we can manage the source code, validate all your source is secure, build your source and thus you have a managed or curated set of source, components and deliverables in a secure supply chain.

GitHub has also become a Common Vulnerabilities and Exposures (CVE) Numbering Authority to make it easier for source code maintainers to report vulnerabilities directly from their repositories. And GitHub will assign a CVE ID, post to the CVE List and then to the National Vulnerability Database on the maintainer's behalf. This could potentially expose more vulnerabilities, Gartner's Murphy said. Semmle has found more than 100 CVEs in open source projects.

GitHub has also introduced a free, 14-day trial of GitHub Enterprise Cloud. The offer provides access to GitHub Actions, which has built-in CI/CD as well as an ecosystem of community-built workflows and actions; GitHub Package Registry, which supports JavaScript, RubyGems, Java, NuGet, and Docker; Dependabot, which helps users automate fixes, as it keeps their projects secure by monitoring dependencies and automatically opening pull requests to fix known vulnerabilities; and the Enterprise Cloud, which facilitates connecting instances, streamlining billing, creating company-wide security policies and more.

GitHub and other developer communities now realize that enterprises are at the cusp of shifting their businesses to cloud-native technologies, such as multi-cloud management, said Charlotte Dunlap, an analyst at GlobalData in Santa Cruz, Calif.

"This shift is the result of key OSS innovations such as Kubernetes, which have been behind numerous vendor releases enabling rapid operational provisioning for moving apps into production," she said.