GitHub dependency graph delivers: 4M open-source vulnerabilities exposed

When GitHub introduced its dependency graph service in November to help developers track vulnerabilities in the open source code they use in their applications, it remained to be seen whether the service could move the needle in app security. Now, preliminary results from GitHub indicate that its alerting system is making significant strides in protecting programs that use open source code.

When GitHub compared dependency graphs of all public libraries with a list of vulnerable libraries in Ruby and JavaScript, the result was a staggering 4 million vulnerabilities in more than 500,000 repositories, which went out as alerts to repository administrators. Remarkably, by December 1, more than 450,000 vulnerabilities had been resolved by repository owners. They either removed the dependency or changed it to a secure version.

When GitHub announced its alert system, some skeptics pointed out that alerting administrators to vulnerabilities doesn't mean they're going to fix them, but GitHub's experience so far seems to contradict that assertion. GitHub has found that nearly 50% of alerts are acted on in a week, 30% are resolved in seven days, and another 15% are dismissed in the same time period. Most of the remaining alerts are in stale repositories that haven't been active in at least 90 days.

Christopher O’Rourke, founder and CEO of the security consulting company Soteria, said the data was novel and welcomed, and he was heartened by the responsiveness.

"I wish we could get that kind of response from the rest of the security world. This shows that people want to react to this information. They just didn't have it before."
Christopher O’Rourke


Dependency graph fills a gap in app sec

Before GitHub developed its security alerts, developers had no effective way of being notified of vulnerabilities in code dependencies. Frank Moyer, CTO of the mobile development tools company Kobiton, noted that an indirect dependency code-tree could be more than 10 levels deep, so it came as no surprise that vulnerabilities went undetected. "GitHub's vast access to source code uniquely positions them to analyze these dependencies and alert developers when a vulnerability is discovered in one," he said.

Moyer said GitHub security alerts were a game-changer for source code.

"Just as McAfee helped raise awareness for desktop security, GitHub is raising awareness for application source code security. Naturally, increased awareness drives down the time it takes to eliminate insecurities from source code."
Frank Moyer

While developers appear keen to act on the information they're getting from GitHub, that might not be the case with enterprises, many of which cache "approved" versions of components in local repositories. Tim Mackey, a technical evangelist at Black Duck Software, said enterprises do that to ensure that whatever happens upstream doesn't break their applications.

"From a security perspective, a barrier to information flow is created, which limits the effectiveness of GitHub's efforts to apply the dependency information to a security problem," Mackey said.

Reality check: How big of a gap?

However, Jeff Williams, CTO and co-founder of Contrast Security, said that while applications use an average of 1.2 vulnerable libraries, there are far more vulnerabilities in an app's custom code—26.7 on average. "[While] updating these weak components is important, it is just a small part of making applications secure."

But Williams noted that GitHub's alert system was helping developers address vulnerabilities faster. "I strongly believe that this type of notification makes it much more likely that developers will see these problems and get them fixed quickly," Williams said. "Running scanning tools that generate PDF reports is just too time-consuming and breaks the software development workflow.

"GitHub has found an effective way to make security 'just work.'"
Jeff Williams

Randall Degges, head of developer advocacy at the identity management provider Okta, said that before the dependency graph alert system, many developers used tools to recursively parse through their project's dependencies, then scrutinize them for issues. Not anymore. "Not only does the dependency graph functionality remove that burden from individual developers, it keeps dependencies front-of-mind and helps developers proactively avoid issues before they arise."
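The matching step the article describes (walk a project's dependency tree, transitive levels included, and compare every package version against a list of vulnerable libraries) is easy to underestimate until you see it on a tree that is more than ten levels deep. The following is an added example, not GitHub's code and not code from any company quoted here. It assumes a lock file shaped like npm's package-lock.json v1 (nested `dependencies` objects) and an OSV-style advisory list with `introduced` and `fixed` versions; all package names, versions and the `ADV-EXAMPLE-*` advisory ids are constructed for the example.

```javascript
// Added example: flatten a nested lock-file dependency tree and match each
// package@version against constructed advisories. Not GitHub's implementation.

// Constructed advisory list (hypothetical packages, not real CVEs).
// A version is vulnerable when introduced <= version < fixed.
const ADVISORIES = [
  { id: "ADV-EXAMPLE-1", pkg: "html-escaper", introduced: "0.0.0", fixed: "1.0.0" },
  { id: "ADV-EXAMPLE-2", pkg: "ansi-color", introduced: "1.0.0", fixed: "1.2.1" },
  { id: "ADV-EXAMPLE-3", pkg: "web-framework", introduced: "3.0.0", fixed: "4.0.0" },
];

// Build a chain dep-1 -> dep-2 -> ... -> leaf, to mimic a deep transitive path.
function makeChain(depth, leafDeps) {
  let node = leafDeps;
  for (let i = depth; i >= 1; i--) {
    node = { [`chain-${i}`]: { version: "1.0.0", dependencies: node } };
  }
  return node;
}

// Constructed lock file in package-lock.json v1 style. Note that the
// top-level html-escaper is a fixed version while a nested copy is not.
const LOCK = {
  name: "example-app",
  version: "1.0.0",
  dependencies: Object.assign(
    {
      "web-framework": {
        version: "4.2.0",
        dependencies: {
          "template-engine": {
            version: "2.0.1",
            dependencies: { "html-escaper": { version: "0.9.5" } },
          },
          "body-parser-ish": { version: "1.1.0" },
        },
      },
      logger: { version: "3.0.0", dependencies: { "ansi-color": { version: "1.2.0" } } },
      "html-escaper": { version: "1.0.0" },
    },
    makeChain(12, { "ansi-color": { version: "1.2.0" } })
  ),
};

// Numeric major.minor.patch comparison; pre-release tags are ignored here.
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
function inVulnerableRange(version, adv) {
  const afterIntroduced = compareVersions(version, adv.introduced) >= 0;
  const beforeFixed = adv.fixed === undefined || compareVersions(version, adv.fixed) < 0;
  return afterIntroduced && beforeFixed;
}

// Recursively flatten the tree; depth 1 is a direct dependency.
function flattenLock(deps, parentPath = []) {
  const out = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...parentPath, `${name}@${entry.version}`];
    out.push({ name, version: entry.version, depth: path.length, path });
    out.push(...flattenLock(entry.dependencies, path));
  }
  return out;
}

// One alert per vulnerable occurrence, shallowest first.
function findAlerts(lock, advisories) {
  const alerts = [];
  for (const dep of flattenLock(lock.dependencies)) {
    for (const adv of advisories) {
      if (adv.pkg === dep.name && inVulnerableRange(dep.version, adv)) {
        alerts.push({ id: adv.id, pkg: dep.name, version: dep.version, fixed: adv.fixed,
          depth: dep.depth, path: dep.path.join(" > ") });
      }
    }
  }
  return alerts.sort((a, b) => a.depth - b.depth);
}

// Collapse alerts to the distinct pkg@version pairs that need a bump.
function uniqueFindings(alerts) {
  const findings = {};
  for (const a of alerts) {
    const key = `${a.pkg}@${a.version}`;
    findings[key] = findings[key] || { fixed: a.fixed, occurrences: 0, paths: [] };
    findings[key].occurrences += 1;
    findings[key].paths.push(a.path);
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const a of findAlerts(LOCK, ADVISORIES)) {
    console.log(`${a.id}: ${a.pkg}@${a.version} (fixed in ${a.fixed}) depth ${a.depth}\n  ${a.path}`);
  }
}
```

Run with `node` to print the alerts. Two details worth noticing: the fixed top-level `html-escaper@1.0.0` does not clear the vulnerable copy nested under `template-engine`, which is why the whole tree is flattened rather than only the direct dependencies; and the same `ansi-color@1.2.0` shows up at depth 2 and at depth 13, so `uniqueFindings` is what tells a maintainer how many distinct upgrades actually resolve the alerts.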

Making vulnerabilities more apparent to developers and encouraging them to be proactive in addressing flaws will help GitHub move the needle in application security, noted Degges.

"The more visible and proactive security becomes, the farther we'll move away from the current failed model of retroactive security."
Randall Degges

If the alert system's early success continues, then the needle is going to move, reasoned Keith Meyers, director of development at QASymphony. "As long as the alert resolution rate remains high for a majority of the repositories, there should be an overall increase in market app integrity, quality, and security," he said.

Dependency graph alerts may move the needle, but only a tiny bit, maintained Williams. He noted that known vulnerabilities, such as those found by the dependency graph, are only a small part of the problem.

Big picture, in scope

While many people point out that 80% to 90% of applications are libraries, the "actual facts are telling," he said. In fact, 72% of libraries are never invoked at all, and there is almost three times more custom code in the average application than the library code that the application actually used. "That doesn’t mean they aren't important," Meyers said. "But don’t lose sight of the big picture here."

GitHub said that security alerts are opening the door for new ways to improve code checking and generation by combining publicly available data with its unique data set, and that more ways to create safer code are on the way. "It’s clear that GitHub is going to continue its initiative to bring more security tools for the open-source software ecosystem," said Arseny Reutov, head of research for the application security tools development team at Positive Technologies.

"This is great news for application security, as serious security issues may be prevented at scale by GitHub."
Arseny Reutov

Reutov said that scale could be leveraged in the future beyond dependency checking, including automatic repository scanning for hard-coded credentials or even static analysis capabilities.
