GitHub issues final report on supply-chain source code intrusions – Naked Security

Early in April 2022, news broke that various users of Microsoft’s GitHub platform had suffered unauthorized access to their private source code.

GitHub has now updated its incident report to say that it is “In the process of sending the final expected notifications to GitHub.com customers who had either the Heroku or Travis-CI OAuth app integrations authorized in their GitHub accounts.”

The good news is that GitHub itself was not breached, so this is not cause for general concern for every GitHub user.

The bad news is that indirect intrusions of this sort are hard to predict.

GitHub, if you’ve never used it, is a cloud-based source code control system, best known for hosting the public repositories of many open source software projects.

Source code control systems do not just ensure that the latest version of your software is available for download, but also maintain a complete history of all changes and why they were made (and, if necessary, why they were later rejected).

Source control systems typically also provide historical lists of official releases, tools for supporting and maintaining different release versions alongside each other, and online forums for reporting bugs and suggesting changes.

You’ve probably heard the jargon term pull request, which refers to a proposed change for which a contributor provides a potential code update, along with a justification for it. To the person making the suggestion, of course, it’s essentially a push request, aiming to inject new code into the system; if approved by the project team, the code gets pulled, or merged, into the codebase and becomes an official part of the project.

Source code control gives software projects a formal record of changes, which makes hunting down new bugs much easier because each change can be reviewed and re-tested individually.

It also makes it easier for developers scattered around the world to co-operate efficiently without inadvertently trampling on each others’ suggested updates.
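As an added example (not code from the original article), here is the “re-test each change individually” idea in practice using git, the version control system behind GitHub repositories. The script builds a throwaway repository with ten constructed commits, one of which plants a marker line standing in for a bug, and lets `git bisect run` replay the history to find the first commit that introduced it. The repository contents, commit messages and author identity are all constructed for the example.

```shell
#!/bin/sh
# Added example: find the commit that introduced a bug by re-testing history
# with `git bisect`. Everything in the repository below is constructed.
set -e

find_bad_commit() (
  set -e
  work=$(mktemp -d)
  cd "$work"
  git init -q
  git config user.email "dev@example.invalid"   # constructed identity
  git config user.name "Example Dev"

  # Ten commits, each appending one line; commit 7 plants the "bug" marker.
  i=1
  while [ "$i" -le 10 ]; do
    if [ "$i" -eq 7 ]; then
      printf 'BUG\n' >> app.txt
    else
      printf 'ok %s\n' "$i" >> app.txt
    fi
    git add app.txt
    git commit -q -m "change $i"
    i=$((i + 1))
  done

  # Mark the current tip as bad and the first commit as good, then let git
  # check out the midpoints and run the test on each one. The test command
  # exits 0 (good) when the marker is absent and 1 (bad) when it is present.
  git bisect start HEAD HEAD~9 >/dev/null
  bad=$(git bisect run sh -c '! grep -q BUG app.txt' \
        | sed -n 's/^\([0-9a-f]\{40\}\) is the first bad commit$/\1/p')
  git bisect reset >/dev/null 2>&1

  # Report the subject line of the offending commit, then clean up.
  git log -1 --format=%s "$bad"
  cd /
  rm -rf "$work"
)

find_bad_commit
```

Because each commit is a self-contained unit with its own message, the bisection needs only a handful of test runs (about log2 of the number of commits) to pin the regression on a single change, which is exactly why a clean commit history makes bug hunting cheaper.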

Examples of popular open source projects hosted on GitHub include the cryptographic library OpenSSL, Microsoft’s own scripting language PowerShell, and the privacy-centric alternative browser Brave.

But not all GitHub projects are public, open-source repositories of code.

Many organizations use cloud-based tools like GitHub to host proprietary, closed-sourced projects that they do not want to become public knowledge.

Startups, for instance, may not want potential competitors to know that they’re working on project X, or even that they’re experimenting in field Y at all.

Established software companies may have existing products that include algorithms and other intellectual property that they do not want competitors to be able to clone easily.
