AppSec is harder than you think. Here’s how AI can help.
In practice, shifting left has been more about shifting the burden rather than the ability. But AI is bringing its promise closer to reality. Here’s how.
GitHub received a bug bounty report of a vulnerability that allowed access to the environment variables of a production container. We have patched GitHub.com and rotated all affected credentials. If you have hardcoded or cached a public key owned by GitHub, read on to ensure your systems continue working with the new keys.
The GitHub Security Lab teamed up with Ekoparty once again to create some challenges for its yearly Capture the Flag competition!
When socializing a new security tool, it IS possible to build a bottom-up security culture where engineering has a seat at the table. Let's explore some effective strategies witnessed by the GitHub technical sales team to make this shift successful.
Developers care about security, but poorly integrated tools and other factors can cause frustration. Here are five best practices to reduce friction.
Learn about how we run a scalable vulnerability management program built on top of GitHub.
This blog post describes two linked vulnerabilities found in Frigate, an AI-powered security camera manager, that could have enabled an attacker to silently gain remote code execution.
Using CVE-2023-43641 as an example, I’ll explain how to develop an exploit for a memory corruption vulnerability on Linux. The exploit has to bypass several mitigations to achieve code execution.
Learn how researchers and security experts at GitHub, Microsoft, and Santander came together to address the challenges presented by the post-quantum cryptography world.
The GitHub Security Lab examined the most popular open source software running on our home labs, with the aim of enhancing its security. Here's what we found and what you can do to better protect your own smart home.
Improve your GitHub Action’s security posture by securing your source repository, protecting your maintainers, and making it easy to report security incidents.
Learn about how GitHub Advanced Security’s new AI-powered features can help you secure your code more efficiently than ever.
We’re excited to highlight another top contributing researcher to GitHub’s Bug Bounty Program—@Ammar Askar!
The effectiveness of a static application security solution hinges on its ability to provide extensive vulnerability coverage and support for a wide range of languages and frameworks. Today, we’re highlighting two releases that’ll help you discover more vulnerabilities in your codebase, so you can ship more secure software.
In this post, I'll exploit CVE-2023-4069, a type confusion in Chrome that allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.
CVE-2023-43641 is a vulnerability in libcue, which can lead to code execution by downloading a file on GNOME.