Security News

Serious Vulnerability in GitHub Enterprise Earns Researcher $20,000
2020-10-20 12:33

A security researcher says he has earned $20,000 for a high-severity GitHub Enterprise vulnerability that might have allowed an attacker to execute arbitrary commands. GitHub Enterprise, the on-premises version of GitHub.com, is designed to make it easier for large enterprise software development teams to collaborate.

GitHub envisions a world with fewer software vulnerabilities
2020-10-13 05:00

"So much of the world's development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code," Grey Baker, GitHub's Senior Director of Product Management, told Help Net Security. GitHub's own engine can analyze code written in C, C++, C#, Java, JavaScript, TypeScript, Python and Go, but because the code scanning feature is built on the open SARIF standard, it can also ingest results from third-party analysis engines available from the GitHub Marketplace.
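The interoperability point above rests on every engine speaking the same results format. As an added illustration (example code written for this page, not GitHub's or any vendor's), the following Python builds a SARIF 2.1.0 log from a hypothetical scanner's native findings and then reads it back the way a tool-agnostic consumer would. The scanner name, rule IDs and findings are constructed; the field names follow the public SARIF 2.1.0 schema.

```python
"""Minimal SARIF 2.1.0 producer and consumer (added example, not GitHub code)."""
import json

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = ("https://raw.githubusercontent.com/oasis-tcs/sarif-spec/"
                "master/Schemata/sarif-schema-2.1.0.json")

# A tool's own severity names mapped onto SARIF's fixed result levels.
LEVELS = {"high": "error", "medium": "warning", "low": "note"}

# Constructed findings, as a hypothetical scanner might hold them internally.
SAMPLE_FINDINGS = [
    {"rule_id": "SQLI-001", "title": "SQL built from untrusted input",
     "severity": "high", "file": "app/db.py", "line": 42,
     "message": "Query string concatenates request parameter 'user'."},
    {"rule_id": "SQLI-001", "title": "SQL built from untrusted input",
     "severity": "high", "file": "app/reports.py", "line": 17,
     "message": "Query string concatenates request parameter 'month'."},
    {"rule_id": "HASH-002", "title": "Weak hash algorithm",
     "severity": "low", "file": "app/auth.py", "line": 9,
     "message": "MD5 used for password storage."},
]


def to_sarif(tool_name, tool_version, findings):
    """Convert native findings into a SARIF 2.1.0 log.

    Each rule is declared once under tool.driver.rules; every result points
    back at it with ruleId/ruleIndex. A consumer such as code scanning uses
    the rule entry for the alert title and the default severity.
    """
    rules, rule_index, results = [], {}, []
    for f in findings:
        if f["rule_id"] not in rule_index:
            rule_index[f["rule_id"]] = len(rules)
            rules.append({
                "id": f["rule_id"],
                "shortDescription": {"text": f["title"]},
                "defaultConfiguration": {"level": LEVELS[f["severity"]]},
            })
        results.append({
            "ruleId": f["rule_id"],
            "ruleIndex": rule_index[f["rule_id"]],
            "level": LEVELS[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": SARIF_VERSION,
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": rules}},
            "results": results,
        }],
    }


def summarize_sarif(log):
    """Consume a SARIF log without knowing which tool produced it.

    Validates the fields every producer must supply, resolves a missing
    per-result level through the rule's defaultConfiguration (falling back
    to the spec default of "warning"), and returns per-level counts plus
    the rule titles, as a generic dashboard would.
    """
    if log.get("version") != SARIF_VERSION:
        raise ValueError("unsupported SARIF version: %r" % log.get("version"))
    counts, titles = {}, {}
    for run in log["runs"]:
        rules = run["tool"]["driver"].get("rules", [])
        for res in run["results"]:
            if "text" not in res.get("message", {}):
                raise ValueError("result %r lacks a message" % res.get("ruleId"))
            level = res.get("level")
            if level is None:
                level = "warning"
                if "ruleIndex" in res:
                    level = (rules[res["ruleIndex"]].get("defaultConfiguration", {})
                             .get("level", "warning"))
            counts[level] = counts.get(level, 0) + 1
            if "ruleIndex" in res:
                titles[res["ruleId"]] = rules[res["ruleIndex"]]["shortDescription"]["text"]
    return {"tool": log["runs"][0]["tool"]["driver"]["name"],
            "counts": counts, "rules": titles}


if __name__ == "__main__":
    sarif_log = to_sarif("hypothetical-scanner", "1.0", SAMPLE_FINDINGS)
    print(json.dumps(sarif_log, indent=2))
    print(summarize_sarif(sarif_log))
```

The producer never needs to know who will read the log, and the consumer never needs to know which engine wrote it; that separation is what lets Marketplace actions from different vendors feed the same alert view.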

DefenseCode’s SAST ThunderScan solution now available as a GitHub Action
2020-10-07 00:00

DefenseCode Group has announced that its Static Application Security Testing solution, ThunderScan, is now available as a GitHub Action, offering vulnerability analysis across more than 30 languages and delivering detailed vulnerability reports directly in GitHub. The release coincides with the launch of GitHub code scanning.

Checkmarx provides automated security scans within GitHub repositories
2020-10-05 14:11

Checkmarx has announced a new GitHub Action that brings comprehensive, automated static and open source security testing to developers. The action integrates the company's application security testing solutions, Checkmarx SAST and Checkmarx SCA, directly with GitHub code scanning, giving developers the flexibility to use their preferred tools to secure proprietary and open source code.

GitHub Announces General Availability of Code Scanning Feature
2020-09-30 18:05

GitHub on Wednesday announced that its code scanning feature, which is designed to enable developers to easily identify vulnerabilities in their products before they reach production, is generally available. The code scanning feature was unveiled in May, but at the time it was still in beta.

ShiftLeft NG SAST now available on GitHub Marketplace
2020-09-10 00:30

Now available as a free GitHub App, NG SAST can be integrated into developer workflows in a few clicks, and its listing on the GitHub Marketplace leaves developers free to choose which tools they adopt.

Medical Data Leaked on GitHub Due to Developer Errors
2020-08-26 13:49

Ursem, the self-styled "Lamest hacker you know", found the leaked information with a simple search to see whether someone "is actually stupid enough to upload medical customer data to GitHub," he told DataBreaches.net. The report describes one errant developer, referred to as the "Typhoid Mary of Data Leaks" because of the repeated errors in his use of GitHub, not just for the storage and management of medical data but for other files as well.

PoC Exploit Targeting Apache Struts Surfaces on GitHub
2020-08-14 21:20

Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow remote code execution and denial-of-service attacks against vulnerable installations. The Apache Struts Security Team recommends upgrading to Struts 2.5.22.

Solar appScreener 3.6: Supporting Pascal and integrating with GitLab, GitHub and Bitbucket
2020-08-13 00:00

Solar Security has announced the release of a new version of its application security analyzer, Solar appScreener 3.6, which adds support for Pascal and improves integration with the GitLab, GitHub and Bitbucket version control and code hosting systems. The vendor says Pascal support was added to meet the needs of international customers of its vulnerability and undocumented-feature analyzer.

NCC Group admits its training data was leaked online after folders full of CREST pentest certification exam notes were posted to GitHub
2020-08-11 14:58

British infosec biz NCC Group has admitted to The Register that its internal training materials were leaked on GitHub, after folders purporting to help people pass the CREST pentest certification exams appeared in a couple of repositories. CREST offers a certification called CRT (CREST Registered Tester).