How Dependabot empowers you to keep your projects secure
We want to take away the pain and effort of keeping your code secure, so check out how Dependabot empowers developers to keep to their projects secure.
Let’s face it: security for developers isn’t always the top priority. It’s something we know we should do, but frequently it competes with shipping deadlines, or is left until later in the development process. Unclear ownership further complicates things. And most of us don’t receive regular security training, we only get a few security pointers during a project kick-off.
At GitHub, we want to take away the pain and effort of keeping your code secure. This involves providing you with a complete, native, and automated approach—one that reduces your risk, increases your productivity, and improves your time-to-market. From helping you identify supply chain vulnerabilities before you introduce security tech debt into your codebase, to giving you an active database of known vulnerabilities—we want to make security a lot less bothersome. After all, security that is painless is also the most effective.
Security risks are more prevalent than ever
Over the years, we’ve seen that open source software (OSS) poses risk. When the Java-based logging tool, Log4j was exploited in late 2021—potentially compromising millions of apps—the world once again felt just how critical security is to OSS.
It’s clear we need to do a better job. Over the past 10 years, we’ve seen billions of dollars go into application security testing tools but without much success. A whopping 85% of applications still contain known vulnerabilities, 1 with 84% of security flaws happening accidentally at the application layer 2. In 2021, we witnessed software supply chain attacks increase by a terrifying 650% 3. As time goes on, our digital infrastructure will only continue to grow and we don’t expect these stats to slow. It’s anticipated that bad actors will continue to target the supply chain at an ever-increasing rate through existing and emerging tactics.
* 85% of applications contain known vulnerabilities
* 84% of security breaches occur accidentally at the application layer
What are you supposed to do?
You probably feel overwhelmed with how you can keep your supply chain code secure. And with the continued pressure to ship more frequently, you don’t necessarily have the time to understand what types of vulnerabilities may affect you (and, let’s not forget that finding and fixing a vulnerability doesn’t mean you’re secure forever). You also probably don’t have the space to learn about the many security solutions being marketed to you. Or even figure out where in your workflow you need to “shift left.”
Plus, as you may know from experience, current application security solutions are difficult to embed into your developer workflow, without the dreaded, repetitive context switching from tab to tab and explanation to explanation. And even when solutions are integrated, we often find ourselves disabling them due to noise, an increase in testing failure, system performance impacts, and reduced development velocity.
We have to make securing our software simpler and less cumbersome. After all, we’re big on automating things to make people’s lives easier, so implementing something difficult that will give us more headache is the last task on our to-do list.
Automating vulnerability management
That’s why, here at GitHub, we’re pleased to offer comprehensive, native security scanning capabilities that are tailored for developers. These include Dependabot, code scanning with CodeQL, and secret scanning. We knew it was important for us to provide solutions that are built directly into the developer workflow—so you wouldn’t have to waste time learning a new platform or installing third-party apps.
Dependabot is GitHub’s supply chain security experience and makes it easy to find and fix vulnerable dependencies in your repository. It’s always on to alert you about vulnerabilities in the software you depend on. You can even go further by enabling Dependabot security updates, and Dependabot will automatically create pull requests to fix security alerts as they happen.
In all, Dependabot gives you peace of mind. Instead of worrying about your next big security issue, you can let Dependabot do the heavy lifting—so you can focus on building great code.
To learn more about how to easily get started with Dependabot, visit our GitHub Docs page.
1Osterman Research Report, Uncovering the Presence of Vulnerable Open-Source Components in Commercial Software, _2021_
2Synopsys, _How Shifting Security Left Enables More Robust Defense Applications, 2020
3Sonatype, State of the Software Supply Chain Report, 2021
Tags:
Written by
Related posts
Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects
Can an attacker execute arbitrary commands on a remote server just by sending JSON? Yes, if the running code contains unsafe deserialization vulnerabilities. But how is that possible? In this blog post, we’ll describe how unsafe deserialization vulnerabilities work and how you can detect them in Ruby projects.
10 years of the GitHub Security Bug Bounty Program
Let’s take a look at 10 key moments from the first decade of the GitHub Security Bug Bounty program.
Where does your software (really) come from?
GitHub is working with the OSS community to bring new supply chain security capabilities to the platform.