sb-as logo
Story image

GitHub rolls out security alerts feature for Python

16 Jul 2018

GitHub has rolled out security alerts for Python, which allows users to receive alerts whenever their code repositories depend on packages with known security vulnerabilities.

“We’ve chosen to launch the new platform offering with a few recent vulnerabilities,” GitHub says.

“Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”

The development follows last year’s releases that track security vulnerabilities in both Ruby and JavaScript packages.

The company says that since the launch of those alerts, it has identified millions of vulnerabilities. The vulnerabilities are most often Common Vulnerabilities and Exposures, or CVEs.

According to a GitHub blog from November 2017, the security alert system has been highly successful, with many vulnerability alerts resulting in patches in fewer than seven days.

 “We found over four million vulnerabilities in over 500,000 repositories and displayed an alert to repository admins in their dependency graphs and repository home pages (for Ruby and Javascript),” GitHub says in a blog.

“By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version. Since then, our rate of vulnerabilities resolved in the first seven days of detection has been about 30%.

“Additionally, 15% of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

These features are now available for Python users.

Users can make the most of Python security alerts through the following tips:

First, ensure that you have checked in a requirements.txt or Pipfile.lock file inside of repositories that have Python code.

Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allow access in the dependency graph section of your repository’s “Insights” tab.

When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository’s settings page and navigating to the “Alerts” tab.

To configure the kind or frequency of notifications you receive, visit your profile’s notification settings page and select your preferred option.

Story image
SMBs seeking service providers in face of rising cyber threats
SMBs are struggling with their cybersecurity solutions, with three quarters worried about being the target of a cyberattack in the next six months, and 91% considering using or switching to a new IT service provider if offered a better option.More
Story image
Revealed: The behaviours exhibited by the most effective CISOs
As cyber-threats pile up, more is being asked of CISOs - and according to Gartner, only a precious few are 'excelling' by the standards of their CISO Effectiveness Index.More
Story image
Video: 10 Minute IT Jam – F-Secure talks APTs and the Lazarus Group
We spoke to F-Secure's director of detection and response, Matt Lawrence.More
Story image
Global attack volume down, but fraud and cyber threats still going strong
“The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry."More
Download image
74% of APAC IT leaders say security culture is essential to business success
You can join these leaders in designing security awareness and training with your employees in mind.More
Story image
Malware and email scams targeting employees spread rapidly in Q2
"Businesses must stay alert and should employ defense-in-depth tactics and equip themselves with multilayered security mechanisms, including high-sensor spam filters and a VPN connection, which would prevent malicious pages from opening."More