GitHub, Microsoft’s software hosting service, has announced the acquisition of Semmle, a code analysis tool that lets developers detect potentially critical security vulnerabilities in their code.
The financial terms of the transaction have not been disclosed by either company. GitHub does, however, intend to make Semmle’s automated code review products available through its GitHub Actions tool.
‘Open source has had a remarkable track record over the past 20 years. Today, almost all software from any vendor or community includes open source code in its supply chain. We all benefit from the open source model and we all have a role to play in the success of open source for the next 20 years,’ says GitHub in a blog article. ‘These two announcements are part of our broader strategy to secure the global code.’
‘We are very pleased to be joined by Semmle’s team and to welcome their world-renowned security engineers and researchers to GitHub. Together, we will bring their work to all open source communities and our customers. As a community of developers, maintainers and security researchers, we can all collaborate to create more secure software,’ GitHub adds.
GitHub bets on source code security
GitHub, recently acquired by Microsoft, has lately put a strong focus on security features, so this acquisition of Semmle is a logical next step. The company will host a security webinar on 3 October, where it will share more about what to expect from Semmle and GitHub.
It should be recalled that GitHub has recently drawn severe criticism over a series of data breaches. Canonical, the company behind the Ubuntu operating system, recently revealed that it had been attacked by hackers. In an official statement, the company said that hackers had compromised its account on GitHub, the source code sharing platform, on 6 July 2019 and created 11 new repositories. The attackers are believed not to have accessed any sensitive information or manipulated any source code.
GitHub faced a similar problem when Chinese drone manufacturer Da-Jiang Innovations made cybersecurity headlines following a bug bounty dispute. On 21 November 2017, Kevin Finisterre, an independent security researcher, said he had found a private key published on the GitHub code sharing platform, after which he was able to access confidential and sensitive information about the company’s customers and saw ‘unencrypted flight logs containing driver’s licences and identity cards’.
GitHub’s acquisition of Semmle, aimed at strengthening the security of the Microsoft subsidiary, will likely result in the integration of Semmle’s technology into GitHub. However, Semmle’s current services and customers will remain unchanged. In fact, the company says it will now be able to serve its customers better as part of GitHub. Existing Semmle products will work as before, but they will gain new features through tight integration with GitHub.
With this acquisition, Semmle’s engineers will join GitHub’s security engineers. ‘Software security is a community effort. No company can find all the vulnerabilities or secure the open source supply chain behind everyone’s code. Semmle’s community-based approach to identifying and preventing security vulnerabilities is the best way forward,’ says Nat Friedman, CEO of GitHub.
All this means that when open source code is hosted in a GitHub repository, users can have reasonable confidence in its security. What do you think about this?