GitHub announced it is releasing native mobile applications for iOS and Android, and unveiled a new approach to open source security during its annual developer event in San Francisco this week.
From today a mobile version of GitHub is available through a public beta, with Android “coming soon”. The mobile apps include many of the features of GitHub’s browser platform, allowing developers to access issues, pull requests and repositories.
GitHub Security Lab was also announced as part of a new approach to security. Described by GitHub as a new collaborative way to secure the code in critical open source projects, GitHub Security Lab is a space for partners and security researchers to find and share vulnerabilities in open source code.
And in an effort to close the security loop – ensure vulnerabilities are addressed and not just identified – GitHub announced several more security tools.
Erica Brescia, GitHub’s new chief operating officer, told Which-50 the new collaborative approach to open source security will eventually be widely felt.
“I think this is a real opportunity to significantly increase the security of the software that literally everybody uses and I think that’s huge,” Brescia said.
“It’s very early days, but it’s great that we’ve gotten a variety of companies involved already and more that we’re talking [to]. I think we’re going to see a lot of interesting growth there and a real community forum around solving these problems.”
99 per cent of software projects have some dependency on open source code, according to GitHub. But the nature of open source – copying and building on others’ code – means security is a constant challenge.
According to GitHub, 70 per cent of critical vulnerabilities remain unpatched 30 days after developers have been notified, and 40 per cent of detected vulnerabilities aren’t part of a public database because they lack Common Vulnerabilities and Exposures (CVE) identifiers when they are announced.
GitHub is releasing several new tools to help developers find vulnerabilities and to ensure that security vulnerabilities are actually fixed once they are identified.
Notably, GitHub is making its code analysis engine, CodeQL, free to use on open source projects. According to the company, the engine allows users to query code as though it were data.
“If you know of a coding mistake that caused a vulnerability, you can write a query to find all variants of that code, eradicating a whole class of vulnerabilities forever,” a GitHub media announcement says.
The tool will allow researchers to query open source code at a scale and in a way never before seen, potentially exposing vulnerabilities in many major open source projects.
In an on-stage demo of CodeQL, for example, Facebook’s Fizz was shown to contain a vulnerability in its code that would otherwise have been undetectable.
“If GitHub is the home for all developers, which is our mission, we also need to give developers the tools to be able to maintain secure software so people feel safe using it,” Brescia said.
For the first time GitHub is releasing native applications for Android, iPhone and iPad. According to the company, the collaborative nature of open source and GitHub’s often dispersed workforce mean developers need more than just their computer.
“Nowadays, we don’t just write code. We collaborate as team members and we review each other’s code,” said Ryan Nystrom, GitHub director of engineering.
“Today, it’s too hard to keep things moving without a computer. And that’s why we built GitHub for mobile.”
Brescia says the notification system has been designed with work-life balance in mind, and notifications can be muted.
“Giving people the ability to control notifications but [also] the option to get things done whenever and wherever they want to is actually a better enabler of that [work-life balance].”