GitHub Foreshadows Automated Security Fixes

2 November 2018
Justin Warren

While GitHub Actions hogged the limelight at GitHub’s Universe conference a few weeks ago, several other announcements, taken together, foreshadow an interesting future for code security.

“We want security to be ambient around you,” said Sam Lambert, GitHub Head of Platform.

Sam Lambert, GitHub Head of Platform, presents at GitHub Universe 2018

GitHub announced Java and .NET support for the previously announced security vulnerability alerts feature. This adds to the existing support for JavaScript, Ruby, and Python. It gives developers a clear indication that their code has a vulnerability that needs fixing, which is useful, but it only does half the job.

There are quite a few flaw detection tools, because detecting a problem is the (relatively) easy part. The harder part is fixing the flaws.

And this is where the announcements start getting really interesting.

GitHub announced a feature called Suggested Changes that essentially embeds a pull request into a code review comment. It’s quite focused and tactical, which is great, but it highlights a key part of development workflow: what you do after you detect a flaw.

You can define a flaw quite broadly: it could be a feature that hasn’t been implemented yet, a bug in the code, a dependency that needs updating (to support new features or fix bugs), or lots of other nuanced things. Fixing that flaw usually means changing code in some way, and fully fleshed out pull requests provide this functionality. Suggested Changes just makes it faster and easier to make obviously necessary changes with low friction.

Now add in the research by Omoju Miller, GitHub’s Senior Data Scientist for Machine Learning, and her team, applied across the set of code that GitHub can see, together with all the known flaws and their known fixes. Combine it with the standard developer workflow in GitHub, coupled to a programmable API (which already exists), and you have an automated break/fix engine for lots of common, obvious software flaws that cause security issues.

“Soon we’ll know what a security fix is at a code level,” said Jason Warner, GitHub SVP of Technology.

Altogether this creates a system where you can automatically fix a lot of security flaws. The power of open source means that if someone, somewhere fixes a standard flaw in a standard way, everyone else can reap the benefits as automation applies the fix to all the code that needs it.

While Warner accused me of somehow getting access to GitHub’s roadmap (I’ve never seen it, for the record), these seem like pretty logical and obviously good things to do. The entire momentum of the industry is moving this way, and I’m somewhat disappointed it’s taken this long.

The incredible rise of IoT devices and cheap computers running cheap software embedded into just about everything makes this kind of advance pretty urgent, in my opinion. As an industry, we have to do a vastly better job of deploying secure code, and that means it has to be much cheaper and easier to do.

Soon we may very well be able to demand: Computer, heal thyself.

I travelled to GitHub Universe as a guest of GitHub. Read my full disclosure statement here.

This article first appeared here.