GitHub Brings Semmle Aboard to Weed Out Code Vulnerabilities


GitHub, the popular hosting site for open source developers and their code, has acquired Semmle, a start-up whose tools analyze source code for security flaws, in a drive to shore up software security.

Semmle, which emerged in 2006 from research conducted at Britain’s Oxford University, helps developers and security researchers uncover security vulnerabilities in code. Its clients include Google, NASA and Nasdaq.

As the company’s chief executive and co-founder, former Oxford professor Oege de Moor, explained, the researchers set out 13 years ago to query source code like any other type of data, so that the software built on it could be secured before it shipped.

A manual and informal process

But vulnerability handling is complicated by the many stages of development, and the many participants, between a bug being found and a fix reaching users, as Shanku Niyogi, GitHub’s senior vice president of product, noted. Identifying vulnerabilities is still largely a manual and informal process, with plenty of discrepancies in the ways that security alerts are reported or resolved.

GitHub wants to streamline the typical vulnerability-handling process so that researchers, maintainers and developers are linked seamlessly and nothing is missed between report and fix.

“Software security is a collective problem, a responsibility that involves producers and consumers of code, open source maintainers, security researchers, and security teams,” Niyogi wrote. He said the premise behind Semmle’s purchase was for GitHub to offer the open source community the tools it needs to secure its software.

Semmle’s analysis is built on QL, a query language that treats a program’s source code as a database: the code is compiled into a relational representation, and an analyst writes a query that describes a vulnerability pattern (for example, a call to a dangerous function whose argument can be controlled by untrusted input) and gets back every place in the code base that matches. QL also underpins the start-up’s second offering, LGTM, or “Looks Good to Me,” a software engineering analytics platform that runs such queries as a semantic code search to identify critical vulnerabilities in code.
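QL itself needs a CodeQL database built from the target project before it can run, so as a self-contained illustration of the idea described above (querying source code as data, the approach de Moor and Niyogi describe), here is an added example using Python’s standard `ast` module rather than QL. It is not Semmle’s or GitHub’s code. It parses a program into a syntax tree and runs one query over it: find every call that executes a command through a shell (`os.system`, or `subprocess.*` with `shell=True`) whose command string is not a constant, the classic shape of a shell-injection bug. The sample program under analysis and the list of sink functions are constructed for the example.

```python
"""Added example: query Python source "like data" to find shell-injection-prone calls.

Not Semmle/GitHub code; standard library only. SAMPLE_SOURCE below is a
constructed program under analysis, not code from any real project.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample program under analysis (an assumption for this example).
SAMPLE_SOURCE = '''
import subprocess
import os

def list_dir(path):
    # non-constant command string passed to a shell: flagged
    subprocess.run("ls -l " + path, shell=True)

def uptime():
    # constant command string: tolerated by this query
    subprocess.run("uptime", shell=True)

def safe_list(path):
    # argument list, no shell: not flagged
    subprocess.run(["ls", "-l", path])

def compile_it(src):
    # the same kind of sink reached through a different API
    os.system(f"gcc {src}")
'''

# Sinks that hand a string to a shell (an assumption: extend for your code base).
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "os.system"}


@dataclass(frozen=True)
class Finding:
    line: int
    callee: str
    function: str


def dotted_name(node: ast.AST) -> Optional[str]:
    """Render a callee expression such as `subprocess.run` or `os.system` as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def uses_shell(call: ast.Call, callee: str) -> bool:
    """os.system always goes through a shell; subprocess.* only when shell=True is literal."""
    if callee == "os.system":
        return True
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def find_dynamic_shell_commands(source: str) -> List[Finding]:
    """Return every shell-executing call whose first argument is not a constant string.

    This is the 'query': walk the tree, select Call nodes, filter on the callee
    name, the shell flag and the shape of the command argument.
    """
    tree = ast.parse(source)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if not isinstance(call, ast.Call) or not call.args:
                continue
            callee = dotted_name(call.func)
            if callee not in SHELL_SINKS or not uses_shell(call, callee):
                continue
            cmd = call.args[0]
            # A plain string literal cannot carry attacker input; anything else
            # (concatenation, f-string, variable) is reported for review.
            if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str):
                continue
            findings.append(Finding(call.lineno, callee, func.name))
    return findings


if __name__ == "__main__":
    for f in find_dynamic_shell_commands(SAMPLE_SOURCE):
        print(f"{f.function}:{f.line}: {f.callee} called with a non-constant command")
```

Run against the constructed sample it reports `list_dir` and `compile_it` and stays silent on the constant `uptime` call and the list-form `subprocess.run`. The same query in QL would additionally track whether the non-constant argument actually derives from untrusted input (taint tracking), which is what turns a pattern match like this into a true-positive-heavy vulnerability finder.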

“An important measure of the success of Semmle’s approach is the number of vulnerabilities that have been identified and disclosed through their technology,” Niyogi wrote. “Today, over 100 [Common Vulnerabilities and Exposures] in open source projects have been found using Semmle, including high-profile projects like Apache Struts, Apple’s XNU, the Linux Kernel, Memcached, U-Boot, and VLC. No other code analysis tool has a similar success rate.”

Nat Friedman, GitHub chief executive, agreed. “Software security is a community effort,” he wrote. “No single company can find every vulnerability or secure the open source supply chain behind everyone’s code. Semmle’s community-driven approach to identifying and preventing security vulnerabilities is the best way forward.”

When it disclosed the Semmle purchase, GitHub also announced it was becoming a CVE Numbering Authority. In practice this means that maintainers of projects hosted on GitHub can obtain a CVE identifier for a vulnerability directly from GitHub rather than from another authority; the identifier is then published and picked up by the National Vulnerability Database.

Microsoft’s controversial purchase

GitHub, a subsidiary of Microsoft, has been adding companies to its stable since January. In June it bought Pull Panda, a start-up that builds code review tools for GitHub developers, and in May it purchased Dependabot, a tool that automatically opens pull requests to update a project’s dependencies in languages such as Ruby, Python, JavaScript and Java.

Rival code hosting services, including GitLab and Atlassian-owned Bitbucket, claimed to have seen large influxes of disgruntled developers following news of Microsoft’s GitHub purchase.

Many open source advocates have been mistrustful of the huge software company formerly run by Steve Ballmer, who famously described the open source operating system Linux as a “cancer”.

Under the leadership of CEO Satya Nadella, however, Microsoft has pledged its commitment to open source development and to GitHub’s developer-first ethos.

“Microsoft has heritage here,” Nadella said. “We were a developer tools company first and now, of course, we are all in on open source, and that’s what really brings us together with GitHub.”