How developer-first supply chain security helps you ship secure software fast

July 14, 2022 // 8 min read


Discover why supply chain security is needed and how GitHub’s supply chain security tool can help you ship secure software quickly.

Are you looking to secure your code but don’t want extra security steps slowing you down? These days, developers are often faced with a tough choice—to ship secure software slowly or insecure software quickly. Here at GitHub, we believe that you shouldn’t have to choose between one or the other. Read on to explore why supply chain security is needed, how dependencies are interwoven into your code, and how GitHub’s supply chain tool, Dependabot, can help.

This page will touch on the following topics:

  • Software supply chain
  • Open source vulnerabilities
  • Open source security
  • Software dependencies
  • Types of dependencies
  • Dependency changes
  • Managing dependencies
  • Software composition analysis (SCA)
  • Benefits of SCA
  • What is Dependabot?
  • Dependabot features
  • Turning on Dependabot
  • Dependabot and other GitHub tools

What is the software supply chain?

Software supply chain is a popular phrase that refers to how your software gets built using all the innersource and open source dependencies in your codebase. Maybe you're creating a JavaScript app that uses dependencies from npm, or maybe you're building a compiled app written in C# that uses a mix of innersource and NuGet dependencies. The threat model for each of these apps is different because of the software supply chain they depend on. GitHub is here to help you understand the software you use and keep it safer using innovative products like Dependabot.

What are open source vulnerabilities?

Open source vulnerabilities are security risks that live in your open source components. Most vulnerabilities result from well-intentioned mistakes involving a lack of security functionalities, non-ideally written code or weak integration of components. Unfortunately, they can easily be exploited by an attacker. Malicious actors can use your code's vulnerabilities to damage your systems, steal your data, or abuse your resources. And exploiting just one weakness can have profound repercussions by enabling hackers to leapfrog to other vulnerable services inside your environment.

Vulnerabilities can bite you hard when you're not looking—and compromise your entire project. Today's most common types of vulnerabilities include:

  • SQL injection. This is a code injection attack that's triggered when a bad actor adds harmful logic into your SQL statements through user input. The vulnerability stems from not performing input sanitization or performing it incorrectly. Implications include unauthorized data access, modification and data loss, and changes to an application's content and behavior.

  • Command injection. This is another code injection attack that occurs when a malicious actor inserts a command into an application that will then be executed in the host system using the system's privileges. A command injection attack can compromise the application, its data, connected servers, and other infrastructure.

  • Cross-site scripting (XSS). This is a web injection attack where malicious scripts are injected into otherwise benign websites. Due to JavaScript scripts running on the victim's browser, XSS attacks are able to steal sensitive data like authentication cookies. This is common on public websites, where attackers can target the website's visitors by adding their own ads and phishing prompts.

  • Cross-site request forgery (CSRF). This attack forces the end-user to execute unwanted actions on a web application in which they're currently authenticated. Unwanted actions might include fund transfers or a change of personal information. Basically, these attacks take advantage of the target site's trust for requests initiated by authenticated users that in reality are initiated from elsewhere.


To learn more about the most frequent types of vulnerabilities out there, visit our vulnerability blog post.


What is open source security?

Open source security is a methodology that provides you with better visibility into the open source inventory of your applications. With open source security, you're able to easily identify all of your direct dependencies, indirect dependencies, and the slew of security information related to each one. Tracking these things manually is too time-consuming, so it is commonly done via software composition analysis (SCA), which we'll explore later on.

What are software dependencies?

A software dependency is a package or code library that is reused in a new piece of software. Using open source ensures you can focus on the differentiated parts of your project, and build on the solid foundations of the broader community.

These days, nearly all software projects have some form of dependencies. And the amount is not small—it's estimated that 60-90% of codebases are composed of open source components. Of course, if there are security issues in any of this code, it will affect the final product, just like security issues in proprietary code would.

What are the different types of dependencies?

There are two types of software dependencies: direct and indirect. Direct dependencies are libraries or packages that your code calls directly. Indirect dependencies are libraries or packages that your dependencies call. In other words, they're dependencies of dependencies.

While both types of dependencies require management to control security risks, indirect dependencies require extra consideration because it's not immediately obvious when they're at play. Indirect dependencies become nested inside other dependencies, forming a hidden but complex dependency tree that can be easily missed when attempting to secure your supply chain.

At a glance: The two types of dependencies

  • Direct dependencies are libraries and packages that your code calls directly
  • Indirect dependencies are libraries and packages that your dependencies call

Securing both types is crucial, but it's harder to detect indirect (transitive) dependencies.

How has the dependency landscape changed over time?

Back in the day, downloading and installing a library was tedious work. Because of this, reusing smaller packages was impractical. But over the past two decades, tools like Maven and npm made consuming and working with small packages easier. Ever since, the number of packages available for developers has exploded. Software packages are now a significant part of modern applications.

However, the industry is now being faced with a slew of security issues and problems. As mentioned, if a bug is present in a dependency, that can affect the whole app. Plus, dependencies can quickly become outdated, limiting the quality of the software that calls them, or even causing the entire application to fail.

While using dependencies can help you build software quicker, there are a number of issues in dependencies that can go awry, including:

  • Security vulnerabilities that impact your entire program
  • Outdated code that compromises the quality of your software

What happens when organizations don't manage dependencies?

There can be a lot of frustration when you've installed software packages that depend on specific versions of other software packages—and solving for one dependency breaks the compatibility of another. Like a game of whack-a-mole, this will put you in a never-ending mess of dependency pain.

That's why it's important for you to effectively manage your dependencies all throughout the software development life cycle (SDLC).

What is software composition analysis (SCA)?

SCA is an automated process that identifies the open source components in your codebase. Such tools inspect package managers, source code, manifest files, container images, binary files, and more. These components are compared against the GitHub Advisory Database, which includes information from the National Vulnerability Database (NVD) and other databases.

What are vulnerability databases?

Vulnerability databases store information about known and common vulnerabilities. The NVD is the US government's vulnerability repository and is widely used in the open source community. GitHub has its own GitHub Advisory Database, which includes advisories from all over the open source world.
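The direct/indirect distinction and the advisory matching described above, as an added example (not GitHub's or Dependabot's code): it reads an npm lockfile, labels each installed package as direct or indirect, and checks its version against a vulnerable range. The lockfile contents, package names, advisory ID, and advisory field names are all constructed for illustration.

```python
import json
import operator

# Constructed sample: trimmed npm package-lock.json (lockfileVersion 3); names are made up.
LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0",
         "dependencies": {"web-framework-x": "^2.0.0", "log-helper-x": "^0.4.0"}},
    "node_modules/web-framework-x": {"version": "2.1.0",
         "dependencies": {"tiny-parser-x": "^1.3.0"}},
    "node_modules/log-helper-x": {"version": "0.4.0",
         "dependencies": {"tiny-parser-x": "1.0.4"}},
    "node_modules/tiny-parser-x": {"version": "1.0.4"},
    "node_modules/web-framework-x/node_modules/tiny-parser-x": {"version": "1.3.0"}
  }}""")

# Constructed advisory record; field names are assumptions, not a real database schema.
ADVISORIES = [{"id": "EXAMPLE-ADVISORY-1", "package": "tiny-parser-x",
               "vulnerable": ">= 1.0.0, < 1.2.0", "patched": "1.2.0"}]

OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt, "=": operator.eq}

def parse_version(v):
    """'1.2.3-beta' -> (1, 2, 3); pre-release tags are ignored for simplicity."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def in_range(version, spec):
    """True if version satisfies every comma-separated clause, e.g. '>= 1.0.0, < 1.2.0'."""
    clauses = (c.split() for c in spec.split(","))
    return all(OPS[op](parse_version(version), parse_version(b)) for op, b in clauses)

def scan(lock, advisories):
    """Return (name, version, kind, advisory id, patched version) per vulnerable install."""
    packages = lock["packages"]
    root = packages[""]  # the "" entry is the project itself
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    findings = []
    for path, meta in packages.items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        # Direct = top-level copy named in the root manifest; nested copies are indirect.
        top_level = path.count("node_modules/") == 1
        kind = "direct" if top_level and name in direct else "indirect"
        for adv in advisories:
            if adv["package"] == name and in_range(meta["version"], adv["vulnerable"]):
                findings.append((name, meta["version"], kind, adv["id"], adv["patched"]))
    return findings
```

Running `scan(LOCKFILE, ADVISORIES)` flags only the hoisted `tiny-parser-x` 1.0.4, which the root manifest never names; the nested 1.3.0 copy of the same package is outside the vulnerable range.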

What supply chain components do SCA tools inspect?

  • Package managers
  • Manifest files
  • Binary files
  • Source code
  • Container images
  • Approved components
  • Developer downloads
  • Code reuse
  • Commercial apps
  • Third-party libraries
  • Outsourced development

What are the benefits of SCA?

When it comes to securing your supply chain, SCA tools offer security, speed, and reliability. Manual tracking of open source components no longer works, given the vast amount that's used these days. Plus, the increasing prevalence of cloud-native applications and more complex technologies makes dependable SCA tools mandatory.

Never force a human to do what a robot can. –Motto of the GitHub security team

As teams build and ship software faster due to the adoption of DevOps methodologies, you need a security solution that can maintain your development velocity—just like an SCA tool.

But not all SCA tools are created equal. It's best to select an SCA tool that scans open source components within containerized environments, identifies any vulnerabilities, and automatically enforces policies. Good SCA tools also have native support for the specific container registry your IT is using.

For organizations, the SCA tool should additionally let you know whether your code communicates with the impacted library and suggest fixes when possible. The tool should also identify open source libraries in the codebase that need to be patched or updated.

What is Dependabot and how can Dependabot keep my supply chain secure?

Dependabot is GitHub's SCA tool. Dependabot makes it easy to secure your supply chain by helping you to identify your dependencies, the vulnerabilities in those dependencies, and suggesting ways to fix, patch, or update them. The tool fits natively into your developer workflow so you can secure your supply chain in minutes.

Dependabot catches vulnerabilities from your dependencies in real-time, allowing you to understand:

  • The vulnerability data for each dependency, as published by GitHub's Advisory Database
  • The impact of the vulnerability in your project—for example, if your code is making a vulnerable call
  • How to take action and fix the vulnerability with a Dependabot pull request or with another workaround

Dependabot also helps you keep your dependencies up to date with Dependabot version updates, which can help you avoid many potential vulnerabilities in your project in the first place!

Dependabot helps us write more secure code. –Max Williams, Principal Systems Engineer, Delivery Hero

What are the different features of Dependabot?

Dependabot includes a suite of best-in-class features, including:

  • Dependency graph. This graph identifies all upstream dependencies and public downstream dependents of a repository or package. You can view dependencies and any detected vulnerabilities in your dependency graph.

  • Dependabot alerts. These alerts inform you of repositories affected by newly discovered vulnerabilities based on GitHub's dependency graph and the GitHub Advisory Database.

  • Dependabot security updates. These updates are automated pull requests sent to you from Dependabot to update a dependency to the minimum version that resolves a known vulnerability.

  • Dependabot version updates. These updates check for new versions of your dependencies and suggest updates—all on the configurations you set.

How do I turn on Dependabot?

Turning on Dependabot is easy. Simply follow these five steps:

  1. Go to GitHub.com.
  2. Navigate to the main page of the repository.
  3. Under your repository name, click Settings.
  4. On the left sidebar, click Code security and analysis.
  5. Finally, click the Enable button for Dependency graph and Dependabot alerts. If you'd like Dependabot to help you update your dependencies, also click Enable for Dependabot security updates.


Created just for you, Dependabot is:

  • Built for you. You can choose how often you get notifications and what type of notifications you receive. Dependabot alerts are sorted by a "most important" calculation, which takes into account a vulnerability's impact, relevancy, and actionability to help you prioritize alerts. For example, when vulnerabilities call known vulnerable functions, that's factored in our calculation (and vulnerable function call information is also available with your Dependabot alert).

  • Built from the community. The GitHub Advisory Database, which powers Dependabot alerts, is the largest database of vulnerabilities in software dependencies in the world. It's maintained by a dedicated team of full-time curators and supported by contributions from the entire GitHub community.

  • Forever free. GitHub believes that free and open security data and solutions are critical to empowering the industry and to best securing our software supply chains.

How do Dependabot products work together with other GitHub security tools?

At GitHub, we provide a suite of developer-first security tools to help you find and fix vulnerabilities. While Dependabot helps you secure your supply chain, our other security products work synergistically with Dependabot to keep your code secure from nearly every angle.

  • Code scanning, powered by CodeQL, is a static application security testing (SAST) product that catches common patterns in your code. It can also run within your pull requests, detecting vulnerabilities before they reach your main branch. Beyond protecting your code, CodeQL teaches you what to look out for in the future, as each query contains information on the vulnerability pattern detected, including examples of vulnerable code, secure ways to implement the same code, and external references.

- To learn more about how to get started with code scanning and CodeQL, visit our GitHub Docs code scanning page.


  • Secret scanning prevents unauthorized access and breaches. It does this by proactively searching your repositories for leaked secrets that may have accidentally been pushed into your code. This involves scanning your code for patterns from our partners, including AWS, Slack, Google Cloud, and Azure. Because scans take less than a second, we can quickly catch leaks as they occur.

- To learn more about how to get started with secret scanning, visit our GitHub Docs secret scanning page.


  • Security overview provides a single, centralized view of the security risks in your entire organization. This is especially powerful if you're responsible for hundreds or thousands of repositories. The tool shows the known security risks, as well as unknown risks where security features haven't yet been configured.

- To learn more about security overview, visit our security overview Docs page.


All of these tools are part of GitHub Advanced Security (GHAS) for enterprises. GHAS natively embeds security into the developer workflow, enabling you to secure your software supply chain and proprietary code across the software lifecycle. With GHAS, automated security checks are run with every pull request. Identified security issues are then shared immediately within the familiar GitHub workflow. This empowers you to fix vulnerabilities in minutes, not the industry standard of months.


- To learn more about GHAS, visit our GHAS Docs page.


Security is critical, but reliability is important too. We depend on GitHub to deploy our products quickly and safely. –Lee Cookson, Engineering Director, Dow Jones

To speak with a representative about how GitHub can help your organization secure your code, sign up for a free demo.
