Microsoft’s GitHub to warn programmers about vulnerable dependencies

On every pull request, Microsoft subsidiary GitHub will now warn programmers about vulnerable dependencies.

The announcement was made on Tuesday at the GitHub Universe conference.

Keep in mind that most modern software is not written entirely from scratch.

Instead, it is a mix of newly written code and third-party code (so-called dependencies).

On top of that, this third-party code can itself depend on further third-party code (transitive dependencies).

The problem is that every link in that chain can carry a vulnerability, and discovering and fixing one can take a while.

To address this, GitHub will not only display the existing dependency graph but will also surface vulnerability notifications within it.
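The following is an added example, not GitHub's own code, showing what such a check involves in miniature: walk a lockfile-style dependency graph from the application root, flag any package whose resolved version falls inside an advisory's affected range, record the path through which a transitive dependency was pulled in, and report only what a pull request newly introduces compared with the base branch. The lockfile contents, package names, versions and advisory entries are all constructed for illustration and do not describe real software or real advisories.

```python
"""Added example: flag vulnerable packages in a constructed lockfile graph and
report only what a pull request newly introduces.  All package names, versions
and advisory identifiers below are invented for illustration."""
import re
from collections import deque

# Constructed lockfile for the base branch: package -> resolved version and the
# packages it requires.  A lockfile pins one resolved version per package.
BASE_LOCK = {
    "app":             {"version": "1.0.0", "requires": ["web-framework", "logger"]},
    "web-framework":   {"version": "4.2.0", "requires": ["template-engine"]},
    "template-engine": {"version": "2.0.5", "requires": ["string-utils"]},
    "string-utils":    {"version": "1.1.0", "requires": []},
    "logger":          {"version": "1.5.0", "requires": []},
}

# Constructed lockfile after the pull request: web-framework is bumped, which
# pulls in a newer template-engine that drags in a flagged string-utils release.
PR_LOCK = {
    "app":             {"version": "1.0.0", "requires": ["web-framework", "logger"]},
    "web-framework":   {"version": "4.3.0", "requires": ["template-engine"]},
    "template-engine": {"version": "2.1.0", "requires": ["string-utils"]},
    "string-utils":    {"version": "1.2.0", "requires": []},
    "logger":          {"version": "1.5.0", "requires": []},
}

# Constructed advisories; the identifiers are placeholders, not real CVE/GHSA IDs.
ADVISORIES = [
    {"id": "ADV-SAMPLE-1", "package": "string-utils", "range": ">=1.2.0,<1.2.4"},
    {"id": "ADV-SAMPLE-2", "package": "logger", "range": "<2.0.0"},
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>)(\d+\.\d+\.\d+)$")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
}


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into an int tuple so 1.10.0 > 1.9.0 compares correctly."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def version_in_range(version, range_expr):
    """True if every comma-separated clause of range_expr (e.g. '>=1.2.0,<1.2.4') holds."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def find_vulnerable(lock, root, advisories):
    """Breadth-first walk from root; one finding per (package, advisory) match,
    with the shortest path showing how the package was pulled in."""
    findings, seen, queue = [], {root}, deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        entry = lock.get(name)
        if entry is None:
            raise KeyError(f"{name} is required but missing from the lockfile")
        for adv in advisories:
            if adv["package"] == name and version_in_range(entry["version"], adv["range"]):
                findings.append({"package": name, "version": entry["version"],
                                 "advisory": adv["id"], "path": path,
                                 "direct": len(path) == 2})
        for dep in entry["requires"]:
            if dep not in seen:          # a package reachable by several routes is visited once
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings


def new_in_pull_request(base_lock, pr_lock, root, advisories):
    """Findings present in the PR lockfile but not in the base branch, keyed on
    package, version and advisory so a known, unchanged issue is not re-reported."""
    key = lambda f: (f["package"], f["version"], f["advisory"])
    known = {key(f) for f in find_vulnerable(base_lock, root, advisories)}
    return [f for f in find_vulnerable(pr_lock, root, advisories) if key(f) not in known]


if __name__ == "__main__":
    for f in new_in_pull_request(BASE_LOCK, PR_LOCK, "app", ADVISORIES):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['advisory']}: {f['package']}@{f['version']} ({kind}) via {' -> '.join(f['path'])}")
```

Run as a script it reports only the string-utils finding introduced by the version bump, together with the chain app -> web-framework -> template-engine -> string-utils; the pre-existing logger finding is left to the base branch's own alert rather than repeated on every pull request. The range syntax handled here is deliberately small; real advisory feeds use richer version specifications and ecosystem-specific ordering rules.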

According to Maya Kaczorowski, senior director of product management at GitHub, mitigating vulnerabilities involves a significant amount of delay.

She said GitHub now wants to focus on giving developers the tools they need to detect vulnerabilities as early as possible.

She also noted that small automation changes have been shown to have a significant effect on how quickly problems are both noticed and addressed.

Dependency vulnerabilities are a problem the entire industry has been battling for a long time.

Chris Wysopal, co-founder and chief technology officer of the software vulnerability scanning service Veracode, notes that more software is assembled from existing code than written from scratch.

According to Veracode's findings, 70% of applications contain open source packages.

This means dependencies add risk, and developers need a way to spot signs of trouble.

Building that detection into the developers' workflow, where they can fix the problem, appears to be the answer.