Microsoft는 GitHub 보안을 확대하기 위해 Semmle을 인수

ment 9/20 '19 posted 뉴스 IT

• 그는 GitHub가 오픈 소스 프로젝트에 대한 CVE 번호 부여 기관으로 승인되었다고 덧붙였습니다.

• GitHub는 샌프란시스코에 기반을 둔 코드 분석 플랫폼 제조업체 Semmle을 인수하여 코딩 저장소의 보안을 강화했습니다.

• GitHub는 이러한 툴을 GitHub Actions에서 실행되는 CI 테스트의 일부로 모든 공용 리포지토리와 엔터프라이즈 고객에게 제공할 것이라고 밝혔습니다.

• “GitHub의 에코 시스템 보안을 위한 최근 조치 (관리자 보안 권고, 자동화된 보안 패치, 토큰 스캔 및 기타 보안 개발의 많은 발전)는 모두 같은 퍼즐 조각입니다.

• GitHub CEO Nat Frieman은“Semmle의 혁신적인 시맨틱 코드 분석 엔진을 사용하면 개발자들이 큰 코드베이스에서 코드 패턴을 식별하고 취약점 및 그 변형을 검색하는 쿼리를 작성할 수 있습니다.

• “Semmle은 Uber, NASA, Microsoft, Google의 보안 팀으로부터 신뢰를 받았으며 현재까지 오픈 소스 프로젝트에서 100 개가 넘는 CVE뿐만 아니라 세계 최대 코드베이스에서 수천 가지 취약점을 발견하는 데 도움이 되었습니다.

• 시간이 지남에 따라 GitHub 팀은 Semmle을 GitHub 워크 플로우에 밀접하게 통합 할 계획입니다.

• Semmle 보안 테스트에서 수작업을 많이 제거하고 대신 서비스의 분석 엔진을 사용하여 연구자가 코드를 테스트할 수있는 쿼리 언어를 제공합니다.

• 거래의 재정 조건은 두 회사에서 공개하지 않았습니다.

Microsoft buys Semmle in a bid to bulk out GitHub security [devclass.com]

Attention Required! | Cloudflare [www.darkreading.com]

Microsoft-owned GitHub acquires code analysis startup Semmle to bolster security [www.geekwire.com]

GitHub buys Semmle to add flaw-spotting code analysis into its repositories [www.theinquirer.net]

GitHub Buys Semmle To Improve Open-Source Code Security [www.crn.com]

Microsoft’s GitHub acquires Semmle, makers of a code analysis tool [www.onmsft.com]

GitHub acquires code analysis tool Semmle [techcrunch.com]

GitHub acquires Semmle to help developers spot security vulnerabilities [thenextweb.com]

GitHub gobbles biz used by NASA, Google, etc to search code for bugs and security holes in Mars rovers, apps... [www.theregister.co.uk]

Microsoft's Github acquires Semmle, a code analysis platform for finding zero-days [mspoweruser.com]

newest replies popular replies

Open Wiki - Feel free to edit it. -

9/20 '19 answered

So GitHub are becoming a CVE Numbering Authority. Nice!
— Dan Murphy (@DanHatesNumbers) September 18, 2019

Big news! Semmle is joining the @Github team to bring community-powered security analysis to millions of developers. Learn more from Semmle CEO @oegerikus here: https://t.co/iDN5RrY8J1
— Semmle (@Semmle) September 18, 2019

Holy shit, GitHub is becoming a CVE authority which will allow filing for CVE numbers directly from the web UI.

Also the new security advisory workflow is looking *sweet*!!
— yosh (@yoshuawuyts) September 18, 2019

Our mission is to build a global platform for developer collaboration. But that platform needs to be one that all of us can use to secure the world’s software, together.

Learn more on how you can help. https://t.co/I4FkD7y3Ye
— GitHub (@github) September 18, 2019

10 years ago I discovered the amazing @semmle technology and team, I knew they would make a difference in the industry. 1 year ago I was excited to join them, and today I am even more excited by the huge step we are taking by joining @github https://t.co/YKHOcRd7cD #securecode
— Xavier René-Corail (@XCorail) September 18, 2019

What a gr8 move.

I hear from ppl all the time that tell me how hard it is to get a CVE. Having @github as a CNA is critically important. https://t.co/5sGHPU0R2d
— Sean Kerner (@TechJournalist) September 18, 2019

We are @github now! \o/ https://t.co/u3N5ifHbAP
— Nico Waisman (@nicowaisman) September 18, 2019

@github would not issue CVE's for Microsoft applications as @Microsoft is already a CNA that issues their own. GitHub is allowed to issue CVE's for reported vulnerabilities assuming the vendor in question is not already a CNA (as far as I understand).
— Nathan McNulty (@NathanMcNulty) September 18, 2019

It says a lot about Github and by extension Microsoft that the overwhelming response to this announcement is positive. https://t.co/R00FBCXxCG
— Corey Quinn (@QuinnyPig) September 19, 2019

As for volume... just do a search for "fix buffer overflows" or "fix XSS" in issues and imagine them all having a nicely labelled CVE. It's an exciting time to be alive.
— Kurt Seifried (@kurtseifried) September 18, 2019

Apart from the news about acquisition of @Semmle which is a market leader in Variant Analysis, GitHub clearly sees the big picture of Application Security. Slow clap ? https://t.co/0X0A9itJnW
— Andrzej Dyjak (@andrzejdyjak) September 18, 2019

> GitHub ... is now a CVE Numbering Authority. ..Maintainers will be able to report vulnerabilities...GitHub will assign IDs & add [them] to the National Vulnerability Database.

Sounds like there'll be an influx of CVEs now. What "CVE" means is probably going to change a bit ?
— Rijnard van Tonder (@rvtond) September 18, 2019

Incredible, industry-shifting work at @github & @Semmle in helping the entire software supply chain detect, eradicate, and prevent entire classes of security vulnerabilities.
Honestly this has me hopeful that finally, we may see certain classes of bugs eradicated in my lifetime. https://t.co/sa234NzK7h
— Katie Moussouris (@k8em0) September 18, 2019

GitHub acquires code analysis tool Semmle | Microsoft’s GitHub today announced that it has acquired Semmle, a code anal ... https://t.co/5QTDLWtEZ8
— NICEBROgg (@NICEBROgg) September 18, 2019

1/7 I’m overjoyed to share that @semmle is joining @github! https://t.co/K7wTLs5WJL
— Oege de Moor (@oegerikus) September 18, 2019

A warm welcome to Oege and the rest of @Semmle! This really confirms the value of treating code as data, and on behalf of the Semantic Code team, I can't wait to see what we can build together! (And I'm also excited to have more Oxonians on the team ?) https://t.co/XKLDEWCYuC
— Douglas Creager (@dcreager) September 18, 2019

badass acquisition.. congrats to all Semmle hackers there for joining GitHub :)https://t.co/L7vXKOF6qe @fjserna @nicowaisman @agustingianni @mmolgtm @Nosoynadiemas @kevin_backhouse et al.
— Shift Red (@Shiftreduce) September 18, 2019

GitHub Becomes CVE Numbering Authority, Acquires Semmle https://t.co/cxv0g3XRLD
— Nicolas Krassas (@Dinosn) September 19, 2019

#GitHub acquires code analysis tool #Semmle - "GitHub has a “unique opportunity and responsibility to provide the tools, best practices, and infrastructure to make software development secure.” https://t.co/Jiyj4Ejp5M @techcrunch @github @asseh @faatz #code #softwaredevelopment
— Shirin Mohammadi (@shirin_moha) September 19, 2019

Microsoft’s GitHub today announced that it has acquired Semmle, a code analysis tool that helps developers and security researchers discover potential vulnerabilities in their code.https://t.co/z5uyUaW0WS pic.twitter.com/2Dl5THqJLr
— AlternativeTo (@AlternativeTo) September 19, 2019

GitHub acquires code analysis tool Semmle https://t.co/1MJTTx8TWQ
— Mark Adcock (@techforecastis) September 19, 2019

GitHub acquires Semmle which automatically analyze code for security vulnerabilities.#software #coding #security #EIIRTrends https://t.co/Q9eBkOmSR7 https://t.co/rlMQ4xrCVU
— Pareekh Jain (@pareekhjain) September 18, 2019

badass acquisition.. congrats to all Semmle hackers there for joining GitHub :)https://t.co/L7vXKOF6qe @fjserna @nicowaisman @agustingianni @mmolgtm @Nosoynadiemas @kevin_backhouse et al.
— Shift Red (@Shiftreduce) September 18, 2019

ほう / “GitHub acquires code analysis tool Semmle – TechCrunch” https://t.co/pXqP2jO3Sb
— Kosei Kitahara (@Surgo) September 18, 2019

GitHub acquires Semmle to help developers spot security vulnerabilities https://t.co/Bw7NpmAIrT
— TNW (@thenextweb) September 19, 2019

permanent link

Open Wiki - Feel free to edit it. -

9/20 '19 answered

Microsoft는 GitHub 보안을 확대하기 위해 Semmle을 인수 https://t.co/vI2NDfdM8F
• GitHub CEO Nat Frieman은“Semmle의 혁신적인 시맨틱 코드 분석 엔진을 사용하면 개발자들이 큰 코드베이스에서 코드 패턴을 식별하고 취약점 및 그 변형을 검색하는 쿼리를 작성할 수 있습니다.
— editoy (@editoy) September 20, 2019

Big congrats to the @Semmle on their acquisition by Github. Great code = secure code. This is a?match. Congrats @oegerikus and team! https://t.co/nqWgxChn0o
— vas natarajan (@vas) September 18, 2019

permanent link

Reply with curations

Related

Featured