Our Greatest Vulnerability For the Internet? A Large-Scale Compromise of GitHub Code!

Our new world is not being built by governments, it is being built in GitHub

--

If you wanted to break open the security of the Internet, where would you start? Discover a zero-day vulnerability? Scan the Internet for known vulnerabilities? Well, probably the easiest way is to hijack a well-used GitHub repository and insert a back door. Then, if unnoticed, your back-door code will be pushed out to every user who uses the code. If it is only a small change to the code, too, then no one might notice that you had changed it.

In our traditional models of software, such as with C++, C# and Java, we sign code with signing keys, and then check the validity of the code we are integrating. When we load our modules, we check their signature and know that the code has not been altered since it was signed. But what we are really checking is that the creator of the code has checked it and signed it with their private key; the signature tells us who published the code, not that the code itself is safe.
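The check described above, as an added example that is not code from the article: a publisher signs a released module with an Ed25519 key, and a consumer verifies the signature against the key it trusts. The module name and contents are constructed for the example. It also shows the limit the paragraph points at: a tampered copy and a copy signed by someone else's key both fail, but a back door inserted by whoever holds the publisher's own private key verifies just fine, because the signature proves origin, not safety.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Artifact is a released code module together with the signature its
// publisher attached to it.
type Artifact struct {
	Name      string
	Contents  []byte
	Signature []byte
}

// Publisher holds a maintainer's signing key pair. The key is generated
// here for the example; a real release pipeline keeps the private key offline.
type Publisher struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewPublisher creates a fresh Ed25519 key pair for a maintainer.
func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Public: pub, private: priv}, nil
}

// Release signs the module bytes. The only claim the signature makes is
// "the holder of this private key published exactly these bytes".
func (p *Publisher) Release(name string, contents []byte) Artifact {
	return Artifact{
		Name:      name,
		Contents:  append([]byte{}, contents...),
		Signature: ed25519.Sign(p.private, contents),
	}
}

// Verify is the consumer-side check: confirm the signature over the bytes we
// received was made by the key we trust for this module.
func Verify(trusted ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(trusted, a.Contents, a.Signature)
}

// Tamper returns a copy of the artifact with extra bytes appended to the
// contents but the original signature left in place, as an attacker who
// alters the code in transit would have to do.
func Tamper(a Artifact, extra []byte) Artifact {
	contents := append(append([]byte{}, a.Contents...), extra...)
	return Artifact{Name: a.Name, Contents: contents, Signature: a.Signature}
}

func main() {
	// Constructed module contents; any bytes would do.
	genuine := []byte("export function pad(s, n) { return s.padStart(n) }")
	maintainer, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	release := maintainer.Release("example-module", genuine)
	fmt.Println("genuine release verifies:", Verify(maintainer.Public, release))

	// Altered after signing: the signature no longer matches the bytes.
	fmt.Println("tampered copy verifies:", Verify(maintainer.Public, Tamper(release, []byte("; evil()"))))

	// Signed by a different key: our trusted key does not match.
	stranger, _ := NewPublisher()
	fmt.Println("stranger's release verifies:", Verify(maintainer.Public, stranger.Release("example-module", genuine)))

	// The limit of code signing: if the publisher's key itself signs a
	// back door (compromised maintainer or repository), the check passes.
	backdoored := maintainer.Release("example-module", append(append([]byte{}, genuine...), []byte("; evil()")...))
	fmt.Println("back door signed with the real key verifies:", Verify(maintainer.Public, backdoored))
}
```

The last case is the one the article is worried about: once a repository or its release key is taken over, signature verification on the consumer side cannot tell a back-doored release from a legitimate one, so review of what changed between versions still matters.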

In a world with JavaScript, Python and Ruby, this type of checking does not quite happen, and a good deal relies on the owners of GitHub repositories to make sure their code is clean. Along with this, the distributors of the software, such as through NPM (‘npm install’) and PyPI (‘pip install’), need to be checking the…

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice