As code libraries grow in size and complexity, hidden vulnerabilities become harder to find. The most efficient way for developers to find potential exploits and malicious code is through automated analysis.
Code security company Semmle has two products, QL and LGTM, that automate code analysis and help software security teams find zero-day exploits and variants of critical vulnerabilities. It’s the type of code automation service that would be perfect for a community like GitHub, which is why Microsoft recently announced that GitHub had acquired Semmle.
To alleviate the concerns of current customers, Oege de Moor, Co-founder and CEO of Semmle, said there will be no disruption to existing users post-acquisition.
GitHub and Semmle are deeply committed to securing the open source ecosystem, and as part of that commitment, LGTM.com will continue to be available for free for public repositories and open source.
Nat Friedman, CEO of GitHub, said they plan to bring [Semmle’s] work to all open-source communities and to [their] customers.
GitHub is made up of public and private code repositories, which means the acquisition of Semmle’s technology goes well beyond altruism. GitHub will be able to offer automated security analysis as a fee-based value-added service to customers that host proprietary code on its platform.
The purchase of Semmle is a smart business move by Microsoft’s GitHub since it should be profitable for the company while also continuing to benefit the open-source community.