GitHub now warns devs about bugs that led to Equifax breach

Microsoft-owned code hosting repository GitHub has expanded its security alerts program to warn developers about known vulnerabilities in Java and .NET, two of today’s most popular programming languages.

GitHub’s security alerts service aims to help developers plug known security holes in dependencies used by projects hosted on GitHub. Dependencies are packages, such as software libraries, written in different programming languages that a code repository may depend on. GitHub scans for vulnerabilities in dependencies, which until now has focused on the popular programming languages JavaScript, Ruby, and Python.

Bugs in open source libraries run the risk of quietly slipping into many projects when the same code is shared among developers. The most well-known case of a vulnerable dependency enabling a major data breach was credit firm Equifax, which used a vulnerable version of Apache Struts — a framework for building Java web apps.

Read full news article on CSO

 

