Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collaborative Security: Securing Open Source Software

Published byΖεβεδαῖος Ακρίδας Modified over 5 years ago

Similar presentations

Presentation on theme: "Collaborative Security: Securing Open Source Software"— Presentation transcript:

1 Collaborative Security: Securing Open Source Software
ASD-W03 Collaborative Security: Securing Open Source Software Dr. Nicko van Someren Chief Technology Officer The Linux Foundation

2 Open Source Software has had it’s fair share of major security issues

3 Security Is Hard For Open or Closed Source - These Are Complex Systems
Sometimes it is hard for the same reasons as for closed source: Security is just hard, especially in complex systems There is always pressure for features before fixes Security is even harder to retrofit after the fact

4 FOSS Security Is Different Though
FOSS is not more or less secure, but it is different Typically there are many more people contributing Sometimes (often?) there is a culture of “code is more important than specification” Processes are often more ad hoc There may be less market pressure to put security first

5 Linus’s Law: “Given enough eyeballs, all bugs are shallow.”
We are experiencing market failures. 5

6 But what if you don’t have enough eyeballs?

7 Core Infrastructure Initiative Mission
The CII aims to substantially improve security outcomes in the FOSS projects that underpin the Internet The CII funds work in security engineering, security architecture, tooling, testing and training on key FOSS projects, as well as supporting general development on security-specific projects (such as crypto libraries) The CII is a project run by the Linux Foundation, a 501(c)6 non-profit corporation.

8 The Linux Foundation created the Core Infrastructure Initiative with support from 19 Industry Giants
The CII provides direct support to a few key projects - but it is impossible to support every project - or to support more than a few key developers on the most important project. Therefore we have to find other ways to improve quality. Security is never someone else’s problem.

9 What can we do to improve the security of Open Source Software?
We can do all the same things as we do when building commercial software The big difference is that we have to do it collaboratively, without having a top-down mandate demanding it

10 Security is a process, not a product
Think about security early. Think about security often. This requires buy-in from the whole project community Fostering a culture of security within your open source project is the single most important thing that you can do to improve your security outcomes Security needs to be given equal weight with scalability, performance, usability and all the other design factors that matter to your users

11 Applying “Best Practice” to FOSS
There are a great many widely known and widely used techniques that have been shown to improve security outcomes Use them! FOSS Tool: An easy-to-use check-list tool for assessing your project’s security posture

12 Security design Build a threat model and keep it up to date
Threat modeling doesn’t need to be hard or complex Tool: Elevation of Privilege Threat Modeling Card Game Don’t use weak crypto And definitely don’t try to design your own crypto! Know your dependencies Fix known broken things

13 Change control Tracking who proposed changes, who reviewed those changes and who released them is critical to security. This is often more complex in collaborative OS projects As it happens, failures here are how Heartbleed made it into OpenSSL As soon as your project has two or more people coding you need a policy for how code will get reviewed one

14 Change control Use a version-controlled source repository
FOSS Tool: git, Mercurial, bazaar Make code publicly visible between major releases Public code review before final release is valuable Change logs are a must If other people rely on your code, you can break their security by changing things in your code

15 Quality testing Not all bugs represent vulnerabilities
… but all vulnerabilities are bugs, and… It’s often very hard to tell the difference (at least until someone publishes an exploit!)

16 Quality testing Writing comprehensive tests is far less fun than writing new code to solve new and interesting problems But it’s a hell of a lot more fun than dealing with bugs after they get released Measure your test coverage and require collaborators to write tests for all contributed code FOSS Tools: gcov (C/C++), CodeCover (Java), CodeCoverage (Python), and many more…

17 Security analysis tools
Fancy commercial static analysis tools are expensive … Switching all of your compiler warnings on is not! Use linters, code complexity checkers, fuzzers and other analysis tools where you can; they all can help The earlier in the project you start using these the less you will have to deal with “low signal to noise ratio” FOSS Tools: SonarCube, FramaC, AFL & many more

18 Bug reporting: Closing the SDL loop
Bugs happen; you need a process for dealing with them Users need a way to report security vulnerabilities that doesn’t broadcast them to the whole world! Take reports of security vulnerabilities seriously Just because you can’t work out how to exploit a bug doesn’t mean that it can’t be exploited Tools: Bugzilla, Trac, GitHub Issues

19 What can users of Open Source Software do to make themselves safer?
There are many things that consumers of Open Source Software can do to make their deployments safer. In general these come down to two key areas: Know your dependencies Don’t freeload

20 Know your dependencies
There are many ways that you might be running FOSS: You bought a supported distribution You downloaded a FOSS application You bought a commercial application which uses a FOSS component internally One of your developers pulled a library from GitHub and embedded it in your infrastructure … the list goes on.

21 Know your dependencies
In order to ensure that the FOSS that you use is safe you need to know: What open source components you are using? What versions you are currently running, and where? How these components can be updated, where do you get the update, what do you need to do to install them? Only when you have all this can you consider monitoring the vulnerability announcements

22 Know your dependencies
Supported distributions make their business by solving these problems, but only for the bits that they supply For commercial software, demand that your vendor disclose the FOSS components in their applications. For internal apps, there are commercial scanning tools In many cases proactive scanning with ‘fgrep –i copyright’ can be a useful first step Remember, version numbers are important

23 Don’t Freeload!

24 Don’t freeload! “Maybe part of the reason that the Heartbleed bug had such a big impact is that more than $1 trillion per year of business was being run on a project that had received only $3,000 in support in the preceding year”

25 Don’t freeload! Open Source projects rely on more than cash donations.
They rely on a vibrant community forming around them. You can support projects by providing: Detailed feedback and analysis of bugs you find Patches, both to fix bugs and add capabilities When you build a business around a project, engineers Engagement with the community to crowd-source support and help share knowledge

26 Conclusions Projects must think about security early & often and they must be willing to prioritise it as highly as other features Most of the ways that we can make open source software more secure are common industry “best practices”. It is simply a matter of choosing to adopt them. For users, the most important factor is to track what FOSS projects you use in your infrastructure Contribute! Your feedback, time, engineers, and money!

27 Thank you.

Download ppt "Collaborative Security: Securing Open Source Software"

Similar presentations

Version Control Systems Phil Pratt-Szeliga Fall 2010.

Version Control Systems Phil Pratt-Szeliga Fall 2010.
Static Code Analysis and Governance Effectively Using Source Code Scanners.

Static Code Analysis and Governance Effectively Using Source Code Scanners.
Desktop Security: Worms and Viruses Brian Arkills, C&C NDC-Sysmgt.

Desktop Security: Worms and Viruses Brian Arkills, C&C NDC-Sysmgt.
Sudheesh Singanamalla. Editable and Free Every open source software is free to download and use for a lifetime. At the same time it gives the transparency.

Sudheesh Singanamalla. Editable and Free Every open source software is free to download and use for a lifetime. At the same time it gives the transparency.
Software Assurance Session 13 INFM 603. Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security.

Software Assurance Session 13 INFM 603. Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security.
Turning Software Projects into Production Solutions Dan Fraser, PhD Production Coordinator Open Science Grid OU Supercomputing Symposium October 2009.

Turning Software Projects into Production Solutions Dan Fraser, PhD Production Coordinator Open Science Grid OU Supercomputing Symposium October 2009.
© 2002 IBM Corporation Confidential | Date | Other Information, if necessary June, 2011 Made available under the Eclipse Public License v 1.0 1 Mobile.

© 2002 IBM Corporation Confidential | Date | Other Information, if necessary June, 2011 Made available under the Eclipse Public License v Mobile.
Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005

Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005
Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006

Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006
WATERFALL DEVELOPMENT MODEL. Waterfall model is LINEAR development lifecycle. This means each phase must be completed before moving onto the next!!! WHAT.

WATERFALL DEVELOPMENT MODEL. Waterfall model is LINEAR development lifecycle. This means each phase must be completed before moving onto the next!!! WHAT.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Unlocking the Community Toolchest Tony Atkins UHI Millenium Institute.

Unlocking the Community Toolchest Tony Atkins UHI Millenium Institute.
How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.

How We Got Here PC and Internet changed the rules –Viruses, information sharing, “outside” and “inside” indistinguishable –Vulnerability research for.
Chapter 25 – Configuration Management 1Chapter 25 Configuration management.

Chapter 25 – Configuration Management 1Chapter 25 Configuration management.
Image by apaixonada: Talking people into creating patches.

Image by apaixonada: Talking people into creating patches.
How To Get Involved In Open Source Nick Burch Senior Developer, Alfresco Software VP ConCom, ASF Member.

How To Get Involved In Open Source Nick Burch Senior Developer, Alfresco Software VP ConCom, ASF Member.
Thinking Outside the Box Linux. Question: What form of transportation racks up the most passenger miles per year? Not cars Not bicycles Not buses Not.

Thinking Outside the Box Linux. Question: What form of transportation racks up the most passenger miles per year? Not cars Not bicycles Not buses Not.
Code Simplicity: Software Design In Open Source Projects Max Kanat-Alexander

Code Simplicity: Software Design In Open Source Projects Max Kanat-Alexander
Common System Exploits Tom Chothia Computer Security, Lecture 17.

Common System Exploits Tom Chothia Computer Security, Lecture 17.
THE BEST CRM SOFTWARE FOR YOUR BUSINESS

THE BEST CRM SOFTWARE FOR YOUR BUSINESS

Similar presentations

Ads by Google