here s where we are with open source security
play

Here's where we are with open source security and here's what we - PowerPoint PPT Presentation

Dec 24, 2023 •666 likes •931 views

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

  1. Here's where we are with open source security … and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative

  2. 2014 was a bad year for FOSS security

  3. The Linux Foundation created the Core Infrastructure Initiative with support from 19 Industry Giants

  4. Core Infrastructure Initiative Mission ▪ The CII aims to substantially improve security outcomes in the FOSS projects that underpin the Internet ▪ The CII funds work in security engineering, security architecture, tooling, testing and training on key FOSS projects, as well as supporting general development on security-specific projects (such as crypto libraries)

  5. Security Is Hard For Open or Closed Source - These Are Complex Systems

  6. FOSS Security Is Different FOSS is not more or less secure, but it is different • Typically there are many more people contributing • Sometimes (often?) there is a culture of “code is more important than specification” • Processes are often more ad hoc • There may be less market pressure to put security first

  7. Linus’s Law: “Given enough eyeballs, all bugs are shallow.”

  8. What if you don’t have enough eyeballs?

  9. Where is FOSS security in 2016 ▪ Things are better than 2014 … but we still have a long way to go ▪ Heartbleed, Shellshock, Poodle, ntpd DDoS etc. were a wake-up call to the open source projects as well as for users and the technology industry ▪ Security has become a higher priority for many projects

  10. The state of affairs is still highly variable ▪ Some projects have excellent security process and outcomes ▪ Many are OK ▪ Some are terrible ▪ Quite a lot simply don’t have anyone working on them

  11. Identifying potential sources of risk ▪ Orphan code in deployment is a problem • Ubuntu has nearly 50,000 packages recursively dependent on zlib; the last release was in 2013 ▪ Some projects have higher bug densities than others ▪ Code that runs with privileges is potentially more dangerous ▪ Code in memory-unsafe languages is more prone to certain types of dangerous bug

  12. Identifying at risk projects

  13. Making progress ▪ Direct investment has improved bug security process and security outcomes in many projects: • OpenSSL, GnuPG, OpenSSH and many more ▪ NTPSec fork has removed 75% of the code in ntpd without compromising the functionality ▪ Census project has allowed us to identify and target packages that are at risk ▪ Reproducible builds is allowing users to check binaries ▪ Badging has improved security process in 100s of projects

  14. The impact of the CII ▪ The CII has directly invested in dozens of projects • Typical distributions have 20,000+ packages • We are only scratching the surface in direct investment ▪ Some of our projects have very wide reach • The Fuzzing Project has tested and reported bugs on hundreds of projects • Reproducible Builds has tested ALL 23,931 Debian ‘testing’ source packages

  15. Reproducible Builds: Debian at 91.5%

  16. Successes with OpenSSL Governance ▪ Bugs are found faster and closed faster ▪ More progress on security roadmap items ▪ New release policies mean security updates are being deployed more quickly

  17. Where do we go next? ▪ Many bugs are staying unfixed for too long ▪ Many projects still resist any security improvements that impact performance ▪ Still too much orphan code in use

  18. Kees Cook’s Linux bug time line Critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.

  19. A cost worth paying ▪ Many of the well known and well understood ways to mitigate against the impact of security vulnerabilities have performance costs ▪ Deploying techniques for isolation and self-protection can significantly reduce the risk of harm from whole classes of bug, not just from individual, identified bugs ▪ Projects (and users) need to realise that these costs are worth paying

  20. Security is a process, not a product ▪ Projects like the CII Best Practice Badge have been encouraging projects to think more about their security process ▪ Even mature, well-run projects have been benefitting ▪ This requires buy-in from the whole project community

  21. Scaling up the impact of the CII ▪ Tools for testing • OWASP ZAP ▪ Tools for assessment • Fuzzing ▪ Tools for promoting best practices • Badging ▪ Tools for training

  22. The future of FOSS security ▪ Need to win hearts and minds ▪ No one size fits all ▪ Find the projects that matter ▪ Assess their status ▪ Work out what they need ▪ Provide it

  23. Conclusions ▪ In short, things are getting better but we still have a long way to go ▪ If Open Source software is to become the dominant force in corporate IT then security must be a core selling point ▪ Security must be something that projects thing about early and often and they must be willing to prioritise it as highly as other features

  24. Thank you. https://www.coreinfrastructure.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By Sevan Janiyan What is pkgsrc Cross platform packaging system 23 listed platforms in 2015Q3 release notes Strive to keep local changes minimal

563 views • 44 slides
Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat Product Security Team 2013-02-02 Overview Vulnerability tracking Tool-chain hardening Distribution-wide defect analysis 2 TRENDS IN OPEN

462 views • 31 slides
Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead Mark is the lead maintainer of Guardr, a suite of modules predicated around Drupal security. He is passionate about architecting systems to solve

812 views • 38 slides
Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015 Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting

718 views • 44 slides
OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System System Overview Purpose To provide a framework for security assessors to correlate and

438 views • 12 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario https://dadario.com.br - - - - - - - - - - - - - - Source: https://blog.ripstech.com/2016/the-state-of-wordpress-security/ [1] Source:

752 views • 71 slides
Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts & Sciences Ubani A Balogun & Justin Klein Keane Security Intelligence HECTOR was developed out of a desire to leverage security

751 views • 25 slides
The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH Introduction About Johannes Dahse Master IT Security at RUB, Germany (2006 - 2012) Capture The Flag (CTF) Contests Security Consultant

673 views • 64 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

My Kind of Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and modular infrastructure built using open source and delivered with: Better quality and security Lower costs No vendor

941 views • 40 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source Software Leon Anavi Konsulko Group leon.anavi@konsulko.com leon@anavi.org FOSDEM 2018 Agenda Home automation and smart lightning Open

422 views • 30 slides
mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a vast increase in adoption of open source software solutions across the private enterprise, government associations and organizations, industries.

581 views • 18 slides
Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3,

Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3,

Parallelism and Ellipsis in Comparatives Katy Carlson Morehead State University k.carlson@moreheadstate.edu Virtual ECBAE3, July 2020 The Project in a Nutshell Comparative constructions can have a range of syntactic continuations, from

519 views • 35 slides
Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55

Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55

Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55 OpenSSL CCS bug 24-10-2015 4/55 gotofail 24-10-2015 5/55 Certifjcate handling 24-10-2015 6/55 CVE-2014-6321 in schannel a.k.a. Winshock

774 views • 55 slides
Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet

Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet

Variables CS105 : Saelee puts "Hello, Michael" puts "Pleased to meet you, Michael." puts "Michael, welcome to CS 105!" puts "The name of your instructor is Michael

677 views • 26 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef

Securely Implementing Network Protocols: Detecting and Preventing Logical Flaws Mathy Vanhoef (KU Leuven) Black Hat Webcast, 24 August 2017 @vanhoefm Introduction Many protocols have been affected by logical bugs Design flaws Implementation

692 views • 31 slides
Kirkwood at Westheimer Kirkwood at Overbrook Kirkwood at Southlake Kirkwood at Poplar Creek

Kirkwood at Westheimer Kirkwood at Overbrook Kirkwood at Southlake Kirkwood at Poplar Creek

Kirkwood at Westheimer Kirkwood at Overbrook Kirkwood at Southlake Kirkwood at Poplar Creek Kirkwood at Waldemar Kirkwood at The Steeples Kirkwood at The Abbey Kirkwood at Briar Forest Kirkwood at Kirkwood Plaza Kirkwood at Highgrove

447 views • 18 slides
Elizabeth Simcoe Jr, Guildwood Jr, Jack Miner Sr & Poplar Road Jr PS Pupil Accommodation

Elizabeth Simcoe Jr, Guildwood Jr, Jack Miner Sr & Poplar Road Jr PS Pupil Accommodation

Elizabeth Simcoe Jr, Guildwood Jr, Jack Miner Sr & Poplar Road Jr PS Pupil Accommodation Review Working Meeting #1 February 2, 2017 Elizabeth Simcoe Jr, Guildwood Jr, Jack Miner Sr & Poplar Road Jr PS PARC Agenda Welcome and

625 views • 34 slides
Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh

Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh

Robust and Anonymous Information Sharing among Autonomous Vehicles Muktadir Chowdhury, Ashlesh Gawande, Lan Wang Computer Science, U. Memphis Autonomous vehicles need reliable, trustworthy real-time data Car B can help Car A and C avoid

489 views • 6 slides

More recommend