the work of security teams
play

The work of security teams Mateusz Kocielski shm@NetBSD.org - PowerPoint PPT Presentation

Nov 17, 2023 •160 likes •355 views

The work of security teams Mateusz Kocielski shm@NetBSD.org LogicalTrust pkgsrccon Krak ow, July 02, 2016 THANKS kamil@ & co-organizers THANKS kamil@ & co-organizers *applause.wav* whoami(1) pentester at LogicalTrust

  1. The work of security teams Mateusz Kocielski shm@NetBSD.org LogicalTrust pkgsrccon Krak´ ow, July 02, 2016

  2. THANKS kamil@ & co-organizers

  3. THANKS kamil@ & co-organizers *applause.wav*

  4. whoami(1) ◮ pentester at LogicalTrust ◮ open source committer: ◮ NetBSD - libsaslc(3), bozohttpd(8), hacking random things & secteam member ◮ PHP - bug finding & fixing ◮ security: ◮ PHP - CVE-2010-1868, CVE-2010-1917, CVE-2010-4150, CVE-2010-4156, CVE-2011-1938, CVE-2016-5768, ... ◮ stunnel - CVE-2013-1762 ◮ OpenSSH - CVE-2011-0539 ◮ Apache - CVE-2014-0117, CVE-2014-0226 ◮ FreeBSD - CVE-2015-1414 ◮ NetBSD - CVE-2015-8212, ... ◮ ...

  5. NetBSD & Security ◮ exploit mitigations ◮ ASLR ◮ PaX ◮ SSP ◮ FORTIFY ◮ kernel based NULL pointer dereferences ◮ blacklistd(8) ◮ veriexec(8) ◮ ... ◮ see security(7) ◮ it’s clear we all care about security

  6. Motivation behind this talk ◮ what’s going on behind security-team@ ◮ what we do ◮ what need to be done to issue a security report ◮ what can be done better

  7. security-related groups in the NetBSD ◮ security-alert@ - Security Alert Team ◮ An emergency contact address for notifying the NetBSD project of security issues. Less of a formal ’group’ than security-officer@. ◮ security-team@ - Security Team ◮ Responsible for handling security issue resolution and announcements. ◮ security-officer@ - Security-Officer ◮ Responsible for assisting to resolve security issues and preparing announcements. ◮ pkgsrc-security@ - pkgsrc Security Team ◮ Responsible for handling pkgsrc security issues.

  8. security-team@ - what you do? ◮ we try to keep the NetBSD code safe ◮ pressure of time ◮ we assist in ◮ cooperating with 3rd parties to exchange information on issues ◮ evaluating potential vulnerabilities ◮ preparing patches ◮ preparing advisories ◮ cooperating with other devs to keep our codebase safe ◮ http://www.netbsd.org/support/security/advisory.html ◮ 252 advisories since 1998 ◮ whole bug cycle usually takes from few hours to days

  9. security-team@ - advisories - stats per year 2000. 17 2001. 18 2002. 27 2003. 18 2004. 10 2005. 13 2006. 26 2007. 7 2008. 15 2009. 13 2010. 13 2011. 9 2012. 4 2013. 13 2014. 15 2015. 12 2016. 5

  10. security-team@ - cooperating with 3rd parties/devs ◮ cooperating with 3rd parties ◮ ”Hey NetBSD, there’s a bug in XXX” ◮ receiving confidential information about bugs in 3rd party software ◮ coordinated disclosure (usually information is embargoed until someday) ◮ ”Hey 3rd party software, there’s a bug in XXX” ◮ communication usually bases on trust → we have to keep the information in confidential ◮ ”Hey TCP-stack wizard, there’s a nasty bug in TCP implementation, may I ask you to help us fix that?”

  11. security-team@ - evaluating potential vulnerabilities ◮ evaluating bug impact ◮ local DoS that can be triggered by privileged user � = remote code execution due to bug in kernel ◮ trying to figure out the root cause ◮ looking for solutions and workarounds ◮ trying to figure out technical implications

  12. security-team@ - preparing patches ◮ working with random parts of the code ◮ security related patches should be crafted with carefulness ◮ PHP fixed few bugs... and introduced other vulnerabilities :) ◮ arrange pull-ups to supported branches ◮ coordinate devs ◮ need to deal with different versions of 3rd party software ◮ like unmaintained OpenSSL 0.9.x in NetBSD 5.x

  13. security-team@ - preparing advisory ◮ provide information on ◮ vulnerable branches ◮ technical details ◮ solutions and workarounds ◮ how to deal with bug ◮ how to fix from autobuilds ◮ how to fix from source ◮ requires writing in English... ◮ usually painful process (at least for me :))

  14. security-team@ - what can be done better? ◮ minimize time frame between notification about the bug and advisory publication ◮ binary patches (see FreeBSD’s freebsd-update(1)) ◮ Security Notices ◮ proactive NetBSD code audits

  15. Reporting a security issue ◮ contact security-alert@ (remember about PGP) ◮ send-pr(1) ◮ if you suspect the bug is important, then use security-alert@ ◮ provide as many details as you can ◮ root case/patches more than welcome

  16. How you can help? ◮ fix bugs from coverity scans ◮ notify us if you see potential hole in the NetBSD ◮ audit the NetBSD code ◮ try to provide as many details as you can ◮ we need fresh blood - join us to make the NetBSD safer place for you and me

  17. my projects - fuzzing + rump Become a hero: ◮ I’m fuzzing various parts of the NetBSD using rump(7) ◮ now I’m focused on network stack ◮ Address Sanitizer (other sanitizers?) ◮ if you want to join me, drop me a line → shm@NetBSD.org ◮ think about your master thesis/research/fun ◮ test my SMEP/SMAP implementation

  18. Q&A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Welcome to JMS! FAQs How do the following programs work: Teams? Pre-AP? Electives?

Welcome to JMS! FAQs How do the following programs work: Teams? Pre-AP? Electives?

Welcome to JMS! FAQs How do the following programs work: Teams? Pre-AP? Electives? Lunch? Recharge? Pre-Enrollment? Academic Teams On Team English Language Arts Social Studies Science Off

202 views • 9 slides
IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am

IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am

IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am I? Chris van Breda, CD, CISSP, EnCE Click to add subtitle 2 Theme for the 2006 conference Sharing Intelligence in Global Response working

894 views • 72 slides
Navigating Complexity High-performance discovery teams 1 Tale of Two Teams >8 2 Key

Navigating Complexity High-performance discovery teams 1 Tale of Two Teams >8 2 Key

Navigating Complexity High-performance discovery teams 1 Tale of Two Teams >8 2 Key Learnings Two different types of work ; two different ways of thinking Accelerate discovery Maximize Learning MVPs Idea flow Better Ideas Collective

761 views • 55 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Practices and Charter Research Branch Security Council Affairs Division Department of Political Affairs United Nations August

490 views • 28 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Affairs Division Department of Political Affairs United Nations August 2013 Outline What is the Security Council?

189 views • 16 slides
FUNDAMENTALS Teamwork Lesson 6 Teamwork Why Teams @ Work Organization? Work in organizations is

FUNDAMENTALS Teamwork Lesson 6 Teamwork Why Teams @ Work Organization? Work in organizations is

MANAGEMENT FUNDAMENTALS Teamwork Lesson 6 Teamwork Why Teams @ Work Organization? Work in organizations is inter-connected HR Fin Prod Mkt IT Admin What is a Team? Two or more An unit of two or more people people who interact and

329 views • 15 slides
Thank you to you and your teams for all your work on the budget. This framework includes all of

Thank you to you and your teams for all your work on the budget. This framework includes all of

10/6/2017 TO: Chancellors FROM: Jim Johnsen RE: Budget Development Thank you to you and your teams for all your work on the budget. This framework includes all of the information we received from the universities. I look forward to our

324 views • 8 slides
Working in Teams Working in Teams May, 2001 Natural Work Teams Team Member Expectations Team

Working in Teams Working in Teams May, 2001 Natural Work Teams Team Member Expectations Team

Team Development Team Development Part III: Part III: Working in Teams Working in Teams May, 2001 Natural Work Teams Team Member Expectations Team Member Expectations Which expectations from our handout can we now add to our list?

645 views • 21 slides
Today In Class Rik Eberhardt Today In CMS.611 / 6.037 & SIT IN YOUR TEAMS Working in

Today In Class Rik Eberhardt Today In CMS.611 / 6.037 & SIT IN YOUR TEAMS Working in

Today In Class Rik Eberhardt Today In CMS.611 / 6.037 & SIT IN YOUR TEAMS Working in Teams Effectively Agile Review Team Dynamics How do distributed agile teams perform? Work in Class Review & Agile Processes

454 views • 24 slides
Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password management policies. ~ Trustwave Each year, over 125 millions hours of productivity are lost due to passwords management problematics. ~

950 views • 25 slides
Velocity Teams @ Work in Texas Critical Access Hospitals Julie Ketelsen, MPH, CHES Flex

Velocity Teams @ Work in Texas Critical Access Hospitals Julie Ketelsen, MPH, CHES Flex

Velocity Teams @ Work in Texas Critical Access Hospitals Julie Ketelsen, MPH, CHES Flex Coordinator Texas Department of Agriculture Flex Reverse Site Visit 2016 Why Have Velocity Teams? Improve quality outcomes Peer to Peer Support

236 views • 12 slides
Vocational Rehabilitation Teams Does the concept match the reality? Background Presenter:

Vocational Rehabilitation Teams Does the concept match the reality? Background Presenter:

Vocational Rehabilitation Teams Does the concept match the reality? Background Presenter: Lisa McAulay Regional Manager and Occupational Therapist for Fit For Work Masters Degree at AUT My research is focused on how New Zealand teams

468 views • 21 slides
Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer

Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer

255 105 0 149 149 149 225 225 225 68 84 106 84 28 0 0 0 153 65 0 102 Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer joao.santos@zalando.de Autonomously @joaomcsantos Europython 2015

511 views • 40 slides
T.I.M. TEAMS T raffic I ncident M anagement Team 1 Why T.I.M. TEAMS? Over 50% of the

T.I.M. TEAMS T raffic I ncident M anagement Team 1 Why T.I.M. TEAMS? Over 50% of the

T.I.M. TEAMS T raffic I ncident M anagement Team 1 Why T.I.M. TEAMS? Over 50% of the congestion is caused by non- recurring incidents. For every additional minute taken to clear a traffic incident, it will extend the duration an

241 views • 13 slides
TEAMS AGENDA Update on Leading Teams Values Exercise LEADING TEAMS Leadership

TEAMS AGENDA Update on Leading Teams Values Exercise LEADING TEAMS Leadership

LEADING TEAMS AGENDA Update on Leading Teams Values Exercise LEADING TEAMS Leadership development for middle managers, those who manage other managers LEADING TEAMS DES ran 3 pilots 34 agencies participated UPDATE

456 views • 12 slides
1 What makes a successful Successful software teams team? Studies show a 10 to 1 difference

1 What makes a successful Successful software teams team? Studies show a 10 to 1 difference

Why teams? CSE 403 Lecture 9 Project teams Team size Team structure Many different models Bigger is better Smaller is better Software development teams Chief programmer team Key points Brooks Surgeon team Technical

282 views • 3 slides
Grid Operational Security: from EGEE to EGI Mingchao Ma STFC RAL, UK ISGC 2010, Taipei,

Grid Operational Security: from EGEE to EGI Mingchao Ma STFC RAL, UK ISGC 2010, Taipei,

Grid Operational Security: from EGEE to EGI Mingchao Ma STFC RAL, UK ISGC 2010, Taipei, Taiwan Overview Current EGEE operational security Transition - a regional view ROC in EGEE NGI in EGI Challenges in EGI and

638 views • 19 slides
What do ALL NGIs need to do? Requirements for operational security Sven Gabriel (Nikhef) EGEE

What do ALL NGIs need to do? Requirements for operational security Sven Gabriel (Nikhef) EGEE

Enabling Grids for E-sciencE What do ALL NGIs need to do? Requirements for operational security Sven Gabriel (Nikhef) EGEE Operational Security Coordination Team http://cern.ch/osct/ www.eu-egee.org Information Society and media EGEE-III

311 views • 13 slides
So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security

So You Want to Be an Information Security Officer? Presented by: Art Bakke Information Security Officer Background Personal Starion Bank Arts Goals Highlight the typical responsibilities of an Information Security Officer from

778 views • 22 slides
EUDAT AND SECURITY Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi, security@eudat.eu WISE W

EUDAT AND SECURITY Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi, security@eudat.eu WISE W

EUDAT AND SECURITY Urpo Kaila, EUDAT Security Officer urpo.kaila@csc.fi, security@eudat.eu WISE W orkshop for I nformation S ecurity for E -infrastructures 2015-10-20, Barcelona This work is licensed under the Creative Commons CC-BY 4.0

563 views • 30 slides
MANAGING INF ORMAT ION PRIVACY & SE CURIT Y RE MOT E L Y Pr e se nte d by: Mar y

MANAGING INF ORMAT ION PRIVACY & SE CURIT Y RE MOT E L Y Pr e se nte d by: Mar y

MANAGING INF ORMAT ION PRIVACY & SE CURIT Y RE MOT E L Y Pr e se nte d by: Mar y Golab, IPO In c ollabor ation with Damian Hollow, URO & She lle y Gar r e tt, CISO Offic e F OI P L ia iso n Offic e r (F L O) Me e ting

263 views • 12 slides
Parameterized Verification goes Safety Analysis of Access Control Policies Silvio Ranise ,

Parameterized Verification goes Safety Analysis of Access Control Policies Silvio Ranise ,

Parameterized Verification goes Safety Analysis of Access Control Policies Silvio Ranise , Riccardo Traverso, Anh Truong FBK-Irst, Trento, Italy Metodi dichiarativi nella verifica di sistemi parametrici Milano, 25-26 Settembre, 2014 Ranise

577 views • 40 slides
BUSINESS AND SECURITY Chris Klimek TALKING POINTS PERSONAL BUSINESS IMPORTANCE EXTERNAL

BUSINESS AND SECURITY Chris Klimek TALKING POINTS PERSONAL BUSINESS IMPORTANCE EXTERNAL

BUSINESS AND SECURITY Chris Klimek TALKING POINTS PERSONAL BUSINESS IMPORTANCE EXTERNAL BRAND UNDERSTANDI OF FACTORS NG SECURITY LOOKING FOR THE RIGHT FIT Walk me through the process of how you would start looking for a job or

916 views • 45 slides
OPERATING SEGMENT RECONCILIATION 1Q 2018 SHW Operating Segments: 1Q 2018 Latin America

OPERATING SEGMENT RECONCILIATION 1Q 2018 SHW Operating Segments: 1Q 2018 Latin America

OPERATING SEGMENT RECONCILIATION 1Q 2018 SHW Operating Segments: 1Q 2018 Latin America Paint Stores Coatings Sales: $2,080.4M Sales: $656.4M Sales: $1,227.8M Profit: $337.4M Profit: $74.2M Profit: $90.8M The Americas Group

458 views • 8 slides

More recommend