while using open source
play

While Using Open Source Guy Bar Gil, Product Manager 1 2 3 - PowerPoint PPT Presentation

Jan 02, 2024 •326 likes •739 views

How to Sleep Soundly at Night While Using Open Source Guy Bar Gil, Product Manager 1 2 3 SmallComp s M&A Staying Secure The Equifax Breach 2 Introduction Slide Two dogs + one cat In my free time I enjoy: Sports

  1. How to Sleep Soundly at Night While Using Open Source Guy Bar Gil, Product Manager

  2. 1 2 3 SmallComp ’ s M&A Staying Secure The Equifax Breach 2

  3. Introduction Slide • Two dogs + one cat • In my free time I enjoy: • Sports • Reading • Traveling Guy Bar Gil, Product Manager 3

  4. 1 The Equifax Breach 4

  5. • Consumer credit reporting agency • Equifax collects and aggregates information • 800M+ individual consumers • 88M+ businesses • Publicly traded (NYSE), 9.5K+ employees, $3.14B in revenues (2016)

  6. Apache Struts • Open-source framework, for creating Java web applications. • CVE-2017-5638 allows remote code execution through the web applications.

  7. The Equifax Breach – A Timeline Hackers gained access to Equifax ’ s Hackers begin Equifax publicized March 15 th July 29 th March 9 th exfiltrating data. the breach systems. May 13 th September 7 th March 10 th Equifax renews their Equifax's IT CVE-2017-5638 was • expired public-key published. department ran a certificate series of scans to The Apache Software • Foundation released a identify unpatched patch for the systems. vulnerability. Equifax administrators • were told to apply the patch to any affected systems.

  8. Incident Aftermath $3 billion 145 million The amount Equifax spent upgrading its People affected by the breach . security and resolving consumer claims

  9. What Can We Learn? #1 Act Fast Exploits are public for everyone #2 Continuously Monitor 300 new vulnerabilities published every month #3 Get the Basics Right Millions spent on security gear but it was poorly implemented 9

  10. 2 SmallComp’s M&A 10

  11. SmallComp ’ s M&A • SmallComp required to do an open- source audit. • Found a dependency licensed under AGPL. 11

  12. $4M Dollars in Escrow • Terms of the escrow: • Remove any trace of AGPL from the software. • 80% of customers must deploy the updated software to production. • Two year timeframe. • Development/deployment-related costs taken from the escrow. 12

  13. Solving The Problem Isn’t So Easy Two main obstacles: Development + QA time is 1 year for 1 person. • SmallComp ’ s customers are hospitals, where • solutions are often manually deployed and technicians are required to train staff. 13

  14. They Did It! SmallComp was able to fulfill the terms of the escrow after 1 year and 8 months! 14

  15. How Do We Avoid This Situation? #1 Set Clear Policies for the whole company in regards to licensing #2 Communicate the company ’ s policies to developers #3 Enforce make sure your policies are being enforced 15

  16. 3 Staying Secure 16

  17. Step 1: Create Transparency Transparency is the baseline to everything • Understand exactly what you’re using: • Direct Dependencies • Transitive Dependencies • Source files • 17

  18. Lots of jars ? 18

  19. Lots of jars, but lots more java beans ? 19

  20. Step 2: Detect Potential Issues • Match your components to the most comprehensive DB possible: • Published CVEs • Vulnerabilities published in security advisories • Vulnerabilities detected by research teams • Thorough license detection 20

  21. Step 3: Prioritize How would you prioritize your vulnerabilities? 21

  22. Step 3: Prioritize • Prioritize by: • Business risk • Exploitability • Severity • Availability of fixes • Effectiveness 22

  23. Vulnerabilities Prioritization 23

  24. After testing 2,000 Java applications, WhiteSource found that 85% of all detected vulnerabilities were deemed ineffective. 24

  25. Step 4: Execution Understand the best path to remediation Upgrade the component ’ s version? • Change the component? • Set up an external defense? • 25

  26. 2 3 4 1 Create Detect Issues Prioritize Execute Transparency 26

  27. Let’s Talk About Implementation!

  28. Step 1 : Creating Transparency Identify the processes in your software development lifecycle (SDLC) 28

  29. Step 2: Detect Where you want to implement security checks • Where you can automate • 29

  30. Development 30

  31. Build 31

  32. Deploy 32

  33. Maintain New vulnerabilities are constantly being published 33

  34. Step 3: Prioritize Act on early -> Shifting left • Avoid allowing vulnerable components • reach deployment 34

  35. Detect Issues As Early As Possible 35

  36. Step 4: Execution Who ’ s responsibility is it? Security team: • Setting policies • Educating developers • Development team: • Execution • 36

  37. Developers need robust tools, that fit into their workflows 37

  38. #1 Educate On the basics of open-source security & compliance Empower Teams #2 By providing them the right tools #3 Enable Success By creating a shared mission 38

  39. “ Don ’ t Be That Guy 39

  40. Q & A

  41. Thank You! For any questions, please contact me: Guy.bar-gil@whitesourcesoftware.com 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source Software Leon Anavi Konsulko Group leon.anavi@konsulko.com leon@anavi.org FOSDEM 2018 Agenda Home automation and smart lightning Open

422 views • 30 slides
mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a vast increase in adoption of open source software solutions across the private enterprise, government associations and organizations, industries.

581 views • 18 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source

The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source

The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source Software Amazing times for Open Source Software! Commercial Success Fantastic Success of Open Source Based Businesses! RedHat Acquired by IBM

1.19k views • 52 slides
Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric

Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric

Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric Promislow ActiveState Software Inc. OpenKomodo: Own Your IDE Copenhagen, Denmark April 2, 2008 1 History Perl for Windows Active Python,

820 views • 65 slides
Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview

Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview

Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview Open Source hardware (This is the smallest font) Business model Example circuit, concept -> production Make circuit boards with Open

806 views • 78 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD)

Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD)

Design principles for 5G Toward a new paradigm, All-IT Network architecture Unbundling Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD) Unbundled Function Blocks Open Source Hardware (OCP,

180 views • 15 slides
OPEN SOURCE PROGRAMS + THEIR ETHICAL DEVELOPMENT AND FUTURE OPEN SOURCE PROGRAMS PROVIDE A

OPEN SOURCE PROGRAMS + THEIR ETHICAL DEVELOPMENT AND FUTURE OPEN SOURCE PROGRAMS PROVIDE A

OPEN SOURCE PROGRAMS + THEIR ETHICAL DEVELOPMENT AND FUTURE OPEN SOURCE PROGRAMS PROVIDE A VIABLE FOUNDATION FOR THE SUSTAINABLE FUTURE OF THE WORLD S CREATIVE ECONOMY. FIGURE A Figure A. Skok, 2012, p. 13 WHAT IS AN OPEN SOURCE PROGRAM?

343 views • 8 slides
Looking Back, Looking Forward A Personal Career Reflection Mr Alan Corry Finn Executive Director

Looking Back, Looking Forward A Personal Career Reflection Mr Alan Corry Finn Executive Director

Looking Back, Looking Forward A Personal Career Reflection Mr Alan Corry Finn Executive Director of Nursing, and Director of Primary Care & Older Peoples Services Western HSC Trust NIPE PEC C Annu nual Confe ferenc rence 8 March

378 views • 11 slides
Newcastle upon Tyne Age Friendly Cultural City Alison Flanagan Wood Newcastle City Council Arts

Newcastle upon Tyne Age Friendly Cultural City Alison Flanagan Wood Newcastle City Council Arts

Newcastle upon Tyne Age Friendly Cultural City Alison Flanagan Wood Newcastle City Council Arts Development Officer alison.flanaganwood@newcastle.gov.uk Sharon Bailey The Grange Centre/ Artist & Creative Producer sharonbailey8796@gmail.com

345 views • 32 slides
Nomura Investors Day 2010 Wholesale Division Update April 28, 2011 Jesse Bhattal Jesse Bhattal

Nomura Investors Day 2010 Wholesale Division Update April 28, 2011 Jesse Bhattal Jesse Bhattal

Nomura Investors Day 2010 Wholesale Division Update April 28, 2011 Jesse Bhattal Jesse Bhattal President and Chief Executive Officer, Wholesale Division E Executive Summary ti S Challenged financial performance FY10/11 Year of transition,

164 views • 14 slides
What enables low- capacity SMEs to innovate in collaboration with academic partners? Research

What enables low- capacity SMEs to innovate in collaboration with academic partners? Research

What enables low- capacity SMEs to innovate in collaboration with academic partners? Research Papers by: Sigrid Rajalo and prof Maaja Vadi 1 University of Tartu, Estonia 2/28/2020 2 Estonia- borderline between West and East 2004

255 views • 24 slides
8th Annual Student Success Conference A Coordinated Culture of Care for Student Success Dr. Brett

8th Annual Student Success Conference A Coordinated Culture of Care for Student Success Dr. Brett

8th Annual Student Success Conference A Coordinated Culture of Care for Student Success Dr. Brett Carter Associate Vice Chancellor and Dean of Students UNC Greensboro Pa rtic ipa nts will b e a b le to ide ntify spe c ific ste ps to c

932 views • 30 slides
response to those in greatest need Introduction to our work The Boaz Trust supports destitute

response to those in greatest need Introduction to our work The Boaz Trust supports destitute

Catch -Hold- Release Developing a compassionate response to those in greatest need Introduction to our work The Boaz Trust supports destitute asylum seekers. Destitute asylum seekers are people who are refused asylum, but are not

254 views • 11 slides
Call to Action: Attorney Well-Being in the Large Firm Justice David Lillehaug Robert Zeglovitch

Call to Action: Attorney Well-Being in the Large Firm Justice David Lillehaug Robert Zeglovitch

Call to Action: Attorney Well-Being in the Large Firm Justice David Lillehaug Robert Zeglovitch KZ Workplace February 28, 2019 5 Goals for Today Understand why large firms should emphasize well-being Consider a large firm case study

622 views • 38 slides
Investor Presentation Istanbul, Turkey March 2020 Agenda 1. Turkey at a Glance 2. Our

Investor Presentation Istanbul, Turkey March 2020 Agenda 1. Turkey at a Glance 2. Our

Investor Presentation Istanbul, Turkey March 2020 Agenda 1. Turkey at a Glance 2. Our Markets Private Pension System Life Insurance 3. Corporate Profile 4. Financial Results 2 Turkey at a Glance Turkey at a Glance

519 views • 47 slides

More recommend