How Open Source Benefits Cyber Security

Transcript

1. LLNL-PRES-752254 This work was performed under the auspices of the

   U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC How Open Source Benefits Cyber Security Department of Energy – Cyber Conference Ian Lee [email protected] 2018-06-05

2. LLNL-PRES-752254 2 https://www.ted.com/talks/simon_sinek_why_good_leaders_make_you_feel_safe

3. LLNL-PRES-752254 3 Django Con 2015 – Opening Keynote https://pbs.twimg.com/profile_images/444296717446287360/VGK7qhQa_400x400.jpeg https://upload.wikimedia.org/wikipedia/commons/thumb/5/50/18F_logo.svg/2000px-18F_logo.svg.png

   https://2015.djangocon.us/site_media/static/images/logo.png

4. LLNL-PRES-752254 4 Why am I passionate about Open Source? Leave

   things better than you found them.

5. LLNL-PRES-752254 5 § DOE Orders § DHS Binding Operational Directories

   § OMB Memorandums § System Compliance (CIS / STIG Benchmarks) § Vulnerability Scanning (Tenable) § Audits § ... Growing Compliance Requirements

6. LLNL-PRES-752254 6 OMB M-15-13: Require Secure Connections https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

7. LLNL-PRES-752254 7 https://https.cio.gov

8. LLNL-PRES-752254 8 8 https://18f.gsa.gov/2015/03/17/for-public-comment-the-https-only-standard/

9. LLNL-PRES-752254 9 https://github.com/gsa/https/issues?utf8=✓&q=label%3A%22Public+Comment%22

10. LLNL-PRES-752254 10 https://github.com/GSA/https/pull/108

11. LLNL-PRES-752254 11 https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

12. LLNL-PRES-752254 12 https://github.com/dhs-ncats/pshtt

13. LLNL-PRES-752254 13 https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

14. LLNL-PRES-752254 14 https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

15. LLNL-PRES-752254 15 https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

16. LLNL-PRES-752254 16 https://18f.gsa.gov/2017/05/25/from-launch-to-landing-how-nasa-took-control-of-its-https-mission/

17. LLNL-PRES-752254 17 https://pulse.cio.gov

18. LLNL-PRES-752254 18 https://pulse.cio.gov/https/agencies/

19. LLNL-PRES-752254 19 https://pulse.cio.gov/https/agencies/

20. LLNL-PRES-752254 20 https://pulse.cio.gov/https/domains/#q=Department%20of%20Energy

21. LLNL-PRES-752254 21 https://pulse.cio.gov/https/domains/#q=Department%20of%20Energy

22. LLNL-PRES-752254 22 https://cyber.dhs.gov

23. LLNL-PRES-752254 23 https://github.com/dhs-ncats/cyber.dhs.gov

24. LLNL-PRES-752254 24 https://github.com/NationalSecurityAgency

25. LLNL-PRES-752254 25 https://github.com/NationalSecurityAgency/SIMP

26. LLNL-PRES-752254 26 https://github.com/simp

27. LLNL-PRES-752254 27 https://github.com/nsacyber

28. LLNL-PRES-752254 28 https://nsacyber.github.io/WALKOFF/

29. LLNL-PRES-752254 29 https://nsacyber.github.io/WALKOFF/tutorials/build/index.html

30. LLNL-PRES-752254 30 https://github.com/nsacyber/WALKOFF/blob/gh-pages/tutorials/build/index.html

31. LLNL-PRES-752254 31 https://github.com/mitre/unfetter/pull/2/files

32. LLNL-PRES-752254 32 OWASP ZAP § “OWASP ZAP is more helpful

    to me because it’s open source because I can easily report and explain false positives to the open source maintainers, including reviewing the code to help identify why false positives are happening. When I have fewer false positives in my scans, I don’t have to do as much paperwork for my P-ATO.” — Britta Gustafson, GSA / 18F

33. LLNL-PRES-752254 33 https://github.com/zaproxy/zaproxy/issues?q=is%3Aissue+author%3Abrittag

34. LLNL-PRES-752254 34 https://bitbucket.org/cse-assemblyline/assemblyline

35. LLNL-PRES-752254 35 What are we doing?

36. LLNL-PRES-752254 36 https://software.llnl.gov

37. LLNL-PRES-752254 37 LLNL Open Source Presence https://software.llnl.gov/explore

38. LLNL-PRES-752254 38 LLNL Open Source Engagement https://software.llnl.gov/explore

39. LLNL-PRES-752254 39 LLNL Open Source Activities https://software.llnl.gov/explore

40. LLNL-PRES-752254 40

41. LLNL-PRES-752254 41 Science & Technology Review “Our large collection of

    software is a precious Laboratory asset, one that benefits both Lawrence Livermore, and in many cases, the public at large.” - Bruce Hendrickson Associate Director, Computation https://str.llnl.gov/2018-01/comjan18

42. LLNL-PRES-752254 42 https://www.exascaleproject.org/more-on-the-software-that-underpins-the-exascale-computing-project/

43. LLNL-PRES-752254 43 § “Federal Source Code Policy: Achieving Efficiency, Transparency,

    and Innovation through Reuseable and Open Source Software” — “Agencies shall make custom-developed code available for Government-wide reuse and make their code inventories discoverable at https://www.code.gov (“Code.gov”) […]” — “[…] establishes a pilot program that requires agencies, when commissioning new custom software, to release at least 20 percent of new custom-developed code as Open Source Software (OSS) […]” Federal Source Code Policy https://sourcecode.cio.gov

44. LLNL-PRES-752254 44 https://code.gov

45. LLNL-PRES-752254 45 https://code.gov/#/explore-code/agencies/DOE

46. LLNL-PRES-752254 46 Federal Source Code Policy Compliance (1 of 3

    out of 25) https://code.gov/#/policy-guide/docs/compliance/dashboard

47. LLNL-PRES-752254 47 https://osti.gov/doecode

48. LLNL-PRES-752254 48 https://github.com/doecode

49. LLNL-PRES-752254 49 https://government.github.com

50. LLNL-PRES-752254 50 US Government Organizations on GitHub https://government.github.com/community

51. LLNL-PRES-752254 51 https://blog.github.com/2018-06-04-github-microsoft/

52. Thank You! [email protected] @IanLee1521 // @LLNL_OpenSource https://speakerdeck.com/IanLee1521

53. This document was prepared as an account of work sponsored

    by an agency of the United States government. Neither the United States government nor Lawrence Livermore National Security, LLC, nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Rference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or Lawrence Livermore National Security, LLC, and shall not be used for advertising or product endorsement purposes.