
How Open Source Benefits Cyber Security

Ian Lee
June 05, 2018

With the perpetual increase in cyber security requirements, it is foolish for DOE elements not to collaborate on common solutions to the same problems. This talk highlights several recent instances where an open source approach, across government agencies, has significantly lowered the barriers to successful compliance and to the modernization of cyber security practices and IT assets. It serves as a call to action to further combine our resources as we strive to do more with less.

Prepared by LLNL under Contract DE-AC52-07NA27344.


Transcript

  1. LLNL-PRES-752254
    This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory
    under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC
    How Open Source Benefits Cyber Security
    Department of Energy – Cyber Conference
    Ian Lee
    [email protected]
    2018-06-05

  2. https://www.ted.com/talks/simon_sinek_why_good_leaders_make_you_feel_safe

  3. Django Con 2015 – Opening Keynote
    https://pbs.twimg.com/profile_images/444296717446287360/VGK7qhQa_400x400.jpeg
    https://upload.wikimedia.org/wikipedia/commons/thumb/5/50/18F_logo.svg/2000px-18F_logo.svg.png
    https://2015.djangocon.us/site_media/static/images/logo.png

  4. Why am I passionate about Open Source?
    Leave things better than you found them.

  5. Growing Compliance Requirements
    § DOE Orders
    § DHS Binding Operational Directives
    § OMB Memorandums
    § System Compliance (CIS / STIG Benchmarks)
    § Vulnerability Scanning (Tenable)
    § Audits
    § ...

  6. OMB M-15-13: Require Secure Connections
    https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

  7. https://https.cio.gov

  8. https://18f.gsa.gov/2015/03/17/for-public-comment-the-https-only-standard/

  9. https://github.com/gsa/https/issues?utf8=✓&q=label%3A%22Public+Comment%22

  10. https://github.com/GSA/https/pull/108

  11. https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

  12. https://github.com/dhs-ncats/pshtt

  13. https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

  14. https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

  15. https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

  16. https://18f.gsa.gov/2017/05/25/from-launch-to-landing-how-nasa-took-control-of-its-https-mission/

  17. https://pulse.cio.gov

  18. https://pulse.cio.gov/https/agencies/

  19. https://pulse.cio.gov/https/agencies/

  20. https://pulse.cio.gov/https/domains/#q=Department%20of%20Energy

  21. https://pulse.cio.gov/https/domains/#q=Department%20of%20Energy

  22. https://cyber.dhs.gov

  23. https://github.com/dhs-ncats/cyber.dhs.gov

  24. https://github.com/NationalSecurityAgency

  25. https://github.com/NationalSecurityAgency/SIMP

  26. https://github.com/simp

  27. https://github.com/nsacyber

  28. https://nsacyber.github.io/WALKOFF/

  29. https://nsacyber.github.io/WALKOFF/tutorials/build/index.html

  30. https://github.com/nsacyber/WALKOFF/blob/gh-pages/tutorials/build/index.html

  31. https://github.com/mitre/unfetter/pull/2/files

  32. OWASP ZAP
    § “OWASP ZAP is more helpful to me because it’s open source because I can easily report and explain false positives to the open source maintainers, including reviewing the code to help identify why false positives are happening. When I have fewer false positives in my scans, I don’t have to do as much paperwork for my P-ATO.”
    — Britta Gustafson, GSA / 18F

  33. https://github.com/zaproxy/zaproxy/issues?q=is%3Aissue+author%3Abrittag

  34. https://bitbucket.org/cse-assemblyline/assemblyline

  35. What are we doing?

  36. https://software.llnl.gov

  37. LLNL Open Source Presence
    https://software.llnl.gov/explore

  38. LLNL Open Source Engagement
    https://software.llnl.gov/explore

  39. LLNL Open Source Activities
    https://software.llnl.gov/explore

  41. Science & Technology Review
    “Our large collection of software is a precious Laboratory asset, one that benefits both Lawrence Livermore, and in many cases, the public at large.”
    — Bruce Hendrickson, Associate Director, Computation
    https://str.llnl.gov/2018-01/comjan18

  42. https://www.exascaleproject.org/more-on-the-software-that-underpins-the-exascale-computing-project/

  43. Federal Source Code Policy
    § “Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software”
    — “Agencies shall make custom-developed code available for Government-wide reuse and make their code inventories discoverable at https://www.code.gov (“Code.gov”) […]”
    — “[…] establishes a pilot program that requires agencies, when commissioning new custom software, to release at least 20 percent of new custom-developed code as Open Source Software (OSS) […]”
    https://sourcecode.cio.gov

  44. https://code.gov

  45. https://code.gov/#/explore-code/agencies/DOE

  46. Federal Source Code Policy Compliance (1 of 3 out of 25)
    https://code.gov/#/policy-guide/docs/compliance/dashboard

  47. https://osti.gov/doecode

  48. https://github.com/doecode

  49. https://government.github.com

  50. US Government Organizations on GitHub
    https://government.github.com/community

  51. https://blog.github.com/2018-06-04-github-microsoft/

  52. Thank You!
    [email protected]
    @IanLee1521 // @LLNL_OpenSource
    https://speakerdeck.com/IanLee1521

  53. This document was prepared as an account of work sponsored by an agency of the United States government. Neither the United States government nor Lawrence Livermore National Security, LLC, nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or Lawrence Livermore National Security, LLC, and shall not be used for advertising or product endorsement purposes.