
How Open Source Benefits Cyber Security

Ian Lee
June 05, 2018


With cyber security requirements growing continually, it makes little sense for DOE elements not to collaborate on common solutions to shared problems. This talk highlights several recent instances where an open source approach, across government agencies, has significantly lowered the barriers to successful compliance and to modernization of cyber security practices and IT assets. It serves as a call to action to combine our resources further as we strive to do more with less.

Prepared by LLNL under Contract DE-AC52-07NA27344.



  1. LLNL-PRES-752254 How Open Source Benefits Cyber Security. Department of Energy – Cyber Conference. Ian Lee, [email protected], 2018-06-05. This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under contract DE-AC52-07NA27344. Lawrence Livermore National Security, LLC

  2. https://www.ted.com/talks/simon_sinek_why_good_leaders_make_you_feel_safe

  3. Django Con 2015 – Opening Keynote [slide images: speaker profile photo, 18F logo]

  4. Why am I passionate about Open Source? Leave things better than you found them.
  5. Growing Compliance Requirements § DOE Orders § DHS Binding Operational Directives § OMB Memorandums § System Compliance (CIS / STIG Benchmarks) § Vulnerability Scanning (Tenable) § Audits § ...
  6. OMB M-15-13: Require Secure Connections https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

  7. https://https.cio.gov

  8. https://18f.gsa.gov/2015/03/17/for-public-comment-the-https-only-standard/

  9. https://github.com/gsa/https/issues?utf8=✓&q=label%3A%22Public+Comment%22

  10. https://github.com/GSA/https/pull/108

  11. https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

  12. https://github.com/dhs-ncats/pshtt

  13. https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

  14. https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

  15. https://18f.gsa.gov/2017/01/06/open-source-collaboration-across-agencies-to-improve-https-deployment/

  16. https://18f.gsa.gov/2017/05/25/from-launch-to-landing-how-nasa-took-control-of-its-https-mission/

  17. https://pulse.cio.gov

  18. https://pulse.cio.gov/https/agencies/

  19. https://pulse.cio.gov/https/agencies/

  20. https://pulse.cio.gov/https/domains/#q=Department%20of%20Energy

  21. https://pulse.cio.gov/https/domains/#q=Department%20of%20Energy

  22. https://cyber.dhs.gov

  23. https://github.com/dhs-ncats/cyber.dhs.gov

  24. https://github.com/NationalSecurityAgency

  25. https://github.com/NationalSecurityAgency/SIMP

  26. https://github.com/simp

  27. https://github.com/nsacyber

  28. https://nsacyber.github.io/WALKOFF/

  29. https://nsacyber.github.io/WALKOFF/tutorials/build/index.html

  30. https://github.com/nsacyber/WALKOFF/blob/gh-pages/tutorials/build/index.html

  31. https://github.com/mitre/unfetter/pull/2/files

  32. OWASP ZAP § “OWASP ZAP is more helpful to me because it’s open source because I can easily report and explain false positives to the open source maintainers, including reviewing the code to help identify why false positives are happening. When I have fewer false positives in my scans, I don’t have to do as much paperwork for my P-ATO.” — Britta Gustafson, GSA / 18F
  33. https://github.com/zaproxy/zaproxy/issues?q=is%3Aissue+author%3Abrittag

  34. https://bitbucket.org/cse-assemblyline/assemblyline

  35. What are we doing?

  36. https://software.llnl.gov

  37. LLNL Open Source Presence https://software.llnl.gov/explore

  38. LLNL Open Source Engagement https://software.llnl.gov/explore

  39. LLNL Open Source Activities https://software.llnl.gov/explore

  40. (slide with no extracted text)

  41. Science & Technology Review “Our large collection of software is a precious Laboratory asset, one that benefits both Lawrence Livermore, and in many cases, the public at large.” - Bruce Hendrickson, Associate Director, Computation https://str.llnl.gov/2018-01/comjan18

  42. https://www.exascaleproject.org/more-on-the-software-that-underpins-the-exascale-computing-project/
  43. Federal Source Code Policy https://sourcecode.cio.gov § “Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software” — “Agencies shall make custom-developed code available for Government-wide reuse and make their code inventories discoverable at https://www.code.gov (“Code.gov”) […]” — “[…] establishes a pilot program that requires agencies, when commissioning new custom software, to release at least 20 percent of new custom-developed code as Open Source Software (OSS) […]”
  44. https://code.gov

  45. https://code.gov/#/explore-code/agencies/DOE

  46. Federal Source Code Policy Compliance (1 of 3 out of 25) https://code.gov/#/policy-guide/docs/compliance/dashboard

  47. https://osti.gov/doecode

  48. https://github.com/doecode

  49. https://government.github.com

  50. US Government Organizations on GitHub https://government.github.com/community

  51. https://blog.github.com/2018-06-04-github-microsoft/

  52. Thank You! [email protected] @IanLee1521 // @LLNL_OpenSource https://speakerdeck.com/IanLee1521

  53. This document was prepared as an account of work sponsored by an agency of the United States government. Neither the United States government nor Lawrence Livermore National Security, LLC, nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States government or Lawrence Livermore National Security, LLC. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States government or Lawrence Livermore National Security, LLC, and shall not be used for advertising or product endorsement purposes.