Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security in open source projects

August 12, 2019

Security in open source projects

Security in open source projects


August 12, 2019

More Decks by jmortegac

Other Decks in Technology


  1. AGENDA • Security in open source projects • Vulnerabilities in

    dependencies • Detecting vulnerabilities in code base • Improving security in open source
  2. AGENDA Functionality vs security • Security is always a secondary

    concern • Primary goal of software is to provide some functionality or services • Managing associated risks to software we are developing is a derived/ secondary concern
  3. AGENDA Functionality vs security Functionality is about what software should

    do, security is (also) about what it should not do
  4. Coding Flaws • flaws that can be understood looking at

    the program itself. ◦ confusing two program variables and errors in the program logic • problems in the interaction with the underlying platform or other systems and services ◦ buffer overflows in C(++) code ◦ integer overflows in most programming languages ◦ SQL injection, XSS, CSRF in web-applications
  5. Buffer overflow // A C program to demonstrate buffer overflow

    #include <stdio.h> #include <string.h> #include <stdlib.h> int main(int argc, char *argv[]) { // Reserve 5 byte of buffer plus the terminating NULL. // should allocate 8 bytes = 2 double words, // To overflow, need more than 8 bytes... char buffer[5]; // copy the user input to mybuffer, without any // bound checking a secure version is srtcpy_s() strcpy(buffer, argv[1]); printf("buffer content= %s\n", buffer); return 0; }
  6. Know your dependencies • What open source components you are

    using? • What versions you are currently running, and where? • How these components can be updated, where do you get the update, what do you need to do to install them?
  7. Third-party libraries Reusable Components = Reusable Vulnerabilities • Attackers are

    increasingly targeting popular libraries and 3rd party components • Up to 90% of the attack surface of an application may be due to 3rd party code
  8. Bandit SELECT %s FROM derp;” % var “SELECT thing FROM

    ” + tab “SELECT ” + val + ” FROM ” + tab + … “SELECT {} FROM derp;”.format(var)
  9. Open Source Security What can we do to improve the

    security of Open Source Software? • We can do all the same things as we do when building commercial software • The big difference is that we have to do it collaboratively.
  10. Open Source Security OSS is not more or less secure,

    but it is different • Typically there are many more people contributing • Sometimes there is a culture of “code is more important than specification” • There may be less market pressure to put security first
  11. Secrets searching on github ◦ Credentials(Cryptographic keys, BBDD credentials, API

    tokens (AWS), SSH keys) ◦ Infrastructure(Services configuration (DHCP, SMTP, etc),IPs and internal URLs) ◦ Code(Commits, History, Comments, Dependencies, Vulnerabilities)
  12. Secrets searching on github • Private keys (id_rsa, id_dsa, *.pfx)

    • History files (.bash_history and similar) - these often have passwords which were mistyped • Log files (/var/log/*) - again, they often have details you might forget to look for in .htaccess, .htpasswd - Apache directory specific configuration files • web.config - IIS directory specific config file • wp-config.php - Wordpress config
  13. CONCLUSIONS • Open source maintainers ◦ Practice secure code review

    ◦ Regularly audit your code base for vulnerabilities ◦ Define a process for communication of responsible disclosures
  14. CONCLUSIONS • Open source developers ◦ Follow responsible disclosure policies

    if you are reporting a security vulnerability ◦ Subscribe to the security communication channels of your open source dependencies
  15. CONCLUSIONS • Security is a very important aspect of software

    development. • Measures can be taken to integrate it in the Software Development Life Cycle. • It is possible to effectively integrate security into agile development as well