AGENDA ● Security in open source projects ● Vulnerabilities in dependencies ● Detecting vulnerabilities in code base ● Improving security in open source
AGENDA Functionality vs security ● Security is always a secondary concern ● Primary goal of software is to provide some functionality or services ● Managing associated risks to software we are developing is a derived/ secondary concern
Coding Flaws ● flaws that can be understood looking at the program itself. ○ confusing two program variables and errors in the program logic ● problems in the interaction with the underlying platform or other systems and services ○ buffer overflows in C(++) code ○ integer overflows in most programming languages ○ SQL injection, XSS, CSRF in web-applications
Buffer overflow // A C program to demonstrate buffer overflow #include #include #include int main(int argc, char *argv[]) { // Reserve 5 byte of buffer plus the terminating NULL. // should allocate 8 bytes = 2 double words, // To overflow, need more than 8 bytes... char buffer[5]; // copy the user input to mybuffer, without any // bound checking a secure version is srtcpy_s() strcpy(buffer, argv[1]); printf("buffer content= %s\n", buffer); return 0; }
Know your dependencies ● What open source components you are using? ● What versions you are currently running, and where? ● How these components can be updated, where do you get the update, what do you need to do to install them?
Third-party libraries Reusable Components = Reusable Vulnerabilities ● Attackers are increasingly targeting popular libraries and 3rd party components ● Up to 90% of the attack surface of an application may be due to 3rd party code
Open Source Security What can we do to improve the security of Open Source Software? ● We can do all the same things as we do when building commercial software ● The big difference is that we have to do it collaboratively.
Open Source Security OSS is not more or less secure, but it is different • Typically there are many more people contributing • Sometimes there is a culture of “code is more important than specification” • There may be less market pressure to put security first
Secrets searching on github ● Private keys (id_rsa, id_dsa, *.pfx) ● History files (.bash_history and similar) - these often have passwords which were mistyped ● Log files (/var/log/*) - again, they often have details you might forget to look for in .htaccess, .htpasswd - Apache directory specific configuration files ● web.config - IIS directory specific config file ● wp-config.php - Wordpress config
CONCLUSIONS ● Open source maintainers ○ Practice secure code review ○ Regularly audit your code base for vulnerabilities ○ Define a process for communication of responsible disclosures
CONCLUSIONS ● Open source developers ○ Follow responsible disclosure policies if you are reporting a security vulnerability ○ Subscribe to the security communication channels of your open source dependencies
CONCLUSIONS ● Security is a very important aspect of software development. ● Measures can be taken to integrate it in the Software Development Life Cycle. ● It is possible to effectively integrate security into agile development as well
jmortega
guchey
yayoi_dd
miu_crescent
egmc
soracom
kentosuzuki
oracle4engineer
opelab
kmwebnet
hankehly
mashiike
hiashisan
3n
colly
jensimmons
speakerdeck
bkeepers
danielanewman
jennybc
schacon
garrettdimon
chriscoyier
frogandcode
mojombo