
OSS enthusiast's days at a Japanese security vendor

COSCUP 2022 OSPN Track session: https://coscup.org/2022/en/session/BBYBCF

Naruhiko Ogasawara

July 30, 2022

Transcript

  1. An OSS enthusiast's
    days at a Japanese
    security vendor
    Naruhiko Ogasawara ([email protected])
    Twitter: @naru0ga
    Facebook: naruoga
    Telegram: @naruoga

  2. COSCUP 2022 2
    Agenda
    ● Who am I
    ● My company overview
    ● My activities as an open source enthusiast
    ● What I learned from OSS activity and tried to bring to the company
    ● Conclusion

  3. Who am I
    ● 小笠原 (Ogasawara) 徳彦 (Naruhiko)
    ● Japanese Open Source enthusiast
    ● LibreOffice, Ubuntu, Desktop printing, ...
    ● An employee of a Japanese security vendor
    ● Senior security engineer
    ● Internal tool developer (Scala)
    ● River kayaker

  4. My company overview
    ● A typical third-party security testing vendor
    ● Not an "OSS-centric" software company
    ● Uses a mix of proprietary software and OSS
    ● Develops some software in-house, but it is not published as OSS
    ● Uses international security standards developed by OWASP
    (Open Web Application Security Project) or CIS (Center for
    Internet Security)
    ● But we have an open mind
    ● That's why I belong to...

  5. My activities as an OSS enthusiast
    ● Translations
    ● User interfaces / Help / online documents
    ● Giving talks at several events, like this one
    ● Organizing OSS events
    ● Filing bug tickets in bug tracking systems
    ● Joining open international discussions via BTS / forums /
    mailing lists
    ● (a little) code hacking

  6. What I learned from OSS activity and
    tried to bring to the company
    ● Don't guess, just ask
    ● Send a pull-req to upstream instead of internal
    forking
    ● But we have the right to fork if upstream seems
    inactive

  7. Don't guess, just ask
    ● We Asians tend to try to guess why when we don't
    understand something about the behavior of
    software or the operation of a community.
    ● But especially in OSS, there is someone in front of
    you whom you can ask.
    ● It is better to ask than to guess.
    ● There's a language barrier, but machine translation
    should help you out!

  8. Ex.1 Don't guess, just ask
    ● "Hey, the new version of this software has different
    behavior than the prior one. I guess this should be a bug...
    Wait and see, it will be solved."
    ● "The developer has their own user forum. Why not ask them
    whether it is a bug or an expected change?"
    ● "OK, I will... Oh, they said it is expected. We must
    consider changing its use."
    ● Now there's a culture of asking in forums etc.
    without me having to say anything.

  9. Send a pull-req to upstream instead of internal
    forking
    ● When we find something wrong with the OSS we are using,
    or something that behaves differently from what we want,
    we tend to solve it on our own (internal forking).
    ● However, if there are other people who have the same
    problem, fixing it upstream will increase the number of
    happy people.
    ● Also, we will not have to maintain our own solutions.
    ● So it is better to send a pull-req upstream than to fork
    internally.

  10. Ex.2 Send a pull-req to upstream instead of
    internal forking
    ● "We found an error in the OWASP standard. We
    will not use it as it is, but will modify it."
    ● "Hmm, OWASP publishes their standard on GitHub.
    I think we should send a pull-req or file an issue."
    ● "Oh, yes... The request has been accepted, and the
    standard has been fixed. Thanks!"
    ● Sending pull-reqs is also now our usual culture!

  11. But we have the right to fork if upstream seems
    inactive
    ● In the previous lesson, I said that it is better to
    send a pull-req upstream than to fork.
    ● However, when the upstream project does not
    seem to be active, it is better to dare to fork, to
    increase activity and the number of
    collaborators.
    ● Forking is also an important freedom and
    power of OSS.

  12. Ex.3 But we have the right to fork if upstream
    seems inactive (jOpenDocument)
    ● Example 3-a: jOpenDocument
    ● jOpenDocument is a Java library to manipulate
    OpenDocument Format, LibreOffice's native format.
    ● It is powerful and useful, but unfortunately
    development has been stopped since 2014.
    ● See the slides "Why ODF is the best intermediate format
    for report generation systems" from COSCUP 2020:
    https://speakerdeck.com/naruoga/why-odf-is-the-best-intermediate-format-for-report-generation-systems

  13. Ex.3 But we have the right to fork if upstream
    seems inactive (jOpenDocument)
    ● Our business highly depends on the library.
    ● I pinged the original author via the mailing list, but there was no
    answer.
    ● So I decided to fork it as my personal project.
    ● See the slides "jOpenDocument: Restarting the ODF manipulation Java
    library after a seven-years hiatus" from COSCUP 2021:
    https://speakerdeck.com/naruoga/jopendocument-restarting-the-odf-manipulation-java-library-after-a-seven-years-hiatus
    ● Then my colleague sent some pull-reqs to support ODF 1.3,
    and several functional updates!!!
    ● And now we are considering making it our company's
    "official" OSS (meaning we publish it via our own organization)

  14. Ex.3 But we have the right to fork if upstream
    seems inactive (OWASP Mobile Top 10)
    ● Example 3-b: OWASP Mobile Top 10
    ● This is the top 10 threat list for mobile applications,
    maintained by OWASP
    ● Similar to the OWASP Top 10, the top 10 web threats
    ● But the last version is from 2016 (6 years ago...)
    ● There is a GitHub issue from 2020 about
    updating it,
    but no response...

  15. Ex.3 But we have the right to fork if upstream
    seems inactive (OWASP Mobile Top 10)
    ● JSSEC: Japan Smartphone Security Association
    ● A Japanese local association founded to create a secure
    environment on smartphones for both users and service providers.
    ● I asked the members:
    > Want something like the OWASP Mobile Top 10? Let's
    make one ourselves and say to OWASP, "Hey, we made
    something like this, can we help you out?"
    ● They were amused, I became the working group leader,
    and we decided to implement this as this year's activity!

  16. Conclusion
    ● Hosting and contributing to OSS in the
    enterprise is important.
    ● But it is also important to bring the OSS
    culture into the company, even if only partially.
    ● If you are an OSS enthusiast, try to bring OSS
    culture to your company or organization!
    ● It will surely make your life easier!!!