
OSS enthusiast's days at a Japanese security vendor

COSCUP 2022 OSPN Track session: https://coscup.org/2022/en/session/BBYBCF

Naruhiko Ogasawara

July 30, 2022

Transcript

  1. An OSS enthusiast's days at a Japanese security vendor
     Naruhiko Ogasawara ([email protected])
     Twitter: @naru0ga / Facebook: naruoga / Telegram: @naruoga
  2. Agenda (COSCUP 2022)
     • Who am I
     • My company overview
     • My activities as an open source enthusiast
     • What I learned from OSS activity that I tried to bring to the company
     • Conclusion
  3. Who am I
     • 小笠原 (Ogasawara) 徳彦 (Naruhiko)
     • Japanese open source enthusiast
     • LibreOffice, Ubuntu, desktop printing, ...
     • An employee of a Japanese security vendor
     • Senior security engineer
     • Internal tool developer (Scala)
     • River kayaker
  4. My company overview
     • A typical third-party security testing vendor
     • Not an "OSS-centric" software company
     • Uses both proprietary software and OSS
     • Develops some software, but does not publish it as OSS
     • Uses international security standards developed by OWASP (Open Web Application Security Project) and CIS (Center for Internet Security)
     • But we have an open mind
     • That's why I belong to it...
  5. My activities as an OSS enthusiast
     • Translations: user interfaces / help / online documents
     • Giving talks at several events, like this one
     • Organizing OSS events
     • Filing bug tickets in bug tracking systems
     • Joining open international discussions via BTS / forums / mailing lists
     • (a little) code hacking
  6. What I learned from OSS activity that I tried to bring to the company
     • Don't guess, just ask
     • Send pull requests upstream instead of forking internally
     • But we have the right to fork if upstream seems inactive
  7. Don't guess, just ask
     • We Asians tend to try to guess why when we don't understand something about the behavior of software or the operation of a community.
     • But especially in OSS, there is someone in front of you whom you can ask.
     • It is better to ask than to guess.
     • There's a language barrier, but machine translation should help you out!
  8. Ex.1 Don't guess, just ask
     • "Hey, the new version of this software behaves differently from the prior one. I guess this must be a bug... Let's wait and see whether it gets fixed."
     • "The developer has their own user forum. Why not ask whether it is a bug or an expected change?"
     • "OK, I will... Oh, they said it is expected. We must consider changing how we use it."
     • Now there's a culture of listening in forums etc. without me having to say anything.
  9. Send pull requests upstream instead of forking internally
     • When we find something wrong with the OSS we are using, or something that behaves differently from what we want, we tend to solve it by ourselves (internal forking).
     • However, if other people have the same problem, fixing it upstream increases the number of happy people.
     • Also, we will not have to maintain our own solutions.
     • So it is better to send a pull request upstream than to fork internally.
  10. Ex.2 Send pull requests upstream instead of forking internally
     • "We found an error in the OWASP standard. We will not use it as it is, but will modify it."
     • "Hmm, OWASP publishes their standards on GitHub. I think we should send a pull request or file an issue."
     • "Oh, yes... The request has been accepted and the standard has been fixed. Thanks!"
     • Sending pull requests is now our usual culture too!
  11. But we have the right to fork if upstream seems inactive
     • In the previous lesson, I said that it is better to send a pull request upstream than to fork.
     • However, when the upstream project does not seem to be active, it is better to dare to fork, to increase activity and the number of collaborators.
     • Forking is also an important freedom and power of OSS.
  12. Ex.3 But we have the right to fork if upstream seems inactive (jOpenDocument)
     • Example 3-a: jOpenDocument
     • jOpenDocument is a Java library for manipulating the OpenDocument Format, LibreOffice's native format.
     • It is powerful and useful, but unfortunately development has been stopped since 2014.
     • See the slides "Why ODF is the best intermediate format for report generation systems" from COSCUP 2020: https://speakerdeck.com/naruoga/why-odf-is-the-best-intermediate-format-for-report-generation-systems
  13. Ex.3 But we have the right to fork if upstream seems inactive (jOpenDocument)
     • Our business depends heavily on the library.
     • I pinged the original author via the mailing list, but there was no answer.
     • So I decided to fork it as my personal project.
     • See the slides "jOpenDocument: Restarting the ODF manipulation Java library after a seven-year hiatus" from COSCUP 2021: https://speakerdeck.com/naruoga/jopendocument-restarting-the-odf-manipulation-java-library-after-a-seven-years-hiatus
     • Then my colleague sent some pull requests to support ODF 1.3, and several functional updates!!!
     • And now we are considering making it our company's "official" OSS (meaning publishing it via our own organization).
  14. Ex.3 But we have the right to fork if upstream seems inactive (OWASP Mobile Top 10)
     • Example 3-b: OWASP Mobile Top 10
     • This is the top 10 threat list for mobile applications, maintained by OWASP
     • Similar to the OWASP Top 10, the top 10 threats for the web
     • But the last version is from 2016 (6 years ago...)
     • There is a GitHub issue from 2020 about updating it, but no response...
  15. Ex.3 But we have the right to fork if upstream seems inactive (OWASP Mobile Top 10)
     • JSSEC: Japan Smartphone Security Association
     • A Japanese local association founded to create a secure smartphone environment for both users and service providers.
     • I asked the members:
       > Want something like the OWASP Mobile Top 10? Let's make one ourselves and say to OWASP, "Hey, we made something like this, can we help you out?"
     • They were amused, I became the working group leader, and we decided to implement this as this year's activity!
  16. Conclusion
     • Hosting and contributing to OSS in the enterprise is important.
     • But it is also important to bring OSS culture into the company, even if only partially.
     • If you are an OSS enthusiast, try to bring OSS culture to your company or organization!
     • It will surely make your life easier!!!