Slide 1

(open source == secure)? Yes, if you audit it!
Tales in a life of a product security engineer
Paolo Perego – [email protected]
openSUSE Conference [email protected] oSC22 @openSUSE

Slide 2

$ whoami
Application security guy | OSCE | OSCP
Chaotic good drow ranger. 💍 👨‍👩‍👧‍👦
Blogger @codiceinsicuro. Product security @ SUSE 🦎
I break other people's code for a living (and also help to find some fixes too).
Find me as @thesp0nge pretty much everywhere

Slide 3

Is open source code secure?

Slide 4

If you answered 'yes' quickly...

Slide 5

Which are the blockers?
● Lack of time for auditing code for bugs
● Lack of security people interested in actually reading and writing code
● Storytelling about offensive security is more attractive

Slide 6

My daily routine

Slide 7

Doing audits
● Evaluate the package source code security posture
  – Static analysis
  – Dynamic analysis (try known attack patterns, fuzzing)
● Find bugs or spot improvements
● Try to write an exploit, or even help the maintainer by suggesting patches
● Improve the internal wiki with audit results
● Do responsible disclosure

Slide 8

Doing audits
● CLI / daemons
  – Memory issues
  – Race conditions
  – Unsafe configuration (config files, env variables)
  – Overflow situations
  – Denial of service
● Web applications
  – OWASP Top 10
  – Logical flaws

Slide 9

Maintaining packages
● Tasks as a maintainer are:
  – Taking care of new releases
  – Applying or backporting patches (Reactive team asks)
  – Creating new packages and pushing for release

Slide 10

Make upstream a safer place
● 4 CVEs found (spacewalk and cobbler) and counting:
  • CVE-2021-40348
  • CVE-2021-45083
  • CVE-2021-45082
  • CVE-2021-45081
● Hardening suggestions for Factory services

Slide 11

Do responsible disclosure
● Cobbler report: https://seclists.org/oss-sec/2022/q1/146
● Spacewalk report: https://www.openwall.com/lists/oss-security/2021/10/28/4

Slide 12

So, is open source secure?
1) The code is there
   Security researchers must understand and write code if they want to review it.
2) Be responsible
   Help maintainers to fix their code and, when they have done it, then spread the word about your finding. Don't run for Twitter drama.
3) Invest your time
   Auditing source code is a time-consuming activity. However, it's a valuable investment for your career development.
4) So the answer is…
   The open source code is secure, if someone reviews it and helps maintainers. Start today!

Slide 13

Thanks
For any question, please feel free to open an issue here: https://github.com/thesp0nge/oSC22/issues