(open source == secure)? Yes, if you audit it! Tales in a life of a product security engineer Paolo Perego – [email protected] openSUSE Conference [email protected] oSC22 @openSUSE 

$ whoami Application security guy | OSCE | OSCP | | | Chaotic good drow ranger. 🏒 👨‍👩‍👧‍👦 Blogger @codiceinsicuro. Product security @ SUSE🦎 I break other people code for living ( also help to find some fixes too ). Found me as @thesp0nge pretty everywhere 

Is open source code secure? 

If you answered ‘yes’ quickly... 

Which are the blockers? ● Lack of time auditing code for bugs ● Lack of security people interesting in actually reading and writing code ● Storytelling about offensive security is more attractive 

My daily routine 

Doing audits ● Evaluate package source code security posture – Static analysis – Dynamic analysis (try known attack patterns, fuzzing) ● Find bugs or spot improvements ● Trying to write exploit or even help maintainer suggesting patches ● Improve internal wiki with audit results ● Do responsible disclosure 

Doing audits ● CLI / daemons – Memory issues – Race conditions – Unsafe configuration (config files, env variables) – Overflow situations – Denial of service ● Web applications – Owasp Top 10 – Logical flaws 

Maintaining packages ● Task as a maintainer are: – Taking care of new releases – Applying or backport patches Reactive team ask – Create new packages and push for release 

Make upstream a safer place ● 4 CVEs found (spacewalk and cobbler) and counting: • CVE-2021-40348 • CVE-2021-45083 • CVE-2021-45082 • CVE-2021-45081 • Hardening suggestions for Factory services 

Do responsible disclosure ● Cobbler report: https://seclists.org/oss-sec/2022/q1/146 ● Spacewalk report: https://www.openwall.com/lists/oss- security/2021/10/28/4 

So, is open source secure? 1) The code is there Security researchers must understand and write code if they want to review it 2) Be responsible Help maintainers to fix their code and when they did it, then spread the word about your finding. Don’t run for twitter drama 3) Invest your time Auditing a source code is a time consuming activity. However, it’s a valuable investment for your career development. 4) So the answer is… The open source code is secure, if someone review it and help maintainers. Start today! 

Thanks For any question, please feel free to open an issue here: https://github.com/thesp0nge/oSC22/issues