Upgrade to Pro — share decks privately, control downloads, hide ads and more …

(opensource == secure)? Yes, if you audit it!

Paolo Perego
June 03, 2022
Technology
0
210

(opensource == secure)? Yes, if you audit it!

Paolo Perego

June 03, 2022
Tweet

More Decks by Paolo Perego

See All by Paolo Perego
Vulnerability assessment and secure coding in Web Applications
thesp0nge
0
480
Cosa c'è che non va? - Viaggio verso il Nirvana del SSDLC
thesp0nge
0
55
Put yourself in the appsec pipeline
thesp0nge
0
140
Your web application seen from the hell's kitchen
thesp0nge
1
160
La sicurezza ai tempi dell'ASAP
thesp0nge
0
89
Io faccio application security e tu?
thesp0nge
1
45
Solid as Diamond: use ruby on a web application penetration test (for www.fdtict.it)
thesp0nge
4
510
Solid as Diamond: using ruby in a web application penetration test
thesp0nge
1
880
Ruby for penetration tester
thesp0nge
6
2.2k

Other Decks in Technology

See All in Technology
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
920
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
130
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
5
570
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
120
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
300
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.1k
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
380
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
290
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
490
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k

Featured

See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Designing Experiences People Love
moore
138
23k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Adopting Sorbet at Scale
ufuk
73
9.1k
The Language of Interfaces
destraynor
154
24k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
A Tale of Four Properties
chriscoyier
156
23k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M

Transcript

  1. (open source == secure)? Yes, if you audit it! Tales

    in a life of a product security engineer Paolo Perego – [email protected] openSUSE Conference [email protected] oSC22 @openSUSE

  2. $ whoami Application security guy | OSCE | OSCP |

    | | Chaotic good drow ranger. 🏒 👨‍👩‍👧‍👦 Blogger @codiceinsicuro. Product security @ SUSE🦎 I break other people code for living ( also help to find some fixes too ). Found me as @thesp0nge pretty everywhere

  3. Is open source code secure?

  4. If you answered ‘yes’ quickly...

  5. Which are the blockers? • Lack of time auditing code

    for bugs • Lack of security people interesting in actually reading and writing code • Storytelling about offensive security is more attractive

  6. My daily routine

  7. Doing audits • Evaluate package source code security posture –

    Static analysis – Dynamic analysis (try known attack patterns, fuzzing) • Find bugs or spot improvements • Trying to write exploit or even help maintainer suggesting patches • Improve internal wiki with audit results • Do responsible disclosure

  8. Doing audits • CLI / daemons – Memory issues –

    Race conditions – Unsafe configuration (config files, env variables) – Overflow situations – Denial of service • Web applications – Owasp Top 10 – Logical flaws

  9. Maintaining packages • Task as a maintainer are: – Taking

    care of new releases – Applying or backport patches Reactive team ask – Create new packages and push for release

  10. Make upstream a safer place • 4 CVEs found (spacewalk

    and cobbler) and counting: • CVE-2021-40348 • CVE-2021-45083 • CVE-2021-45082 • CVE-2021-45081 • Hardening suggestions for Factory services

  11. Do responsible disclosure • Cobbler report: https://seclists.org/oss-sec/2022/q1/146 • Spacewalk report:

    https://www.openwall.com/lists/oss- security/2021/10/28/4

  12. So, is open source secure? 1) The code is there

    Security researchers must understand and write code if they want to review it 2) Be responsible Help maintainers to fix their code and when they did it, then spread the word about your finding. Don’t run for twitter drama 3) Invest your time Auditing a source code is a time consuming activity. However, it’s a valuable investment for your career development. 4) So the answer is… The open source code is secure, if someone review it and help maintainers. Start today!

  13. Thanks For any question, please feel free to open an

    issue here: https://github.com/thesp0nge/oSC22/issues