(opensource == secure)? Yes, if you audit it!

Paolo Perego

June 03, 2022
Transcript

  1. (open source == secure)? Yes, if you audit it!
     Tales in the life of a product security engineer
     Paolo Perego – [email protected]
     openSUSE Conference – [email protected] – oSC22 – @openSUSE
  2. $ whoami
     Application security guy | OSCE | OSCP | Chaotic good drow ranger. 🏒 👨‍👩‍👧‍👦
     Blogger @codiceinsicuro. Product security @ SUSE 🦎
     I break other people's code for a living (and help find some fixes too).
     Find me as @thesp0nge pretty much everywhere.
  3. Which are the blockers?
     • Lack of time for auditing code for bugs
     • Lack of security people interested in actually reading and writing code
     • Storytelling about offensive security is more attractive
  4. Doing audits
     • Evaluate the package source code's security posture
       – Static analysis
       – Dynamic analysis (try known attack patterns, fuzzing)
     • Find bugs or spot improvements
     • Try to write an exploit, or even help the maintainer by suggesting patches
     • Improve the internal wiki with audit results
     • Do responsible disclosure
  5. Doing audits
     • CLI / daemons
       – Memory issues
       – Race conditions
       – Unsafe configuration (config files, env variables)
       – Overflow situations
       – Denial of service
     • Web applications
       – OWASP Top 10
       – Logical flaws
  6. Maintaining packages
     • Tasks as a maintainer are:
       – Taking care of new releases
       – Applying or backporting patches at the Reactive team's request
       – Creating new packages and pushing for release
  7. Make upstream a safer place
     • 4 CVEs found (spacewalk and cobbler) and counting:
       – CVE-2021-40348
       – CVE-2021-45083
       – CVE-2021-45082
       – CVE-2021-45081
     • Hardening suggestions for Factory services
  8. So, is open source secure?
     1) The code is there. Security researchers must understand and write code if they want to review it.
     2) Be responsible. Help maintainers fix their code and, once they have, spread the word about your finding. Don't run for Twitter drama.
     3) Invest your time. Auditing source code is a time-consuming activity. However, it's a valuable investment for your career development.
     4) So the answer is… Open source code is secure, if someone reviews it and helps maintainers. Start today!
  9. Thanks
     For any question, please feel free to open an issue here: https://github.com/thesp0nge/oSC22/issues