
(opensource == secure)? Yes, if you audit it!

Paolo Perego

June 03, 2022

Transcript

  1. (open source == secure)?
    Yes, if you audit it!
    Tales in a life of a product security engineer
    Paolo Perego – [email protected]
    openSUSE Conference
    [email protected]
    oSC22 @openSUSE

  2. $ whoami
    Application security guy | OSCE | OSCP | 🏒 | 👨‍👩‍👧‍👦 | Chaotic good drow ranger.
    Blogger @codiceinsicuro.
    Product security @ SUSE 🦎
    I break other people's code for a living (and also help to find some fixes too).
    Find me as @thesp0nge pretty much everywhere.

  3. Is open source code secure?

  4. If you answered ‘yes’ quickly...

  5. Which are the blockers?
    ● Lack of time to audit code for bugs
    ● Lack of security people interested in actually reading and writing code
    ● Storytelling about offensive security is more attractive

  6. My daily routine

  7. Doing audits
    ● Evaluate the security posture of a package's source code
    – Static analysis
    – Dynamic analysis (try known attack patterns, fuzzing)
    ● Find bugs or spot improvements
    ● Try to write an exploit, or even help the maintainer by suggesting patches
    ● Improve the internal wiki with audit results
    ● Do responsible disclosure

  8. Doing audits
    ● CLI / daemons
    – Memory issues
    – Race conditions
    – Unsafe configuration (config files, env variables)
    – Overflow situations
    – Denial of service
    ● Web applications
    – OWASP Top 10
    – Logical flaws

  9. Maintaining packages
    ● Tasks as a maintainer are:
    – Taking care of new releases
    – Applying or backporting patches when the Reactive team asks
    – Creating new packages and pushing for release

  10. Make upstream a safer place
    ● 4 CVEs found (Spacewalk and Cobbler) and counting:
    • CVE-2021-40348
    • CVE-2021-45083
    • CVE-2021-45082
    • CVE-2021-45081
    ● Hardening suggestions for Factory services

  11. Do responsible disclosure
    ● Cobbler report:
    https://seclists.org/oss-sec/2022/q1/146
    ● Spacewalk report:
    https://www.openwall.com/lists/oss-security/2021/10/28/4

  12. So, is open source secure?
    1) The code is there
    Security researchers must understand and write code if they want to review it.
    2) Be responsible
    Help maintainers fix their code and, once they have done it, spread the word about your findings.
    Don't run for Twitter drama.
    3) Invest your time
    Auditing source code is a time-consuming activity. However, it's a valuable investment for your career development.
    4) So the answer is…
    Open source code is secure if someone reviews it and helps maintainers.
    Start today!

  13. Thanks
    For any questions, please feel free to open an issue here:
    https://github.com/thesp0nge/oSC22/issues
