Upgrade to Pro — share decks privately, control downloads, hide ads and more …

(opensource == secure)? Yes, if you audit it!

Avatar for Paolo Perego Paolo Perego
June 03, 2022
Technology
270
0

(opensource == secure)? Yes, if you audit it!

Avatar for Paolo Perego

Paolo Perego

June 03, 2022

More Decks by Paolo Perego

See All by Paolo Perego
What does "make open source ecosystem secure one audit at time" mean? (version 2.0)
Avatar for Paolo Perego thesp0nge
0
55
Vulnerability assessment and secure coding in Web Applications
Avatar for Paolo Perego thesp0nge
0
590
Cosa c'è che non va? - Viaggio verso il Nirvana del SSDLC
Avatar for Paolo Perego thesp0nge
0
120
Put yourself in the appsec pipeline
Avatar for Paolo Perego thesp0nge
0
220
Your web application seen from the hell's kitchen
Avatar for Paolo Perego thesp0nge
1
230
La sicurezza ai tempi dell'ASAP
Avatar for Paolo Perego thesp0nge
0
160
Io faccio application security e tu?
Avatar for Paolo Perego thesp0nge
1
140
Solid as Diamond: use ruby on a web application penetration test (for www.fdtict.it)
Avatar for Paolo Perego thesp0nge
4
660
Solid as Diamond: using ruby in a web application penetration test
Avatar for Paolo Perego thesp0nge
1
970

Other Decks in Technology

See All in Technology
Amazon Bedrock AgentCore ワークショップ JAWS UG TOHOKU / amazon-bedrock-agentcore-workshop-jawsug-tohoku-2026
Avatar for geeawa gawa
9
750
チームで進めるAI駆動アジャイル×ウォーターフォール
Avatar for 熊井悠 kumaiu
0
150
作って終わりにしない タイミーのセマンティックレイヤー育成の現在地
Avatar for chanyou0311 chanyou0311
4
2.2k
Snowflakeと仲良くなる第一歩
Avatar for あべ coco_se
4
430
MCP Appsを作ってみよう
Avatar for iwamot iwamot
PRO
4
560
Building applications in the Gemini API family.
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
3.1k
Djangoユーザが知っ得なPostgreSQL機能 - 設計の選択肢を増やす / Djang-use-PostgreSQL
Avatar for soudai sone soudai
PRO
1
230
Dario Amodi『Policy on the AI Exponential』を理解する
Avatar for 長津孝輔 nagatsu
0
230
2026TECHFRESH畢業分享會 - Lightning Talk - E起 See See : 電商推薦讀心術? 數據說了算
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
870
2026.06.13_AI時代に事業会社が「SIer出身エンジニア」を求める理由 / Why Businesses Seek Engineers with a System Integrator Background in the AI ​​Era
Avatar for jumpei_ikegami jumtech
0
1.1k
DevOps Agentで始めるAWS運用 〜フロンティアエージェントが変える運用の現場〜
Avatar for nyankotaro nyankotaro
1
390
連合学習と機密コンピューティング
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
110

Featured

See All Featured
The B2B funnel & how to create a winning content strategy
Avatar for Katarina Dahlin katarinadahlin
PRO
1
380
The agentic SEO stack - context over prompts
Avatar for schlessera schlessera
0
810
Designing Powerful Visuals for Engaging Learning
Avatar for Mike Taylor tmiket
1
410
Neural Spatial Audio Processing for Sound Field Analysis and Control
Avatar for NII S. Koyama's Lab skoyamalab
0
330
Writing Fast Ruby
Avatar for Erik Berlin sferik
630
63k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8.2k
Building a A Zero-Code AI SEO Workflow
Avatar for Ian Lurie portentint
PRO
0
570
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
12
1.2k
Lightning Talk: Beautiful Slides for Beginners
Avatar for Ines Montani inesmontani
PRO
2
570
HDC tutorial
Avatar for Michiel Stock michielstock
2
700
Ruling the World: When Life Gets Gamed
Avatar for Sebastian Deterding codingconduct
0
250
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.7k

Transcript

  1. (open source == secure)? Yes, if you audit it! Tales

    in a life of a product security engineer Paolo Perego – [email protected] openSUSE Conference [email protected] oSC22 @openSUSE

  2. $ whoami Application security guy | OSCE | OSCP |

    | | Chaotic good drow ranger. 🏒 👨‍👩‍👧‍👦 Blogger @codiceinsicuro. Product security @ SUSE🦎 I break other people code for living ( also help to find some fixes too ). Found me as @thesp0nge pretty everywhere

  3. Is open source code secure?

  4. If you answered ‘yes’ quickly...

  5. Which are the blockers? • Lack of time auditing code

    for bugs • Lack of security people interesting in actually reading and writing code • Storytelling about offensive security is more attractive

  6. My daily routine

  7. Doing audits • Evaluate package source code security posture –

    Static analysis – Dynamic analysis (try known attack patterns, fuzzing) • Find bugs or spot improvements • Trying to write exploit or even help maintainer suggesting patches • Improve internal wiki with audit results • Do responsible disclosure

  8. Doing audits • CLI / daemons – Memory issues –

    Race conditions – Unsafe configuration (config files, env variables) – Overflow situations – Denial of service • Web applications – Owasp Top 10 – Logical flaws

  9. Maintaining packages • Task as a maintainer are: – Taking

    care of new releases – Applying or backport patches Reactive team ask – Create new packages and push for release

  10. Make upstream a safer place • 4 CVEs found (spacewalk

    and cobbler) and counting: • CVE-2021-40348 • CVE-2021-45083 • CVE-2021-45082 • CVE-2021-45081 • Hardening suggestions for Factory services

  11. Do responsible disclosure • Cobbler report: https://seclists.org/oss-sec/2022/q1/146 • Spacewalk report:

    https://www.openwall.com/lists/oss- security/2021/10/28/4

  12. So, is open source secure? 1) The code is there

    Security researchers must understand and write code if they want to review it 2) Be responsible Help maintainers to fix their code and when they did it, then spread the word about your finding. Don’t run for twitter drama 3) Invest your time Auditing a source code is a time consuming activity. However, it’s a valuable investment for your career development. 4) So the answer is… The open source code is secure, if someone review it and help maintainers. Start today!

  13. Thanks For any question, please feel free to open an

    issue here: https://github.com/thesp0nge/oSC22/issues