BOV19953

Industry Efforts To Make Open Source More Secure

Alan ClarkSUSE Director, Industry Initiatives

OpenStack Board Chair

Alan.Clark@suse.com

2

3

Numerous New Open Source Projects / Foundations

Over 1.1 million projects from over 8,500 sites *– 350 billion lines of code

– 2,400 unique software licenses

SUSE Linux Enterprise Server – More than 3188 software packages **

– Covering nearly all kinds of applications, tools and services)

* Source: Blackduck knowledge base** www.suse.com

4

A Viable Open Source Project?

The core basics: OSI-approved open source license, open governance, non-royalty bearing?

Is the project strategic to some segment of the industry?

Is it beneficial to the industry?

Is it a collaborative open source project or a front for a single company?

Is the project likely to achieve a state of self-funding?

Is the Liability manageable or significantly limited?

Is the project atmosphere inviting with minimal politics?

5

And Project Practices..

● Basic Documentation● Public version-controlled source repository that tracks

all changes● Process to submit bug reports with developer response● Website succinctly describes what the software does

and provides information on ● how to get the software

● how to send feedback (as bug reports or feature requests)

● how to contribute

6

Practices (2)

Human readable change log with unique version numbering for each release

Working build system that can automatically rebuild the software

General policy that when major new functionality is added, tests of that functionality SHOULD be added and run through an automated test suite

Project MUST enable some compiler warnings and/or use a separate "linter" tool to look for code quality errors or common simple mistakes

7

Open Source Software Security;A Complex Challenge

Software may implement security features– Authentication methods

– Encryption

– Intrusion prevention and detection

– Backup

May contain errors (both deliberate and accidental) affecting system security

– Design flaws

– Programming errors

– Backdoors

8

Open Source Viable Security Practices

Cryptographic protocols and algorithms used by default MUST be publicly published and reviewed by experts.

Cryptographic system/library MUST NOT implement its own cryptographic functions, but MUST instead call on software specifically designed for the purpose.

Process for reporting vulnerabilities

Patches up-to-date

Security analysis

Static source code analysis

9

What About Smaller Projects The World Really Depends Upon?

For example:● OpenSSL● NTPd● OpenSSH● GnuPG● Bash

Everyone uses them, but...

Many don't have the attributes of a robust project

Estimate over %50 of projects have less than 10 committers *

* Open Source By The Numbers, BlackDuck

10

openSSL

Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Over 7,000,000 websites use openSSL

>400,000 lines of complex code

“limited manpower, budget for general maintenance and improvement of OpenSSL” *

- https://www.openhub.net/p/openssl

* http://www.opensslfoundation.com/contributions.html

11

NTP

“NTP has worked so well for so long that few people think there's any problem.

Not all is well within the NTP open source project. The number of volunteer contributors ... has shrunk over its long lifespan, even as its importance has increased.

Its ongoing development and maintenance now rest mostly on the shoulders of Stenn, and that's why NTP faces a turning point. Stenn, who also works sporadically on his own consulting business, has given himself a deadline: Garner more financial support by April, "or look for regular work.”

- InformationWeek 3/11/2015

12

Problems Erupt

13

Open Source Community Responding

Core Infrastructure Initiative (CII)

Created by the Linux Foundation, providing

– Collective funding and support for open source developers

– Shore up the well known issues (such as shellshock)

– Proactive effort to identify projects at risk

– Badge Program

– Census Project

– Education

– Tooling

Resulting with:– More team members

– Refactored code

– Auditing

– Funded priorities

– Better usability

– Predictable releases

– Secure physical servers

14

Plus The Advantage Of Open Source

True strength of Open Source Software– Openness

– transparency

– traceability

– Open Source Software programmers take pride in their work.

– Open Source Software vendors cooperate

– Verifiable – No secrets

– Reproducible

– You decide – bug or feature

15

Rely On SUSE Linux For The EnterpriseSoftware Upgrades and Updates: Get the

latest version, regular updates and security fixes

Technical Support: Choose the #1 rated Linux support provider

Generous Lifecycle: Ten years of support, and extend services

– SUSE guarantees the support for packages that we deliver - even if the project does not anymore.

Reliability: SUSE products run seamlessly with your hardware and applications

Training: Implement and maintain SUSE with proven knowledge from the experts

SUSE is committed

– Delivering best effort security to its customers and to the Open Source community

– Promptly reacts to security incidents and deliver premium quality security updates

– Continuously improves the security-related functionality in SUSE products

– Continuously contributes to the rapidly growing maturity of Open Source Software

– Respects the Open Source Software security principles of openness, transparency and traceability

A persistent focus is what gives Open Source Software, Linux and SUSE such an excellent reputation.

16

Corporate HeadquartersMaxfeldstrasse 590409 NurembergGermany

+49 911 740 53 0 (Worldwide)www.suse.com

Join us on:www.opensuse.org

17

Unpublished Work of SUSE LLC. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.