bov19953 industry efforts to make open source more secure · 2015-11-20 · bov19953 industry...
TRANSCRIPT
BOV19953
Industry Efforts To Make Open Source More Secure
Alan ClarkSUSE Director, Industry Initiatives
OpenStack Board Chair
2
3
Numerous New Open Source Projects / Foundations
Over 1.1 million projects from over 8,500 sites *– 350 billion lines of code
– 2,400 unique software licenses
SUSE Linux Enterprise Server – More than 3188 software packages **
– Covering nearly all kinds of applications, tools and services)
* Source: Blackduck knowledge base** www.suse.com
4
A Viable Open Source Project?
The core basics: OSI-approved open source license, open governance, non-royalty bearing?
Is the project strategic to some segment of the industry?
Is it beneficial to the industry?
Is it a collaborative open source project or a front for a single company?
Is the project likely to achieve a state of self-funding?
Is the Liability manageable or significantly limited?
Is the project atmosphere inviting with minimal politics?
5
And Project Practices..
● Basic Documentation● Public version-controlled source repository that tracks
all changes● Process to submit bug reports with developer response● Website succinctly describes what the software does
and provides information on ● how to get the software
● how to send feedback (as bug reports or feature requests)
● how to contribute
6
Practices (2)
Human readable change log with unique version numbering for each release
Working build system that can automatically rebuild the software
General policy that when major new functionality is added, tests of that functionality SHOULD be added and run through an automated test suite
Project MUST enable some compiler warnings and/or use a separate "linter" tool to look for code quality errors or common simple mistakes
7
Open Source Software Security;A Complex Challenge
Software may implement security features– Authentication methods
– Encryption
– Intrusion prevention and detection
– Backup
May contain errors (both deliberate and accidental) affecting system security
– Design flaws
– Programming errors
– Backdoors
8
Open Source Viable Security Practices
Cryptographic protocols and algorithms used by default MUST be publicly published and reviewed by experts.
Cryptographic system/library MUST NOT implement its own cryptographic functions, but MUST instead call on software specifically designed for the purpose.
Process for reporting vulnerabilities
Patches up-to-date
Security analysis
Static source code analysis
9
What About Smaller Projects The World Really Depends Upon?
For example:● OpenSSL● NTPd● OpenSSH● GnuPG● Bash
Everyone uses them, but...
Many don't have the attributes of a robust project
Estimate over %50 of projects have less than 10 committers *
* Open Source By The Numbers, BlackDuck
10
openSSL
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
Over 7,000,000 websites use openSSL
>400,000 lines of complex code
“limited manpower, budget for general maintenance and improvement of OpenSSL” *
- https://www.openhub.net/p/openssl
* http://www.opensslfoundation.com/contributions.html
11
NTP
“NTP has worked so well for so long that few people think there's any problem.
Not all is well within the NTP open source project. The number of volunteer contributors ... has shrunk over its long lifespan, even as its importance has increased.
Its ongoing development and maintenance now rest mostly on the shoulders of Stenn, and that's why NTP faces a turning point. Stenn, who also works sporadically on his own consulting business, has given himself a deadline: Garner more financial support by April, "or look for regular work.”
- InformationWeek 3/11/2015
12
Problems Erupt
13
Open Source Community Responding
Core Infrastructure Initiative (CII)
Created by the Linux Foundation, providing
– Collective funding and support for open source developers
– Shore up the well known issues (such as shellshock)
– Proactive effort to identify projects at risk
– Badge Program
– Census Project
– Education
– Tooling
Resulting with:– More team members
– Refactored code
– Auditing
– Funded priorities
– Better usability
– Predictable releases
– Secure physical servers
14
Plus The Advantage Of Open Source
True strength of Open Source Software– Openness
– transparency
– traceability
– Open Source Software programmers take pride in their work.
– Open Source Software vendors cooperate
– Verifiable – No secrets
– Reproducible
– You decide – bug or feature
15
Rely On SUSE Linux For The EnterpriseSoftware Upgrades and Updates: Get the
latest version, regular updates and security fixes
Technical Support: Choose the #1 rated Linux support provider
Generous Lifecycle: Ten years of support, and extend services
– SUSE guarantees the support for packages that we deliver - even if the project does not anymore.
Reliability: SUSE products run seamlessly with your hardware and applications
Training: Implement and maintain SUSE with proven knowledge from the experts
SUSE is committed
– Delivering best effort security to its customers and to the Open Source community
– Promptly reacts to security incidents and deliver premium quality security updates
– Continuously improves the security-related functionality in SUSE products
– Continuously contributes to the rapidly growing maturity of Open Source Software
– Respects the Open Source Software security principles of openness, transparency and traceability
A persistent focus is what gives Open Source Software, Linux and SUSE such an excellent reputation.
16
Corporate HeadquartersMaxfeldstrasse 590409 NurembergGermany
+49 911 740 53 0 (Worldwide)www.suse.com
Join us on:www.opensuse.org
17
Unpublished Work of SUSE LLC. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.