Open Source Security
Your Presenter
Member, Apache Software Foundation
Contributor, Apache HTTP Server
Sales Engineer & Consultant
Open Source Integration Expert
Agenda
Open Source Software
Security Process
Security Implications
Development Model
Three Questions
How does open source respond when security problems occur?
How does the open source development process affect software quality?
Is open source software more susceptible to security problems?
Open Source Software
About Open Source
Closed Source: Microsoft, Adobe, Oracle, Symantec, Check Point, …
Open Source: Apache, Debian, FreeBSD, Mozilla, Python, FSF, …
Hybrid: Red Hat, Hippo, Apple, SugarCRM, …
Inclusion: Oracle, IBM, Apple, Autodesk, Cisco, NetApp, …
Open Source Is Not…
Freeware
Trialware
Shareware
Abandonware (hopefully)
Public Domain
Who Develops Open Source
Users
Consultants
Vendors
Hobbyists
Why Develop Open Source
Resume
User to contributor
Work
Where is Open Source Used
Server side
Operating Systems
Application Stack
Web Facing: In the line of fire
Open Source Security Myths
Given enough eyeballs, all bugs are shallow
Open Source is Communist!
Bad guys have the code, too!
Open Source is more secure than Closed Source
Attack Goals
Defacement/Planting Malware: 28%
Information Leakage/Stealing Sensitive Data: 26%
Disinformation: 19%
Monetary Loss: 11%
Downtime: 4%
Link Spam: 4%
Phishing: 2%
Other: 6%
Source: The Web Hacking Incidents Database, 2009 Report
Attack Vectors
SQL Injection: 19%
Unknown: 11%
Insufficient Authentication: 11%
Content Spoofing: 10%
Insufficient Anti-Automation (DoS/Brute Force): 10%
Configuration/Admin Error: 8%
Cross-site Scripting (XSS): 8%
Cross-site Request Forgery (CSRF): 5%
DNS Hijacking: 5%
Worm: 3%
Other: 10%
Source: The Web Hacking Incidents Database, 2009 Report
Exploits of a Mom
http://xkcd.com/327/
Case Study
Apache HTTP Server Security
The httpd Project
#1 Web Server
Non-profit Foundation
Contributors: Oracle, IBM, Novell, VMWare, Red Hat, Google; many individual contributors
http://httpd.apache.org
Many packagers and distributors
http://people.apache.org/~coar/mlists.html
Apache Security
Very few vulnerabilities reported
No critical vulnerabilities in 2.2.x
Upgrade to any new release [email protected]
Default installation locked down, but it doesn't do a whole lot
http://httpd.apache.org/security/vulnerabilities-oval.xml
http://www.apache.org/security/
Apache Security Process
Report security problems to [email protected]
Real vulnerabilities are assigned a CVE number
Vulnerabilities are classified and fixed
New httpd version released
http://httpd.apache.org/security_report.html
http://cve.mitre.org/
http://httpd.apache.org/security/
[email protected]
http://www.apache.org/security/committers.html
Security Implications of Open Source Software
Application
App Server
Operating System
Network
Security Implications
Developed by programmers
Provenance?
Warranty?
Support?
Developed by Programmers
Not security experts
Get it running
Database Privileges
Wordpress: GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";
Joomla 1.5: GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';
Drupal: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES
Gallery 2: mysql gallery2 -uroot -e"GRANT ALL ON gallery2.* TO username@localhost IDENTIFIED BY 'password'";
Bugzilla: GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';
Getting it Right: Bugzilla
Install script: creates database, executed as root
Application privileges: limited, only as needed
This is not always practical
GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';
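As an added example (not from the slides or from any of the projects named on them), a small Python audit that reads MySQL GRANT statements like the ones quoted on the two privilege slides and flags the patterns they call out: ALL PRIVILEGES, schema-changing privileges left on the runtime account, global scope and wildcard hosts. The sample input is constructed from the slides' grants plus one least-privilege grant; the DDL_PRIVS set and the finding texts are my own choices, not a published checklist.

```python
import re

# Privileges a web app's runtime account rarely needs once the schema exists;
# the Bugzilla slide puts schema creation in a root-run install script instead.
DDL_PRIVS = {"CREATE", "DROP", "ALTER", "INDEX", "REFERENCES", "GRANT OPTION"}
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)",
    re.IGNORECASE)

def _unquote(token):
    return token.strip().strip(";").strip("'\"`")

def audit_grant(stmt):
    """Audit one MySQL GRANT; returns {'account', 'scope', 'findings'} or None."""
    m = GRANT_RE.search(stmt)
    if not m:
        return None
    user, _, host = m.group("account").partition("@")
    user, host, scope = _unquote(user), _unquote(host), _unquote(m.group("scope"))
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    findings = []
    if privs & {"ALL", "ALL PRIVILEGES"}:
        findings.append("ALL PRIVILEGES granted; list only what the app needs")
    ddl = sorted(privs & DDL_PRIVS)
    if ddl:
        findings.append("DDL privileges on runtime account: " + ", ".join(ddl))
    if scope == "*.*":
        findings.append("global scope; restrict to the application's database")
    if host in ("%", ""):
        findings.append("account usable from any host; pin it to the app host")
    return {"account": f"{user}@{host}", "scope": scope, "findings": findings}

def audit_grants(sql):
    """Audit every GRANT statement in a SQL text (statements split on ';')."""
    return [r for r in (audit_grant(s) for s in sql.split(";")) if r]

# Constructed sample: the grants quoted on the slides plus one least-privilege
# runtime grant, which should come back with no findings.
SAMPLE = """
GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";
GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';
GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';
GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app_rw'@'10.0.0.5';
"""

if __name__ == "__main__":
    for result in audit_grants(SAMPLE):
        print(result["account"], result["scope"], result["findings"] or "OK")
```

The Bugzilla grant is reported for its DDL privileges even though it is narrower than ALL PRIVILEGES, which is exactly the "not always practical" trade-off the slide describes: the finding is a review item, not necessarily a defect.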
Provenance
Source Integrity
Intellectual Property
Apache: digital signatures, Committer License Agreement, patent grant
http://www.apache.org/licenses/icla.txt
http://www.apache.org/licenses/cla-corporate.txt
Warranty
Open Source: no warranty
Closed Source: no warranty
Support
Often community based: you can be part of it
Visible to the world: don't post confidential information!
Support contracts available from third-party companies
Development Model
Open Development At Apache
Open Development
Mailing lists
Source code changes
Releases
Bus Factor
Mailing Lists
All communication by e-mail
Several lists: announce@<project>.apache.org, users@<project>.apache.org, dev@<project>.apache.org, cvs@<project>.apache.org
Code Changes: Transparency
Source history available
Every modification posted
Instant code review
Etiquette
Bus Factor
Development Community
Project Survival
Closed Source equivalent: vendor out of business, product end-of-life
Tips for Open Source Users
Get on the announce mailing list
Investigate community
Get involved
Conclusion
Open Source responds proactively to security issues
Open Development encourages clean and secure code
Security Issues are universal and not specific to Open or Closed Source Software