eu-fossa 2 · 2019-10-28 · fix already known bugs hackathons bug bounty programs communication...
![Page 1: EU-FOSSA 2 · 2019-10-28 · Fix already known bugs Hackathons Bug bounty programs Communication campaign. Bug bounties Critical bug hidden for 20 years in PuTTy found and fixed •](https://reader034.vdocument.in/reader034/viewer/2022042201/5ea1cc576545b717e1056e35/html5/thumbnails/1.jpg)
EU-FOSSA 2: Free and Open Source Software Auditing
ApacheCon Europe | Berlin | 23 October 2019
Marek Przybyszewski and Saranjit Arora
Page 2
Agenda
• OSS at the EC
• EU-FOSSA (2015-2016)
• EU-FOSSA 2 (2017-2019)
• What next?
Page 3
Page 4
Open Source helps the EU
Page 5
The EU-FOSSA journey
• Initiative
• Pilot project: EU-FOSSA (2015-2016)
• Preparatory action: EU-FOSSA 2 (2017-2019), € 2.6M
• Standing EU activity
Page 6
Pilot project – EU-FOSSA 1
• FOSS Methodology
• FOSS Inventory
• Community engagement
• Public survey
• Code reviews
Page 7
Establishing our most critical FOSS
Page 8
Lessons from the EU-FOSSA pilot
• Positive reaction (EU, public, FOSS communities)
• Code reviews
  – Apache HTTP server core - no findings
• Only find bugs?
• Little communication/community engagement
• Methodology works
Public survey results: FOSS Security is really important!
Page 9
EU-FOSSA 2 Key Objectives
• More EU institutions
• Use innovative ways
• Existing issues
• Spread awareness
• Engage wider and deeper
Page 10
EU-FOSSA 2 Activities
• Public surveys & interviews
• OSS studies
• Fix already known bugs
• Hackathons
• Bug bounty programs
• Communication campaign
Page 11
Bug bounties
Critical bug hidden for 20 years in PuTTY found and fixed
• First time in European institutions
• Primary security audit method
• Critical FOSS used in participating institutions
• 15 programmes launched (6 still running)
• 20% bonus for fixing the bug found
Programmes:
• 7-zip
• Apache Kafka
• Apache Tomcat
• Drupal
• DSS
• FileZilla
• Flux TL
• Glibc
• KeePass
• Midpoint
• Notepad++
• PHP Symfony
• PuTTY
• VLC
• WSO2
Tomcat Bug Bounty is open until 30 November
Page 12
Bug bounty results (so far)
• Bugs reported: 606
• Bugs accepted: 213
• Bugs high or critical: 70
• Total bounties paid: €200k
"VLC 3.0.7 fixes 33 security issues, one of which is a high-severity flaw in an MPEG decoder software library"
Please note, figures are not final
Page 13
Bug Bounty dashboard: 15 · 142 · 0 (# SUBMISSIONS, # HACKERS, # VALID VULNERABILITIES)
Page 14
Bug Bounty dashboard: 13 · 88 · 3 (# SUBMISSIONS, # HACKERS, # VALID VULNERABILITIES)
Page 15
Three Hackathons
Watch the videos
• Symfony
• Apache
Page 16
Page 17
Drupal patch automation
The vast majority of external European Commission websites run on Drupal
We commissioned a project to:
• Fix known critical vulnerabilities
• Automate patch updates
Page 18
Listening to smaller communities
We are in the process of connecting with many small/micro communities
Page 19
Other studies
• IPR and IT support requirements
• State of Open Source Worldwide
• Open source trends
• Best practice usage by Public Administrations and key Private companies
• Key internal/external stakeholders
Updated OSS Strategy
Page 20
Inventory - most critical open source software we use
[Chart: Top 20: Work Stations and App-V; vertical axis 0.0 to 0.7]
Page 21
Inventory - most critical open source software we use
[Chart: Top 20: Server-side; vertical axis 0.0 to 0.9]
Page 22
Communication Strategy
GENERAL
PUBLIC
DEVELOPERS
CONTENT
UNIVERSITIES
FOSS EVENT
SOCIAL MEDIA
WEBSITE
COMMUNITIES
FOSS EVENT
AMA’s
CONFERENCES
Public surveys · Developer engagement · Outreach campaign
Page 23
Brand touchpoints
• Brand refresh - new logo and visual identity
• Website
• Goodies
• Coordination of comms efforts on:
  • Hackathons
  • Bug bounties
  • Internal / external promotion
Page 24
Media interest
• Overwhelming coverage by media, both technical and generalist publications
• Over 135 news articles published on EU-FOSSA 2 in the past 8 months
• Content with the most successful performance on DIGIT's Twitter account
"So the EU protected almost everybody from that one" – The Register, 19.03.2019
Page 25
Next steps
• Highly successful and visible
• Hackathons internal projects
• Project continuation being discussed
• Open source strategy being updated
• Open source use is increasing across
European institutions