How secure is Open Source code? - NotPinkCon
How secure is Open Source code?
Maria Emilia Torino
@emi_torino
So… it is not secure???
How secure is Open Source code?
https://ubuntu.com/security
“@Canonical Security is at the heart of Ubuntu”
“The UK Government puts Ubuntu in first place for security”
https://ubuntu.com/blog/ubuntu-scores-highest-in-uk-gov-security-assessment
What is Canonical/Ubuntu doing to lead open source security?
#1 Secure out of the box
Threat modeling
Automated code inspection
Secure code guidelines
Security testing
Security code reviews
#1.1 Secure Code Guidelines
Do not trust input
Sanitize output
Do not reinvent the wheel
Minimize the attack surface
Design for least privilege
Apply defense in depth
Do not rely on security by obscurity
Do not ignore compiler / toolchain warning messages
Fail securely
Encrypt network communications
Test security
Learn from mistakes
https://wiki.ubuntu.com/SecurityTeam/FAQ#Design
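As an added illustration of four of the guidelines above (do not trust input, sanitize output, design for least privilege, fail securely), here is a small request handler written for this page. It is not code from the talk or from Ubuntu/Canonical; every name in it (`handle_request`, `ROLE_PERMISSIONS`, `validate_username`, the request parameters) is a hypothetical construction, and the sample inputs at the bottom are made up.

```python
"""Illustration of secure-code guidelines: allowlist validation of input,
context-specific escaping of output, least-privilege role checks, and
failing closed on any error. Hypothetical code written for this page."""
import html
import re
from dataclasses import dataclass

# Do not trust input: accept only what the field is expected to contain
# (an allowlist pattern), rather than trying to blocklist "bad" characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{2,31}$")

# Least privilege: each role carries only the actions it needs; any role or
# action not listed here is denied (hypothetical role table).
ROLE_PERMISSIONS = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
}


class ValidationError(ValueError):
    """Raised for any input the handler refuses to process."""


def validate_username(raw: object) -> str:
    """Reject anything that is not a string matching the allowlist pattern."""
    if not isinstance(raw, str):
        raise ValidationError("username must be a string")
    if not USERNAME_RE.fullmatch(raw):
        raise ValidationError("username contains unexpected characters")
    return raw


def validate_page_size(raw: object, limit: int = 100) -> int:
    """Bound numeric input so a caller cannot request an unbounded result set."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValidationError("page size must be an integer")
    if not 1 <= value <= limit:
        raise ValidationError(f"page size must be between 1 and {limit}")
    return value


def render_greeting(display_name: str) -> str:
    """Sanitize output: escape for the HTML context the value is emitted into."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def is_allowed(role: str, action: str) -> bool:
    """Fail securely: an unknown role or action falls through to deny."""
    return action in ROLE_PERMISSIONS.get(role, frozenset())


@dataclass
class Response:
    status: int
    body: str


def handle_request(params: dict, role: str) -> Response:
    """Process one (constructed) request. Any failure yields a generic error
    status; the rejected input and internal details never reach the client."""
    try:
        if not is_allowed(role, "read"):
            return Response(403, "forbidden")
        name = validate_username(params.get("username"))
        size = validate_page_size(params.get("page_size", 10))
        body = render_greeting(name) + f"<!-- page_size={size} -->"
        return Response(200, body)
    except ValidationError:
        # Generic message: do not echo the rejected input back to the caller.
        return Response(400, "bad request")
    except Exception:
        # Unexpected errors also close the request rather than leaking a trace.
        return Response(500, "internal error")


if __name__ == "__main__":
    # Constructed sample inputs: one good request, one oversized page, one
    # unknown role. None of them reaches a partial or unescaped result.
    print(handle_request({"username": "alice", "page_size": "20"}, "viewer"))
    print(handle_request({"username": "alice", "page_size": "1000"}, "viewer"))
    print(handle_request({"username": "alice"}, "guest"))
```

The escaping lives in `render_greeting` rather than in the validator on purpose: validation decides whether a value is acceptable at all, while escaping is tied to the output context (HTML here; a SQL parameter or shell argument would need a different treatment), which is why the two are kept separate.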
#1.2 Threat Modeling - STRIDE
S - Spoofing: Authentication
T - Tampering: Integrity
R - Repudiation: Non-repudiation
I - Information disclosure: Confidentiality
D - Denial of Service: Availability
E - Elevation of privilege: Authorization
https://en.wikipedia.org/wiki/STRIDE_(security)
#2 Secure by process
Triage
Fix & validation
Publish
https://cve.mitre.org/
https://usn.ubuntu.com/
#3 Certified compliance
Federal Information Processing Standard (FIPS) 140-2 Level 1
Common Criteria EAL2 (ISO/IEC IS 15408)
Security Technical Implementation Guide (STIG)
Center for Internet Security (CIS) benchmark
https://ubuntu.com/blog/canonicals-security-certifications
#4 Communication & Collaboration
#ubuntu-hardened on Freenode IRC
https://ubuntusecuritypodcast.org/
@ubuntu_sec on Twitter
There is no secret sauce, but...
A culture of Security first
A dedicated team seen as a partner
A set of processes in place
A set of tools supporting processes
A great team of smart and experienced people
A supporting structure for helping everybody to grow
https://wiki.ubuntu.com/SecurityTeam/GettingInvolved
https://ubuntu.com/community
https://canonical.com/careers
Get Involved!
Thank you. Questions?
Image references
https://www.theguardian.com/technology/2014/apr/08/heartbleed-bug-puts-encryption-at-risk-for-hundreds-of-thousands-of-servers
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
https://www.zdnet.com/article/critical-linux-security-hole-found/
https://www.techradar.com/news/ransomware-mutations-double-in-2019
https://www.techradar.com/news/whatsapp-hack-are-our-messages-ever-truly-private
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
https://www.zdnet.com/article/samsung-connected-home-fridge-becomes-weapon-in-mitm-attacks/
https://www.scmagazineuk.com/active-directory-attack-enable-malicious-domain-controller-set/article/1473339
https://inhomelandsecurity.com/hackers-stole-over-4-billion-from-crypto-crimes-in-2019-so-far-up-from-1-7-billion-in-all-of-2018/
https://fortune.com/longform/sony-hack-part-1/
https://securityaffairs.co/wordpress/62782/hacking/dragonfly-2-0-campaigns.html
https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/
https://healthitsecurity.com/news/intel-processor-vulnerability-poses-hacking-risk-users-advised-to-patch
https://atmanco.com/blog/hiring/recruitment-questions-to-ask-when-hiring/