(in)security in open source
TRANSCRIPT
![Page 1: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/1.jpg)
(In)security in Open Source
Even great approaches to software can have challenges.
The question is how we address them.
![Page 2: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/2.jpg)
Open Source is Massive
Open Source is everywhere
in embedded, mobile and
enterprise computing.
According to the leading
survey of Open Source
market adoption, 43% of
companies find it more
competitive than
alternatives, 43% find it
easier to deploy and 58%
find it has the greatest
ability to scale.
It exists in every sector and
adoption is growing
Reference: Black Duck 2015 Future of Open Source Survey
![Page 3: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/3.jpg)
78% of surveyed companies run on Open Source and less than
3% do not use Open Source in any way.
Reference: Black Duck 2015 Future of Open Source Survey
![Page 4: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/4.jpg)
89% of surveyed companies said that Open Source impacts the
speed of innovation and improves time to market for new
products.
Reference: Black Duck 2015 Future of Open Source Survey
![Page 5: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/5.jpg)
What’s the catch?
![Page 6: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/6.jpg)
Open Source and Security
There have been significant vulnerabilities discovered in widely
used open source components.
Each was present in applications tested using static and dynamic
tools for years without being detected.
They were disclosed by security researchers conducting manual
code reviews.
![Page 7: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/7.jpg)
This Matters
![Page 8: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/8.jpg)
This Matters
“Through 2020, security and quality defects
publicly attributed to OSS projects will increase
significantly, driven by a growing presence within
high-profile, mission-critical and mainstream IT
workloads.”
Gartner, Road Map for Open-Source Success: Understanding Quality and Security, Mark Driver, 3 March 2014.
![Page 9: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/9.jpg)
This Matters
The DROWN attack (CVE-2016-0800), which abuses servers that still
accept SSLv2 to decrypt TLS sessions protected by the same RSA key,
left more than 11 million websites using OpenSSL at risk.
http://thehackernews.com/2016/03/drown-attack-openssl-vulnerability.html
![Page 10: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/10.jpg)
This Matters
IoT breaches expose infrastructure, as in the recent hack of
bus arrival information screens in Korea to display
pornography.
http://m.chosun.com/svc/article.html?sname=news&contid=2016042601303
![Page 11: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/11.jpg)
Open Source Security is a big deal
![Page 12: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/12.jpg)
What Do We Do?
There is a lot of process documentation and there are many tooling
options available for Open Source licensing compliance.
We are only starting to see similar process documentation and
tooling emerge for Open Source security.
In fact, most companies do not use any yet.
![Page 13: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/13.jpg)
67% of surveyed companies said that they do not monitor Open
Source code for security vulnerabilities.
Reference: Black Duck 2015 Future of Open Source Survey
![Page 14: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/14.jpg)
The Community Evolves
This is obviously not an area that can remain neglected for long.
New connected segments that substantially depend on Open
Source, like IoT and Smart Infrastructure, mean that we cannot
ignore security any longer.
![Page 15: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/15.jpg)
The Community Adapts
The global Open Source community has dealt with improving
processes and tooling before.
The basic approach is to identify the core problems, decide what
needs documenting (processes) and what can be automated
(tooling), and then collaborate to create deliverables.
![Page 16: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/16.jpg)
Improved Security in Open Source is Coming
Projects like the Core Infrastructure Initiative at Linux
Foundation have emerged to both explain key processes and
coordinate funding to address security issues.
Vendors and projects around the world are gradually building
tooling to help with Open Source security analysis and
monitoring.
![Page 17: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/17.jpg)
Will 2017 be different?
![Page 18: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/18.jpg)
Maturity Will Bring Increased Choice
In Open Source license compliance we have a lot of choices
around process documentation or automated tooling.
There is generic process material from FOSS Bazaar, specific
package description material from SPDX, and supply chain
management material from OpenChain. For automated tooling
there are products like the Binary Analysis Tool, Black Duck
Protex or Protecode and community projects like FOSSology.
The same type of choice will apply to Open Source security.
![Page 19: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/19.jpg)
Improved Security in Open Source is Coming
You can expect the emergence of best practices for generic Open
Source security, specific material to address development
problems, and other material to assist with supply chain
challenges.
On the tooling side you can expect the emergence of a range of
solutions to support requirements. We have already seen the
beginning of this from both security vendors and companies that
traditionally focused on license compliance issues.
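What "monitoring Open Source code for security vulnerabilities" looks like at its simplest, as an added example that is not part of the presentation or of any vendor's product: a script that reads the package inventory from an SPDX tag-value document (the package description format mentioned above), compares each package version against a vulnerability feed, and reports the hits. The SPDX document, the feed, the package names and the advisory identifiers are all constructed for illustration. The part that decides whether such a check is correct is version comparison: comparing versions as strings ranks 1.2.10 below 1.2.9, so the script parses versions into numeric tuples and treats a pre-release such as 0.9.1-rc1 as older than 0.9.1.

```python
"""Check an SPDX tag-value package inventory against a vulnerability feed.

Added example, not code from the presentation or from any vendor tool.
The SPDX document, the vulnerability records and the version ranges are
constructed for illustration; the advisory identifiers are placeholders,
not real CVE numbers.
"""
import re

# Constructed SPDX 2.x tag-value fragment. PackageName / PackageVersion are
# real SPDX tag names; the packages and versions are made up.
SPDX_DOC = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
DocumentName: example-firmware

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.2.10
PackageLicenseConcluded: MIT

PackageName: barhttpd
SPDXID: SPDXRef-Package-barhttpd
PackageVersion: 2.4.9
PackageLicenseConcluded: Apache-2.0

PackageName: bazjson
SPDXID: SPDXRef-Package-bazjson
PackageVersion: 0.9.1-rc1
PackageLicenseConcluded: BSD-3-Clause
"""

# Constructed feed: (advisory id, package, introduced, fixed).
# "introduced" is inclusive, "fixed" is exclusive, fixed=None means no fix yet.
VULN_FEED = [
    ("EXAMPLE-0001", "libfoo", "1.2.0", "1.2.11"),
    ("EXAMPLE-0002", "barhttpd", "2.4.0", "2.4.9"),   # 2.4.9 itself is fixed
    ("EXAMPLE-0003", "bazjson", "0.9.0", None),       # unfixed
]


def parse_spdx_packages(text):
    """Return [(name, version)] for each package in an SPDX tag-value document.

    A PackageName tag opens a new package; PackageVersion is attached to the
    most recent one. Version is None when the tag is missing.
    """
    packages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")   # split on the first colon only
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            packages.append([value, None])
        elif tag == "PackageVersion" and packages:
            packages[-1][1] = value
    return [tuple(p) for p in packages]


# Dotted numeric version with an optional pre-release tag (1.2.10, 0.9.1-rc1).
# Assumption: a letter suffix means pre-release. Schemes where a letter is a
# patch level (OpenSSL's 1.0.1f) need a scheme-specific comparator instead.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?$")


def parse_version(text):
    """Turn a version string into a tuple that sorts numerically, not lexically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))            # 1.2 == 1.2.0.0
    pre = m.group(2)
    # A final release sorts after any pre-release with the same numbers.
    return (nums, 1 if pre is None else 0, pre or "")


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None: no upper bound)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(spdx_text, feed):
    """Return (package, version, advisory) for every inventory hit.

    A package without a version cannot be assessed; it is reported with the
    pseudo-advisory "NO-VERSION" so it gets reviewed instead of silently passing.
    """
    findings = []
    for name, version in parse_spdx_packages(spdx_text):
        if version is None:
            findings.append((name, None, "NO-VERSION"))
            continue
        for advisory, pkg, introduced, fixed in feed:
            if pkg == name and is_affected(version, introduced, fixed):
                findings.append((name, version, advisory))
    return findings


if __name__ == "__main__":
    for name, version, advisory in find_vulnerable(SPDX_DOC, VULN_FEED):
        print(f"{name} {version}: {advisory}")
```

Run against the constructed inventory it reports libfoo 1.2.10 and the unfixed bazjson 0.9.1-rc1, and passes barhttpd 2.4.9 because that version is the fix. Pointing it at a real SBOM would also require mapping package names onto the feed's naming and a comparator for each project's version scheme; that mapping work is where both commercial and community tools spend most of their effort.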
![Page 20: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/20.jpg)
Security is what you make of it
Open Source is no safer or
more dangerous than any
other type of software if
used without good
processes and best practices.
However, if good processes
and best practices are
applied, Open Source has
the potential to be more
secure than anything else.
![Page 21: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/21.jpg)
Open Source has some security challenges
![Page 22: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/22.jpg)
It is still as secure as proprietary software
![Page 23: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/23.jpg)
But it can be substantially better as more best practices emerge
![Page 24: (In)security in Open Source](https://reader033.vdocument.in/reader033/viewer/2022052606/5871c3091a28ab55058b70c9/html5/thumbnails/24.jpg)
You can be part of the solution