securifylabs & tiki @ countermeasure 2014

Open-source Security in the Era

of HeartbleedCountermeasure - October 2014

Nelson Ko Sherif Koussa

SecurifyLabs 2014 2

Nelson KoTiki Admin . Synergiq Solutions - CTO . M.Eng . M.A

!

• CTO Synergiq Solutions • Tiki Project Admin • Firefox Tiki Support at Mozilla • Open-source Customer Support Pioneer

Nelson KoCTO - Synergiq Solutions

" #

SecurifyLabs 2014 3

Sherif KoussaSoftware Secured . Securify Labs . OWASP Ottawa President . SANS . GIAC . GWAPT . GSSP-Java . GSSP-NET

!

• Developer . Hacker . Security Code Review Maven

• OWASP Ottawa Chapter Leader • WebGoat 5.0 Lead Developer • Static Code Analysis Evaluation Criteria

Lead (WASC) • Writing Secure Code Advocate. • Open-source Enthusiast

Sherif KoussaSecurifyLabs - CEO

" #

SecurifyLabs Inc - 2014 4

Agenda$

4 Tiki Wiki CMS Groupware

2 Comparison between 7 top projects

3 Emerging Security Models

1 Is Open Source More Secure?

5

Quality* Security* Cost*

*According to BlackDuck 2014 Future of Open-source Survey

7

Linus’ Law: “Given Enough Eye-Balls All

Bugs Are Shallow” Eric Raymond - The Cathedral and The Bazaar

8

% Bug Density (CVEs/LoC)

% Eye Density (Contributors/LoC)

9

SecurifyGraphsgraphs.securifylabs.com

OpenHubwww.openhub.net

LoC

How big the code base is

Activityactivity relative to other projects

Contributorsactive developers (aka eye-balls)

Max Risk

The highest CVSS score

CVEsNIST CVEs published in the last 3 years

Avg. Risk

SUM(CVSS)/# CVEs

SecurifyLabs 2014 10

OpenSSLToolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols

&



1

2

2


BashBash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh)

&



1

1


WordpressThe world largest Content Management System

&




DrupalThe world second largest Content Management System

&




UbuntuUbuntu is a Debian-based Linux operating system

&




Apache HTTP ServerOpen-source HTTP server

&




mongoDBAn open-source document database, and the leading NoSQL database.

&




Comparisonhow do these projects stack together

|

0

450

900

1350

1800

openSSL mongoDb Wordpress Ubuntu Drupal Apache Bash

LoC (1000)

0

30

60

90

120


Contributors

0

125

250

375

500


CVEs

0

0.4

0.8

1.2

1.6


Bug Density

0

0.075

0.15

0.225

0.3


Eye Density

18

Emerging Security Models

(


Emerging Open-Source Security Models!

)Bug Bounty Programs

A bug bounty program is a deal offered by many website and software developers by

which individuals can receive recognition and compensation for reporting bugs

PHP . Perl . OpenSSL . Nginx . Apache Httpd . Ruby . Ruby on Rails . Python . Django

Crowdsourcing


Emerging Open-Source Security Models⋆

)Node.js Security

https://nodesecurity.io/

1. Audit every single module in npm 2. Provide advisories issues 3. Provide a public API + DB of audit results.

Community Audit

PHPBB

https://nodesecurity.io/


Emerging Open-Source Security Models⋆

)TrueCrypt

Indiegogo fundraiser racked up more than $46,000 -- with an original goal of $25,000 -- and another fundraiser on Fundfill added another $16,479

Crowdfunding

22

When Great Community Meets Security

Please Meet Tiki

(


About TikiThe Wiki/CMS with most features

+

About

Tiki is the Free/Libre/Open Source Web Application with the most built-in features. •Wikis (like Wikipedia) •Forums (like phpBB) •Blogs (like WordPress) •Articles (like Yahoo news) •Image Gallery (like Flickr)

Quick Facts

•Downloaded more than 1,000,000 times •2009 Google Summer of Code •Most Collaborative Project for the SourceForge.net Community

Choice Awards •SourceForge project of the month •Code is committed every 2 hours on average


About Tiki’s Security ControlsA security-focused community

,

Strong Access Control

Fine grained access and permission mechanism strictly applied for every feature.

-

Full Feature Control

All the features could be enabled or disabled by the administrator.

-

Strong Input Validation

A strong input validation filter that strictly scrubs user-input before being processed.

-

Dedicated Security Team

A volunteer-based security team

-

Meeting the Challenge of CyberSecurity in an Open-Source Community

Increasing security concerns-

Funding challenges-

Community buy-in for a more proactive approach-

Remediation Support-


Timeline.

Crowdfunding

July 2014

Remediation

October 2014

Assessment Started

August 2014

Retesting

November 2014

Audited Tiki

January 2015


SecurifyBASEextensive application security for open-source projects

/

1 2 3 4 5

Threat Modelling

identify threat surface

Static Code Analysis

proprietary and commercial static code analyzers

Manual Review

manual line-by-line review for certain modules

Confirmation

proof the high and critical vulnerabilities

Reporting

detailed description of the bug, location and impact


More eyeballs <> more security-

Closed Source Risk <> Open Source Risk-

Security conscious culture is more important-

Conclusion

0twittertwitter.com /nelsonko #

linkleidnhttp://ca.linkedin.com/pub/dir/Nelson/Ko1

[email protected]

Thank You

0twittertwitter.com/skoussa #

linkleidnhttp://ca.linkedin.com/pub/dir/sherif/koussa1

[email protected]

http://ca.linkedin.com/pub/dir/Nelson/Ko

mailto:[email protected]?subject=

http://twitter.com/skoussa

http://ca.linkedin.com/pub/dir/sherif/koussa

mailto:[email protected]

securifylabs & tiki @ countermeasure 2014

Technology