securifylabs & tiki @ countermeasure 2014
DESCRIPTION
This talk is co-presented with Tiki Wiki CMS Groupware to highlight the proactive steps the community took for application security.

TRANSCRIPT
Open-source Security in the Era of Heartbleed
Countermeasure - October 2014
Nelson Ko Sherif Koussa
SecurifyLabs 2014
Nelson Ko
Tiki Admin . Synergiq Solutions - CTO . M.Eng . M.A
• CTO, Synergiq Solutions
• Tiki Project Admin
• Firefox Tiki Support at Mozilla
• Open-source Customer Support Pioneer
Sherif Koussa
Software Secured . Securify Labs . OWASP Ottawa President . SANS . GIAC . GWAPT . GSSP-Java . GSSP-NET
• Developer . Hacker . Security Code Review Maven
• OWASP Ottawa Chapter Leader
• WebGoat 5.0 Lead Developer
• Static Code Analysis Evaluation Criteria Lead (WASC)
• Writing Secure Code Advocate
• Open-source Enthusiast
SecurifyLabs - CEO
Agenda
1. Is Open Source More Secure?
2. Comparison between 7 top projects
3. Emerging Security Models
4. Tiki Wiki CMS Groupware
Quality, Security, Cost*
*According to the Black Duck 2014 Future of Open Source Survey
Linus' Law: "Given enough eyeballs, all bugs are shallow." Eric Raymond - The Cathedral and the Bazaar
Bug Density (CVEs/LoC)
Eye Density (Contributors/LoC)
Data sources (used for every project slide below): SecurifyGraphs (graphs.securifylabs.com) and OpenHub (www.openhub.net)
LoC: how big the code base is
Activity: activity relative to other projects
Contributors: active developers (aka eyeballs)
Max Risk: the highest CVSS score
CVEs: NIST CVEs published in the last 3 years
Avg. Risk: SUM(CVSS) / # CVEs
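A worked example of these metrics, added here and not SecurifyLabs' or OpenHub's code: it computes CVE count, max risk, average risk, bug density and eye density per project from constructed placeholder data, applies the 3-year CVE window (so an old high-CVSS entry does not inflate max risk), handles the no-CVE case, ranks projects by a metric, and computes a Spearman rank correlation between eye density and bug density, which is the comparison the following slides make in chart form. Assumptions: "last 3 years" is taken as 3*365 days before a fixed reference date of 1 October 2014, densities are expressed per 1,000 LoC (the talk does not state its scale), and the project names, CVE rows and scores are invented placeholders rather than the talk's figures.

```python
# Worked example added for this page (not SecurifyLabs' or OpenHub's code):
# the per-project metrics defined above, computed from constructed data.
# Assumptions: "last 3 years" = 3*365 days before a fixed reference date;
# densities are per 1,000 LoC; projects, CVE rows and scores are placeholders.
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW_DAYS = 3 * 365          # assumption: "last 3 years" as a day count
TODAY = date(2014, 10, 1)      # reference date (the talk was given in October 2014)
PER_LOC = 1000.0               # densities per 1,000 lines of code (assumed scale)


@dataclass(frozen=True)
class Cve:
    cve_id: str      # placeholder ids below, not real CVE numbers
    published: date
    cvss: float


@dataclass(frozen=True)
class Project:
    name: str
    loc: int             # size of the code base
    contributors: int    # active developers, the "eyeballs"
    cves: tuple          # every CVE ever published for the project


def recent_cves(project, today=TODAY):
    """CVEs published inside the 3-year window; older entries are ignored."""
    cutoff = today - timedelta(days=WINDOW_DAYS)
    return [c for c in project.cves if c.published >= cutoff]


def metrics(project, today=TODAY):
    """CVE count, max risk, average risk, bug density and eye density."""
    cves = recent_cves(project, today)
    n = len(cves)
    return {
        "cves": n,
        "max_risk": max((c.cvss for c in cves), default=0.0),
        # SUM(CVSS) / #CVEs; reported as 0.0 when there is nothing to average
        "avg_risk": sum(c.cvss for c in cves) / n if n else 0.0,
        "bug_density": n * PER_LOC / project.loc,
        "eye_density": project.contributors * PER_LOC / project.loc,
    }


def rank_by(projects, key, today=TODAY):
    """Project names ordered from highest to lowest value of one metric."""
    scored = [(metrics(p, today)[key], p.name) for p in projects]
    return [name for _, name in sorted(scored, key=lambda t: (-t[0], t[1]))]


def _ranks(values):
    """1-based ranks, with tied values sharing their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def eyeballs_vs_bugs(projects, today=TODAY):
    """Spearman rank correlation between eye density and bug density.
    Linus' law, read literally, predicts a negative value (more eyes, fewer
    bugs); near zero or positive means the sample does not support it."""
    xs = [metrics(p, today)["eye_density"] for p in projects]
    ys = [metrics(p, today)["bug_density"] for p in projects]
    rx, ry = _ranks(xs), _ranks(ys)
    n = len(projects)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


# Constructed sample input: placeholder projects, ids and scores.
SAMPLE = (
    Project("libfoo", 250_000, 20, (
        Cve("EXAMPLE-1", date(2014, 4, 7), 5.0),
        Cve("EXAMPLE-2", date(2013, 2, 1), 7.5),
        Cve("EXAMPLE-3", date(2010, 5, 1), 10.0),   # outside the 3-year window
    )),
    Project("webcms", 200_000, 60, (
        Cve("EXAMPLE-4", date(2014, 8, 1), 4.3),
    )),
    Project("tinyshell", 100_000, 5, ()),            # no CVEs at all
)

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.name, metrics(p))
    print("by bug density:", rank_by(SAMPLE, "bug_density"))
    print("eye density vs bug density (Spearman):", eyeballs_vs_bugs(SAMPLE))
```

On the sample, libfoo's 2010 entry with CVSS 10.0 falls outside the window, so its max risk is 7.5 and its average 6.25; tinyshell has no CVEs and reports zero for every risk figure rather than dividing by zero. With only three placeholder projects the correlation (0.5 here) is meaningless as evidence; the point is that the same computation run over the seven real projects is what the next comparison slides are showing.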
OpenSSL: toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
Bash: an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh)
WordPress: the world's largest Content Management System
Drupal: the world's second largest Content Management System
Ubuntu: a Debian-based Linux operating system
Apache HTTP Server: open-source HTTP server
MongoDB: an open-source document database, and the leading NoSQL database
Comparison: how do these projects stack up?
[Bar charts comparing openSSL, mongoDB, WordPress, Ubuntu, Drupal, Apache and Bash, one per metric: LoC (thousands), Contributors, CVEs, Bug Density, Eye Density. The bar values are not recoverable from this transcript; only the axis ranges survive: LoC 0-1800 (thousands), Contributors 0-120, CVEs 0-500, Bug Density 0-1.6, Eye Density 0-0.3.]
Emerging Security Models
Emerging Open-Source Security Models
Bug Bounty Programs (crowdsourcing)
A bug bounty program is a deal offered by many website and software developers by which individuals can receive recognition and compensation for reporting bugs.
Examples: PHP . Perl . OpenSSL . Nginx . Apache Httpd . Ruby . Ruby on Rails . Python . Django
Emerging Open-Source Security Models
Node.js Security (community audit)
https://nodesecurity.io/
1. Audit every single module in npm
2. Provide advisories for issues
3. Provide a public API + DB of audit results
Also: phpBB
Emerging Open-Source Security Models
TrueCrypt (crowdfunding)
The Indiegogo fundraiser racked up more than $46,000, against an original goal of $25,000, and another fundraiser on Fundfill added another $16,479.
When Great Community Meets Security
Please Meet Tiki
About Tiki: the Wiki/CMS with the most features
Tiki is the Free/Libre/Open Source Web Application with the most built-in features:
• Wikis (like Wikipedia)
• Forums (like phpBB)
• Blogs (like WordPress)
• Articles (like Yahoo news)
• Image Gallery (like Flickr)
Quick Facts
• Downloaded more than 1,000,000 times
• 2009 Google Summer of Code
• Most Collaborative Project for the SourceForge.net Community Choice Awards
• SourceForge project of the month
• Code is committed every 2 hours on average
About Tiki's Security Controls: a security-focused community
• Strong Access Control: a fine-grained access and permission mechanism, strictly applied for every feature.
• Full Feature Control: every feature can be enabled or disabled by the administrator.
• Strong Input Validation: an input validation filter that strictly scrubs user input before it is processed.
• Dedicated Security Team: a volunteer-based security team.
Meeting the Challenge of CyberSecurity in an Open-Source Community
• Increasing security concerns
• Funding challenges
• Community buy-in for a more proactive approach
• Remediation support
Timeline
• Crowdfunding: July 2014
• Assessment started: August 2014
• Remediation: October 2014
• Retesting: November 2014
• Audited Tiki: January 2015
SecurifyBASE: extensive application security for open-source projects
1. Threat Modelling: identify the threat surface
2. Static Code Analysis: proprietary and commercial static code analyzers
3. Manual Review: manual line-by-line review of certain modules
4. Confirmation: prove the high and critical vulnerabilities
5. Reporting: detailed description of each bug, its location and its impact
Conclusion
• More eyeballs ≠ more security
• Closed-source risk ≠ open-source risk
• A security-conscious culture is more important
Thank You
Nelson Ko: twitter.com/nelsonko . http://ca.linkedin.com/pub/dir/Nelson/Ko1
Sherif Koussa: twitter.com/skoussa . http://ca.linkedin.com/pub/dir/sherif/koussa1