SlideShare a Scribd company logo

Barcamp: Open Source and Security

Download as ODP, PDF
Joshua L. Davis
Joshua L. Davis

This was the five minute pitch that David and group pulled together at the WG2 barcamp. This will be a start for a community developed document to help field questions about oss and security within the military.

Technology
1 of 20
Open Source Software (OSS) and Security MIL-OSS Dr. David A. Wheeler & Jim Barkley August 5, 2010 This presentation contains the views of the author and does not indicate endorsement by IDA or MITRE, the U.S. government, or the U.S. Department of Defense.
OSS & Security ,[object Object]
“Proprietary is always more secure” ,[object Object],[object Object]
Some specific OSS programs are more secure than their competitors ,[object Object]
OSS has many advantages for security (1) ,[object Object]
Fortify’s “Java Open Review Project”
Linux “sparse”
OSS has many advantages for security (2) ,[object Object]
Vincent Rijmen (AES): “forces people to write more clear code & adhere to standards”
Whitfield Diffie: “it’s simply unrealistic to depend on secrecy for security” ,[object Object]
Some OSS security statistics ,[object Object]
IE 21x more likely to get spyware than Firefox [U of Wash.]
Faster response: Firefox 37 days, Windows 134.5 days
Browser “unsafe” days in 2004: 98% Internet Explorer, 15% Mozilla/Firefox (half of Firefox’s MacOS-only)
Windows websites more vulnerable in practice 17% (GNU/Linux) 66% (Windows) Defaced 66.75% (Apache) 24.81% (IIS) Deployed websites (by name) 29.6% (GNU/Linux) 49.6% (Windows) Deployed Systems OSS Proprietary Category
DoD cyber security requires OSS “ One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would ,[object Object]
... limit DoD access to—and overall expertise in—the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks.
... remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack . Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks .” - Use of Free and Open Source Software in the US Dept. of Defense (MITRE, sponsored by DISA), Jan. 2, 2003
Why hiding source doesn’t help security ,[object Object]
Source code can be regenerated by disassemblers & decompilers sufficiently to search for vulnerabilities

Recommended

DISA's Open Source Corporate Management Information System (OSCMIS)
DISA's Open Source Corporate Management Information System (OSCMIS)DISA's Open Source Corporate Management Information System (OSCMIS)
DISA's Open Source Corporate Management Information System (OSCMIS)Joshua L. Davis
 
The Open Source Movement
The Open Source MovementThe Open Source Movement
The Open Source MovementJoshua L. Davis
 
Mil-OSS @ 47th Annual AOC Convention
Mil-OSS @ 47th Annual AOC ConventionMil-OSS @ 47th Annual AOC Convention
Mil-OSS @ 47th Annual AOC ConventionJoshua L. Davis
 
Open vs Closed - Which is more secure?
Open vs Closed - Which is more secure? Open vs Closed - Which is more secure?
Open vs Closed - Which is more secure? SYNAQ
 
optics
opticsoptics
opticsUniversity of Delhi
 
Closed systems, open systems
Closed systems, open systemsClosed systems, open systems
Closed systems, open systemsrobin fay
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attacksecurityxploded
 
OSS Licensing (Public)
OSS Licensing (Public)OSS Licensing (Public)
OSS Licensing (Public)Marcus A. Streips
 

Recommended

DISA's Open Source Corporate Management Information System (OSCMIS)
DISA's Open Source Corporate Management Information System (OSCMIS)DISA's Open Source Corporate Management Information System (OSCMIS)
DISA's Open Source Corporate Management Information System (OSCMIS)Joshua L. Davis
 
The Open Source Movement
The Open Source MovementThe Open Source Movement
The Open Source MovementJoshua L. Davis
 
Mil-OSS @ 47th Annual AOC Convention
Mil-OSS @ 47th Annual AOC ConventionMil-OSS @ 47th Annual AOC Convention
Mil-OSS @ 47th Annual AOC ConventionJoshua L. Davis
 
Open vs Closed - Which is more secure?
Open vs Closed - Which is more secure? Open vs Closed - Which is more secure?
Open vs Closed - Which is more secure? SYNAQ
 
optics
opticsoptics
opticsUniversity of Delhi
 
Closed systems, open systems
Closed systems, open systemsClosed systems, open systems
Closed systems, open systemsrobin fay
 
DLL Preloading Attack
DLL Preloading AttackDLL Preloading Attack
DLL Preloading Attacksecurityxploded
 
OSS Licensing (Public)
OSS Licensing (Public)OSS Licensing (Public)
OSS Licensing (Public)Marcus A. Streips
 
Dealing with Linux Malware
Dealing with Linux MalwareDealing with Linux Malware
Dealing with Linux MalwareMichael Boelen
 
Improving the FreeBSD security advisory process
Improving the FreeBSD security advisory processImproving the FreeBSD security advisory process
Improving the FreeBSD security advisory processAPNIC
 
Teachers intro to free libre open source software rev
Teachers intro to free libre open source software revTeachers intro to free libre open source software rev
Teachers intro to free libre open source software revDr. Samuel Coleman
 
Typo3 website hacked
Typo3 website hackedTypo3 website hacked
Typo3 website hackedMarcus Krause
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Computer viruses - A daily harm
Computer viruses - A daily harmComputer viruses - A daily harm
Computer viruses - A daily harmAnubhav125
 
Rootkit
RootkitRootkit
Rootkittech2click
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Open Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and SecurityOpen Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and SecurityJoshua L. Davis
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksAlienVault
 
Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011warezjoe
 
BPotter-L1-05
BPotter-L1-05BPotter-L1-05
BPotter-L1-05webuploader
 
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to InfrastructureJorge Orchilles
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecurityWilliam Chipman
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesProtecode
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesJavier González
 
Astaro Orange Paper Oss Myths Dispelled
Astaro Orange Paper Oss Myths DispelledAstaro Orange Paper Oss Myths Dispelled
Astaro Orange Paper Oss Myths Dispelledlosalamos
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open SourceShane Coughlan
 

More Related Content

What's hot

Dealing with Linux Malware
Dealing with Linux MalwareDealing with Linux Malware
Dealing with Linux MalwareMichael Boelen
 
Improving the FreeBSD security advisory process
Improving the FreeBSD security advisory processImproving the FreeBSD security advisory process
Improving the FreeBSD security advisory processAPNIC
 
Teachers intro to free libre open source software rev
Teachers intro to free libre open source software revTeachers intro to free libre open source software rev
Teachers intro to free libre open source software revDr. Samuel Coleman
 
Typo3 website hacked
Typo3 website hackedTypo3 website hacked
Typo3 website hackedMarcus Krause
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Computer viruses - A daily harm
Computer viruses - A daily harmComputer viruses - A daily harm
Computer viruses - A daily harmAnubhav125
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 

What's hot (8)

Dealing with Linux Malware
Dealing with Linux MalwareDealing with Linux Malware
Dealing with Linux Malware
 
Improving the FreeBSD security advisory process
Improving the FreeBSD security advisory processImproving the FreeBSD security advisory process
Improving the FreeBSD security advisory process
 
Teachers intro to free libre open source software rev
Teachers intro to free libre open source software revTeachers intro to free libre open source software rev
Teachers intro to free libre open source software rev
 
Typo3 website hacked
Typo3 website hackedTypo3 website hacked
Typo3 website hacked
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Computer viruses - A daily harm
Computer viruses - A daily harmComputer viruses - A daily harm
Computer viruses - A daily harm
 
Rootkit
RootkitRootkit
Rootkit
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 

Similar to Barcamp: Open Source and Security

Open Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and SecurityOpen Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and SecurityJoshua L. Davis
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksAlienVault
 
Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011warezjoe
 
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to InfrastructureJorge Orchilles
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesProtecode
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesJavier González
 
Astaro Orange Paper Oss Myths Dispelled
Astaro Orange Paper Oss Myths DispelledAstaro Orange Paper Oss Myths Dispelled
Astaro Orange Paper Oss Myths Dispelledlosalamos
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Achim D. Brucker
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open SourceShane Coughlan
 
PCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsTim Mackey
 
Trends in network security feinstein - informatica64
Trends in network security feinstein - informatica64Trends in network security feinstein - informatica64
Trends in network security feinstein - informatica64Chema Alonso
 

Similar to Barcamp: Open Source and Security (20)

Open Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and SecurityOpen Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and Security
 
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber AttacksThe Lazy Attacker: Defending Against Broad-based Cyber Attacks
The Lazy Attacker: Defending Against Broad-based Cyber Attacks
 
Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011Microcontroller mayhem - ECTF & USSS 2011
Microcontroller mayhem - ECTF & USSS 2011
 
BPotter-L1-05
BPotter-L1-05BPotter-L1-05
BPotter-L1-05
 
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...
 
Mobile security
Mobile securityMobile security
Mobile security
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to Infrastructure
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Reduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security VulnerabilitiesReduce the Risk of Open Source Security Vulnerabilities
Reduce the Risk of Open Source Security Vulnerabilities
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal Devices
 
Astaro Orange Paper Oss Myths Dispelled
Astaro Orange Paper Oss Myths DispelledAstaro Orange Paper Oss Myths Dispelled
Astaro Orange Paper Oss Myths Dispelled
 
Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...Using Third Party Components for Building an Application Might be More Danger...
Using Third Party Components for Building an Application Might be More Danger...
 
Continuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycleContinuous security: Bringing agility to the secure development lifecycle
Continuous security: Bringing agility to the secure development lifecycle
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
 
PCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red Hat
 
Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 
Trends in network security feinstein - informatica64
Trends in network security feinstein - informatica64Trends in network security feinstein - informatica64
Trends in network security feinstein - informatica64
 
Lunix xx
Lunix xxLunix xx
Lunix xx
 

More from Joshua L. Davis

Innovation Through “Trusted” Open Source Solutions
Innovation Through “Trusted” Open Source SolutionsInnovation Through “Trusted” Open Source Solutions
Innovation Through “Trusted” Open Source SolutionsJoshua L. Davis
 
The Next Generation Open IDS Engine Suricata and Emerging Threats
The Next Generation Open IDS Engine Suricata and Emerging ThreatsThe Next Generation Open IDS Engine Suricata and Emerging Threats
The Next Generation Open IDS Engine Suricata and Emerging ThreatsJoshua L. Davis
 
Ignite: Hackin' Excel with Ruby
Ignite: Hackin' Excel with RubyIgnite: Hackin' Excel with Ruby
Ignite: Hackin' Excel with RubyJoshua L. Davis
 
Ignite: Improving Performance on Federal Contracts Using Scrum & Agile
Ignite: Improving Performance on Federal Contracts Using Scrum & AgileIgnite: Improving Performance on Federal Contracts Using Scrum & Agile
Ignite: Improving Performance on Federal Contracts Using Scrum & AgileJoshua L. Davis
 
Ignite: Devops - Why Should You Care
Ignite: Devops - Why Should You CareIgnite: Devops - Why Should You Care
Ignite: Devops - Why Should You CareJoshua L. Davis
 
Using the Joomla CMI in the Army Hosting Environment
Using the Joomla CMI in the Army Hosting EnvironmentUsing the Joomla CMI in the Army Hosting Environment
Using the Joomla CMI in the Army Hosting EnvironmentJoshua L. Davis
 
Senior Leaders Adapting to Social Technologies
Senior Leaders Adapting to Social TechnologiesSenior Leaders Adapting to Social Technologies
Senior Leaders Adapting to Social TechnologiesJoshua L. Davis
 
Importance of WS-Addressing and WS-Reliability in DoD Enterprises
Importance of WS-Addressing and WS-Reliability in DoD EnterprisesImportance of WS-Addressing and WS-Reliability in DoD Enterprises
Importance of WS-Addressing and WS-Reliability in DoD EnterprisesJoshua L. Davis
 
OZONE & OWF: A Community-wide GOTS initiative and its transition to GOSS
OZONE & OWF: A Community-wide GOTS initiative and its transition to GOSSOZONE & OWF: A Community-wide GOTS initiative and its transition to GOSS
OZONE & OWF: A Community-wide GOTS initiative and its transition to GOSSJoshua L. Davis
 
Title TBD: "18 hundred seconds"
Title TBD: "18 hundred seconds"Title TBD: "18 hundred seconds"
Title TBD: "18 hundred seconds"Joshua L. Davis
 
Reaching It's Potential: How to Make Government-Developed OSS A Major Player
Reaching It's Potential: How to Make Government-Developed OSS A Major PlayerReaching It's Potential: How to Make Government-Developed OSS A Major Player
Reaching It's Potential: How to Make Government-Developed OSS A Major PlayerJoshua L. Davis
 
Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)Joshua L. Davis
 
USIP Open Simulation Platform
USIP Open Simulation PlatformUSIP Open Simulation Platform
USIP Open Simulation PlatformJoshua L. Davis
 
OSSIM and OMAR in the DoD/IC
OSSIM and OMAR in the DoD/ICOSSIM and OMAR in the DoD/IC
OSSIM and OMAR in the DoD/ICJoshua L. Davis
 
CONNECT: An Open Source Platform for Promoting Military Health
CONNECT: An Open Source Platform for Promoting Military HealthCONNECT: An Open Source Platform for Promoting Military Health
CONNECT: An Open Source Platform for Promoting Military HealthJoshua L. Davis
 
The Enterprise Guide to Drupal for Gov 2.0
The Enterprise Guide to Drupal for Gov 2.0The Enterprise Guide to Drupal for Gov 2.0
The Enterprise Guide to Drupal for Gov 2.0Joshua L. Davis
 
CompanyCommand & PlatoonLeader Forums and MilSuite
CompanyCommand & PlatoonLeader Forums and MilSuiteCompanyCommand & PlatoonLeader Forums and MilSuite
CompanyCommand & PlatoonLeader Forums and MilSuiteJoshua L. Davis
 

More from Joshua L. Davis (20)

Innovation Through “Trusted” Open Source Solutions
Innovation Through “Trusted” Open Source SolutionsInnovation Through “Trusted” Open Source Solutions
Innovation Through “Trusted” Open Source Solutions
 
The Next Generation Open IDS Engine Suricata and Emerging Threats
The Next Generation Open IDS Engine Suricata and Emerging ThreatsThe Next Generation Open IDS Engine Suricata and Emerging Threats
The Next Generation Open IDS Engine Suricata and Emerging Threats
 
Ignite: Hackin' Excel with Ruby
Ignite: Hackin' Excel with RubyIgnite: Hackin' Excel with Ruby
Ignite: Hackin' Excel with Ruby
 
Ignite: YSANAOYOA
Ignite: YSANAOYOAIgnite: YSANAOYOA
Ignite: YSANAOYOA
 
Ignite: Improving Performance on Federal Contracts Using Scrum & Agile
Ignite: Improving Performance on Federal Contracts Using Scrum & AgileIgnite: Improving Performance on Federal Contracts Using Scrum & Agile
Ignite: Improving Performance on Federal Contracts Using Scrum & Agile
 
Ignite: Devops - Why Should You Care
Ignite: Devops - Why Should You CareIgnite: Devops - Why Should You Care
Ignite: Devops - Why Should You Care
 
Using the Joomla CMI in the Army Hosting Environment
Using the Joomla CMI in the Army Hosting EnvironmentUsing the Joomla CMI in the Army Hosting Environment
Using the Joomla CMI in the Army Hosting Environment
 
Senior Leaders Adapting to Social Technologies
Senior Leaders Adapting to Social TechnologiesSenior Leaders Adapting to Social Technologies
Senior Leaders Adapting to Social Technologies
 
SOSCOE Overview
SOSCOE OverviewSOSCOE Overview
SOSCOE Overview
 
milSuite
milSuitemilSuite
milSuite
 
Importance of WS-Addressing and WS-Reliability in DoD Enterprises
Importance of WS-Addressing and WS-Reliability in DoD EnterprisesImportance of WS-Addressing and WS-Reliability in DoD Enterprises
Importance of WS-Addressing and WS-Reliability in DoD Enterprises
 
OZONE & OWF: A Community-wide GOTS initiative and its transition to GOSS
OZONE & OWF: A Community-wide GOTS initiative and its transition to GOSSOZONE & OWF: A Community-wide GOTS initiative and its transition to GOSS
OZONE & OWF: A Community-wide GOTS initiative and its transition to GOSS
 
Title TBD: "18 hundred seconds"
Title TBD: "18 hundred seconds"Title TBD: "18 hundred seconds"
Title TBD: "18 hundred seconds"
 
Reaching It's Potential: How to Make Government-Developed OSS A Major Player
Reaching It's Potential: How to Make Government-Developed OSS A Major PlayerReaching It's Potential: How to Make Government-Developed OSS A Major Player
Reaching It's Potential: How to Make Government-Developed OSS A Major Player
 
Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)
 
USIP Open Simulation Platform
USIP Open Simulation PlatformUSIP Open Simulation Platform
USIP Open Simulation Platform
 
OSSIM and OMAR in the DoD/IC
OSSIM and OMAR in the DoD/ICOSSIM and OMAR in the DoD/IC
OSSIM and OMAR in the DoD/IC
 
CONNECT: An Open Source Platform for Promoting Military Health
CONNECT: An Open Source Platform for Promoting Military HealthCONNECT: An Open Source Platform for Promoting Military Health
CONNECT: An Open Source Platform for Promoting Military Health
 
The Enterprise Guide to Drupal for Gov 2.0
The Enterprise Guide to Drupal for Gov 2.0The Enterprise Guide to Drupal for Gov 2.0
The Enterprise Guide to Drupal for Gov 2.0
 
CompanyCommand & PlatoonLeader Forums and MilSuite
CompanyCommand & PlatoonLeader Forums and MilSuiteCompanyCommand & PlatoonLeader Forums and MilSuite
CompanyCommand & PlatoonLeader Forums and MilSuite
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Barcamp: Open Source and Security

  • 1. Open Source Software (OSS) and Security MIL-OSS Dr. David A. Wheeler & Jim Barkley August 5, 2010 This presentation contains the views of the author and does not indicate endorsement by IDA or MITRE, the U.S. government, or the U.S. Department of Defense.
  • 2.
  • 3.
  • 4.
  • 5.
  • 6. Fortify’s “Java Open Review Project”
  • 8.
  • 9. Vincent Rijmen (AES): “forces people to write more clear code & adhere to standards”
  • 10.
  • 11.
  • 12. IE 21x more likely to get spyware than Firefox [U of Wash.]
  • 13. Faster response: Firefox 37 days, Windows 134.5 days
  • 14. Browser “unsafe” days in 2004: 98% Internet Explorer, 15% Mozilla/Firefox (half of Firefox’s MacOS-only)
  • 15. Windows websites more vulnerable in practice 17% (GNU/Linux) 66% (Windows) Defaced 66.75% (Apache) 24.81% (IIS) Deployed websites (by name) 29.6% (GNU/Linux) 49.6% (Windows) Deployed Systems OSS Proprietary Category
  • 16.
  • 17. ... limit DoD access to—and overall expertise in—the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks.
  • 18. ... remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack . Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks .” - Use of Free and Open Source Software in the US Dept. of Defense (MITRE, sponsored by DISA), Jan. 2, 2003
  • 19.
  • 20. Source code can be regenerated by disassemblers & decompilers sufficiently to search for vulnerabilities
  • 21.
  • 22. Hiding source doesn’t appreciably inhibit attacks
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32. Market rush often impairs proprietary quality
  • 33.
  • 34.
  • 35.
  • 36.
  • 37. Trick is to get result into user supply chain
  • 38. In OSS, requires subverting/misleading the trusted developers or trusted repository/distribution…
  • 39. and no one noticing the public malsource later
  • 40.
  • 41.
  • 42. Consider supplier as you would proprietary software
  • 43. Risk larger for small OSS projects
  • 44.
  • 45.
  • 46. Hidden for 7 years in proprietary product
  • 47. Found after release as OSS in 5 months
  • 48. Unclear if malicious, but has its form
  • 49. Acronyms (1) BSD: Berkeley Software Distribution COTS: Commercial Off-the-Shelf (either proprietary or OSS) DFARS: Defense Federal Acquisition Regulation Supplement DISR: DoD Information Technology Standards and Profile Registry DoD: Department of Defense DoDD: DoD Directive DoDI: DoD Instruction EULA: End-User License Agreement FAR: Federal Acquisition Regulation OSS: Free-libre / Open Source Software FSF: Free Software Foundation (fsf.org) GNU: GNU’s not Unix GOTS: Government Off-The-Shelf (see COTS) GPL: GNU General Public License HP: Hewlett-Packard Corporation IPR: Intellectual Property Rights; use “Intellectual Rights” instead IT: Information Technology LGPL: GNU Lesser General Public License
  • 50. Acronyms (2) MIT: Massachusetts Institute of Technology MPL: Mozilla Public License NDI: Non-developmental item (see COTS) OMB: Office of Management & Budget OSDL: Open Source Development Labs OSI: Open Source Initiative (opensource.org) OSJTF: Open Systems Joint Task Force OSS: Open Source Software PD: Public Domain PM: Program Manager RFP: Request for Proposal RH: Red Hat, Inc. ROI: Return on Investment STIG: Security Technical Implementation Guide TCO: Total Cost of Ownership U.S.: United States USC: U.S. Code V&V: Verification & Validation Trademarks belong to the trademark holder.
  • 51.
  • 52. “ Use of Free and Open Source Software in the US Dept. of Defense” (MITRE, sponsored by DISA)
  • 53. President's Information Technology Advisory Committee (PITAC) -- Panel on Open Source Software for High End Computing, October 2000
  • 54. “ Open Source Software (OSS) in the DoD,” DoD memo signed by John P. Stenbit (DoD CIO), May 28, 2003
  • 55. Center of Open Source and Government (EgovOS) http://www.egovos.org/
  • 57. Open Source and Industry Alliance http://www.osaia.org
  • 58. Open Source Initiative http://www.opensource.org
  • 59. Free Software Foundation http://www.fsf.org
  • 61.