#RSAC
OPEN SOURCE IN SECURITY-CRITICAL ENVIRONMENTS
Session ID: DEV-R14
James Zemlin
Executive Director, Linux Foundation
@jzemlin
Open Source is here to stay in security critical environments and every place software is used
Linux has grown into the most important open source project in the world
100% Supercomputer Market
62% Embedded Systems Market
90% Mainframe Customers
90% Public Cloud Workload
82% Smartphone Market Share
2nd To Windows in Enterprise
#1 Internet Client
Every market Linux has entered it eventually dominates
Linux Evolves Faster Than Ever
4,300 Contributors From 450 Organizations
10,000 Lines of Code Added Daily
2,000 Lines of Code Modified Daily
2,500 Lines of Code Removed Daily
8.5 Changes Per Hour
Open Source Development is Accelerating
23M+ Open Source Developers
78M+ Repositories on Github
41B+ Lines of Code
1,100 New Projects a Day
10,000+ New Versions per day
Sources: Sourceclear, Sonatype, Github
“It’s actually open source software that’s eating the world.” - Venturebeat 2015
Creating Applications these days is like making a sandwich
Code Club (Sandwich)
Choose a Framework: Open Source Code (~20%)
Write Custom Code: Custom Code (~10%)
Use Open Source Libraries to Solve Problems: Open Source Code (~70%)
Open Source Code = ~90%
So much code – so little time
Open source isn’t slowing down any time soon
All this abundance has created anxiety
The real question is which projects matter?
(Chart: Criticality of software vs. Number of Open Source Projects)
How do we make important projects sustainable?
Successful Projects depend on members, developers, standards and infrastructure to develop products that the market will adopt.
(Cycle diagram: Projects, Developer Community, Products, Profits)
WHEN THIS CYCLE WORKS, IT WORKS WELL
(Chart: Value of Individual Project vs. Number of Open Source Projects – Millions on Github)
Major Problem:
• How to accelerate cloud native computing: devops, containers, microservices
• How to create a portability layer for cloud
Collective Action:
• 2015 Google created CNCF with The Linux Foundation
• Project seeded with Kubernetes
• CNCF founded with 28 members
Results - 2018:
• Kubernetes de facto standard for container management
• 179 members, including all major public clouds and enterprise software vendors
• Home to 14 additional projects beyond Kubernetes
• 49 Kubernetes certified vendors
• Kubernetes surpasses OpenStack on Google trends
SOMETIMES THE SYSTEM DOESN’T WORK
Questions to ask
What is the most important and security critical shared software in the world?
Who is creating and maintaining that software?
Why are they creating and maintaining that software?
Is it secure, reliable, and healthy?
Core Infrastructure Initiative Census Project
Inputs: Lists of Projects to Analyze; Projects Popularity; Project Data From Debian; Project Data From openhub.net; Project Recent CVE Vulnerability Counts
→ Analysis Program
→ Analysis Results Ranked By Risk Index
→ Expert Selection from Highest-Risk Projects
→ Most Concerning Projects
Current Algorithm
▪ Project has website (1 if no)
▪ Written in C or C++ (2 if yes)
▪ CVE vulnerability reports: 3 points if 4+, 2 points for 2-3, 1 point for 1.
▪ 12 month contributor count: 5 points for 0 contributors, 4 points for 1-3 contributors, 2 points if the number is unknown.
▪ Top 10% most popular Debian package: 1 if yes
▪ Exposure values: 2 points if directly exposed to the network (as server or client), 1 point if it is often used to process data provided by a network, and 1 point if it could be used for local privilege escalation.
▪ Application data only: Subtract 3 points if the Debian database reports that it is “Application Data” or “Standalone Data” (not an application)
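The scoring rules above, carried out as an added example (not the Census Project's own code) over a few constructed project records; the point weights are the slide's, while treating the three exposure values as cumulative and scoring unlisted cases (for example 4+ contributors) as 0 are assumptions.

```python
"""Added illustration of the slide's risk-index rules (not the Census Project's code).
Point weights are the slide's; treating the three exposure values as cumulative and
scoring unlisted cases (for example 4+ contributors) as 0 are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProjectFacts:
    name: str
    has_website: bool
    c_or_cpp: bool
    recent_cves: int                  # recent CVE vulnerability reports
    contributors_12m: Optional[int]   # None = count unknown
    top10_debian: bool                # among the top 10% most popular Debian packages
    network_exposed: bool             # directly exposed to the network (server or client)
    processes_network_data: bool      # often processes data provided by a network
    local_priv_esc: bool              # could be used for local privilege escalation
    application_data: bool            # Debian says "Application Data"/"Standalone Data"


def cve_points(count: int) -> int:
    """3 points for 4+ CVEs, 2 for 2-3, 1 for 1, else 0."""
    if count >= 4:
        return 3
    if count >= 2:
        return 2
    return 1 if count == 1 else 0


def contributor_points(count: Optional[int]) -> int:
    """5 points for 0 contributors, 4 for 1-3, 2 if unknown, else 0 (assumed)."""
    if count is None:
        return 2
    if count == 0:
        return 5
    return 4 if count <= 3 else 0


def risk_index(p: ProjectFacts) -> int:
    score = 0 if p.has_website else 1          # no website: +1
    score += 2 if p.c_or_cpp else 0            # C or C++: +2
    score += cve_points(p.recent_cves)
    score += contributor_points(p.contributors_12m)
    score += 1 if p.top10_debian else 0        # popular Debian package: +1
    score += 2 if p.network_exposed else 0     # exposure values (assumed cumulative)
    score += 1 if p.processes_network_data else 0
    score += 1 if p.local_priv_esc else 0
    if p.application_data:                     # data-only package: -3
        score -= 3
    return score


def rank_by_risk(projects: List[ProjectFacts]) -> List[ProjectFacts]:
    """Analysis results ranked by risk index, highest first (ties broken by name)."""
    return sorted(projects, key=lambda p: (-risk_index(p), p.name))


# Constructed sample records (hypothetical projects, not the Census data).
SAMPLE = [
    ProjectFacts("legacy-netclient", has_website=False, c_or_cpp=True, recent_cves=0,
                 contributors_12m=0, top10_debian=True, network_exposed=True,
                 processes_network_data=False, local_priv_esc=False, application_data=False),
    ProjectFacts("busy-webserver", has_website=True, c_or_cpp=True, recent_cves=3,
                 contributors_12m=20, top10_debian=True, network_exposed=True,
                 processes_network_data=True, local_priv_esc=True, application_data=False),
    ProjectFacts("image-parser-lib", has_website=True, c_or_cpp=True, recent_cves=5,
                 contributors_12m=None, top10_debian=True, network_exposed=False,
                 processes_network_data=True, local_priv_esc=False, application_data=False),
    ProjectFacts("timezone-data", has_website=True, c_or_cpp=False, recent_cves=0,
                 contributors_12m=None, top10_debian=True, network_exposed=False,
                 processes_network_data=False, local_priv_esc=False, application_data=True),
]


def sample_scores() -> dict:
    """Name -> risk index, in ranked order."""
    return {p.name: risk_index(p) for p in rank_by_risk(SAMPLE)}


if __name__ == "__main__":
    for name, score in sample_scores().items():
        print(f"{score:3d}  {name}")
```

Note that the unmaintained network client with no reported CVEs outranks the busy, actively maintained server: a quiet project is not a safe one, which is the point of weighting contributor count so heavily.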
Tremendous Systemic Risks to the Internet Still Unaddressed
Binary Package Name | Source Package Name (If Different) | CII 2016 Census Risk Score
ftp | netkit-ftp | 11
netcat-traditional | netcat | 11
tcpd | tcp-wrappers | 11
whois | | 11
at | | 10
libwrap0 | tcp-wrappers | 10
traceroute | | 10
xauth | | 10
bzip2 | | 9
hostname | | 9
libacl1 | acl | 9
libaudit0 | audit | 9
libbz2-1.0 | bzip2 | 9
libept1.4.12 | libept | 9
libreadline6 | readline6 | 9
libtasn1-3 | | 9
linux-base | | 9
telnet | netkit-telnet | 9
The Big Risk: Commonly used open source code and libraries are among the most at risk to cyber attacks or other potential threats that could bring down the global Internet.
Source: CII 2016 Census
A little love goes a long way
2014 - OpenSSL was maintained by two people and moribund
2016 – Recorded more activity than in the entire previous history of the project, including:
• Three new releases
• 3889 commits
• 481 GitHub users
• Thousands of forks.
• 1052 pull requests closed
• 47 CVEs reported and handled
How to create secure code?
We must secure the most critical open source software projects that power the world’s infrastructure, and promote a culture of secure coding.
100 Projects Granted CII Best Practice Badge
Initiative launched in May 2016 to raise awareness of development processes and governance steps for better security outcomes
The badge makes it easier for users of open source projects to see which projects take security seriously; it isn’t a “rubber stamp” process
1,000 projects registered for the badge
Education
One of the largest causes of security vulnerabilities is developers being unaware of security best practices
We need courses for open source developers for Security and Auditing
Organizations like SAFECode provide curriculum and training but we need more
We need to be able to pass information about software bill of materials across the tech value chain in a simple and reliable way. You can’t fix bugs for code you don’t even know you have.
Software Tracking: The Challenge
Companies combine Open Source Software with other software: 3rd party SW, Outsource SW, OSS Package, OSS Package, Your code → Software Bill of Materials (BOM)?
Creating an accurate bill of materials and notices requires effort & research
Software BOM: The Challenge
Supplier 1 → Supplier 2 → Customers
The effort is repeated at each step in the supply chain
“Open Source”-scape
Upstream Projects → Useful “Collections” of Open Source → Added-value Software → Products
Software Package Data eXchange
Open Standard:
• A standard format for communicating the licenses and copyrights and identity associated with software packages
Vision:
• To help reduce redundant work in determining software BOM information and facilitate compliance
Guiding principles:
• Human and machine readable
• Focus on capturing facts; avoid interpretations
What makes up an SPDX Document?
SPDX v2.1 Document contains:
• Document Creation Information
• Package Information
• File Information
• Snippet Information
• Other Licensing Information
• Relationships
• Annotations
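An added example (not SPDX's, OpenChain's or any listed project's code) showing the Document Creation, Package and Relationship sections of an SPDX 2.1 tag:value document, plus the supply-chain hand-off from the earlier slide: the downstream supplier reuses the upstream BOM rather than repeating the research. It assumes single-line values only (real SPDX also allows <text>...</text> blocks), and the supplier names, namespaces and package versions are constructed.

```python
"""Added illustration (not SPDX's or OpenChain's own code): a minimal SPDX 2.1
tag:value writer/parser and the hand-off the slides describe, where the next
supplier reuses the upstream BOM instead of re-researching it.  Assumes
single-line values (real SPDX also allows <text>...</text> blocks)."""
from dataclasses import dataclass, field
from typing import List, Tuple

PKG_TAGS = {"SPDXID": "spdx_id", "PackageVersion": "version",
            "PackageLicenseDeclared": "license_declared"}
DOC_TAGS = {"DocumentName": "name", "DocumentNamespace": "namespace",
            "Creator": "creator", "Created": "created"}


@dataclass
class Package:
    spdx_id: str
    name: str
    version: str
    license_declared: str


@dataclass
class SpdxDocument:
    name: str
    namespace: str
    creator: str
    created: str
    packages: List[Package] = field(default_factory=list)
    relationships: List[Tuple[str, str, str]] = field(default_factory=list)


def to_tag_value(doc: SpdxDocument) -> str:
    """Emit Document Creation Information, Package Information and Relationships."""
    out = ["SPDXVersion: SPDX-2.1", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {doc.name}", f"DocumentNamespace: {doc.namespace}",
           f"Creator: {doc.creator}", f"Created: {doc.created}", ""]
    for p in doc.packages:
        out += [f"PackageName: {p.name}", f"SPDXID: {p.spdx_id}",
                f"PackageVersion: {p.version}", "PackageDownloadLocation: NOASSERTION",
                "FilesAnalyzed: false", "PackageLicenseConcluded: NOASSERTION",
                f"PackageLicenseDeclared: {p.license_declared}",
                "PackageCopyrightText: NOASSERTION", ""]
    out += [f"Relationship: {a} {rel} {b}" for a, rel, b in doc.relationships]
    return "\n".join(out) + "\n"


def from_tag_value(text: str) -> SpdxDocument:
    """Parse the subset written by to_tag_value; a PackageName tag opens a package."""
    doc = SpdxDocument(name="", namespace="", creator="", created="")
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ": " not in line:
            continue
        tag, value = line.split(": ", 1)
        if tag == "PackageName":
            cur = Package(spdx_id="", name=value, version="", license_declared="")
            doc.packages.append(cur)
        elif tag == "Relationship":
            a, rel, b = value.split()
            doc.relationships.append((a, rel, b))
        elif tag in PKG_TAGS and cur is not None:
            setattr(cur, PKG_TAGS[tag], value)
        elif tag in DOC_TAGS:
            setattr(doc, DOC_TAGS[tag], value)
    return doc


def absorb_supplier_bom(mine: SpdxDocument, supplier_bom: str, product_id: str) -> SpdxDocument:
    """Reuse the upstream package facts: copy them into our BOM and record that our
    product CONTAINS them.  SPDX IDs must be unique per document, so collisions fail."""
    known = {p.spdx_id for p in mine.packages}
    for p in from_tag_value(supplier_bom).packages:
        if p.spdx_id in known:
            raise ValueError(f"SPDX ID collision: {p.spdx_id}")
        known.add(p.spdx_id)
        mine.packages.append(p)
        mine.relationships.append((product_id, "CONTAINS", p.spdx_id))
    return mine


# Constructed sample: the BOM a hypothetical "Supplier 1" ships with its component.
SUPPLIER1_BOM = to_tag_value(SpdxDocument(
    name="supplier1-component-bom", namespace="https://example.invalid/spdx/supplier1",
    creator="Tool: example-bom-writer", created="2018-04-01T00:00:00Z",
    packages=[Package("SPDXRef-zlib", "zlib", "1.2.11", "Zlib"),
              Package("SPDXRef-expat", "expat", "2.2.5", "MIT")],
    relationships=[("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-zlib"),
                   ("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-expat")]))


def build_downstream_bom() -> SpdxDocument:
    """Hypothetical "Supplier 2": list our own code, then absorb Supplier 1's BOM."""
    mine = SpdxDocument("supplier2-product-bom", "https://example.invalid/spdx/supplier2",
                        "Tool: example-bom-writer", "2018-04-02T00:00:00Z",
                        [Package("SPDXRef-our-app", "our-app", "3.0", "NOASSERTION")],
                        [("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-our-app")])
    return absorb_supplier_bom(mine, SUPPLIER1_BOM, "SPDXRef-our-app")
```

Printing to_tag_value(build_downstream_bom()) gives the document Supplier 2 can hand to its customers, with zlib and expat carried over from the upstream BOM unchanged.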
Emerging “Between Organization” Trust Models
Software Parts Ledger - utilizes Blockchain to manage open source across the supply chain. Utilizes Hyperledger Sawtooth Platform & SPDX based BOM to conform to OpenChain best practices.
See: https://github.com/Wind-River/sparts
Accepted 2018/3 into Hyperledger Labs - https://github.com/hyperledger-labs/hyperledger-labs.github.io/blob/master/labs/SParts.md
ClearlyDefined - Announced 2018/3 - calls for participation in curating the metadata to summarize projects. See ClearlyDefined.io for more information.
Sharing software bill of materials is a critical part of the security process
OpenChain builds trust in open source by making sharing of software BOM simpler and more consistent
Adobe, Arm, Cisco, Harman, Hitachi, HPE, GitHub, Qualcomm, Siemens, Toyota, Wind River and Western Digital
Learn how open source software flows
Get a process in place
We need to invest in tools that test upstream code
Frama-C False-Positive-Free Checking
Frama-C is a highly respected static checker
When used with test cases and modified Unix standard functions, it is able to detect bugs without false positives
Proposal is to modify several standard Unix functions to support false-positive-free operation on OpenSSL
In addition, the proposal is to use the American Fuzzy Lop fuzzer to automatically generate test cases from which Frama-C can detect bugs
Fuzzing
https://fuzzing-project.org/ is Hanno Böck’s project
Uses zzuf, Address Sanitizer and american fuzzy lop to find bugs in open source projects
Discovered numerous GnuPG bugs in Feb 2015
He and others have found numerous bugs in many projects: http://lcamtuf.coredump.cx/afl/#bugs
His main activity is to convert the fuzzer output into reproducible test cases and file bugs for them
He is also doing great work training new developers to become expert fuzzers
CII is also reaching out to fuzzing toolkit authors
Reproducible Builds
Debian and Fedora rely on package maintainers to compile source code from the upstream authors
Because the resulting binaries depend on machine configuration (like timestamps and file ordering), these binaries are not reproducible
That makes it impossible to independently verify that the binaries have not been tampered with
Binary reproducibility should become an expected attribute of free software distros
We need to invest in audit of upstream open source code for critical shared infrastructure
Auditing
Many critical open source projects do not have resources to audit
Auditing finds critical bugs that won’t be found any other way
Auditing is expensive, time consuming and only finds a subset of the bugs, so it can’t be the only tool
OpenSSL audit underway
How to get involved?
Follow up material
• See the Linux Foundation-sponsored Institute for Defense Analyses (IDA) report, "Open Source Software Projects Needing Security Investments"
• Some of the projects we're most concerned about (because they are ubiquitously deployed and could result in Heartbleed-style vulnerabilities) include compression libraries (bzip2, gzip, unzip, zlib) and format libraries (libjpeg, libpng, and expat)
• Unlike before Heartbleed, there is actually a group focused on these issues. Two major programs we’re undertaking with IDA:
  • CII is not only reactively looking for broken projects (i.e., fighting fires) through our Census Project
  • We are also developing the building codes (in terms of security best practices) to avoid fires in the future
 
Intel’s Impacts on the US Economy
Intel’s Impacts on the US EconomyIntel’s Impacts on the US Economy
Intel’s Impacts on the US EconomyDESMOND YUEN
 
2021 private networks infographics
2021 private networks infographics2021 private networks infographics
2021 private networks infographicsDESMOND YUEN
 
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...DESMOND YUEN
 
Accelerate Your AI Today
Accelerate Your AI TodayAccelerate Your AI Today
Accelerate Your AI TodayDESMOND YUEN
 
Increasing Throughput per Node for Content Delivery Networks
Increasing Throughput per Node for Content Delivery NetworksIncreasing Throughput per Node for Content Delivery Networks
Increasing Throughput per Node for Content Delivery NetworksDESMOND YUEN
 
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...DESMOND YUEN
 
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm.""Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."DESMOND YUEN
 
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...DESMOND YUEN
 

Mehr von DESMOND YUEN (20)

2022-AI-Index-Report_Master.pdf
2022-AI-Index-Report_Master.pdf2022-AI-Index-Report_Master.pdf
2022-AI-Index-Report_Master.pdf
 
Small Is the New Big
Small Is the New BigSmall Is the New Big
Small Is the New Big
 
Intel® Blockscale™ ASIC Product Brief
Intel® Blockscale™ ASIC Product BriefIntel® Blockscale™ ASIC Product Brief
Intel® Blockscale™ ASIC Product Brief
 
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable ProcessorsCryptography Processing with 3rd Gen Intel Xeon Scalable Processors
Cryptography Processing with 3rd Gen Intel Xeon Scalable Processors
 
Intel 2021 Product Security Report
Intel 2021 Product Security ReportIntel 2021 Product Security Report
Intel 2021 Product Security Report
 
How can regulation keep up as transformation races ahead? 2022 Global regulat...
How can regulation keep up as transformation races ahead? 2022 Global regulat...How can regulation keep up as transformation races ahead? 2022 Global regulat...
How can regulation keep up as transformation races ahead? 2022 Global regulat...
 
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, More
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, MoreNASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, More
NASA Spinoffs Help Fight Coronavirus, Clean Pollution, Grow Food, More
 
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
A Survey on Security and Privacy Issues in Edge Computing-Assisted Internet o...
 
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIES
PUTTING PEOPLE FIRST:  ITS IS SMART COMMUNITIES AND  CITIESPUTTING PEOPLE FIRST:  ITS IS SMART COMMUNITIES AND  CITIES
PUTTING PEOPLE FIRST: ITS IS SMART COMMUNITIES AND CITIES
 
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPE
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPEBUILDING AN OPEN RAN ECOSYSTEM FOR EUROPE
BUILDING AN OPEN RAN ECOSYSTEM FOR EUROPE
 
An Introduction to Semiconductors and Intel
An Introduction to Semiconductors and IntelAn Introduction to Semiconductors and Intel
An Introduction to Semiconductors and Intel
 
Changing demographics and economic growth bloom
Changing demographics and economic growth bloomChanging demographics and economic growth bloom
Changing demographics and economic growth bloom
 
Intel’s Impacts on the US Economy
Intel’s Impacts on the US EconomyIntel’s Impacts on the US Economy
Intel’s Impacts on the US Economy
 
2021 private networks infographics
2021 private networks infographics2021 private networks infographics
2021 private networks infographics
 
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
Transforming the Modern City with the Intel-based 5G Smart City Road Side Uni...
 
Accelerate Your AI Today
Accelerate Your AI TodayAccelerate Your AI Today
Accelerate Your AI Today
 
Increasing Throughput per Node for Content Delivery Networks
Increasing Throughput per Node for Content Delivery NetworksIncreasing Throughput per Node for Content Delivery Networks
Increasing Throughput per Node for Content Delivery Networks
 
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
3rd Generation Intel® Xeon® Scalable Processor - Achieving 1 Tbps IPsec with ...
 
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm.""Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
"Life and Learning After One-Hundred Years: Trust Is The Coin Of The Realm."
 
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
Telefónica views on the design, architecture, and technology of 4G/5G Open RA...
 

Kürzlich hochgeladen

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024Mind IT Systems
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is insideshinachiaurasa2
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durbanmasabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisamasabamasaba
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburgmasabamasaba
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...masabamasaba
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionOnePlan Solutions
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Hararemasabamasaba
 

Kürzlich hochgeladen (20)

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
%in Lydenburg+277-882-255-28 abortion pills for sale in Lydenburg
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 

Open source-in-security-critical-environments

  • 11. Code Club (Sandwich): Choose a Framework; Write Custom Code; Use Open Source Libraries to Solve Problems
  • 12. Code Club (Sandwich): Choose a Framework = Open Source Code (~20%); Write Custom Code = Custom Code (~10%); Use Open Source Libraries to Solve Problems = Open Source Code (~70%). Open Source Code = ~90%
  • 13. So much code – so little time: 23M+ Open Source Developers; 78M+ Repositories on GitHub; 41B+ Lines of Code; 1,100 New Projects a Day; 10,000+ New Versions per day. Sources: SourceClear, Sonatype, GitHub
  • 14. Open source isn't slowing down any time soon
  • 15. All this abundance has created anxiety
  • 16. The real question is which projects matter? (chart: Criticality of software vs. Number of Open Source Projects)
  • 17. How do we make important projects sustainable? Successful projects depend on members, developers, standards and infrastructure to develop products that the market will adopt. (cycle diagram: Projects, Developer Community, Products, Profits)
  • 18. WHEN THIS CYCLE WORKS, IT WORKS WELL
  • 19. (chart: Value of Individual Project vs. Number of Open Source Projects – Millions on GitHub)
    Major Problem: How to accelerate cloud native computing (devops, containers, microservices); how to create a portability layer for cloud.
    Collective Action: In 2015 Google created CNCF with The Linux Foundation; the project was seeded with Kubernetes; CNCF was founded with 28 members.
    Results (2018): Kubernetes is the de facto standard for container management; 179 members, including all major public clouds and enterprise software vendors; home to 14 additional projects beyond Kubernetes; 49 Kubernetes certified vendors; Kubernetes surpasses OpenStack on Google Trends.
  • 20. SOMETIMES THE SYSTEM DOESN'T WORK
  • 21. (image only, no slide text)
  • 22. Questions to ask: What is the most important and security-critical shared software in the world? Who is creating and maintaining that software? Why are they creating and maintaining that software? Is it secure, reliable, and healthy?
  • 23. Core Infrastructure Initiative Census Project (pipeline diagram)
    Inputs: Lists of Projects to Analyze; Project Popularity Data From Debian; Project Data From openhub.net; Project Recent CVE Vulnerability Counts
    Analysis Program -> Analysis Results Ranked By Risk Index -> Expert Selection from Highest-Risk Projects -> Most Concerning Projects
  • 24. Core Infrastructure Initiative Census Project (the same pipeline diagram as slide 23; the slide text did not survive extraction)
  • 25. Current Algorithm
    ▪ Project has website: 1 point if no
    ▪ Written in C or C++: 2 points if yes
    ▪ CVE vulnerability reports: 3 points if 4+, 2 points for 2-3, 1 point for 1
    ▪ 12-month contributor count: 5 points for 0 contributors, 4 points for 1-3 contributors, 2 points if the number is unknown
    ▪ Top 10% most popular Debian package: 1 point if yes
    ▪ Exposure values: 2 points if directly exposed to the network (as server or client), 1 point if it is often used to process data provided by a network, and 1 point if it could be used for local privilege escalation
    ▪ Application data only: subtract 3 points if the Debian database reports that it is "Application Data" or "Standalone Data" (not an application)
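The rules on slide 25, implemented as an added Python example. This is not the census project's own scoring code (the page does not show that code); the ProjectFacts fields, the helper names and the three sample projects are constructed for the illustration.

```python
"""Risk-index scoring, following the rules as the 'Current Algorithm' slide states them.

Added illustration, not the CII Census Project's own code. The field names, the
ProjectFacts type and the three sample projects below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProjectFacts:
    name: str
    has_website: bool
    language: str                     # primary implementation language
    recent_cves: int                  # CVE reports in the census window
    contributors_12mo: Optional[int]  # None when the count is unknown
    top10pct_debian: bool             # in the top 10% most popular Debian packages
    network_exposed: bool             # directly exposed to the network (server or client)
    processes_network_data: bool      # often used to process data received from a network
    local_privesc: bool               # could be used for local privilege escalation
    application_data_only: bool       # Debian tags it "Application Data"/"Standalone Data"


def cve_points(count: int) -> int:
    if count >= 4:
        return 3
    if count >= 2:
        return 2
    return 1 if count == 1 else 0


def contributor_points(count: Optional[int]) -> int:
    if count is None:
        return 2          # unknown
    if count == 0:
        return 5          # nobody is maintaining it
    return 4 if count <= 3 else 0


def exposure_points(p: ProjectFacts) -> int:
    return ((2 if p.network_exposed else 0)
            + (1 if p.processes_network_data else 0)
            + (1 if p.local_privesc else 0))


def risk_index(p: ProjectFacts) -> int:
    score = 0
    score += 0 if p.has_website else 1
    score += 2 if p.language in ("C", "C++") else 0
    score += cve_points(p.recent_cves)
    score += contributor_points(p.contributors_12mo)
    score += 1 if p.top10pct_debian else 0
    score += exposure_points(p)
    score -= 3 if p.application_data_only else 0
    return score


def rank_by_risk(projects: List[ProjectFacts]) -> List[ProjectFacts]:
    """Highest risk first; ties broken by name so the output is stable."""
    return sorted(projects, key=lambda p: (-risk_index(p), p.name))


# Constructed sample inputs (not real census records).
SAMPLE_PROJECTS = [
    ProjectFacts("example-ftp-client", has_website=False, language="C", recent_cves=1,
                 contributors_12mo=0, top10pct_debian=True, network_exposed=True,
                 processes_network_data=True, local_privesc=False, application_data_only=False),
    ProjectFacts("example-py-lib", has_website=True, language="Python", recent_cves=0,
                 contributors_12mo=12, top10pct_debian=False, network_exposed=False,
                 processes_network_data=True, local_privesc=False, application_data_only=False),
    ProjectFacts("example-data-pkg", has_website=True, language="none", recent_cves=0,
                 contributors_12mo=None, top10pct_debian=True, network_exposed=False,
                 processes_network_data=False, local_privesc=False, application_data_only=True),
]

if __name__ == "__main__":
    for p in rank_by_risk(SAMPLE_PROJECTS):
        print(f"{risk_index(p):3d}  {p.name}")
```

Under these rules the ceiling is 16 points (1 + 2 + 3 + 5 + 1 + 4), so the scores of 9 to 11 on the next slide sit within a few points of the maximum. The constructed client with no maintainers and direct network exposure scores 13; the pure data package scores 0 because the application-data deduction cancels its unknown-contributor and popularity points.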
  • 26. Tremendous Systemic Risks to the Internet Still Unaddressed
    Binary Package Name    Source Package Name (if different)    CII 2016 Census Risk Score
    ftp                    netkit-ftp                            11
    netcat-traditional     netcat                                11
    tcpd                   tcp-wrappers                          11
    whois                                                        11
    at                                                           10
    libwrap0               tcp-wrappers                          10
    traceroute                                                   10
    xauth                                                        10
    bzip2                                                        9
    hostname                                                     9
    libacl1                acl                                   9
    libaudit0              audit                                 9
    libbz2-1.0             bzip2                                 9
    libept1.4.12           libept                                9
    libreadline6           readline6                             9
    libtasn1-3                                                   9
    linux-base                                                   9
    telnet                 netkit-telnet                         9
    The Big Risk: Commonly used open source code and libraries are among the most at risk to cyber attacks or other potential threats that could bring down the global Internet. Source: CII 2016 Census
  • 27. A little love goes a long way
    2014: OpenSSL was maintained by two people and moribund.
    2016: Recorded more activity than in the entire previous history of the project, including three new releases; 3,889 commits; 481 GitHub users; thousands of forks; 1,052 pull requests closed; 47 CVEs reported and handled.
  • 28. How to create secure code?
  • 29. We must secure the most critical open source software projects that power the world's infrastructure, and promote a culture of secure coding.
  • 30. 100 Projects Granted CII Best Practice Badge. The initiative launched in May 2016 to raise awareness of development processes and governance steps for better security outcomes. The badge makes it easier for users of open source projects to see which projects take security seriously; it isn't a "rubber stamp" process. 1,000 projects have registered for the badge.
  • 31. Education. One of the largest causes of security vulnerabilities is developers being unaware of security best practices. We need courses for open source developers on security and auditing. Organizations like SAFECode provide curriculum and training, but we need more.
  • 32. We need to be able to pass information about the software bill of materials across the tech value chain in a simple and reliable way. You can't fix bugs in code you don't even know you have.
  • 33. Software Tracking: The Challenge. Companies combine Open Source Software with other software (3rd party SW, outsourced SW, OSS packages, your code). Creating an accurate Software Bill of Materials (BOM) and notices requires effort & research.
  • 34. Software BOM: The Challenge. The effort is repeated at each step in the supply chain (Supplier 1 -> Supplier 2 -> Customers).
  • 35. "Open Source"-scape: Upstream Projects -> Useful "Collections" of Open Source -> Added-value Software Products
  • 36. Software Package Data eXchange (SPDX)
    Open Standard: a standard format for communicating the licenses, copyrights and identity associated with software packages
    Vision: to help reduce redundant work in determining software BOM information and facilitate compliance
    Guiding principles: human and machine readable; focus on capturing facts, avoid interpretations
  • 37. What makes up an SPDX Document? An SPDX v2.1 document contains: Document Creation Information; Package Information; File Information; Snippet Information; Other Licensing Information; Relationships; Annotations
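An added Python example of producing the document structure just listed as SPDX 2.1 tag:value text, and of consuming it the way slide 32 asks for (finding out what you have so you can fix it). This is not the SPDX project's tooling and not code from the talk; the two packages, their file contents, the document namespace and the advisory table are constructed. It writes Document Creation Information, Package Information, File Information and Relationships; Snippet Information, Other Licensing Information and Annotations are left out for brevity.

```python
"""Write and read a minimal SPDX 2.1 tag:value SBOM, then check it against advisories.

Added example: not the SPDX project's tooling and not code from the talk. The two
packages, their file contents and the advisory list below are constructed.
"""
import hashlib
import re
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

SPDX_VERSION = "SPDX-2.1"


def spdx_id(label: str) -> str:
    """SPDX identifiers are 'SPDXRef-' plus letters, digits, '.' and '-'."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", label)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def verification_code(file_sha1s: List[str]) -> str:
    """SPDX package verification code: SHA1 over the sorted, concatenated file SHA1s."""
    return hashlib.sha1("".join(sorted(file_sha1s)).encode("ascii")).hexdigest()


def write_sbom(doc_name: str, namespace: str, packages: List[dict], created: str = "") -> str:
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    out = [f"SPDXVersion: {SPDX_VERSION}", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {doc_name}", f"DocumentNamespace: {namespace}",
           "Creator: Tool: example-sbom-writer", f"Created: {created}", ""]
    for pkg in packages:
        pid = spdx_id("Package-" + pkg["name"])
        sums = {path: sha1_hex(data) for path, data in pkg["files"]}
        out += [f"PackageName: {pkg['name']}", f"SPDXID: {pid}",
                f"PackageVersion: {pkg['version']}",
                f"PackageDownloadLocation: {pkg['download']}",
                "FilesAnalyzed: true",
                f"PackageVerificationCode: {verification_code(list(sums.values()))}",
                f"PackageLicenseConcluded: {pkg['license']}",
                f"PackageLicenseDeclared: {pkg['license']}",
                "PackageCopyrightText: NOASSERTION",
                f"Relationship: SPDXRef-DOCUMENT DESCRIBES {pid}", ""]
        for path, digest in sums.items():
            fid = spdx_id("File-" + path)
            out += [f"FileName: ./{path}", f"SPDXID: {fid}",
                    f"FileChecksum: SHA1: {digest}",
                    f"LicenseConcluded: {pkg['license']}",
                    f"LicenseInfoInFile: {pkg['license']}",
                    "FileCopyrightText: NOASSERTION",
                    f"Relationship: {pid} CONTAINS {fid}", ""]
    return "\n".join(out)


def read_packages(sbom: str) -> Dict[str, str]:
    """Map package name -> version from a tag:value document (what a consumer needs first)."""
    found, current = {}, None
    for line in sbom.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":
            current = value
        elif tag == "PackageVersion" and current is not None:
            found[current], current = value, None
    return found


def affected(sbom: str, advisories: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Packages in the SBOM whose version appears in an advisory."""
    return sorted((n, v) for n, v in read_packages(sbom).items() if v in advisories.get(n, set()))


# Constructed sample: two packages with placeholder file contents.
SAMPLE_PACKAGES = [
    {"name": "libexample-compress", "version": "1.0.6", "download": "NOASSERTION",
     "license": "BSD-3-Clause",
     "files": [("src/inflate.c", b"/* constructed */ int inflate(void);\n")]},
    {"name": "example-netcat", "version": "1.10", "download": "NOASSERTION",
     "license": "MIT",
     "files": [("src/netcat.c", b"/* constructed */ int main(void) { return 0; }\n")]},
]
# Constructed advisory feed: package name -> versions known to be affected.
SAMPLE_ADVISORIES = {"libexample-compress": {"1.0.5", "1.0.6"}}


def demo() -> Tuple[str, List[Tuple[str, str]]]:
    sbom = write_sbom("example-app", "https://example.invalid/spdx/example-app",
                      SAMPLE_PACKAGES, created="2018-04-01T00:00:00Z")
    return sbom, affected(sbom, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    text, hits = demo()
    print(text)
    print("affected:", hits)
```

The PackageVerificationCode is the SHA1 of the sorted, concatenated file SHA1s, which lets a downstream consumer confirm that the file list in the SBOM matches the package they actually received. The advisory check is deliberately a plain name-and-version match: once the BOM is reliable, that is all a consumer needs to answer "do I ship the affected version?".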
  • 38. Emerging "Between Organization" Trust Models
    Software Parts Ledger: utilizes blockchain to manage open source across the supply chain. Built on the Hyperledger Sawtooth platform with an SPDX-based BOM to conform to OpenChain best practices. See https://github.com/Wind-River/sparts. Accepted into Hyperledger Labs in March 2018: https://github.com/hyperledger-labs/hyperledger-labs.github.io/blob/master/labs/SParts.md
    ClearlyDefined: announced March 2018; calls for participation in curating the metadata that summarizes projects. See ClearlyDefined.io for more information.
  • 39. Sharing the software bill of materials is a critical part of the security process. OpenChain builds trust in open source by making the sharing of software BOMs simpler and more consistent: Adobe, Arm, Cisco, Harman, Hitachi, HPE, GitHub, Qualcomm, Siemens, Toyota, Wind River and Western Digital
  • 40. Learn how open source software flows
  • 41. Get a process in place
  • 42. We need to invest in tools that test upstream code
  • 43. Frama-C False-Positive-Free Checking. Frama-C is a highly respected static checker. When used with test cases and modified Unix standard functions, it is able to detect bugs without false positives. The proposal is to modify several standard Unix functions to support false-positive-free operation on OpenSSL, and to use the American Fuzzy Lop fuzzer to automatically generate test cases from which Frama-C can detect bugs.
  • 44. Fuzzing. https://fuzzing-project.org/ is Hanno Böck's project. It uses zzuf, AddressSanitizer and american fuzzy lop to find bugs in open source projects, and discovered numerous GnuPG bugs in February 2015. He and others have found numerous bugs in many projects: http://lcamtuf.coredump.cx/afl/#bugs. His main activity is to convert the fuzzer output into reproducible test cases and file bugs for them. He is also doing great work training new developers to become expert fuzzers. CII is also reaching out to fuzzing toolkit authors.
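The workflow slide 44 describes, fuzz until something crashes and then turn the crash into a reproducible test case, as an added Python example. It is not code from the Fuzzing Project, zzuf or afl, and unlike afl it has no coverage feedback; parse_records is a constructed target with a deliberate bug and SEED_INPUT is constructed too. In Python an uncaught exception stands in for the segfault a C target would produce under AddressSanitizer.

```python
"""A mutation fuzzer that turns a crash into a reproducible test case.

Added example in the spirit of zzuf/afl, not their code and not code from the
talk. parse_records() is a constructed target with a deliberate bug and the seed
input is constructed; an uncaught exception plays the role of a crash.
"""
import random
from typing import Callable, List, Optional

Target = Callable[[bytes], object]


def parse_records(buf: bytes) -> List[tuple]:
    """Parse [len][len bytes]... records, returning the (first, last) byte of each.
    Deliberate bug: trusts the declared length, so a short or empty body crashes."""
    out, i = [], 0
    while i < len(buf):
        n = buf[i]
        body = buf[i + 1:i + 1 + n]
        out.append((body[0], body[n - 1]))    # IndexError on a short/empty body
        i += 1 + n
    return out


def crashes(target: Target, data: bytes) -> bool:
    """Treat any uncaught exception as a crash."""
    try:
        target(data)
        return False
    except Exception:
        return True


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: bit flip, interesting value, insert or delete."""
    b = bytearray(data)
    op = rng.choice(("flip", "set", "insert", "delete"))
    if op == "flip" and b:
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif op == "set" and b:
        b[rng.randrange(len(b))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
    elif op == "insert":
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif b:
        del b[rng.randrange(len(b))]
    return bytes(b)


def fuzz(target: Target, seeds: List[bytes], iterations: int = 2000, seed: int = 1) -> Optional[bytes]:
    """Return the first crashing input found, or None. Deterministic for a given seed."""
    rng = random.Random(seed)
    corpus = list(seeds)
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        if crashes(target, candidate):
            return candidate
        if candidate not in corpus and len(corpus) < 256:   # keep some variety without coverage
            corpus.append(candidate)
    return None


def minimize(target: Target, crash: bytes) -> bytes:
    """Greedy one-byte reduction (a simplified ddmin): drop bytes while it still crashes.
    The result is the reproducer to attach to the bug report."""
    data = crash
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            smaller = data[:i] + data[i + 1:]
            if crashes(target, smaller):
                data, shrunk = smaller, True
                break
    return data


SEED_INPUT = b"\x03abc\x02de"   # constructed well-formed input: records "abc" and "de"


def find_and_reduce(target: Target = parse_records) -> Optional[bytes]:
    crash = fuzz(target, [SEED_INPUT])
    return None if crash is None else minimize(target, crash)


if __name__ == "__main__":
    repro = find_and_reduce()
    print("reproducer:", repro)
    print("still crashes:", crashes(parse_records, repro))
```

The greedy reducer can stop at a local minimum (ddmin proper also tries removing larger chunks before shrinking the chunk size), but it already turns a random multi-byte mutation into a much shorter input that a maintainer can paste into a regression test, which is the step the slide says consumes most of the effort.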
  • 45. Reproducible Builds. Debian and Fedora rely on package maintainers to compile source code from the upstream authors. Because the resulting binaries depend on the build environment (such as timestamps and file ordering), these binaries are not reproducible. That makes it impossible to independently verify that the binaries have not been tampered with. Binary reproducibility should become an expected attribute of free software distros.
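An added Python example of the two causes slide 45 names, timestamps and file ordering, and of the normalisation that removes them. It is not Debian's or Fedora's tooling and not code from the talk. The "build" packs a constructed in-memory source tree into a tar archive, so the digest comparison is over archive bytes rather than compiled binaries; the SOURCE_DATE_EPOCH and build-time values are constructed.

```python
"""Why two honest builds of the same sources differ, and how to make them match.

Added example, not Debian's or Fedora's tooling and not code from the talk. The
"build" is packing a constructed in-memory source tree into a tar archive, which
is enough to show the two non-determinism sources the slide names.
"""
import hashlib
import io
import tarfile
from typing import Dict, List, Tuple

# Constructed source tree.
SOURCES: Dict[str, bytes] = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int util(void) { return 1; }\n",
    "README": b"constructed example\n",
}


def _add(tar: tarfile.TarFile, name: str, data: bytes, mtime: int, uid: int, uname: str) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mtime = mtime
    info.uid = info.gid = uid
    info.uname = info.gname = uname
    info.mode = 0o644
    tar.addfile(info, io.BytesIO(data))


def build_naive(sources: Dict[str, bytes], build_time: int, order: List[str]) -> bytes:
    """What an unprepared build does: files in whatever order the filesystem returned,
    the clock at build time as mtime, and the builder's account as owner."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in order:
            _add(tar, name, sources[name], build_time, 1000, "builder")
    return buf.getvalue()


def build_reproducible(sources: Dict[str, bytes], source_date_epoch: int) -> bytes:
    """Same content, normalised: sorted member order, mtime clamped to
    SOURCE_DATE_EPOCH, owner fields fixed to uid 0 and an empty name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(sources):
            _add(tar, name, sources[name], source_date_epoch, 0, "")
    return buf.getvalue()


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def contents(blob: bytes) -> Dict[str, bytes]:
    """The extracted files, which are identical no matter how the archive was built."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}


def compare(a: bytes, b: bytes) -> List[Tuple[str, str, object, object]]:
    """Report where two archives differ in metadata (the kind of thing diffoscope shows)."""
    with tarfile.open(fileobj=io.BytesIO(a), mode="r") as ta, \
         tarfile.open(fileobj=io.BytesIO(b), mode="r") as tb:
        ma, mb = ta.getmembers(), tb.getmembers()
    diffs: List[Tuple[str, str, object, object]] = []
    if [m.name for m in ma] != [m.name for m in mb]:
        diffs.append(("<archive>", "member order", [m.name for m in ma], [m.name for m in mb]))
    by_a, by_b = {m.name: m for m in ma}, {m.name: m for m in mb}
    for name in sorted(set(by_a) | set(by_b)):
        if name not in by_a or name not in by_b:
            diffs.append((name, "present", name in by_a, name in by_b))
            continue
        for field in ("mtime", "uid", "gid", "uname", "gname", "mode", "size"):
            va, vb = getattr(by_a[name], field), getattr(by_b[name], field)
            if va != vb:
                diffs.append((name, field, va, vb))
    return diffs


if __name__ == "__main__":
    first = build_naive(SOURCES, 1521000000, ["src/util.c", "README", "src/main.c"])
    second = build_naive(SOURCES, 1521003600, ["README", "src/main.c", "src/util.c"])
    print("naive builds identical:", digest(first) == digest(second))
    for d in compare(first, second):
        print("  differs:", d)
    r1 = build_reproducible(SOURCES, 1518739200)
    r2 = build_reproducible(SOURCES, 1518739200)
    print("reproducible builds identical:", digest(r1) == digest(r2), digest(r1)[:16])
```

The naive builds extract to identical files yet hash differently, which is exactly what prevents anyone from confirming that a distributed binary matches its source. The reproducible variant sorts members, clamps every mtime to a SOURCE_DATE_EPOCH value agreed with the source release, and zeroes ownership, so a second builder on another machine gets the same bytes and the same digest.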
  • 46. We need to invest in audits of upstream open source code for critical shared infrastructure
  • 47. Auditing. Many critical open source projects do not have the resources to audit. Auditing finds critical bugs that won't be found any other way. Auditing is expensive and time consuming, and it only finds a subset of the bugs, so it can't be the only tool. An OpenSSL audit is underway.
  • 48. How to get involved?
  • 49. Follow-up material
    • See the Linux Foundation-sponsored Institute for Defense Analyses (IDA) report, "Open Source Software Projects Needing Security Investments"
    • Some of the projects we're most concerned about (because they are ubiquitously deployed and could result in Heartbleed-style vulnerabilities) include compression libraries (bzip2, gzip, unzip, zlib) and format libraries (libjpeg, libpng, and expat)
    • Unlike before Heartbleed, there is actually a group focused on these issues. Two major programs we're undertaking with IDA: CII is not only reactively looking for broken projects (i.e., fighting fires) through our Census Project; we are also developing the building codes (in terms of security best practices) to avoid fires in the future