SlideShare a Scribd company logo

Open Source in Security-Critical Environments

Priyanka Aash
Priyanka Aash

As growth and impact of open source in security-critical environments is on the rise, trends in open-source communities are making them more attentive to security issues and best practices. This session will cover best practices for using open-source code in business-critical environments. It will provide practical suggestions, with a focus on DevOps professionals and management. Learning Objectives: 1: Understand the security impact of using 80–90% open-source code in modern apps. 2: Learn about best practices for helping make open-source code more secure. 3: Gain actionable info about open-source security applied to edge, network, cloud. (Source: RSA Conference USA 2018)

Technology
1 of 49
Download to read offline
SESSION ID: #RSAC James Zemlin OPEN SOURCE IN SECURITY-CRITICAL ENVIRONMENTS DEV-R14 Executive Director Linux Foundation @jzemlin
Presenter’s Company Logo – replace or delete on master slide #RSAC Open Source is here to stay in security critical environments and every place software is used
Presenter’s Company Logo – replace or delete on master slide #RSAC Linux has grown into the most important open source project in the world 100% Supercomputer Market 62% Embedded Systems Market 90% Mainframe Customers 90% Public Cloud Workload Every market Linux has entered it eventually dominates 82% Smartphone Market Share 2nd To Windows in Enterprise #1 Internet Client
Presenter’s Company Logo – replace or delete on master slide #RSAC Linux Evolves Faster Than Ever 4,300 Contributors From 450 Organizations 10,000 Lines of Code Added Daily 2,000 Lines of Code Modified Daily 2,500 Lines of Code Removed Daily 8.5 Changes Per Hour
Presenter’s Company Logo – replace or delete on master slide #RSAC Open Source Development is Accelerating 23M+ Open Source Developers 78M+ Repositories on Github 41B+ Lines of Code 1,100 New Projects a Day 10,000+ New Versions per day Sources: Sourceclear, Sonatype, Github
Presenter’s Company Logo – replace or delete on master slide #RSAC It’s actually open source software that’s eating the world. - Venturebeat 2015
Presenter’s Company Logo – replace or delete on master slide #RSAC Creating Applications these days is like making a sandwich
Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich)
Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich) Choose a Framework
Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich) Choose a Framework Write Custom Code
Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich) Choose a Framework Write Custom Code Use Open Source Libraries to Solve Problems
Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich) Choose a Framework Open Source Code (~20%) Write Custom Code Custom Code (~10%) Use Open Source Libraries to Solve Problems Open Source Code (~70%) Open Source Code = ~ 90%
Presenter’s Company Logo – replace or delete on master slide #RSAC So much code – so little time 23M+ Open Source Developers 78M+ Repositories on Github 41B+ Lines of Code 1,100 New Projects a Day 10,000+ New Versions per day Sources: Sourceclear, Sonatype, Github
Presenter’s Company Logo – replace or delete on master slide #RSAC Open source isn’t slowing down any time soon
Presenter’s Company Logo – replace or delete on master slide #RSAC All this abundance has created anxiety
Presenter’s Company Logo – replace or delete on master slide #RSAC The real question is which projects matter? Criticalityofsoftware Number of Open Source Projects
Presenter’s Company Logo – replace or delete on master slide #RSAC How do we make important projects sustainable? Successful Projects depend on members, developers, standards and infrastructure to develop products that the market will adopt. PROJECTS PROFITS PRODUCTS DEVELOPER COMMUNITY
#RSAC WHEN THIS CYCLE WORKS, IT WORKS WELL
Presenter’s Company Logo – replace or delete on master slide #RSAC ValueofofIndividualProject Number of Open Source Projects – Millions on Github Major Problem Collective Action Results - 2018 • How to accelerate cloud native computing: devops, containers, microservices • How to create a portability layer for cloud • 2015 Google created CNCF with The Linux Foundation • Project seeded with Kubernetes • CNCF founded with 28 members • Kubernetes de facto standard for container management • 179 members, including all major public clouds and enterprise software vendors • Home to 14 additional projects beyond Kubernetes • 49 Kubernetes certified vendors • Kubernetes surpasses OpenStack on Google trends
#RSAC SOMETIMES THE SYSTEM DOESN’T WORK
Presenter’s Company Logo – replace or delete on master slide #RSAC
Presenter’s Company Logo – replace or delete on master slide #RSAC Questions to ask What is the most important and security critical shared software in the world? Who is creating and maintaining that software? Why are the creating and maintaining that software? Is it secure, reliable, and healthy?
Presenter’s Company Logo – replace or delete on master slide #RSAC Core Infrastructure Initiative Census Project Lists of Projects to Analyze Analysis Results Ranked By Risk Index Expert Selection from Highest-Risk Projects Most Concerning Projects Projects Popularity Project Data From Debian Project From openhub.net Project Recent CVE Vulnerability Counts Analysis Program
Presenter’s Company Logo – replace or delete on master slide #RSAC Core Infrastructure Initiative Census Project 2 na ys s Pro ram sts o Proe ts to nay e Proe ts Pop ar ty Proe t ata rom e an Proe t rom open net Proe t e ent C nera ty Co nts nays s es ts an e y s n e pert ee t on rom est s Proe ts ost Con ern n Proe ts
Presenter’s Company Logo – replace or delete on master slide #RSAC Current Algorithm ▪ Project has website (1 if no) ▪ Written in C or C++ (2 if yes) ▪ CVE vulnerability reports: 3 points if 4+ , 2 points for 2-3, 1 point for 1. ▪ 12 month contributor count: 5 points for 0 contributors, 4 points for 1-3 contributors, 2 points if the number is unknown. ▪ Top 10% most popular Debian package: 1 if yes Exposure values: 2 points if directly exposed to the network (as server or client), 1 point if it is often used to process data provided by a network, and 1 point if it could be used for local privilege escalation. Application data only: Subtract 3 points if the Debian database reports that it is “Application Data” or “Standalone Data” (not an application)
Presenter’s Company Logo – replace or delete on master slide #RSAC Tremendous Systemic Risks to the Internet Still Unaddressed Binary Package Name Source Package Name (If Different) CII 2016 Census Risk Score ftp netkit-ftp 11 netcat-traditional netcat 11 tcpd tcp-wrappers 11 whois 11 at 10 libwrap0 tcp-wrappers 10 traceroute 10 xauth 10 bzip2 9 hostname 9 libacl1 acl 9 libaudit0 audit 9 libbz2-1.0 bzip2 9 libept1.4.12 libept 9 libreadline6 readline6 9 libtasn1-3 9 linux-base 9 telnet netkit-telnet 9 The Big Risk: Commonly used open source code and libraries are among the most at risk to cyber attacks or other potential threats that could bring down the global Internet. Source: CII 2016 Census
Presenter’s Company Logo – replace or delete on master slide #RSAC A little love goes a long way • Three new releases • 3889 commits • 481 GitHub users • Thousands of forks. • 1052 pull requests closed • 47 CVEs reported and handled 2014 - OpenSSL was maintained by two people and moribund 2016 – Recorded more activity than in the entire previous history of the project, including:
Presenter’s Company Logo – replace or delete on master slide #RSAC How to create secure code?
Presenter’s Company Logo – replace or delete on master slide #RSAC We must secure the most critical open source software projects that power the world’s infrastructure, and to promote a culture of secure coding.
Presenter’s Company Logo – replace or delete on master slide #RSAC 100 Projects Granted CII Best Practice Badge Initiative launched in May 2016 to raise awareness of development processes and governance steps for better security outcomes The badge makes it easier for users of open source projects to see which projects take security seriously, it isn’t a “rubber stamp” process 1,000 projects registered for the badge
Presenter’s Company Logo – replace or delete on master slide #RSAC Education One of the largest causes of security vulnerabilities is developers being unaware of security best practices We need courses for open source developers for Security and Auditing Organizations like SAFECode provide curriculum and training but we need more
Presenter’s Company Logo – replace or delete on master slide #RSAC We need to be able to pass information about software bill of materials across the tech value chain in a simple and reliable way. You can’t fix bugs for code you don’t event know you have.
Presenter’s Company Logo – replace or delete on master slide #RSAC Software Tracking: The Challenge 3rd party SW Outsource SW OSS Package OSS Package Your code Creating an accurate bill of materials and notices requires effort & research Software Bill of Materials (BOM) ? Companies combine Open Source Software with other software
Presenter’s Company Logo – replace or delete on master slide #RSAC Supplier 1 Supplier 2 Customers The effort is repeated at each step in the supply chain Software BOM: The Challenge
Presenter’s Company Logo – replace or delete on master slide #RSAC “Open Source”-scape Upstream Projects Useful “Collections” of Open Source Added-value Software Products
Presenter’s Company Logo – replace or delete on master slide #RSAC Software Package Data eXchange Open Standard: • A standard format for communicating the licenses and copyrights and identity associated with software packages Vision: • To help reduce redundant work in determining software BOM information and facilitate compliance Guiding principles: • Human and machine readable • Focus on capturing facts; avoid interpretations
Presenter’s Company Logo – replace or delete on master slide #RSAC Package Information SPDX v2.1 Document contains: Document Creation Information Package Information Other Licensing InformationOther Licensing Information Other Licensing InformationFile Information Other Licensing Information Annotations Other Licensing InformationRelationships What makes up an SPDX Document? Other Licensing InformationSnippet Information
Presenter’s Company Logo – replace or delete on master slide #RSAC Emerging “Between Organization” Trust Models Software Parts Ledger - utilizes Blockchain to manage open source across the supply chain. Utililzes Hyperledger Sawtooth Platform & SPDX based BOM to conform to OpenChain best practices. See: https://github.com/Wind-River/sparts Accepted 2018/3 into Hyperledger Labs - https://github.com/hyperledger-labs/hyperledger- labs.github.io/blob/master/labs/SParts.md ClearlyDefined - Announced 2018/3 - calls for participation in currating the metadata to summarize projects. See ClearlyDefined.io for more information.
Presenter’s Company Logo – replace or delete on master slide #RSAC Sharing software bill of materials is critical part of security process OpenChain builds trust in open source by making sharing of software BOM simpler and more consistent Adobe, Arm, Cisco, Harmen, Hitachi, HPE, GitHub, Qualcomm, Siemens, Toyota, Wind River and Western Digital
Presenter’s Company Logo – replace or delete on master slide #RSAC Learn how open source software flows
Presenter’s Company Logo – replace or delete on master slide #RSAC Get a process in place
Presenter’s Company Logo – replace or delete on master slide #RSAC We need to invest in tools that test upstream code
Presenter’s Company Logo – replace or delete on master slide #RSAC Frama-C False-Positive-Free Checking Frama-C is a highly respected static checker When used with test cases and modified Unix standard functions, it is able to detect bugs without false positives Proposal is to modify several standard Unix functions to support false- positive-free operation on OpenSSL In addition, the proposal is to use the American Fuzzy Lop fuzzer to automatically generate test cases from which Frama-C can detect bugs
Presenter’s Company Logo – replace or delete on master slide #RSAC Fuzzing https://fuzzing-project.org/ is Hanno Böck’s project Uses zzuf, Address Sanitizer and american fuzzy lop to find bugs in open source projects Discovered numerous GnuPG bugs in Feb 2015 He and others have found numerous bugs in many projects: http://lcamtuf.coredump.cx/afl/#bugs His main activity is to convert the fuzzer output into reproducible test cases and file bugs for them He is also doing great work training new developers to become expert fuzzers CII is also reaching out to fuzzing toolkit authors
Presenter’s Company Logo – replace or delete on master slide #RSAC Reproducible Builds Debian and Fedora rely on package maintainers to compile source code from the upstream authors Because the resulting binaries depend on machine configuration (like timestamps and file ordering), these binaries are not reproducible That makes it impossible to independently verify that the binaries have not been tampered with Binary reproducibility should become an expected attribute of free software distros
Presenter’s Company Logo – replace or delete on master slide #RSAC We need to invest in audit of upstream open source code for critical shared infrastructure
Presenter’s Company Logo – replace or delete on master slide #RSAC Auditing Auditing: Many critical open source projects do not have resources to audit Auditing finds critical bugs that won’t be found any other way Auditing is expensive, time consuming and only finds a subset of the bugs so it can’t be the only tool OpenSSL audit underway
Presenter’s Company Logo – replace or delete on master slide #RSAC How to get involved?
Presenter’s Company Logo – replace or delete on master slide #RSACFollow up material • See Linux Foundation-sponsored Institute for Defense Analysis (IDA report, "Open Source Software Projects Needing Security Investments” • Some of the projects we're most concerned about (because they are ubiquitously deployed and could result in Heartbleed-style vulnerabilities) include compression libraries (bzip2, gzip, unzip, zlib) and format libraries (libjpeg, libpng, and expat) • Unlike before Heartbleed, there is actually a group focused on these issues. Two major programs we’re undertaking with IDA: • CII is not only reactively looking for broken projects (i.e., fighting fires) through our Census Project • We are also developing the building codes (in terms of security best practices) to avoid fires in the future

Recommended

Using the SDACK Architecture on Security Event Inspection
Using the SDACK Architecture on Security Event InspectionUsing the SDACK Architecture on Security Event Inspection
Using the SDACK Architecture on Security Event Inspection
Yu-Lun Chen
 
Open Source Licensing: Types, Strategies and Compliance
Open Source Licensing: Types, Strategies and ComplianceOpen Source Licensing: Types, Strategies and Compliance
Open Source Licensing: Types, Strategies and Compliance
All Things Open
 
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel LavoieSpring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
VMware Tanzu
 
[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic
[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic
[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic
Rakuten Group, Inc.
 
Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)
Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)
Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)
Roberto Pérez Alcolea
 
Open source technology, freeware drone (by Joris Krüse)
Open source technology, freeware drone (by Joris Krüse)Open source technology, freeware drone (by Joris Krüse)
Open source technology, freeware drone (by Joris Krüse)
Verhaert Masters in Innovation
 
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
VMware Tanzu
 
Using puppet to leverage DevOps in Large Enterprise Oracle Environments
Using puppet to leverage DevOps in Large Enterprise Oracle Environments Using puppet to leverage DevOps in Large Enterprise Oracle Environments
Using puppet to leverage DevOps in Large Enterprise Oracle Environments
Bert Hajee
 

Recommended

Using the SDACK Architecture on Security Event Inspection
Using the SDACK Architecture on Security Event InspectionUsing the SDACK Architecture on Security Event Inspection
Using the SDACK Architecture on Security Event Inspection
Yu-Lun Chen
 
Open Source Licensing: Types, Strategies and Compliance
Open Source Licensing: Types, Strategies and ComplianceOpen Source Licensing: Types, Strategies and Compliance
Open Source Licensing: Types, Strategies and Compliance
All Things Open
 
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel LavoieSpring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
Spring Boot & Spring Cloud Apps on Pivotal Application Service - Daniel Lavoie
VMware Tanzu
 
[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic
[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic
[Rakuten TechConf2014] [C-5] Ichiba Architecture on ExaLogic
Rakuten Group, Inc.
 
Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)
Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)
Leveraging Gradle @ Netflix (Madrid GUG Feb 2, 2021)
Roberto Pérez Alcolea
 
Open source technology, freeware drone (by Joris Krüse)
Open source technology, freeware drone (by Joris Krüse)Open source technology, freeware drone (by Joris Krüse)
Open source technology, freeware drone (by Joris Krüse)
Verhaert Masters in Innovation
 
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
SpringOne Tour Denver - Spring Boot & Spring Cloud on Pivotal Application Ser...
VMware Tanzu
 
Using puppet to leverage DevOps in Large Enterprise Oracle Environments
Using puppet to leverage DevOps in Large Enterprise Oracle Environments Using puppet to leverage DevOps in Large Enterprise Oracle Environments
Using puppet to leverage DevOps in Large Enterprise Oracle Environments
Bert Hajee
 
Red Hhat Summit 2017 : Love Containers, Love Devops, Love Openshift, Where's ...
Red Hhat Summit 2017 : Love Containers, Love Devops, Love Openshift, Where's ...Red Hhat Summit 2017 : Love Containers, Love Devops, Love Openshift, Where's ...
Red Hhat Summit 2017 : Love Containers, Love Devops, Love Openshift, Where's ...
Daniel Oh
 
How to Open Source an Internal Project
How to Open Source an Internal ProjectHow to Open Source an Internal Project
How to Open Source an Internal Project
All Things Open
 
Nareshkumar_CV
Nareshkumar_CVNareshkumar_CV
Nareshkumar_CV
Naresh Kumar
 
Mastering DevOps With Oracle
Mastering DevOps With OracleMastering DevOps With Oracle
Mastering DevOps With Oracle
Kelly Goetsch
 
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityHardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Weaveworks
 
Microservices + Oracle: A Bright Future
Microservices + Oracle: A Bright FutureMicroservices + Oracle: A Bright Future
Microservices + Oracle: A Bright Future
Kelly Goetsch
 
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
OpenShift Origin
 
How Security can be the Next Force Multiplier in DevOps
How Security can be the Next Force Multiplier in DevOpsHow Security can be the Next Force Multiplier in DevOps
How Security can be the Next Force Multiplier in DevOps
Andrew Storms
 
DevOps on Oracle Cloud
DevOps on Oracle CloudDevOps on Oracle Cloud
DevOps on Oracle Cloud
Mee Nam Lee
 
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
mfrancis
 
The Lie of a Benevolent Dictator; the Truth of a Working Democratic Meritocracy
The Lie of a Benevolent Dictator; the Truth of a Working Democratic MeritocracyThe Lie of a Benevolent Dictator; the Truth of a Working Democratic Meritocracy
The Lie of a Benevolent Dictator; the Truth of a Working Democratic Meritocracy
Randy Bias
 
Resume-Fred
Resume-FredResume-Fred
Resume-Fred
Fred Bofahredin
 
Facilitating DevOps Execution in an All Digital Environment
Facilitating DevOps Execution in an All Digital EnvironmentFacilitating DevOps Execution in an All Digital Environment
Facilitating DevOps Execution in an All Digital Environment
Kurt Andersen
 
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: Custom Application ...
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: Custom Application ...AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: Custom Application ...
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: Custom Application ...
Getting value from IoT, Integration and Data Analytics
 
Red Hat OpenShift - a foundation for successful digital transformation
Red Hat OpenShift - a foundation for successful digital transformationRed Hat OpenShift - a foundation for successful digital transformation
Red Hat OpenShift - a foundation for successful digital transformation
Eric D. Schabell
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 1: Cloud Infrastructure
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 1: Cloud Infrastructure AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 1: Cloud Infrastructure
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 1: Cloud Infrastructure
Getting value from IoT, Integration and Data Analytics
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoWeb Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go
Gene Gotimer
 
Network Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspectiveNetwork Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspective
Walid Shaari
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
Matt Tesauro
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
Breaking the 2 Pizza Paradox with your Platform as an Application
Breaking the 2 Pizza Paradox with your Platform as an ApplicationBreaking the 2 Pizza Paradox with your Platform as an Application
Breaking the 2 Pizza Paradox with your Platform as an Application
Mark Rendell
 

More Related Content

What's hot

How to Open Source an Internal Project
How to Open Source an Internal ProjectHow to Open Source an Internal Project
How to Open Source an Internal Project
All Things Open
 
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityHardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Weaveworks
 
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
mfrancis
 
Red Hat OpenShift - a foundation for successful digital transformation
Red Hat OpenShift - a foundation for successful digital transformationRed Hat OpenShift - a foundation for successful digital transformation
Red Hat OpenShift - a foundation for successful digital transformation
Eric D. Schabell
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Gene Gotimer
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoWeb Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go
Gene Gotimer
 
Network Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspectiveNetwork Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspective
Walid Shaari
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
Matt Tesauro
 

What's hot (20)

Red Hhat Summit 2017 : Love Containers, Love Devops, Love Openshift, Where's ...
Red Hhat Summit 2017 : Love Containers, Love Devops, Love Openshift, Where's ...Red Hhat Summit 2017 : Love Containers, Love Devops, Love Openshift, Where's ...
Red Hhat Summit 2017 : Love Containers, Love Devops, Love Openshift, Where's ...
 
How to Open Source an Internal Project
How to Open Source an Internal ProjectHow to Open Source an Internal Project
How to Open Source an Internal Project
 
Nareshkumar_CV
Nareshkumar_CVNareshkumar_CV
Nareshkumar_CV
 
Mastering DevOps With Oracle
Mastering DevOps With OracleMastering DevOps With Oracle
Mastering DevOps With Oracle
 
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous SecurityHardening Your CI/CD Pipelines with GitOps and Continuous Security
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
 
Microservices + Oracle: A Bright Future
Microservices + Oracle: A Bright FutureMicroservices + Oracle: A Bright Future
Microservices + Oracle: A Bright Future
 
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
OpenShift PaaS Anywhere (Infrastructure.Next Ghent 2014-02-24) Diane Mueller
 
How Security can be the Next Force Multiplier in DevOps
How Security can be the Next Force Multiplier in DevOpsHow Security can be the Next Force Multiplier in DevOps
How Security can be the Next Force Multiplier in DevOps
 
DevOps on Oracle Cloud
DevOps on Oracle CloudDevOps on Oracle Cloud
DevOps on Oracle Cloud
 
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
Town Hall - Business Implications of Open Source OSGi Implementations - BJ Ha...
 
The Lie of a Benevolent Dictator; the Truth of a Working Democratic Meritocracy
The Lie of a Benevolent Dictator; the Truth of a Working Democratic MeritocracyThe Lie of a Benevolent Dictator; the Truth of a Working Democratic Meritocracy
The Lie of a Benevolent Dictator; the Truth of a Working Democratic Meritocracy
 
Resume-Fred
Resume-FredResume-Fred
Resume-Fred
 
Facilitating DevOps Execution in an All Digital Environment
Facilitating DevOps Execution in an All Digital EnvironmentFacilitating DevOps Execution in an All Digital Environment
Facilitating DevOps Execution in an All Digital Environment
 
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: Custom Application ...
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: Custom Application ...AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: Custom Application ...
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 2: Custom Application ...
 
Red Hat OpenShift - a foundation for successful digital transformation
Red Hat OpenShift - a foundation for successful digital transformationRed Hat OpenShift - a foundation for successful digital transformation
Red Hat OpenShift - a foundation for successful digital transformation
 
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, CheaperTesting in a Continuous Delivery Pipeline - Better, Faster, Cheaper
Testing in a Continuous Delivery Pipeline - Better, Faster, Cheaper
 
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 1: Cloud Infrastructure
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 1: Cloud Infrastructure AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 1: Cloud Infrastructure
AMIS Oracle OpenWorld en Code One Review 2018 - Pillar 1: Cloud Infrastructure
 
Web Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to GoWeb Application Security Testing: Kali Linux Is the Way to Go
Web Application Security Testing: Kali Linux Is the Way to Go
 
Network Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspectiveNetwork Automation Journey, A systems engineer NetOps perspective
Network Automation Journey, A systems engineer NetOps perspective
 
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
DevOps, CI, APIs, Oh My! - Texas Linux Fest 2012
 

Similar to Open Source in Security-Critical Environments

Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace
 
Simplifying and Future-Proofing Hadoop
Simplifying and Future-Proofing HadoopSimplifying and Future-Proofing Hadoop
Simplifying and Future-Proofing Hadoop
Precisely
 
Stack overflow code_laundering
Stack overflow code_launderingStack overflow code_laundering
Stack overflow code_laundering
Foutse Khomh
 

Similar to Open Source in Security-Critical Environments (20)

Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Breaking the 2 Pizza Paradox with your Platform as an Application
Breaking the 2 Pizza Paradox with your Platform as an ApplicationBreaking the 2 Pizza Paradox with your Platform as an Application
Breaking the 2 Pizza Paradox with your Platform as an Application
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
Containers, Serverless, Polyglot Development World, And Others…10 trends resh...
Containers, Serverless, Polyglot Development World, And Others…10 trends resh...Containers, Serverless, Polyglot Development World, And Others…10 trends resh...
Containers, Serverless, Polyglot Development World, And Others…10 trends resh...
 
What's new in the latest source{d} releases!
What's new in the latest source{d} releases!What's new in the latest source{d} releases!
What's new in the latest source{d} releases!
 
Dev{sec}ops
Dev{sec}opsDev{sec}ops
Dev{sec}ops
 
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkitThe DevOps paradigm - the evolution of IT professionals and opensource toolkit
The DevOps paradigm - the evolution of IT professionals and opensource toolkit
 
The DevOps Paradigm
The DevOps ParadigmThe DevOps Paradigm
The DevOps Paradigm
 
DevOps For Everyone: Bringing DevOps Success to Every App and Every Role in y...
DevOps For Everyone: Bringing DevOps Success to Every App and Every Role in y...DevOps For Everyone: Bringing DevOps Success to Every App and Every Role in y...
DevOps For Everyone: Bringing DevOps Success to Every App and Every Role in y...
 
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
Securing Your Enterprise Continuous Delivery Pipelines with CA Automation Sol...
 
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
Rackspace::Solve NYC - Solving for Rapid Customer Growth and Scale Through De...
 
Intro to DevOps 4 undergraduates
Intro to DevOps 4 undergraduates Intro to DevOps 4 undergraduates
Intro to DevOps 4 undergraduates
 
Yohanes Widi Sono - Modern Development for Business Agility
Yohanes Widi Sono - Modern Development for Business AgilityYohanes Widi Sono - Modern Development for Business Agility
Yohanes Widi Sono - Modern Development for Business Agility
 
Collaborative security : Securing open source software
Collaborative security : Securing open source softwareCollaborative security : Securing open source software
Collaborative security : Securing open source software
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017Orchestration Ownage - RSAC 2017
Orchestration Ownage - RSAC 2017
 
Simplifying and Future-Proofing Hadoop
Simplifying and Future-Proofing HadoopSimplifying and Future-Proofing Hadoop
Simplifying and Future-Proofing Hadoop
 
SDLC & DevOps Transformation with Agile
SDLC & DevOps Transformation with AgileSDLC & DevOps Transformation with Agile
SDLC & DevOps Transformation with Agile
 
Stack overflow code_laundering
Stack overflow code_launderingStack overflow code_laundering
Stack overflow code_laundering
 
Enabling application portability with the greatest of ease!
Enabling application portability with the greatest of ease!Enabling application portability with the greatest of ease!
Enabling application portability with the greatest of ease!
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Open Source in Security-Critical Environments

  • 1. SESSION ID: #RSAC James Zemlin OPEN SOURCE IN SECURITY-CRITICAL ENVIRONMENTS DEV-R14 Executive Director Linux Foundation @jzemlin
  • 2. Presenter’s Company Logo – replace or delete on master slide #RSAC Open Source is here to stay in security critical environments and every place software is used
  • 3. Presenter’s Company Logo – replace or delete on master slide #RSAC Linux has grown into the most important open source project in the world 100% Supercomputer Market 62% Embedded Systems Market 90% Mainframe Customers 90% Public Cloud Workload Every market Linux has entered it eventually dominates 82% Smartphone Market Share 2nd To Windows in Enterprise #1 Internet Client
  • 4. Presenter’s Company Logo – replace or delete on master slide #RSAC Linux Evolves Faster Than Ever 4,300 Contributors From 450 Organizations 10,000 Lines of Code Added Daily 2,000 Lines of Code Modified Daily 2,500 Lines of Code Removed Daily 8.5 Changes Per Hour
  • 5. Presenter’s Company Logo – replace or delete on master slide #RSAC Open Source Development is Accelerating 23M+ Open Source Developers 78M+ Repositories on Github 41B+ Lines of Code 1,100 New Projects a Day 10,000+ New Versions per day Sources: Sourceclear, Sonatype, Github
  • 6. Presenter’s Company Logo – replace or delete on master slide #RSAC It’s actually open source software that’s eating the world. - Venturebeat 2015
  • 7. Presenter’s Company Logo – replace or delete on master slide #RSAC Creating Applications these days is like making a sandwich
  • 8. Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich)
  • 9. Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich) Choose a Framework
  • 10. Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich) Choose a Framework Write Custom Code
  • 11. Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich) Choose a Framework Write Custom Code Use Open Source Libraries to Solve Problems
  • 12. Presenter’s Company Logo – replace or delete on master slide #RSAC Code Club (Sandwich) Choose a Framework Open Source Code (~20%) Write Custom Code Custom Code (~10%) Use Open Source Libraries to Solve Problems Open Source Code (~70%) Open Source Code = ~ 90%
  • 13. Presenter’s Company Logo – replace or delete on master slide #RSAC So much code – so little time 23M+ Open Source Developers 78M+ Repositories on Github 41B+ Lines of Code 1,100 New Projects a Day 10,000+ New Versions per day Sources: Sourceclear, Sonatype, Github
  • 14. Presenter’s Company Logo – replace or delete on master slide #RSAC Open source isn’t slowing down any time soon
  • 15. Presenter’s Company Logo – replace or delete on master slide #RSAC All this abundance has created anxiety
  • 16. Presenter’s Company Logo – replace or delete on master slide #RSAC The real question is which projects matter? Criticalityofsoftware Number of Open Source Projects
  • 17. Presenter’s Company Logo – replace or delete on master slide #RSAC How do we make important projects sustainable? Successful Projects depend on members, developers, standards and infrastructure to develop products that the market will adopt. PROJECTS PROFITS PRODUCTS DEVELOPER COMMUNITY
  • 18. #RSAC WHEN THIS CYCLE WORKS, IT WORKS WELL
  • 19. Presenter’s Company Logo – replace or delete on master slide #RSAC ValueofofIndividualProject Number of Open Source Projects – Millions on Github Major Problem Collective Action Results - 2018 • How to accelerate cloud native computing: devops, containers, microservices • How to create a portability layer for cloud • 2015 Google created CNCF with The Linux Foundation • Project seeded with Kubernetes • CNCF founded with 28 members • Kubernetes de facto standard for container management • 179 members, including all major public clouds and enterprise software vendors • Home to 14 additional projects beyond Kubernetes • 49 Kubernetes certified vendors • Kubernetes surpasses OpenStack on Google trends
  • 20. #RSAC SOMETIMES THE SYSTEM DOESN’T WORK
  • 21. Presenter’s Company Logo – replace or delete on master slide #RSAC
  • 22. Presenter’s Company Logo – replace or delete on master slide #RSAC Questions to ask What is the most important and security critical shared software in the world? Who is creating and maintaining that software? Why are the creating and maintaining that software? Is it secure, reliable, and healthy?
  • 23. Presenter’s Company Logo – replace or delete on master slide #RSAC Core Infrastructure Initiative Census Project Lists of Projects to Analyze Analysis Results Ranked By Risk Index Expert Selection from Highest-Risk Projects Most Concerning Projects Projects Popularity Project Data From Debian Project From openhub.net Project Recent CVE Vulnerability Counts Analysis Program
  • 24. Presenter’s Company Logo – replace or delete on master slide #RSAC Core Infrastructure Initiative Census Project 2 na ys s Pro ram sts o Proe ts to nay e Proe ts Pop ar ty Proe t ata rom e an Proe t rom open net Proe t e ent C nera ty Co nts nays s es ts an e y s n e pert ee t on rom est s Proe ts ost Con ern n Proe ts
  • 25. Presenter’s Company Logo – replace or delete on master slide #RSAC Current Algorithm ▪ Project has website (1 if no) ▪ Written in C or C++ (2 if yes) ▪ CVE vulnerability reports: 3 points if 4+ , 2 points for 2-3, 1 point for 1. ▪ 12 month contributor count: 5 points for 0 contributors, 4 points for 1-3 contributors, 2 points if the number is unknown. ▪ Top 10% most popular Debian package: 1 if yes Exposure values: 2 points if directly exposed to the network (as server or client), 1 point if it is often used to process data provided by a network, and 1 point if it could be used for local privilege escalation. Application data only: Subtract 3 points if the Debian database reports that it is “Application Data” or “Standalone Data” (not an application)
  • 26. Presenter’s Company Logo – replace or delete on master slide #RSAC Tremendous Systemic Risks to the Internet Still Unaddressed Binary Package Name Source Package Name (If Different) CII 2016 Census Risk Score ftp netkit-ftp 11 netcat-traditional netcat 11 tcpd tcp-wrappers 11 whois 11 at 10 libwrap0 tcp-wrappers 10 traceroute 10 xauth 10 bzip2 9 hostname 9 libacl1 acl 9 libaudit0 audit 9 libbz2-1.0 bzip2 9 libept1.4.12 libept 9 libreadline6 readline6 9 libtasn1-3 9 linux-base 9 telnet netkit-telnet 9 The Big Risk: Commonly used open source code and libraries are among the most at risk to cyber attacks or other potential threats that could bring down the global Internet. Source: CII 2016 Census
  • 27. Presenter’s Company Logo – replace or delete on master slide #RSAC A little love goes a long way • Three new releases • 3889 commits • 481 GitHub users • Thousands of forks. • 1052 pull requests closed • 47 CVEs reported and handled 2014 - OpenSSL was maintained by two people and moribund 2016 – Recorded more activity than in the entire previous history of the project, including:
  • 28. Presenter’s Company Logo – replace or delete on master slide #RSAC How to create secure code?
  • 29. Presenter’s Company Logo – replace or delete on master slide #RSAC We must secure the most critical open source software projects that power the world’s infrastructure, and to promote a culture of secure coding.
  • 30. Presenter’s Company Logo – replace or delete on master slide #RSAC 100 Projects Granted CII Best Practice Badge Initiative launched in May 2016 to raise awareness of development processes and governance steps for better security outcomes The badge makes it easier for users of open source projects to see which projects take security seriously, it isn’t a “rubber stamp” process 1,000 projects registered for the badge
  • 31. Presenter’s Company Logo – replace or delete on master slide #RSAC Education One of the largest causes of security vulnerabilities is developers being unaware of security best practices We need courses for open source developers for Security and Auditing Organizations like SAFECode provide curriculum and training but we need more
  • 32. Presenter’s Company Logo – replace or delete on master slide #RSAC We need to be able to pass information about software bill of materials across the tech value chain in a simple and reliable way. You can’t fix bugs for code you don’t event know you have.
  • 33. Presenter’s Company Logo – replace or delete on master slide #RSAC Software Tracking: The Challenge 3rd party SW Outsource SW OSS Package OSS Package Your code Creating an accurate bill of materials and notices requires effort & research Software Bill of Materials (BOM) ? Companies combine Open Source Software with other software
  • 34. Presenter’s Company Logo – replace or delete on master slide #RSAC Supplier 1 Supplier 2 Customers The effort is repeated at each step in the supply chain Software BOM: The Challenge
  • 35. Presenter’s Company Logo – replace or delete on master slide #RSAC “Open Source”-scape Upstream Projects Useful “Collections” of Open Source Added-value Software Products
  • 36. Presenter’s Company Logo – replace or delete on master slide #RSAC Software Package Data eXchange Open Standard: • A standard format for communicating the licenses and copyrights and identity associated with software packages Vision: • To help reduce redundant work in determining software BOM information and facilitate compliance Guiding principles: • Human and machine readable • Focus on capturing facts; avoid interpretations
  • 37. Presenter’s Company Logo – replace or delete on master slide #RSAC Package Information SPDX v2.1 Document contains: Document Creation Information Package Information Other Licensing InformationOther Licensing Information Other Licensing InformationFile Information Other Licensing Information Annotations Other Licensing InformationRelationships What makes up an SPDX Document? Other Licensing InformationSnippet Information
  • 38. Presenter’s Company Logo – replace or delete on master slide #RSAC Emerging “Between Organization” Trust Models Software Parts Ledger - utilizes Blockchain to manage open source across the supply chain. Utililzes Hyperledger Sawtooth Platform & SPDX based BOM to conform to OpenChain best practices. See: https://github.com/Wind-River/sparts Accepted 2018/3 into Hyperledger Labs - https://github.com/hyperledger-labs/hyperledger- labs.github.io/blob/master/labs/SParts.md ClearlyDefined - Announced 2018/3 - calls for participation in currating the metadata to summarize projects. See ClearlyDefined.io for more information.
  • 39. Presenter’s Company Logo – replace or delete on master slide #RSAC Sharing software bill of materials is critical part of security process OpenChain builds trust in open source by making sharing of software BOM simpler and more consistent Adobe, Arm, Cisco, Harmen, Hitachi, HPE, GitHub, Qualcomm, Siemens, Toyota, Wind River and Western Digital
  • 40. Presenter’s Company Logo – replace or delete on master slide #RSAC Learn how open source software flows
  • 41. Presenter’s Company Logo – replace or delete on master slide #RSAC Get a process in place
  • 42. Presenter’s Company Logo – replace or delete on master slide #RSAC We need to invest in tools that test upstream code
  • 43. Presenter’s Company Logo – replace or delete on master slide #RSAC Frama-C False-Positive-Free Checking Frama-C is a highly respected static checker When used with test cases and modified Unix standard functions, it is able to detect bugs without false positives Proposal is to modify several standard Unix functions to support false- positive-free operation on OpenSSL In addition, the proposal is to use the American Fuzzy Lop fuzzer to automatically generate test cases from which Frama-C can detect bugs
  • 44. Presenter’s Company Logo – replace or delete on master slide #RSAC Fuzzing https://fuzzing-project.org/ is Hanno Böck’s project Uses zzuf, Address Sanitizer and american fuzzy lop to find bugs in open source projects Discovered numerous GnuPG bugs in Feb 2015 He and others have found numerous bugs in many projects: http://lcamtuf.coredump.cx/afl/#bugs His main activity is to convert the fuzzer output into reproducible test cases and file bugs for them He is also doing great work training new developers to become expert fuzzers CII is also reaching out to fuzzing toolkit authors
  • 45. Presenter’s Company Logo – replace or delete on master slide #RSAC Reproducible Builds Debian and Fedora rely on package maintainers to compile source code from the upstream authors Because the resulting binaries depend on machine configuration (like timestamps and file ordering), these binaries are not reproducible That makes it impossible to independently verify that the binaries have not been tampered with Binary reproducibility should become an expected attribute of free software distros
  • 46. Presenter’s Company Logo – replace or delete on master slide #RSAC We need to invest in audit of upstream open source code for critical shared infrastructure
  • 47. Presenter’s Company Logo – replace or delete on master slide #RSAC Auditing Auditing: Many critical open source projects do not have resources to audit Auditing finds critical bugs that won’t be found any other way Auditing is expensive, time consuming and only finds a subset of the bugs so it can’t be the only tool OpenSSL audit underway
  • 48. Presenter’s Company Logo – replace or delete on master slide #RSAC How to get involved?
  • 49. Presenter’s Company Logo – replace or delete on master slide #RSACFollow up material • See Linux Foundation-sponsored Institute for Defense Analysis (IDA report, "Open Source Software Projects Needing Security Investments” • Some of the projects we're most concerned about (because they are ubiquitously deployed and could result in Heartbleed-style vulnerabilities) include compression libraries (bzip2, gzip, unzip, zlib) and format libraries (libjpeg, libpng, and expat) • Unlike before Heartbleed, there is actually a group focused on these issues. Two major programs we’re undertaking with IDA: • CII is not only reactively looking for broken projects (i.e., fighting fires) through our Census Project • We are also developing the building codes (in terms of security best practices) to avoid fires in the future