
Security Aspects of Open Source Software


Presentation Transcript


  1. Sander Temme <Sander.Temme@thalesesec.com> Security Aspects of Open Source Software

  2. Thales Core Businesses • Aerospace • Defense • Security (pie chart: 30%, 40%, 30%) • 68,000 employees • €12.7 B annual revenues • Presence in 50 countries

  3. Thales ISS Solutions Identity management Payments security Data encryption Network encryption Storage security

  4. Your Presenter • Member, Apache Software Foundation • Contributor, Apache HTTP Server • Sales Engineer & Consultant • Open Source Integration Expert

  5. Agenda • Open Source Software • Security Process • Security Implications • Development Model

  6. Three Questions • How does open source respond when security problems occur? • How does the open source development process affect software quality? • Is open source software more susceptible to security problems?

  7. About Open Source • Closed Source • Microsoft, Adobe, Oracle, Symantec, Check Point, … • Open Source • Apache, Debian, FreeBSD, Mozilla, Python, FSF, … • Hybrid • Red Hat, Springsource, Sun, Apple, SugarCRM, … • Inclusion • Oracle, IBM, Apple, Sun, Cisco, NetApp, …

  8. Open Source Is Not… • Freeware • Trialware • Shareware • Abandonware (hopefully) • Public Domain

  9. Where is Open Source Used • Server side • Operating Systems • Application Stack • Web Facing • In the line of fire

  10. Defacements in 2007

  11–14. Open Source Myths (one bullet added per slide) • Given enough eyeballs, all bugs are shallow • Open Source is Communist! • Bad guys have the code, too! • Open Source is more secure than Closed Source

  15. Open Source Software Security Case Study: Apache

  16. Example: Apache • #1 Web Server • Non-profit Foundation • Contributors • Sun, IBM, Novell, Springsource, Red Hat, Google • Many individual contributors • http://httpd.apache.org • Many packagers: http://people.apache.org/~coar/mlists.html

  17. Apache is Secure • Very few vulnerabilities reported • No critical vulnerabilities in 2.2.x • Upgrade to any new release • announce@httpd.apache.org • Default installation locked down • But it doesn’t do a whole lot • http://httpd.apache.org/security/vulnerabilities-oval.xml

  18. Apache Security Process • Report security problems to security@apache.org • Real vulnerabilities are assigned a CVE number • Vulnerabilities are classified, fixed • New httpd version released • http://httpd.apache.org/security_report.html • http://cve.mitre.org/ • http://httpd.apache.org/security/impact_levels.html • announce@apache.org

  19. Security Implications • Developed by programmers • Provenance? • Liabilities? • Support?

  20. Developed by Programmers • Not security experts • Get it running

  21. Database Privileges (what the installers ask for)
      Bugzilla:
        GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';
      Wordpress:
        GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";
      Joomla 1.5:
        GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';
      Drupal (privileges required):
        SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES
      Gallery 2:
        mysql gallery2 -uroot -e "GRANT ALL ON gallery2.* TO username@localhost IDENTIFIED BY 'password';"
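As an added example (not from the slides), the over-privileged grant pattern above is placed beside a least-privilege split between an install-time account and the account the running application actually uses. The database name `appdb`, the account names and the `REPLACE-ME` password are constructed placeholders, and MySQL 8 syntax is assumed.

```sql
-- Added example, not from the presentation. appdb, the account names and
-- 'REPLACE-ME' are constructed placeholders. MySQL 8 syntax: CREATE USER
-- then GRANT, since GRANT ... IDENTIFIED BY is no longer accepted there.

-- Weak: the pattern most installers ask for. The account the web
-- application connects with can DROP and ALTER every table it owns,
-- so any SQL injection in the application inherits that power.
CREATE USER 'app_weak'@'localhost' IDENTIFIED BY 'REPLACE-ME';
GRANT ALL PRIVILEGES ON appdb.* TO 'app_weak'@'localhost';

-- Better: separate the two jobs the installer conflates.
-- 1) A deploy/migration account that owns schema changes. Used only at
--    install and upgrade time, never from the running application.
CREATE USER 'app_deploy'@'localhost' IDENTIFIED BY 'REPLACE-ME';
GRANT CREATE, ALTER, DROP, INDEX, REFERENCES, CREATE TEMPORARY TABLES,
      LOCK TABLES, SELECT, INSERT, UPDATE, DELETE
  ON appdb.* TO 'app_deploy'@'localhost';

-- 2) The runtime account: data manipulation only. An injected statement
--    through this account cannot drop tables or change the schema.
CREATE USER 'app_runtime'@'localhost' IDENTIFIED BY 'REPLACE-ME';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_runtime'@'localhost';

-- Tighter still: per-table grants where the application only ever reads.
-- Here a constructed settings table is read-only for the runtime account.
REVOKE INSERT, UPDATE, DELETE ON appdb.* FROM 'app_runtime'@'localhost';
GRANT INSERT, UPDATE, DELETE ON appdb.posts    TO 'app_runtime'@'localhost';
GRANT INSERT, UPDATE, DELETE ON appdb.comments TO 'app_runtime'@'localhost';
-- (SELECT on appdb.* from the earlier GRANT still applies to appdb.settings.)

-- Audit: what can each account actually do, and which accounts hold
-- schema-changing privileges on the application database? ALL PRIVILEGES
-- is expanded into individual rows here, so app_weak shows up.
SHOW GRANTS FOR 'app_runtime'@'localhost';

SELECT grantee, table_schema, GROUP_CONCAT(privilege_type) AS privs
  FROM information_schema.schema_privileges
 WHERE table_schema = 'appdb'
   AND privilege_type IN ('DROP', 'ALTER', 'CREATE')
 GROUP BY grantee, table_schema;
```

The audit query is the check to run on an existing installation before deciding whether the installer's grant is still in place.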

  22. Provenance • Source Integrity • Intellectual Property • Apache: • Digital signatures • Committer License Agreement • Patent Grant

  23. Liabilities • Open Source • No warranty • Closed Source • No warranty

  24. Support • Often community based • You can be part of it • Visible to the world • Don’t post confidential information! • Support contracts available • From third party companies

  25. Open Development

  26. Open Development • Mailing lists • Source code changes • Releases • Bus Factor

  27. Mailing Lists • All communication by e-mail • Several lists • announce@<project>.apache.org • users@<project>.apache.org • dev@<project>.apache.org • cvs@<project>.apache.org

  28. Code Changes: Transparency • Source history available • Every modification posted • Instant code review • Etiquette

  29. Bus Factor • Development Community • Project Survival • Closed Source Equivalent • Vendor out of business • Product end-of-life

  30. Tips • Get on the announce mailing list • Check out the community • Get involved

  31. Conclusion • Open Source responds proactively to security issues • Open Development encourages clean and secure code • Security Issues are universal and not specific to Open or Closed Source Software

  32. Questions?
