Open Source Software (OSS) and Security MIL-OSS Dr. David A. Wheeler & Jim Barkley August 5, 2010 This presentation contains the views of the author and does not indicate endorsement by IDA or MITRE, the U.S. government, or the U.S. Department of Defense.
OSS & Security

“Proprietary is always more secure”

Some specific OSS programs are more secure than their competitors

OSS has many advantages for security (1)
Fortify’s “Java Open Review Project”
Linux “sparse”

OSS has many advantages for security (2)
Vincent Rijmen (AES): “forces people to write more clear code & adhere to standards”
Whitfield Diffie: “it’s simply unrealistic to depend on secrecy for security”

Some OSS security statistics
IE 21x more likely to get spyware than Firefox [U of Wash.]
Faster response: Firefox 37 days, Windows 134.5 days
Browser “unsafe” days in 2004: 98% Internet Explorer, 15% Mozilla/Firefox (half of Firefox’s MacOS-only)

Windows websites more vulnerable in practice

Category                      OSS                 Proprietary
Deployed systems              29.6% (GNU/Linux)   49.6% (Windows)
Deployed websites (by name)   66.75% (Apache)     24.81% (IIS)
Defaced                       17% (GNU/Linux)     66% (Windows)

DoD cyber security requires OSS
“One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would
... limit DoD access to—and overall expertise in—the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks.
... remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack.
Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks.”
- Use of Free and Open Source Software in the US Dept. of Defense (MITRE, sponsored by DISA), Jan. 2, 2003

Why hiding source doesn’t help security
Source code can be regenerated by disassemblers & decompilers sufficiently to search for vulnerabilities
Barcamp: Open Source and Security
Hiding source doesn’t appreciably inhibit attacks

Market rush often impairs proprietary quality
Trick is to get result into user supply chain
In OSS, requires subverting/misleading the trusted developers or trusted repository/distribution…
and no one noticing the public malsource later

Consider supplier as you would proprietary software
Risk larger for small OSS projects
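The slides above note that subverting an OSS supply chain means compromising the trusted developers or the trusted repository/distribution, and that a consumer should weigh the supplier as it would a proprietary one. As an added example (not from the slides or the authors), the Python below verifies artifacts fetched from an untrusted mirror against a SHA256SUMS-style manifest assumed to come over a separate trusted channel; every file name, content and digest is constructed for illustration.

```python
"""Verify fetched release artifacts against a SHA256SUMS-style manifest.

Added example, not from the slides. Assumes the manifest came over a separate
trusted channel (e.g. a signed release page); all names, contents and digests
below are constructed for illustration.
"""
import hashlib
import hmac

def parse_sha256sums(text):
    """Parse 'digest  filename' lines as written by coreutils sha256sum."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # assumes no whitespace in filenames
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed manifest line: %r" % line)
        digest, name = parts
        manifest[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return manifest

def verify_artifacts(manifest, artifacts):
    """Return {filename: status}: 'ok', 'mismatch' (content differs),
    'missing' (listed but not fetched) or 'unlisted' (fetched but not in
    the manifest, so it must not be trusted either). artifacts maps
    filename -> bytes as fetched from the untrusted mirror."""
    results = {}
    for name in sorted(set(manifest) | set(artifacts)):
        if name not in manifest:
            results[name] = "unlisted"
        elif name not in artifacts:
            results[name] = "missing"
        else:
            actual = hashlib.sha256(artifacts[name]).hexdigest()
            # compare_digest gives a constant-time comparison of the hex digests
            matched = hmac.compare_digest(actual, manifest[name])
            results[name] = "ok" if matched else "mismatch"
    return results

# Constructed sample: what the trusted channel says the release contains...
GOOD_TARBALL = b"fake-tool-1.0 source release\n"
GOOD_SCRIPT = b"#!/bin/sh\necho install\n"
SAMPLE_MANIFEST = "\n".join([
    "%s  tool-1.0.tar.gz" % hashlib.sha256(GOOD_TARBALL).hexdigest(),
    "%s  install.sh" % hashlib.sha256(GOOD_SCRIPT).hexdigest(),
    "%s  CHANGELOG" % hashlib.sha256(b"1.0: initial release\n").hexdigest(),
])
# ...and what a tampered mirror serves: install.sh altered, CHANGELOG absent,
# plus an extra file the manifest never vouched for.
MIRROR_FILES = {
    "tool-1.0.tar.gz": GOOD_TARBALL,
    "install.sh": b"#!/bin/sh\necho install\necho extra\n",
    "README": b"not covered by the manifest\n",
}

def check_sample_mirror():
    return verify_artifacts(parse_sha256sums(SAMPLE_MANIFEST), MIRROR_FILES)
```

A manifest fetched from the same mirror as the artifacts proves nothing; the check only helps when the manifest (or a signature over it) comes from a channel the mirror cannot alter.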
Hidden for 7 years in proprietary product
Found after release as OSS in 5 months
Unclear if malicious, but has its form

Acronyms (1)
BSD: Berkeley Software Distribution
COTS: Commercial Off-the-Shelf (either proprietary or OSS)
DFARS: Defense Federal Acquisition Regulation Supplement
DISR: DoD Information Technology Standards and Profile Registry
DoD: Department of Defense
DoDD: DoD Directive
DoDI: DoD Instruction
EULA: End-User License Agreement
FAR: Federal Acquisition Regulation
FLOSS: Free-libre / Open Source Software
FSF: Free Software Foundation (fsf.org)
GNU: GNU’s not Unix
GOTS: Government Off-The-Shelf (see COTS)
GPL: GNU General Public License
HP: Hewlett-Packard Corporation
IPR: Intellectual Property Rights; use “Intellectual Rights” instead
IT: Information Technology
LGPL: GNU Lesser General Public License

Acronyms (2)
MIT: Massachusetts Institute of Technology
MPL: Mozilla Public License
NDI: Non-developmental item (see COTS)
OMB: Office of Management & Budget
OSDL: Open Source Development Labs
OSI: Open Source Initiative (opensource.org)
OSJTF: Open Systems Joint Task Force
OSS: Open Source Software
PD: Public Domain
PM: Program Manager
RFP: Request for Proposal
RH: Red Hat, Inc.
ROI: Return on Investment
STIG: Security Technical Implementation Guide
TCO: Total Cost of Ownership
U.S.: United States
USC: U.S. Code
V&V: Verification & Validation
Trademarks belong to the trademark holder.
“Use of Free and Open Source Software in the US Dept. of Defense” (MITRE, sponsored by DISA)
President's Information Technology Advisory Committee (PITAC), Panel on Open Source Software for High End Computing, October 2000
“Open Source Software (OSS) in the DoD,” DoD memo signed by John P. Stenbit (DoD CIO), May 28, 2003
Center of Open Source and Government (EgovOS), http://www.egovos.org/
Open Source and Industry Alliance, http://www.osaia.org
Open Source Initiative, http://www.opensource.org
Free Software Foundation, http://www.fsf.org