7. AGENDA
● Security in open source projects
● Vulnerabilities in dependencies
● Detecting vulnerabilities in code base
● Improving security in open source
8. AGENDA
Functionality vs security
● Security is always a secondary concern
● Primary goal of software is to provide some
functionality or services
● Managing associated risks to software we
are developing is a derived/ secondary
concern
11. Coding Flaws
● flaws that can be understood looking at the program
itself.
○ confusing two program variables and errors in the
program logic
● problems in the interaction with the underlying platform
or other systems and services
○ buffer overflows in C(++) code
○ integer overflows in most programming languages
○ SQL injection, XSS, CSRF in web-applications
13. Buffer overflow
// A C program to demonstrate buffer overflow
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char *argv[])
{
// Reserve 5 byte of buffer plus the terminating NULL.
// should allocate 8 bytes = 2 double words,
// To overflow, need more than 8 bytes...
char buffer[5];
// copy the user input to mybuffer, without any
// bound checking a secure version is srtcpy_s()
strcpy(buffer, argv[1]);
printf("buffer content= %sn", buffer);
return 0;
}
15. Know your dependencies
● What open source components you are
using?
● What versions you are currently running, and
where?
● How these components can be updated,
where do you get the update, what do you
need to do to install them?
18. Third-party libraries
Reusable Components = Reusable Vulnerabilities
● Attackers are increasingly targeting popular
libraries and 3rd party components
● Up to 90% of the attack surface of an application
may be due to 3rd party code
57. Open Source Security
What can we do to improve the security of Open
Source Software?
● We can do all the same things as we do when
building commercial software
● The big difference is that we have to do it
collaboratively.
59. Open Source Security
OSS is not more or less secure, but it is different
• Typically there are many more people contributing
• Sometimes there is a culture of “code is more
important than specification”
• There may be less market pressure to put security
first
69. Secrets searching on github
○ Credentials(Cryptographic keys,
BBDD credentials, API tokens
(AWS), SSH keys)
○ Infrastructure(Services
configuration (DHCP, SMTP, etc),IPs
and internal URLs)
○ Code(Commits, History, Comments,
Dependencies, Vulnerabilities)
70. Secrets searching on github
● Private keys (id_rsa, id_dsa, *.pfx)
● History files (.bash_history and similar) - these often
have passwords which were mistyped
● Log files (/var/log/*) - again, they often have details
you might forget to look for in .htaccess, .htpasswd -
Apache directory specific configuration files
● web.config - IIS directory specific config file
● wp-config.php - Wordpress config
76. CONCLUSIONS
● Open source maintainers
○ Practice secure code review
○ Regularly audit your code base for
vulnerabilities
○ Define a process for communication of
responsible disclosures
77. CONCLUSIONS
● Open source developers
○ Follow responsible disclosure policies if you
are reporting a security vulnerability
○ Subscribe to the security communication
channels of your open source dependencies
78. CONCLUSIONS
● Security is a very important aspect of
software development.
● Measures can be taken to integrate it in
the Software Development Life Cycle.
● It is possible to effectively integrate
security into agile development as well