Open Source Security – a vendor's perspective
Matthew Wilkes

Who am I
Zope/Plone since 2004
Plone security team leader
Former FWT member
2013 board member
sprints, conferences, etc
Python security at The Code Distillery

Concepts

Vulnerability report
User emails security@plone.org
"Doctor, it hurts when I raise my arm like this…"

Vulnerability
Security team confirms
Find the original cause
Find variants of the same bug

Severity
Is this bug an emergency?
Who knows how to exploit it so far?
What damage can an attacker cause?

Workaround
Develop a hotfix
Test on supported versions
Release hotfix

Fix
Apply changes from the hotfix to core
Create new releases for packages

Workflow
1. Receive notification
2. Add to issue tracker and reply
3. Confirm bug exists
4. Find related problems
5. Request CVE
6. Write hotfix
7. Test on supported versions
8. Release hotfix
9. Provide notes to oss-security
10. Receive allocated CVE
11. Update plone.org with CVE ids
12. Vulnerability shows on NVD

On CVEs

CVE
“CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.”
The MITRE Corporation

CVE
“In reality, all of the large vulnerability databases may have missed published vulnerabilities in the product …. We routinely see this.”
Steve Christey, MITRE

CVE
“Summary for CVE-2011-0720: Unspecified vulnerability in Plone 2.5 through 4.0, allows remote attackers to obtain administrative access.”
National Vulnerability Database

Not all equal
Can MERGE under certain circumstances
Have to fight for more
Many vulns never have one assigned

Why use CVE?
We're expected to
Lets us influence what people say about us
You can google the number

CVSSv2

What is CVSSv2?
A systematic way of assigning severity
Three sections: Base, Temporal, Environmental
Our job to provide Base scores
Users can apply the Temporal and Environmental scores

Comparing CVSSv2s
Sometimes vendors release temporal scores, not base
Very few vendors publish the vectors
Vendors often disagree with researchers
Not all options always apply

CVSSv2 for companies
Temporal scores let us scale scores over the lifecycle of the bug
Environmental scores let you weight scores according to your business goals

Why use CVSSv2?
Lets us influence what people say about us
Easier to form policies about what things are urgent
We can make stats!

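The Base/Temporal split the slides describe (the vendor publishes the Base score and vector, users layer Temporal and Environmental on top) and the point that Temporal scores track a bug over its lifecycle, as an added Python example that is not from this talk or from Plone: it parses a CVSSv2 vector string and implements the Base and Temporal equations from the CVSS v2 guide. The vector and lifecycle stages are constructed to resemble the anonymous-read-of-private-data bugs cited later in the deck, not scores NVD or Plone actually published.

```python
from decimal import Decimal, ROUND_HALF_UP
BASE = {  # CVSSv2 weights from the CVSS v2 guide, keyed by the vector abbreviations
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0},  # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}, # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},            # Report Confidence
}

def round1(x):
    """CVSS rounds half up to one decimal; Python's round() is half-even, so use Decimal."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:N/A:N[/E:U/RL:TF/RC:C]' into {metric: value}."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        table = BASE.get(name) or TEMPORAL.get(name)
        if table is None or value not in table:
            raise ValueError("unknown CVSSv2 metric %r" % part)
        metrics[name] = value
    if any(name not in metrics for name in BASE):  # all six base metrics are mandatory
        raise ValueError("incomplete base vector: %r" % vector)
    return metrics

def base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - BASE["C"][m["C"]]) * (1 - BASE["I"][m["I"]]) * (1 - BASE["A"][m["A"]]))
    exploitability = 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    # f(Impact) is 0 for a no-impact vector, 1.176 otherwise
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * (1.176 if impact else 0))

def temporal_score(vector):
    """Temporal = Base x E x RL x RC; a temporal metric left out counts as Not Defined (1.0)."""
    m = parse_vector(vector)
    score = base_score(vector)
    for name, table in TEMPORAL.items():
        score *= table[m.get(name, "ND")]
    return round1(score)

if __name__ == "__main__":
    # Constructed vector for an anonymous read of private data; not a score NVD or Plone published.
    leak = "AV:N/AC:L/Au:N/C:P/I:N/A:N"
    print(base_score(leak))                          # 5.0
    print(temporal_score(leak + "/E:U/RL:TF/RC:C"))  # 3.8: hotfix out, no public exploit
    print(temporal_score(leak + "/E:F/RL:OF/RC:C"))  # 4.1: exploit public, fix in core
```

The Environmental equation is omitted; it is the consumer's side of the calculation and reweights the Base metrics for one specific deployment.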
CWE

What is CWE?
OWASP Top-10 2010: A5 Cross-Site Request Forgery
SANS Top-25 2013: Rank #12
OWASP Top-10 2013: A8 Cross-Site Request Forgery
CWE-352: Cross-Site Request Forgery (CSRF)

Problems with CWE
940 CWEs currently listed
Very granular

Granularity
CWE-759: Use of a One-Way Hash without a Salt
CWE-916: Use of Password Hash With Insufficient Computational Effort

Why use CWE?
Lets us influence what people say about us
We can make stats

Databases
Manually maintained
Pull public information and tabulate
Some companies have write access
Almost all vendors do not

Latest Plone update
NVD: November 2011
OSVDB: June 2010
CVE Details: November 2011

Statistics

CVE-2013-4196
No gain information?
“Multiple information exposure flaws were found in the way object manager implementation of Plone, a user friendly and powerful content management system, protected access to its internal methods.”

CVE-2012-5505
No gain information?
“On some content types an anonymous view lookup returns a private data structure, which under certain circumstances may be used to read out confidential data.”

Fix it!

Collaborative databases?
“Sadly it probably won't work, most projects barely care about security, even fewer care about doing advisories correctly.”
Kurt Seifried, Red Hat

Collaborative databases?
“Use of the OSVDB, and/or API in a commercial atmosphere requires a license from OSF or a commercial partner of our designation. Failure to obtain a license for such use will result in account termination and legal action as necessary.”
Open Source Vulnerability Database

SPOF
“Remember this is supposed to be basically a small side part of my job at Red Hat and I sometimes get slammed and grumpy =)”
Kurt Seifried, Red Hat

Recommendations
1. A wiki type vulnerability database
2. Freely available vulnerability ids
3. Direct editing access for vendors
4. Open data

Recommendations
1. Extend CVSSv2 for webapps
2. Allow the public to tag CWE
3. Decouple vulnerability instances and causes

Questions?

This talk aims to let interested users in on the work of being a responsible vendor in the open source security world. It will have a particular focus on Plone, but will be applicable to anyone issuing public fixes for open source code.
