SFScon18 - Lorenzo Nicoldi - The insecurity of the free & opensource software

•

0 likes•98 views

This document summarizes some assumptions and challenges around testing the security of open source versus closed source software. It discusses how automated testing through unit tests and fuzzing works in theory but can be limited in practice. Manual testing or "bug hunting" is also explored for both commercial and free open source software, noting it may be easier to find targets in closed source code. The document aims to start a discussion on how security is evaluated differently for open versus closed source programs.

Technology

The insecurity of the
free & opensource
software

DISCLAIMER
› I am not against free / opensource software
› While there are different kind of licensing, I will use:
 “Open source”, if the code is provided
 “Closed source”, if the code is not provided
 “Free”, if you don’t pay for it
 “Commercial”, if you pay for it
› For the purpose of this presentation, the licensing
is not important

ASSUMPTIONS
1) “The code is continuously evaluated, through unit tests and
automated fuzzers.”
2) “If the code is available, then multiple eyes, in the past,
have evaluated its security.”
3) “While looking for vulnerabilities, open source and
closed source software tools are the same.”

UNIT TESTING & FUZZING IN THEORY
A = 1
double(A)
Test_1(double(A) == 2) ?
}input
function
A = cat.jpg
double(A) }input
function
????

FUZZING & UNIT TESTING IN PRACTICE
Source: https://greyhathacking.wordpress.com/2013/04/04/exploiting-fuzzing/

SECURITY RESEARCH:
OPEN VS CLOSED
SOURCE
(LIVE)

What's hot

Testing And Drupal

Peter Arato

Unit Testing And Mocking

Joe Wilson

Unit testing (workshop)

Foyzul Karim

Android Automation Using Robotium

Mindfire Solutions

Inside Android Testing

Fernando Cejas

An Introduction to Unit Testing

Joe Tremblay

AspectMock

Bryce Embry

What's hot (7)

Testing And Drupal

Unit Testing And Mocking

Unit testing (workshop)

Android Automation Using Robotium

Inside Android Testing

An Introduction to Unit Testing

AspectMock

Similar to SFScon18 - Lorenzo Nicoldi - The insecurity of the free & opensource software

us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...

AliAlwesabi

Software testing

Abhishek Gautam

Dev fest2015androidunittestingbyoyewaleademolasao

Oyewale Ademola

Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter

Avi Sharma

Myths and Misperceptions of Open Source Security

Black Duck by Synopsys

5-Ways-to-Revolutionize-Your-Software-Testing

Mary Clemons

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for DevOps

Black Duck by Synopsys

Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive. Key Takeaways: -Great places in the user journey to inject security tests - Ways to augment existing test approaches to cover security concerns - Typical security tools that are free, cheap, and easy for software testers

Zen and the art of Security Testing

TEST Huddle

How penetration testing techniques can help you improve your qa skills

Marian Marinov

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities

Anant Shrivastava

Why is software testing important

Infowind Technologies (IT) Pvt Ltd

Why is software testing important

Infowind Technologies (IT) Pvt Ltd

ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...

Agile Testing Alliance

nullcon 2011 - Fuzzing with Complexities

n|u - The Open Security Community

SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods

Splunk

Many companies develop strong software development practices that include ongoing testing throughout the development lifecycle. But they fail to account for the testing of security-related issues. This leads to security controls being tacked on to an application just before it goes to production. With security controls implemented in this manner, more security vulnerabilities are uncovered but there is less time to correct them. As more applications move to cloud-based architectures, this will become an even greater problem as some of the protection enjoyed by applications hosted on-site no longer exists. Jeremy Faircloth discusses a better approach—ensuring that testing throughout the development lifecycle includes the appropriate focus on security controls. Jeremy illustrates this through the establishment of security-related use cases, static code analysis, dynamic analysis, fuzzing, availability testing, and other techniques. Save yourself from last minute security issues by proactively testing the security of your application!

Improve Security through Continuous Testing

TechWell

Objects vs. Images: Choosing the Right GUI Test Tool Architecture

TechWell

This presentation was given by Ryan Berg, Sonatype CSO, at the All Things Open conference in Raleigh, NC. We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. And learn best practices to manage your risk based on the 11,000 people who shared their experiences in the 4 year industry-wide study on open source development and application security. Among the surprising results… - 1-in-3 organizations had or suspected an open source breach in the last 12 months - Only 16% of participants must prove they are not using components with known vulnerabilities - 64% don’t track changes in open source vulnerability data

Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?

Sonatype

SECURITY TESTING is a type of Software Testing that uncovers vulnerabilities, threats, risks in a software application and prevents malicious attacks from intruders. The purpose of Security Tests is to identify all possible loopholes and weaknesses of the software system which might result in a loss of information, revenue, and repute at the hands of the employees or outsiders of the Organization.

Security Testing.pptx

osandadeshan

SplunkLive! Zurich 2018: Intro to Security Analytics Methods

Splunk

Similar to SFScon18 - Lorenzo Nicoldi - The insecurity of the free & opensource software (20)

us-19-Stone-Securing-The-System-A-Deep-Dive-Into-Reversing-Android-Preinstall...

Software testing

Dev fest2015androidunittestingbyoyewaleademolasao

Squashing bugs: Introduction to Bug Bounties ISSA Dehradun Chapter

Myths and Misperceptions of Open Source Security

5-Ways-to-Revolutionize-Your-Software-Testing

Software Security Assurance for DevOps

Zen and the art of Security Testing

How penetration testing techniques can help you improve your qa skills

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities

Why is software testing important

ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...

nullcon 2011 - Fuzzing with Complexities

SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods

Improve Security through Continuous Testing

Objects vs. Images: Choosing the Right GUI Test Tool Architecture

Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?

Security Testing.pptx

SplunkLive! Zurich 2018: Intro to Security Analytics Methods

More from South Tyrol Free Software Conference

The complexity of agricultural droughts requires a consistent, reliable, and systematic method for monitoring and reporting. Amongst the various indices used to monitor this phenomenon, the soil moisture anomaly has been proven to be a more reliable predictor. However, the datasets required for computing this index are often large and computationally demanding. To address this challenge, we have developed SMODEX, a Python package that enables scalable, fast, and open-source standard-compliant computation and visualization of soil moisture anomalies. SMODEX simplifies the computation and visualization of time-series for soil moisture and soil moisture anomalies from high-dimensional climate datasets. It allows for quick and easy parallelization of the computation on a daily, weekly, and monthly timescale. Additionally, SMODEX implements a straightforward workflow for automating the use of FAIR (Findable, Accessible, Interoperable, and Reusable) principles in producing and sharing outputs by leveraging the open source STAC API. The package is extendible and provides information on how to contribute to the project, test suites, test coverage, and a use case for the South Tyrol region, all provided in the package repository. In the future, additional agricultural drought indices and indicators would be included to serve to even larger community of researchers, policy makers, and individual users.

SFSCON23 - Rufai Omowunmi Balogun - SMODEX – a Python package for understandi...

South Tyrol Free Software Conference

The Open Hardware PowerPC Notebook designed around GNU/Linux will be showed at NOI Techpark. We had presented here its motherboard design in 2018. We will updates regarding last developments for u-boot AMD video drivers, re-design of heat pipes, and CE test certification process. We will give future availability milestones of this notebook and details regarding the GNU/Linux distributions or other OS that could runs on it.

SFSCON23 - Roberto Innocenti - From the design to reality is here the Communi...

South Tyrol Free Software Conference

Tracking aeroplanes in real time with Open Source Software is possible. Aircrafts must continuously send their current flight parameters to air traffic controllers on the ground and to other aircrafts. This generates a lot of data, especially when planes are being tracked by multiple sensors. The Open Data Hub on the other hand offers a great backbone for data storing and processing, where the correct datasets have to be identified and filtered. After all transformation on the data is done, it will be exposed via API to be further used by a web application. Bringing together sensor generated data, the Open Data Hub and custom web applications, is a showcase on how the Open Data Hub can be used as a service: OaaS.

SFSCON23 - Martin Rabanser - Real-time aeroplane tracking and the Open Data Hub

South Tyrol Free Software Conference

The transition from Web 2.0 to Web 3.0 has fueled the need for a secure and decentralized cloud storage solution for digital assets. Web 2.0 was characterized by centralized platforms where user data was under the control of companies. In contrast, Web 3.0 aims to empower individuals and foster a decentralized web that supports and benefits the Free Software and Open Data Communities. Blockchain technologies facilitate seamless collaboration and interoperability among diverse stakeholders in the Free Software and Open Data communities. Developers can establish open and transparent ecosystems where data can be shared, verified, and integrated across multiple platforms. Beez, with its own blockchain infrastructure, offers a secure and transparent platform for digital asset exchanges, bolstering transaction integrity and trust. By distributing data across a network of nodes, Beez ensures security and mitigates the risk of single points of failure. Users retain control over their data, safeguard their privacy, and can take advantage of the incentive mechanisms offered by blockchain networks. During our presentation, we will explore the role of AI within Beez's ecosystem, facilitating accelerated data processing, correlation, and intelligent automation. AI unlocks valuable insights from blockchain data, and we will touch upon the use of Inductive Logic Programming (ILP) to enhance programming performance. The integration of Blockchain and AI technologies holds great potential for advancing the safety and efficiency of the Open Data ecosystem. By combining decentralized data storage, trust-building mechanisms, and intelligent data processing, Beez is paving the way for a more secure, transparent, and user-centric digital landscape.

SFSCON23 - Marianna d'Atri Enrico Zanardo - How can Blockchain technologies i...

South Tyrol Free Software Conference

We are becoming more and more dependent on the Internet for our work, education, communication, personal relations and entertainment. Our digital devices conquered an unprecedented level of importance in our life. However, we are facing a loss of control over our smartphones, tablets and other devices for internet connection. It's time to resolve monopolies and re-establish democratic control over the technology we most depend upon. This talk will present the challenges end-users are facing to get more control over their devices and how Free Software is key for a consumer re-empowerement. The talk will present real-life examples of policy demands against gatekeepers on digital markets, such as the struggle for Router Freedom in the last years and how Device Neutrality can serve as an important instrument for pushing forward end-user-oriented digital policies.

SFSCON23 - Lucas Lasota - The Future of Connectivity, Open Internet and Human...

South Tyrol Free Software Conference

MOSH and MOAH are the abbreviation of two groups of chemical compounds found in mineral oils. “MOSH” stands for Mineral Oil Saturated Hydrocarbons. MOAH stands for Mineral Oil Aromatic Hydrocarbons. Both of them are under European deeply evaluation because there are two food contaminants. According to the current state of scientific knowledge, there is no sufficient toxicological evidence to prove a health risk to humans from saturated mineral oil fractions (MOSH). Meanwhile, MOAH are suspected to be carcinogenic (especially PAH-like compounds with 3-7 ring systems), therefore their levels in food should be reduced according to the ALARA-principle (as low as reasonably achievable). Gruppo FOS with CNR ( MOSH and MOAH are the abbreviation of two groups of chemical compounds found in mineral oils. “MOSH” stands for Mineral Oil Saturated Hydrocarbons. MOAH stands for Mineral Oil Aromatic Hydrocarbons. Both of them are under European deeply evaluation because there are two food contaminants. According to the current state of scientific knowledge, there is no sufficient toxicological evidence to prove a health risk to humans from saturated mineral oil fractions (MOSH). Meanwhile, MOAH are suspected to be carcinogenic (especially PAH-like compounds with 3-7 ring systems), therefore their levels in food should be reduced according to the ALARA-principle (as low as reasonably achievable). Gruppo FOS with CNR (Consiglio Nazionale delle Ricerche), Santagata 1907 and Enginius are searching the system for finding and trace their presence in the virgin and extra virgin olive oils by using open fingerprints methods, open hardware and open source blockchain and AI technologies.

SFSCON23 - Giovanni Giannotta - Intelligent Decision Support System for trace...

South Tyrol Free Software Conference

Up-to date measurements of surface meteorological variables are essential to monitor weather conditions, their spatio-temporal variability and the potential effects on a wide range of sectors and applications. Moreover, when included in continuous records of long historical observations spanning several decades, they become essential for assessing long-term climate variability and change locally and on a regional level. Automated pipelines capable of retrieving and processing near-real time meteorological data satisfy the primary prerequisites towards the development and advancement of effective and operational climate services. With a public and operational near real-time monitoring web platform in mind, we present automated pipelines to collect and process up-to-date daily temperature and precipitation records for Trentino South Tyrol (Italy) and surrounding areas, and to derive their spatially interpolated fields at sub-km scale. Our pipelines are composed by multiple steps including data download, sanity checks, reconstruction of missing daily records, integration into the historical archive, spatial interpolation and publication onto online FAIR catalogues as (openEO) “datacubes”. The different APIs, data formats and structure across the various data sources, and the need to merge the data onto harmonized meteorological layers, make this a typical case of the so-called Extract, Transform and Load (ETL) pipelines, and, in order to follow the principles of data reproducibility and Open Science, we embraced open-source automated workflow management through GitLab’s Continuous Integration / Continuous Development (CI/CD) capabilities. CI/CD workflows greatly help the management of the relatively complex graphs of tasks required for our climate application, ensuring seamless orchestration with thorough flow monitoring, application logs, transactions rollbacks, and exception handling in general. Native pipeline-oriented software development also fosters a clean separation of roles among the tasks, and a more modular architecture. This effectively reduces barriers to collaborative development and paves the way for robust operational climate services for researchers and decision makers in the face of the changing climate.

SFSCON23 - Elena Maines - Embracing CI/CD workflows for building ETL pipelines

South Tyrol Free Software Conference

The Open Science movement aims to increase the transparency, reproducibility and inclusiveness of academic research. One of its central goals is therefore to make research outputs broadly available, e.g., manuscripts (Open Access) or research data (Open Data). While software/code created in the course of scientific research is a key artifact of scientific research that is clear distinct from the latter two, it has until recently not received the same attention as manuscripts or data, although it follows its own set of paradigms. In this talk I will present an overview on how the core concepts of Free Software and the FAIR (findable, accessible, interoperable, reuseable) Principles intersect, what this means for managing code as research output and recent initiatives on the European level that will provide support for these issues.

SFSCON23 - Christian Busse - Free Software and Open Science

South Tyrol Free Software Conference

Software freedom can be defined in many ways but in legal terms it is squarely defined by a set of approved FSF and OSI software licenses. Yet everyone realizes that beyond these licenses the goal of software freedom and digital sovereignty cannot be achieved without the ability to master and create hardware components and systems - and beyond that, to rely on open digital infrastructure (servers, datacenters, and resources) . This talk will present the challenges around these topics and what we, collectively in Europe already do and can do to ensure our independence and our freedoms.

SFSCON23 - Charles H. Schulz - Why open digital infrastructure matters

South Tyrol Free Software Conference

EDP-portal is the access point to the Environmental Data Platform of Eurac Research since 2021 to achieve FAIRness of our datasets. It allows to publish data and metadata and provides APIs and web services for data access. In the last 2 years the EDP improved the findability and accessibility of the data collected throughout the curation of metadata that was improved with the DOI registration for datasets. The result is a higher metadata quality where the final user can easily find how to properly cite datasets with a persistent identifier. The portal itself and main data repositories are registered in FAIR-sharing portal with their own DOI. The SW components of the EDP are totally based on open source projects.

SFSCON23 - Andrea Vianello - Achieving FAIRness with EDP-portal

South Tyrol Free Software Conference

This lightning talk will explore the transformative potential of integrating Internet of Things (IoT) and Artificial Intelligence (AI) in Mass Customization (MC). There is a significant collective impact of these technologies on businesses, enabling the delivery of personalized products and exceptional customer experiences. Besides giving an overview of MC and the potential ways of integrating IoT and AI, the focus will be on the process of real-time data collection and facilitation of the customization process by IoT on one hand, and on the role of AI in data analysis and generation of personalized recommendations on the other hand. By presenting real-world case studies to demonstrate the practical implementation of IoT and AI in providing customized products and seamless customer experiences, attendees will gain insights into the future of customization and learn actionable strategies to effectively leverage IoT and AI.

SFSCON23 - Thomas Aichner - How IoT and AI are revolutionizing Mass Customiza...

South Tyrol Free Software Conference

SFSCON23 - Stefan Mutschlechner - Smart Werke Meran

South Tyrol Free Software Conference

As open source software becomes the foundation to build digital products, to run the backbones of ICT infrastructure and to ensure digital sovereignty and cyber resilience, both the technology as well as the communities that develop it inevitably move into the focus of regulators. The European Union is advancing a number of policy initiatives that regulate liability, cyber security, data handling and AI applications in digital products, among others. This is a challenge for the still quite decentralised and globally operating open source community. How could the open source community participate in legislative processes, and what may be the potential impacts of the upcoming regulation on the open source development process and community dynamics?

SFSCON23 - Mirko Boehm - European regulators cast their eyes on maturing OSS ...

South Tyrol Free Software Conference

SFSCON23 - Marco Pavanelli - Monitoring the fleet of Sasa with free software

South Tyrol Free Software Conference

AICS is the Italian Agency for Development Cooperation that started operating in 2016 with the ambition of aligning Italy with the main European and international partners in the commitment to development. KNOWAGE Labs are developing for AICS a platform that is probably unique in the world and will allow both the Agency and the public to access all the major indicators on the UN Sustainable Development Goals provided by international sources (World Bank, WTO, ILO..) and easily compare them. The solution will allow analysis to start from 3 different touch points: the infographic of SDG goals, the advanced search criteria, and the virtual assistant. Then, a customized dashboard will be provided to the user, allowing to further expand the analysis by interacting with charts, maps, tables, etc. This talk will show the state of art of the solution, highlighting objectives and expected results of the project, but also the new developments of KNOWAGE related to AI.

SFSCON23 - Marco Cortella - KNOWAGE and AICS for 2030 agenda SDG goals monito...

South Tyrol Free Software Conference

Interoperability is a core element of the ongoing digitalisation of Europe. With the Interoperable Europe Act, the EU is aiming to create a dedicated legal framework for interoperability and to enhance cross-border digital public services across the European Union. This talk will give an overview of the state of play of this proposed regulation in the ongoing EU legislative process, some of its flaws, and the important role that Free Software and its community can play in it.

SFSCON23 - Lina Ceballos - Interoperable Europe Act - A real game changer

South Tyrol Free Software Conference

How to sharpen the demand for public code across Europe and monitor progress with TEDective For six years, the Free Software Foundation Europe has been calling with a broad alliance for publicly funded software to be published as Free Software. This initiative has become a great success: Our demand "Public Money? Public Code!" has found its way into government strategy papers, party programs, as well as coalition treaties, and is being discussed in public administrations across Europe. At the same time, we see less progress than expected and vendor lock ins remain a crucial issue. Digital sovereignty is redefined bypassing Free Software. There is openwashing in publicly funded companies, and government projects in favour of Free Software remain empty words. Public statistics on the procurement of Free Software are largely unavailable. It is therefore no longer enough to promote the idea of "Public Money? Public Code!". We as the Free Software community should be even more vigilant than before – continuing to praise small steps in the right direction, but pointing out and criticising omissions and lack of implementation. We should become more like watchdogs. In the talk we will look at some examples of lack of implementation of Free Software policies. We will discuss how we, as civil society, can identify such shortcomings and how to deal with them. We will present our initiative TEDective – a free-software solution that makes European public procurement data explorable for non-experts, aiming to provide you with a powerful tool to keep an eye on real progress towards "Public Money? Public Code!" across Europe.

SFSCON23 - Johannes Näder Linus Sehn - Let’s monitor implementation of Free S...

South Tyrol Free Software Conference

The Internet today forms the backbone of the digitisation of our society and economy. As connectivity increases, the boundaries between the real and digital world get increasingly blurred. However, there has been an erosion of trust in the Internet following revelations about the exploitation of personal data, large-scale cybersecurity and data breaches, and growing awareness of the proliferation and impacts of online disinformation. What can be done to improve the Internet as a platform for future generations? What initiatives are currently in place to build key technological blocks of an Internet that supports human-centric values, such as privacy, security, and inclusion, while reflecting the values and norms all citizens should enjoy in Europe? This talk will explore why the current state of the internet must be re-imagined and re-engineered in order to support healthy societies, the existing European Commission initiative to work towards doing so, and the role of Free Software in accomplishing these goals.

SFSCON23 - Gabriel Ku Wei Bin - Why Do We Need A Next Generation Internet

South Tyrol Free Software Conference

2023 saw the launch, after a long and well-structured revision and development process, all based on a fruitful collaboration between several departments of the Autonomous Province of Bolzano, most of the township in South Tyrol, Informatica Alto Adige (SIAG - Technical partner) and the Consortium of Municipalities of the Province of Bolzano, of the new version of the integrated geographic data management system IGis Maps. In use for years in South Tyrol, has in the Consortium one of its most enthusiastic contributors and supporters. The very first version was released about eight years ago and its implementation was based on the idea of creating a multi-purpose GIS management system that could support different types of users, that was highly customizable, and, above all, that could be widely shared among the various management entities, both public and private, present within our territory. After years of use and ad-hoc developments, we can finally present the new version of the IGis Maps system, which incorporates all the technical and technological improvements we realized the system needed. It was not just a major update together with new functionalities combined inside the previous software structure, but a true re-engineering that led, among other things, to a new and more efficient user interface, a major advancement regarding the internal security, an optimization and improvement of the entire editing section as well as an optimization of the section regarding the automatic geo-processes. A mobile version is currently under development to better support any field activities, for which a very powerful option will be included, the possibility of creating special work sessions in off-line mode so as to be able to operate even in areas without a proper cellular line network coverage. Other very important peculiarities concern that the system is developed using a totally free software code and infrastructure, that a detailed documentation has been produced to ensure sustainability to any further future evolution, even in case of technical partner turnover, and finally, that by taking advantage of the high standards and levels of security access can be guaranteed to any type of user. From professional users, through dedicated access and qualifications or, using the ordinary SPID, to the private citizen. We will show examples of how different types of users and stakeholders now permanently use the system for the management of a variety of tasks related to their activities, and how it was possible to customize IGis Maps to create visualization and data management contexts that best meet their needs. We will also present a related project concerning the updating and the correction of the new technical basal cartography, built upon the new Basic Core specification, achieved through the automatic conversion implemented by the SIAG team starting from the previous National Core cartography. With the new IGis Maps it was possible to create an a

SFSCON23 - Edoardo Scepi - The Brand-New Version of IGis Maps

South Tyrol Free Software Conference

KNOWAGE is the open source analytics and business intelligence suite made in Italy. KNOWAGE aims to provide company and organizations with analytical capabilities to exploit data to increase their efficiency and sustainability. Also thanks to the open source community support, the suite is constantly evolving combining the reliability of the most popular business intelligence solutions with the security and the transparency guaranteed by open source. This talk will show the last year advancements and new features towards a more mobile, accessible and user-friendly product, focusing on the newly rewritten dashboarding tool.

SFSCON23 - Davide Vernassa - Empowering Insights Unveiling the latest innova...

South Tyrol Free Software Conference

More from South Tyrol Free Software Conference (20)