Open source and Security
1. Open Source Software and Security
Is it possible to have both?
Michael Hidalgo
@michael_hidalgo
2. Disclaimer
What do we do?
• This disclaimer informs attendees that the views, thoughts, and opinions
expressed in this presentation belong solely to the author, and not necessarily to
the author’s employer, organization, committee or other group or individual.
• I have abused the word Open Source.
3. What’s Open Source Software?
What do we do?
Computer software with its source code made available with a license in which the copyright
holder provides the rights to study, change, and distribute the software to anyone and for any
purpose - Wikipedia
Source: https://en.wikipedia.org/wiki/Open-source_software
4. Open Source is about Collaboration!
What do we do
• People meet together
• Better ideas come out of more people.
• Fast rate of bug fixing and feature development
5. Exponential Growth of OSS
Why do we do it
Source: Black Duck Management Webinar
6. Doing great things for Love.
Why do we do it
“.. The coordinating tools we have now – mailing lists, Usenet, web blogs, wikis – those
tools turn love into a renewable building material. In the middle of the 90’s most
software was commercially manufactured, but the only visible means of support was love
plus a mailing list… Perl, Apache, Linux.
.. Linux gets rebuilt every night by people whose principal goal is to allow it to exist the next
morning. This means that the ability to aggregate non-financial motivations to get people
together outside of the profitable model has received a huge competitive advantage…
… In the past we would do little things for love but great things required money; now
you can do big things for love.” - Clay Shirky on Love, Internet Style
Source: https://www.youtube.com/watch?v=Xe1TZaElTAs
23. Is OSS insecure?
Why do we do it?
Source: https://www.schneier.com/blog/archives/2011/06/open-source_sof.html
24. Disappointing headlines
How we do it
Source: https://snyk.io/blog/equifax-breach-vulnerable-open-source-libraries/
25. Disappointing headlines
How we do it
Source: http://www.zdnet.com/article/equifax-blames-open-source-software-for-its-record-breaking-security-breach/
26. Repository Driven Development
How do we do it?
• NPM: Node Package Manager
• Maven Central: the Maven central repository
• NuGet: the package manager for .NET
32. How we do it
And don’t forget about risk!
33. Usage of insecure libraries
How we do it
Source: https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries/
34. How we do it
Attacks on Open Source Software
35. How we do it
Components with Unknown Vulnerabilities
36. Finding a Balance
Why do we do it?
Is it possible to have a relationship
between Open Source and Security if
we adopt a posture of security as a first-class
citizen in our organization?
This means raising the bar and our
standards by following best practices.
37. Why do we do it?
The OWASP Top 10
Source: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf
38. Why do we do it?
Always check your dependencies
Source: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf
• OWASP Dependency Check
• Snyk
• Node Security Project
39. Why do we do it?
Maintaining third party components
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
• Keep track of Security Vulnerabilities
• Monitoring and Updating
• Unused components
• Third-party components (TPCs) reaching end of life of support
40. How we do it
Open Source code Lifecycle
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
41. Security Risk
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
42. Why do we do it?
Final Thoughts
Source: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf
• Open Source does not always mean insecurity.
• Contribute as much as possible to the Open Source
community.
• Make informed decisions before using an open source
component or software; use criteria such as:
  • Security issues reported.
  • Frequency of bug fixes.
  • Activity and testing.
• Patch often.
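The checks from the "Always check your dependencies" and "Maintaining third party components" slides and the criteria above, applied as one small audit. This is an added example, not code from the deck or from any of the tools named on it; the component manifest, the advisory feed (placeholder ids) and the 365-day staleness threshold are all constructed assumptions.

```python
"""Added example: a dependency audit applying the slides' criteria (known
vulnerabilities, end of life, stale maintenance, unused). All data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Component:
    name: str
    version: Tuple[int, int, int]
    last_release: date          # date of the latest upstream release
    eol: Optional[date] = None  # announced end-of-support date, if any
    used: bool = True           # False if nothing in the code base imports it

# Constructed advisory feed: name -> [(first fixed version, advisory id)].
# The ids are placeholders, not real advisories.
ADVISORIES: Dict[str, List[Tuple[Tuple[int, int, int], str]]] = {
    "web-framework": [((2, 3, 1), "ADV-PLACEHOLDER-1")],
    "xml-parser": [((1, 9, 0), "ADV-PLACEHOLDER-2")],
}

def audit(components: List[Component], today: date, stale_days: int = 365) -> Dict[str, List[str]]:
    """Return {name: [findings]} for every component that needs action."""
    findings: Dict[str, List[str]] = {}
    for c in components:
        issues: List[str] = []
        for fixed_in, adv in ADVISORIES.get(c.name, []):
            if c.version < fixed_in:  # tuple order matches version order
                issues.append(f"vulnerable: {adv}, fixed in {'.'.join(map(str, fixed_in))}")
        if c.eol is not None and c.eol <= today:
            issues.append(f"end-of-life since {c.eol}")
        if (today - c.last_release).days > stale_days:
            issues.append(f"no release in {stale_days} days: check project activity")
        if not c.used:
            issues.append("unused: remove it")
        if issues:
            findings[c.name] = issues
    return findings

# Constructed manifest, as a build tool might report it.
SAMPLE = [
    Component("web-framework", (2, 3, 0), date(2017, 12, 1)),
    Component("xml-parser", (1, 9, 2), date(2016, 1, 10), eol=date(2017, 6, 30)),
    Component("logging-lib", (4, 0, 0), date(2018, 2, 15), used=False),
    Component("json-codec", (1, 0, 0), date(2018, 1, 20)),
]

def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE, today=date(2018, 3, 1))
```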