Open Source Software and Security
Is it possible to have both?
Michael Hidalgo
@michael_hidalgo
Disclaimer
• This disclaimer informs attendees that the views, thoughts, and opinions
expressed in this presentation belong solely to the author, and not necessarily to
the author’s employer, organization, committee or other group or individual.
• I have abused the word Open Source.
What’s Open Source Software?
Computer software with its source code made available with a license in which the copyright
holder provides the rights to study, change, and distribute the software to anyone and for any
purpose. - Wikipedia
Source: https://en.wikipedia.org/wiki/Open-source_software
Open Source is about Collaboration!
• People meet together.
• Better ideas come out of more people.
• Fast rate of bug fixing and feature development.
Exponential Growth of OSS
Source: Black Duck Management Webinar
Doing great things for Love.
“.. The coordinating tools we have now – mailing lists, Usenet, web blogs, wikis – those
tools turn love into a renewable building material. In the middle of the 90’s most
software was commercially manufactured but the only visible means of support was love
plus mailing lists… Perl, Apache, Linux.
.. Linux gets rebuilt every night by people whose principal goal is to allow it to exist the next
morning. This means that the ability to aggregate non-financial motivations to get people
together outside of the profitable model has received a huge competitive advantage…
… In the past we would do little things for love but great things required money, now
you can do big things for love.” - Clay Shirky on Love, Internet Style
Source: https://www.youtube.com/watch?v=Xe1TZaElTAs
Who is OWASP?
The value of volunteerism
Show of hands
17 years of community service
OWASP's DNA
OWASP by the numbers
• 2,611,000 owasp.org page views per month
• 1,447,000 owasp.org unique visitors per month
• 126 active projects
• 268 active chapters
• 44,000+ mailing list participants
• 129+ government and industry citations
• 9 academic supporters
• 55 paid corporate memberships
• 2,268 individual members
Open Source Security
Is OSS insecure?
Source: https://www.schneier.com/blog/archives/2011/06/open-source_sof.html
Disappointing headlines
Source: https://snyk.io/blog/equifax-breach-vulnerable-open-source-libraries/
Source: http://www.zdnet.com/article/equifax-blames-open-source-software-for-its-record-breaking-security-breach/
Repository Driven Development
• NPM: Node Package Manager
• Maven Central: the central Maven repository
• NuGet: the package manager for .NET
Package Management some stats
Source: https://mvnrepository.com/repos/central
The NPM dependency network
And don’t forget about risk!
Usage of insecure libraries
Source: https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries/
Attacks on Open Source Software
Components with Unknown Vulnerabilities
Finding a Balance
It is possible to have a relationship between Open Source and Security if
we adopt a posture of security as a first-class citizen in our organization.
This means raising the bar and our standards by following best practices.
The OWASP Top 10
Source:	https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf
Always check your dependencies
Source:	https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf
• OWASP Dependency Check
• Snyk
• Node Security Project
Maintaining third party components
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
• Keep track of security vulnerabilities
• Monitoring and updating
• Unused components
• Third-party components (TPC) reaching end of life of support
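The two slides above name the tools (OWASP Dependency Check, Snyk, Node Security Project) and the maintenance duties, but not what such a check actually does. As an added example, not part of the talk and not the code of any of those tools, the script below does the core of it in plain Python: it walks an npm package-lock.json (including nested transitive installs), matches every component against an advisory list, and flags direct dependencies that the application never requires. The lockfile, the advisory entries, the package names and the application source are all constructed for illustration; none of the advisories is a real CVE.

```python
"""Minimal dependency check over an npm lockfile.

Added example: not from the talk and not the code of OWASP Dependency Check,
Snyk or the Node Security Project. Everything below (package names, versions,
advisories, application source) is constructed for illustration; no real CVEs.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed package-lock.json (npm lockfileVersion 1 shape). "acme-web" is a
# direct dependency that installs "acme-parser" underneath it (transitive).
LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 1,
  "dependencies": {
    "acme-web": {
      "version": "3.1.0",
      "requires": {"acme-parser": "^1.2.0"},
      "dependencies": {
        "acme-parser": {"version": "1.2.4"}
      }
    },
    "left-pad-ish": {"version": "0.9.9"},
    "acme-logger": {"version": "2.0.1"}
  }
}
""")

# Constructed advisory feed: package -> [(vulnerable range, fixed version, note)].
# A range is a comma-separated list of constraints that must all hold.
ADVISORIES = {
    "acme-parser": [("<1.3.0", "1.3.0", "header parsing flaw (constructed)")],
    "left-pad-ish": [(">=0.9.0,<1.0.0", "1.0.0", "prototype pollution (constructed)")],
}

# Constructed application source, used to spot declared-but-unused packages.
APP_SOURCE = """
const web = require('acme-web');
const log = require('acme-logger');
"""

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "==": lambda a, b: a == b}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.4' -> (1, 2, 4). Pre-release tags such as 1.2.4-beta are not handled."""
    return tuple(int(part) for part in v.split("."))


def in_range(version: str, spec: str) -> bool:
    """True when version satisfies every constraint in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*([\d.]+)", clause.strip())
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def walk(deps: Dict, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str, Tuple[str, ...]]]:
    """Yield (name, version, path) for every installed node, nested ones included."""
    for name, node in deps.items():
        here = path + (name,)
        yield name, node["version"], here
        yield from walk(node.get("dependencies", {}), here)


def find_vulnerable(lock: Dict, advisories: Dict) -> List[Dict[str, str]]:
    """Match the full inventory (direct and transitive) against the advisories."""
    findings = []
    for name, version, path in walk(lock["dependencies"]):
        for vuln_range, fixed, note in advisories.get(name, []):
            if in_range(version, vuln_range):
                findings.append({"package": name, "version": version,
                                 "path": " > ".join(path), "fixed_in": fixed, "note": note})
    return findings


REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"/]+)""")


def find_unused(lock: Dict, source: str) -> List[str]:
    """Direct dependencies the source never requires. A regex heuristic: dynamic
    requires, ES imports and scoped packages would need more than this."""
    used = set(REQUIRE_RE.findall(source))
    return sorted(name for name in lock["dependencies"] if name not in used)


if __name__ == "__main__":
    for f in find_vulnerable(LOCKFILE, ADVISORIES):
        print(f"VULNERABLE {f['package']}@{f['version']} via {f['path']}: "
              f"{f['note']}; fixed in {f['fixed_in']}")
    for name in find_unused(LOCKFILE, APP_SOURCE):
        print(f"UNUSED     {name}: remove it instead of patching it")
```

Run as a script, it reports the two findings with their dependency paths, which is what makes transitive problems actionable: acme-parser is not in the application's own manifest, so the fix is to update acme-web or override the nested version. left-pad-ish is both vulnerable and unused, the case the "Unused components" bullet is about; the right remediation there is removal, not an upgrade. A real tool replaces the constructed advisory dictionary with a feed such as the NVD or the npm advisory database, and uses a proper semver library for pre-release tags and caret/tilde ranges that this small matcher does not understand.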
Open Source code Lifecycle
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
Security Risk
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
Final Thoughts
Source: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf
• Open Source does not always mean insecurity.
• Contribute as much as possible to the Open Source community.
• Make informed decisions before using an open source component or software, using criteria such as:
  • Security issues reported.
  • Frequency of bug fixes.
  • Activity and testing.
• Patch often.
Michael Hidalgo
michael.hidalgo@owasp.org
Q & A
