This document discusses whether open source software can be secure. It begins by defining open source software as software with publicly available source code and a license allowing anyone to study, change and distribute the software. It then notes that open source is collaborative in nature, with better ideas and faster bug fixing coming from more contributors. However, it also acknowledges that open source software can be insecure if vulnerable libraries are used or dependencies are not checked carefully. The document argues that open source and security are possible if security is a first-class concern, through following best practices like the OWASP Top 10, monitoring dependencies, and maintaining transparency around vulnerabilities and updates.

1. Open Source Software and Security
Is it possible to have both?
Michael Hidalgo
@michael_hidalgo

2. Disclaimer
W h a t d o w e d o ?
• This disclaimer informs attenders that the views, thoughts, and opinions
expressed in this presentation belong solely to the author, and not necessarily to
the author’s employer, organization, committee or other group or individual.
• I have abused the word Open Source.

3. What’s Open Source Software?
W h a t d o w e d o ?
Computer software with its source code made available with a license in which the copyright
holder provides the rights to study, change, and distribute the software to anyone and for any
purpose - Wikipedia
Source: https://en.wikipedia.org/wiki/Open-source_software

4. Open Source is about Collaboration!
W h a t d o w e d o
• People meet together
• Better ideas come out more people.
• Fast rate of bug fixing, features
development

5. Exponential Growth of OSS
W h y d o w e d o i t
Source: Black Duck Management Webinar

6. Doing great things for Love.
W h y d o w e d o i t
“.. The coordinating tools we have now –mailing list, Usenet, web blogs, wikis – those
tools turn love into a renewable building material. In the middle of the 90’s most
software was commercially manufactured but only visible means of support was love
plus mailing list… Perl, Apache, Linux.
.. Linux gets rebuild every night by people whose principal goal is allow it to exist the next
morning. This means that the ability to aggregate non financial motivations to get people
together outside of the profitable model have receive a huge competitive advantage…
… In the past we would do little things for love but great things required money, now
you can do big things for love.” -Clay Shirk on Love, Internet Style1
Source: https://www.youtube.com/watch?v=Xe1TZaElTAs

7. Who is OWASP?

8. The value of
volunteerism

9. Show of hands

10. 17Years of community service

11. OWASP's DNA

12. OWASP
by the numbers

13. 2,611,000owasp.org page views (per month)

14. 1,447,000owasp.org unique visitors per month

15. 126Active Projects

16. 268Active Chapters

17. 44,000+participants mailing lists

18. 129+Government & Industry Citations!

19. 9Academic Supporters

20. 55Paid Corporate Memberships

21. 2268Individual Members

22. Open Source Security

23. Is OSS insecure?
W h y d o w e d o i t ?
Source: https://www.schneier.com/blog/archives/2011/06/open-source_sof.html

24. Disappointing headlines
H o w w e d o i t
Source: https://snyk.io/blog/equifax-breach-vulnerable-open-source-libraries/

25. Disappointing headlines
H o w w e d o i t
Source: http://www.zdnet.com/article/equifax-blames-open-source-software-for-its-record-breaking-security-breach/

26. Repository Driven Development
H o w d o w e d o i t ?
NPM
Maven Central
NuGet
Node Package Manager
NuGet is the package manager for .NET
Maven central repository

27. Package Management some stats
H o w w e d o i t

28. Package Management some stats
H o w w e d o i t
Source: https://mvnrepository.com/repos/central

29. Package Management some stats
H o w w e d o i t

30. Package Management some stats
H o w w e d o i t

31. H o w w e d o i t
The NPM dependency network

32. H o w w e d o i t
And don’t forget about risk!

33. Usage of insecure libraries
H o w w e d o i t
Source: https://snyk.io/blog/77-percent-of-sites-use-vulnerable-js-libraries/

34. H o w w e d o i t
Attacks on Open Source Software

35. H o w w e d o i t
Components with Unknown Vulnerabilities

36. Finding a Balance
W h y d o w e d o i t ?
Is it possible to have a relationship
between Open Source and Security if
we adopt a posture of security as a first
class citizen in our organization.
This means raising the bar and our
standards following best practices.

37. W h y d o w e d o i t ?
The OWASP Top 10
Source: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf

38. W h y d o w e d o i t ?
Always check your dependencies
Source: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf
• OWASP Dependency Check
• Snyk
• Node Security Project

39. W h y d o w e d o i t ?
Maintaining third party components
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf
• Keep track of Security Vulnerabilities
• Monitoring and Updating
• Unused components
• TCP reaching end of life of support

40. H o w w e d o i t
Open Source code Lifecycle
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf

41. S e c u r i t y R i s k
Source: https://www.safecode.org/wp-content/uploads/2017/05/SAFECode_TPC_Whitepaper.pdf

42. W h y d o w e d o i t ?
Final Thoughts
Source: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf
• Open Source not always means insecurity.
• Contribute as much as possible to the Open Source
community
• Do informed decisions before using an open source
component or software use some criteria items such as:
• Security issues reported.
• Frequency of bug fixes.
• Activity and Testing
• Patch often

43. Michael Hidalgo
michael.hidalgo@owasp.org
Q & A