This talk aims to let interested users in on the work of being a responsible vendor in the open source security world. It will have a particular focus on Plone, but will be applicable to anyone issuing public fixes for open source code.

1. Open Source Security – a vendor's
perspective
Matthew Wilkes

2. Who am I
Zope/Plone since 2004
Plone security team leader
Former FWT member
2013 board member
sprints, conferences, etc
Python security at The Code Distillery

3. Concepts

4. Vulnerability report
User emails security@plone.org
"Doctor, it hurts when I raise my arm like
this…"

5. Vulnerability
Security team confirms
Find the original cause
Find variants of the same bug

6. Severity
Is this bug an emergency?
Who knows how to exploit it so far?
What damage can an attacker cause?

7. Workaround
Develop a hotfix
Test on supported versions
Release hotfix

8. Fix
Apply changes from the hotfix to core
Create new releases for packages

9. Workflow

10. Workflow
1. Receive notification
2. Add to issue tracker and reply
3. Confirm bug exists
4. Find related problems
5. Request CVE
6. Write hotfix

11. Workflow
7. Test on supported versions
8. Release hotfix
9. Provide notes to oss-security
10. Receive allocated CVE
11. Update plone.org with CVE ids
12. Vulnerability shows on NVD

12. on CVEs

13. The MITRE Corporation
CVE
“ CVE's common identifiers enable data
exchange between security products and provide a
baseline index point for evaluating coverage of tools
and services.

14. Steve Christey, MITRE
CVE
‘ In reality, all of the large vulnerability databases
may have missed published vulnerabilities in the
product …. We routinely see this.

15. National Vulnerability Database
CVE
‘ Summary for CVE-2011-0720: Unspecified
vulnerability in Plone 2.5 through 4.0, allows remote
attackers to obtain administrative access.

16. Not all equal
Can MERGE under certain circumstances
Have to fight for more
Many vulns never have one assigned

17. Why use CVE?
We're expected to
Lets us influence what people say about us
You can google the number

18. CVSSv2

19. What is CVSSv2?
A systematic way of assigning severity
Three sections: Base, Temporal,
Environmental
Our job to provide Base scores
Users can apply the Temporal and
Environmental scores

20. Comparing CVSSv2s
Sometimes vendors release temporal scores
not base
Very few vendors publish the vectors
Vendors often disagree with researchers
Not all options always apply

21. CVSSv2 for companies
Temporal scores let us scale scores over the
lifecycle of the bug
Environmental scores let you weight scores
according to your business goals

22. Why use CVSSv2?
Lets us influence what people say about us
Easier to form policies about what things are
urgent
We can make stats!

23. CWE

24. What is CWE?
OWASP Top-10 2010
A5 Cross-Site-Request Forgery
SANS Top-25 2013 Rank #12
OWASP Top-10 2013
A8 Cross-Site-Request Forgery
CWE-352: Cross-Site Request Forgery
(CSRF)

25. Problems with CWE
940 CWEs currently listed
Very granular

26. Granularity
CWE-759: Use of a One-Way Hash without
a Salt
CWE-916: Use of Password Hash With
Insufficient Computational Effort

27. Why use CWE?
Lets us influence what people say about us
We can make stats

28. Databases

29. Databases
Manually maintained
Pull public information and tabulate
Some companies have write access
Almost all vendors do not

30. Latest Plone update
NVD: November 2011
OSVDB: June 2010
CVE Details: November 2011

31. Statistics

32. Statistics

33. CVE-2013-4196
No gain information?
‘ Multiple information exposure flaws were
found in the way object manager implementation of
Plone, a user friendly and powerful content
management system, protected access to its internal
methods.

34. CVE-2012-5505
No gain information?
‘ On some content types an anonymous view
lookup returns a private data structure, which under
certain circumstances may be used to read out
confidential data.

35. Fix it!

36. Kurt Seifried, RedHat
Collaborative
databases?
‘ Sadly it probably won't work, most projects
barely care about security, even fewer care about
doing advisories correctly.

37. Open Source Vulnerability Database
Collaborative
databases?
‘ Use of the OSVDB, and/or API in a commercial
atmosphere requires a license from OSF or a
commercial partner of our designation. Failure to
obtain a license for such use will result in account
termination and legal action as necessary.

38. Kurt Seifried, RedHat
SPOF
‘ Remember this is supposed to be basically a
small side part of my job at Red Hat and I sometimes
get slammed and grumpy =)

39. Recommendations
1. A wiki type vulnerability database
2. Freely available vulnerability ids
3. Direct editing access for vendors
4. Open data

40. Recommendations
1. Extend CVSSv2 for webapps
2. Allow the public to tag CWE
3. Decouple vulnerability instances and causes

41. Questions?