Security and Open Source Software
Sander Temme, [email protected], @keysinthecloud
Your Presenter
Member, Apache Software Foundation
Contributor, Apache HTTP Server
Sales Engineer & Consultant
Open Source Integration Expert
Agenda
Open Source Software
Security Process
Security Implications
Development Model
Three Questions
How does open source respond when security problems occur?
How does the open source development process affect software quality?
Is open source software more susceptible to security problems?
Open Source Software
About Open Source
Closed Source: Microsoft, Adobe, Oracle, Symantec, Check Point, …
Open Source: Apache, Debian, FreeBSD, Mozilla, Python, FSF, …
Hybrid: Red Hat, Hippo, Apple, SugarCRM, …
Inclusion: Oracle, IBM, Apple, Autodesk, Cisco, NetApp, …
Open Source Is Not…
Freeware
Trialware
Shareware
Abandonware (hopefully)
Public Domain
Who Develops Open Source
Users
Consultants
Vendors
Hobbyists
Why Develop Open Source
Resume
User to contributor
Work
Where is Open Source Used
Server side
Operating Systems
Application Stack
Web Facing: in the line of fire
Open Source Security Myths
Given enough eyeballs, all bugs are shallow
Open Source is Communist!
Bad guys have the code, too!
Open Source is more secure than Closed Source
Attack Goals (Source: The Web Hacking Incidents Database, 2009 Report)
Defacement/Planting Malware: 28%
Information Leakage/Stealing Sensitive Data: 26%
Disinformation: 19%
Monetary Loss: 11%
Downtime: 4%
Link Spam: 4%
Phishing: 2%
Other: 6%
Attack Vectors (Source: The Web Hacking Incidents Database, 2009 Report)
SQL Injection: 19%
Unknown: 11%
Insufficient Authentication: 11%
Content Spoofing: 10%
Insufficient Anti-Automation (DoS/Brute Force): 10%
Configuration/Admin Error: 8%
Cross-site Scripting (XSS): 8%
Cross-site Request Forgery (CSRF): 5%
DNS Hijacking: 5%
Worm: 3%
Other: 10%
Exploits of a Mom
http://xkcd.com/327/
Case Study
Apache HTTP Server Security
The httpd Project: #1 Web Server
Non-profit Foundation
Contributors: Oracle, IBM, Novell, VMWare, Red Hat, Google, and many individual contributors
http://httpd.apache.org
Many packagers and distributors
http://people.apache.org/~coar/mlists.html
Apache Security
Very few vulnerabilities reported
No critical vulnerabilities in 2.2.x
Upgrade to any new release (announced on [email protected])
Default installation locked down, but it doesn't do a whole lot
http://httpd.apache.org/security/vulnerabilities-oval.xml
http://www.apache.org/security/
Apache Security Process
Report security problems to [email protected]
Real vulnerabilities are assigned CVE number
Vulnerabilities are classified, fixed
New httpd version released
http://httpd.apache.org/security_report.html
http://cve.mitre.org/
http://httpd.apache.org/security/
[email protected]
http://www.apache.org/security/committers.html
Security Implications of Open Source Software
Application
App Server
Operating System
Network
Security Implications
Developed by programmers
Provenance?
Warranty?
Support?
Developed by Programmers
Not security experts
Get it running
Database Privileges
WordPress: GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";
Joomla 1.5: GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';
Drupal: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES
Gallery 2: mysql gallery2 -uroot -e "GRANT ALL ON gallery2.* TO username@localhost IDENTIFIED BY 'password'";
Bugzilla: GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';
Note that GRANT ALL on the application database hands the web tier DDL (DROP, ALTER) it never needs at runtime; an SQL injection in the application then runs with those privileges.
Getting it Right: Bugzilla
Install script: creates the database, executed as root
Application privileges: limited, only as needed
This is not always practical
GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';
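The two slides above contrast a GRANT ALL install recipe with Bugzilla's enumerated grant. The following is an added example (not from the slides, and not code from Bugzilla, WordPress or any other project named here) of how to take that idea one step further: a separate install-time identity that holds the DDL privileges, and a runtime identity the web application connects as that holds only data-manipulation rights. The database name bugs, the user names bugs_install and bugs_app, and the passwords are assumptions for illustration. It uses MySQL 8 syntax, where users are created with CREATE USER first; the GRANT ... IDENTIFIED BY form on the slides was removed in MySQL 8.0.

```sql
-- Added example; names and passwords below are placeholders, not project defaults.

-- 1. Install/upgrade identity. Holds the schema-changing privileges the
--    installer needs (CREATE, DROP, ALTER, INDEX, REFERENCES). Used by the
--    installer or an operator only; the web server never gets this password.
CREATE USER 'bugs_install'@'localhost' IDENTIFIED BY 'install-secret-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, DROP, ALTER, INDEX, REFERENCES,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON bugs.* TO 'bugs_install'@'localhost';

-- 2. Runtime identity. Data manipulation only, scoped to the one database
--    (bugs.*, never *.*). No DDL, no FILE, no SUPER, no GRANT OPTION.
CREATE USER 'bugs_app'@'localhost' IDENTIFIED BY 'runtime-secret-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON bugs.* TO 'bugs_app'@'localhost';

-- Bugzilla-style applications also take explicit table locks and build
-- temporary tables while serving requests. Add these only if the application
-- actually needs them at runtime; they are still far short of ALL PRIVILEGES.
GRANT CREATE TEMPORARY TABLES, LOCK TABLES
  ON bugs.* TO 'bugs_app'@'localhost';

-- 3. Check what each identity can really do before handing it to the app.
SHOW GRANTS FOR 'bugs_install'@'localhost';
SHOW GRANTS FOR 'bugs_app'@'localhost';

-- 4. Blast-radius check: connect as bugs_app and run the statement an
--    injected "'); DROP TABLE students;--" would try. The server refuses it
--    because bugs_app holds no DROP privilege on bugs.*; with the GRANT ALL
--    recipe from the previous slide the table would be gone.
DROP TABLE bugs.students;

-- 5. Tightening an account that was created with GRANT ALL, without
--    recreating it: strip everything on the database, then grant back only
--    what the runtime path needs.
REVOKE ALL PRIVILEGES ON bugs.* FROM 'bugs_app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON bugs.* TO 'bugs_app'@'localhost';
```

The split only works when the application's runtime code path never issues DDL; applications that create tables on plugin activation or self-upgrade from the web UI will fail under the runtime identity, which is the "not always practical" case the slide refers to. For those, run the upgrade step once under bugs_install and keep the web tier on bugs_app.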
Provenance
Source Integrity
Intellectual Property
Apache: digital signatures, Committer License Agreement, Patent Grant
http://www.apache.org/licenses/icla.txt
http://www.apache.org/licenses/cla-corporate.txt
Warranty
Open Source: no warranty
Closed Source: no warranty
Support
Often community based: you can be part of it
Visible to the world: don't post confidential information!
Support contracts available from third-party companies
Development Model
Open Development At Apache
Open Development
Mailing lists
Source code changes
Releases
Bus Factor
Mailing Lists
All communication by e-mail
Several lists: announce@<project>.apache.org, users@<project>.apache.org, dev@<project>.apache.org, cvs@<project>.apache.org
Code Changes: Transparency
Source history available
Every modification posted
Instant code review
Etiquette
Bus Factor
Development Community
Project Survival
Closed Source Equivalent: vendor out of business, product end-of-life
Tips for Open Source Users
Get on the announce mailing list
Investigate community
Get involved
Conclusion
Open Source responds proactively to security issues
Open Development encourages clean and secure code
Security Issues are universal and not specific to Open or Closed Source Software