Information Security Systems
Security Aspects of Open Source Software
Sander Temme <[email protected]>
Open Source Security
Thales Core Businesses
• Aerospace: 30%
• Security: 30%
• Defense: 40%
68,000 employees; €12.7 B annual revenues; presence in 50 countries
Thales ISS Solutions
Payments security
Network encryption
Storage security
Data encryption
Identity management
Your Presenter
• Member, Apache Software Foundation
• Contributor, Apache HTTP Server
• Sales Engineer & Consultant
• Open Source Integration Expert
Agenda
• Open Source Software
• Security Process
• Security Implications
• Development Model
Three Questions
• How does open source respond when security problems occur?
• How does the open source development process affect software quality?
• Is open source software more susceptible to security problems?
About Open Source
• Closed Source: Microsoft, Adobe, Oracle, Symantec, Check Point, …
• Open Source: Apache, Debian, FreeBSD, Mozilla, Python, FSF, …
• Hybrid: Red Hat, Springsource, Sun, Apple, SugarCRM, …
• Inclusion (open source shipped inside closed products): Oracle, IBM, Apple, Sun, Cisco, NetApp, …
Open Source Is Not…
• Freeware
• Trialware
• Shareware
• Abandonware (hopefully)
• Public Domain
Where is Open Source Used
• Server side
• Operating Systems
• Application Stack
• Web Facing (in the line of fire)
Defacements in 2007
[Pie chart: share of web site defacements by attack method. Categories: Admin Credentials, Share Misconfiguration, File Inclusion, Other Service, SQL Injection, Web Server Intrusion, Bug exploit, DNS, Other or Unknown. Shares shown: 40%, 14%, 13%, 9%, 7%, 6%, 4%, 4%, 4%.]
Source: http://www.zone-h.org/news/id/4686
Open Source Myths
• Given enough eyeballs, all bugs are shallow
• Open Source is Communist!
• Bad guys have the code, too!
• Open Source is more secure than Closed Source
CASE STUDY: APACHE
Open Source Software Security
Example: Apache
• #1 Web Server
• Non-profit Foundation
• Contributors: Sun, IBM, Novell, Springsource, Red Hat, Google, and many individual contributors
• http://httpd.apache.org
• Many packagers
http://people.apache.org/~coar/mlists.html
Apache is Secure
• Very few vulnerabilities reported
• No critical vulnerabilities in 2.2.x
• Upgrade to any new release: [email protected]
• Default installation locked down (but it doesn't do a whole lot)
http://httpd.apache.org/security/vulnerabilities-oval.xml
Apache Security Process
• Report security problems to [email protected]
• Real vulnerabilities are assigned a CVE number
• Vulnerabilities are classified, then fixed
• New httpd version released
http://httpd.apache.org/security_report.html
http://cve.mitre.org/
http://httpd.apache.org/security/impact_levels.html
Security Implications
• Developed by programmers
• Provenance?
• Liabilities?
• Support?
Developed by Programmers
• Not security experts
• The goal is to get it running; the install instructions below show what that does to privilege
Database Privileges
Wordpress:
GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";
Joomla 1.5:
GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';
Drupal (privileges required): SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES
Gallery 2:
mysql gallery2 -uroot -e"GRANT ALL ON gallery2.* TO username@localhost IDENTIFIED BY 'password'";
Bugzilla:
GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';
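Added example, not taken from the slides or from any of the projects quoted above: the same WordPress-style grant split into an installer account that holds DDL rights and a least-privilege runtime account that only manipulates data, plus the queries to audit and narrow an account that was created the "get it running" way. MySQL syntax; the account names wp_install and wp_app, the database name wordpress and the passwords are placeholders.

```sql
-- Added example (MySQL). Account names, host, database and passwords are placeholders.

-- 1. Installer / upgrade account: the only one that may create, alter or drop
--    tables. Use it for the web installer and schema upgrades, then leave it unused.
CREATE USER 'wp_install'@'localhost' IDENTIFIED BY 'install-password';
GRANT CREATE, ALTER, DROP, INDEX, LOCK TABLES, CREATE TEMPORARY TABLES,
      SELECT, INSERT, UPDATE, DELETE
  ON wordpress.* TO 'wp_install'@'localhost';

-- 2. Runtime account: the credentials that go into the application's config file.
--    Data manipulation on its own schema only. A SQL injection through this account
--    cannot DROP tables, ALTER columns, read other schemas or use FILE/SUPER.
CREATE USER 'wp_app'@'localhost' IDENTIFIED BY 'runtime-password';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON wordpress.* TO 'wp_app'@'localhost';

-- 3. Audit an existing installation. Either statement shows what the account
--    actually holds; ALL PRIVILEGES, DROP, ALTER, FILE or SUPER on a runtime
--    account is the default the quoted install instructions produce.
SHOW GRANTS FOR 'wordpressusername'@'hostname';
SELECT grantee, privilege_type
  FROM information_schema.schema_privileges
 WHERE table_schema = 'wordpress';

-- 4. Narrow an over-privileged runtime account without reinstalling.
REVOKE ALL PRIVILEGES ON wordpress.* FROM 'wordpressusername'@'hostname';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON wordpress.* TO 'wordpressusername'@'hostname';
```

Two caveats a practitioner will hit. First, applications that create or alter tables at runtime (WordPress plugin activation and core auto-upgrade, Drupal module installs) will fail with a DML-only account; either run those steps with the installer account or grant CREATE and ALTER deliberately rather than by default. Second, the `GRANT ... IDENTIFIED BY` form used in the quoted snippets creates the account as a side effect and was removed in MySQL 8.0, which is why the example creates users first and grants separately.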
Provenance
• Source Integrity
• Intellectual Property
• Apache: digital signatures on releases, Committer License Agreement, patent grant
Liabilities
• Open Source: no warranty
• Closed Source: no warranty
Support
• Often community based; you can be part of it
• Visible to the world; don't post confidential information!
• Support contracts available from third party companies
OPEN DEVELOPMENT
Open Development
• Mailing lists
• Source code changes
• Releases
• Bus Factor
Mailing Lists
• All communication by e-mail
• Several lists per project:
  announce@<project>.apache.org
  users@<project>.apache.org
  dev@<project>.apache.org
  cvs@<project>.apache.org
Code Changes: Transparency
• Source history available
• Every modification posted
• Instant code review
• Etiquette
Bus Factor
• How many contributors the project can lose before it stalls
• Development Community
• Project Survival
• Closed Source equivalent: vendor out of business, product end-of-life
Tips
• Get on the announce mailing list
• Check out the community
• Get involved
Conclusion
• Open Source responds proactively to security issues
• Open Development encourages clean and secure code
• Security Issues are universal and not specific to Open or Closed Source Software
QUESTIONS?