(In)security in Open Source
Even great approaches to software can have challenges.
The question is how we address them.
Open Source is Massive
Open Source is everywhere in embedded, mobile and enterprise computing.
According to the leading survey of Open Source market adoption, 43% of companies find it more competitive than alternatives, 43% find it easier to deploy and 58% find it has the greatest ability to scale.
It exists in every sector and adoption is growing.
Reference: Black Duck 2015 Future of Open Source Survey
78% of surveyed companies run on Open Source and less than 3% do not use Open Source in any way.
Reference: Black Duck 2015 Future of Open Source Survey
89% of surveyed companies said that Open Source impacts the speed of innovation and improves time to market for new products.
Reference: Black Duck 2015 Future of Open Source Survey
What’s the catch?
Open Source and Security
There have been significant vulnerabilities discovered in widely used Open Source components.
These flaws sat for years in applications that had been tested with static and dynamic analysis tools, without those tools detecting them.
They were eventually disclosed by security researchers conducting manual code reviews.
This Matters
"Through 2020, security and quality defects publicly attributed to OSS projects will increase significantly, driven by a growing presence within high-profile, mission-critical and mainstream IT workloads."
Gartner, Road Map for Open-Source Success: Understanding Quality and Security, Mark Driver, 3 March 2014.
The DROWN attack (CVE-2016-0800) left more than 11 million HTTPS websites at risk: their servers, or other servers sharing the same certificate key, still accepted SSLv2 connections through OpenSSL, and an attacker could use those to decrypt modern TLS sessions.
http://thehackernews.com/2016/03/drown-attack-openssl-vulnerability.html
IoT breaches expose infrastructure, as in the recent hack of bus arrival information screens in Korea that made them display pornography.
http://m.chosun.com/svc/article.html?sname=news&contid=2016042601303
Open Source Security is a big deal
What Do We Do?
There is a lot of process documentation and tooling available for Open Source licensing compliance.
We are only starting to see the emergence of equivalent process documentation and tooling for Open Source security.
In fact, most companies do not use any of it yet.
67% of surveyed companies said that they do not monitor Open Source code for security vulnerabilities.
Reference: Black Duck 2015 Future of Open Source Survey
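The monitoring that two thirds of surveyed companies skip is, at its simplest, a comparison of a pinned component inventory against a list of published advisories with version ranges. The script below is an added example written for this page, not code from the original slides or from any of the vendors named on it. The inventory (in the "name==version" shape of a pip freeze) and the advisory records are constructed for illustration; the advisory identifiers such as EXAMPLE-0001 are hypothetical placeholders, not real CVE numbers, and a real check would pull advisories from a feed such as the NVD and read the inventory from a lockfile or SBOM.

```python
"""Checking a component inventory against a list of known vulnerabilities.

Added example, not code from the original slides. The inventory and the
advisory records are constructed for illustration; the advisory identifiers
are hypothetical placeholders, not real CVE numbers.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str   # hypothetical identifier, not a real CVE
    introduced: str    # first affected version, inclusive
    fixed: str         # first fixed version, exclusive; "" means no fix yet
    summary: str


# Constructed advisory list standing in for a real feed (NVD, a vendor DB, ...).
SAMPLE_ADVISORIES = [
    Advisory("libfoo", "EXAMPLE-0001", "1.0.0", "1.2.4", "out-of-bounds read in parser"),
    Advisory("libbar", "EXAMPLE-0002", "1.5.0", "2.0.0", "weak default cipher suite"),
    Advisory("libbaz", "EXAMPLE-0003", "0.1.0", "", "unauthenticated admin endpoint"),
]

# Constructed inventory in the "name==version" shape of pip freeze output.
SAMPLE_INVENTORY = """\
# generated component list (constructed sample)
libfoo==1.2.3
libbar==2.0.0
libbaz==v0.9.1
libqux==3.1.0-rc2
"""


def parse_version(text):
    """Turn '1.2.3', 'v1.2.3' or '3.1.0-rc2' into a comparable tuple of ints.

    Only the leading dotted numeric part is compared; pre-release tags are
    dropped, which is a deliberate simplification. Returns None when the
    string carries no numeric version at all (e.g. 'latest').
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(a, b):
    """Right-pad two version tuples with zeros so 1.2 and 1.2.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed); no fix means open-ended."""
    v = parse_version(version)
    lo = parse_version(advisory.introduced)
    if v is None or lo is None:
        return False  # cannot assess an unparseable version; report separately
    v, lo = _pad(v, lo)
    if v < lo:
        return False
    if not advisory.fixed:
        return True
    hi = parse_version(advisory.fixed)
    v, hi = _pad(v, hi)
    return v < hi


def parse_inventory(text):
    """Parse 'name==version' lines; blank lines and comments are skipped."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if not sep:
            # An unpinned component cannot be assessed against a version range.
            raise ValueError(f"unpinned component, cannot assess: {line}")
        items.append((name.strip().lower(), version.strip()))
    return items


def find_vulnerable(inventory_text, advisories):
    """Return (component, version, advisory_id) for every matching advisory."""
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv.component.lower(), []).append(adv)
    hits = []
    for name, version in parse_inventory(inventory_text):
        for adv in by_component.get(name, []):
            if is_affected(version, adv):
                hits.append((name, version, adv.advisory_id))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{name} {version}: matches {adv_id}")
```

Numeric tuple comparison matters here: a string comparison would rank 1.10.0 below 1.9.3 and report a fixed build as vulnerable. The other caveat a practitioner should keep in mind is that an inventory only covers what it lists; statically linked or vendored copies of a component never appear in a pip freeze, which is one reason the binary analysis tools mentioned later on this page exist.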
The Community Evolves
This is obviously not an area that can remain neglected for long.
New connected segments that substantially depend on Open Source, like IoT and Smart Infrastructure, mean that we cannot ignore security any longer.
The Community Adapts
The global Open Source community has dealt with improving processes and tooling before.
The basic approach is to identify the core problems, decide what needs documenting (processes) and what can be automated (tooling), and then collaborate to create the deliverables.
Improved Security in Open Source is Coming
Projects like the Core Infrastructure Initiative at the Linux Foundation have emerged to both explain key processes and coordinate funding to address security issues.
Vendors and projects around the world are gradually building tooling to help with Open Source security analysis and monitoring.
Will 2017 be different?
Maturity Will Bring Increased Choice
In Open Source license compliance we have a lot of choices around process documentation and automated tooling.
There is generic process material from FOSS Bazaar, specific package description material from SPDX, and supply chain management material from OpenChain. For automated tooling there are products like the Binary Analysis Tool, Black Duck Protex and Protecode, and community projects like FOSSology.
The same type of choice will apply to Open Source security.
You can expect the emergence of best practices for generic Open Source security, specific material to address development problems, and other material to assist with supply chain challenges.
On the tooling side you can expect the emergence of a range of solutions to support these requirements. We have already seen the beginning of this from both security vendors and companies that traditionally focused on license compliance issues.
Security is what you make of it
Open Source is no safer or more dangerous than any other type of software if used without good processes and best practices.
However, if good processes and best practices are applied, Open Source has the potential to be more secure than anything else.
Open Source has some security challenges
It is still as secure as proprietary software
But it can be substantially better as more best practices emerge
You can be part of the solution