Information Security Systems > Security Aspects of Open Source Software, Sander Temme (transcript of a slide deck; document posted 19-Dec-2015, category Documents)
Information Security Systems
> Security Aspects of Open Source Software
Sander Temme <[email protected]>
Slide 2: Thales Core Businesses (deck running header: Open Source Security)
• Aerospace: 30%
• Security: 30%
• Defense: 40%
68,000 employees, €12.7 B annual revenues, presence in 50 countries
Slide 3: Thales ISS Solutions
Payments security
Network encryption
Storage security
Data encryption
Identity management
Slide 4: Your Presenter
• Member, Apache Software Foundation
• Contributor, Apache HTTP Server
• Sales Engineer & Consultant
• Open Source Integration Expert
Slide 5: Agenda
• Open Source Software
• Security Process
• Security Implications
• Development Model
Slide 6: Three Questions
• How does open source respond when security problems occur?
• How does the open source development process affect software quality?
• Is open source software more susceptible to security problems?
Slide 7: About Open Source
• Closed Source: Microsoft, Adobe, Oracle, Symantec, Check Point, …
• Open Source: Apache, Debian, FreeBSD, Mozilla, Python, FSF, …
• Hybrid: Red Hat, Springsource, Sun, Apple, SugarCRM, …
• Inclusion: Oracle, IBM, Apple, Sun, Cisco, NetApp, …
Slide 8: Open Source Is Not…
• Freeware
• Trialware
• Shareware
• Abandonware (hopefully)
• Public Domain
Slide 9: Where is Open Source Used
• Server side
• Operating Systems
• Application Stack
• Web Facing: in the line of fire
Slide 10: Defacements in 2007 (chart: attack category and share of incidents)
• Admin Credentials: 40%
• Share Misconfiguration: 14%
• File Inclusion: 13%
• Other Service: 9%
• SQL Injection: 7%
• Web Server Intrusion: 4%
• Bug exploit: 4%
• DNS: 4%
• Other or Unknown: 6%
Source: http://www.zone-h.org/news/id/4686
Slides 12 to 14: Open Source Myths (the list is built up one bullet per slide)
• Given enough eyeballs, all bugs are shallow
• Open Source is Communist!
• Bad guys have the code, too!
• Open Source is more secure than Closed Source
Slide 16: Example: Apache
• #1 Web Server
• Non-profit Foundation
• Contributors: Sun, IBM, Novell, Springsource, Red Hat, Google, and many individual contributors
• http://httpd.apache.org
• Many packagers
http://people.apache.org/~coar/mlists.html
Slide 17: Apache is Secure
• Very few vulnerabilities reported
• No critical vulnerabilities in 2.2.x
• Upgrade to any new release ([email protected])
• Default installation locked down, but it doesn't do a whole lot
http://httpd.apache.org/security/vulnerabilities-oval.xml
Slide 18: Apache Security Process
• Report security problems to [email protected]
• Real vulnerabilities are assigned a CVE number
• Vulnerabilities are classified and fixed
• New httpd version released
http://httpd.apache.org/security_report.html
http://cve.mitre.org/
http://httpd.apache.org/security/impact_levels.html
Slide 20: Security Implications
• Developed by programmers
• Provenance?
• Liabilities?
• Support?
Slide 22: Database Privileges (the database grants each project's install notes ask for)
• WordPress: GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";
• Joomla 1.5: GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';
• Drupal: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES
• Gallery 2: mysql gallery2 -uroot -e"GRANT ALL ON gallery2.* TO username@localhost IDENTIFIED BY 'password'";
• Bugzilla: GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';
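Every statement on this slide gives the web application's database account far more than it needs once installed: a SQL injection or file-inclusion bug in the application then inherits the right to alter or drop the schema. The following Python audit is an added example, not from the slides or from any of the projects named: it parses such GRANT statements (or a bare privilege list like Drupal's) against an assumed runtime baseline of SELECT, INSERT, UPDATE and DELETE and reports the excess; it goes beyond the slide's cases by also flagging a *.* scope and WITH GRANT OPTION. The baseline and the hardened statement are assumptions for illustration, not project recommendations.

```python
import re

# Least-privilege baseline assumed for this example: what a typical web
# application needs at runtime. Installers may need schema rights briefly,
# but the statements quoted on the slide hand them out permanently.
RUNTIME_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
ALL_PRIVS = {"ALL", "ALL PRIVILEGES"}

# Matches the privilege list and object scope of a MySQL GRANT statement.
GRANT_RE = re.compile(r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s",
                      re.IGNORECASE)

def parse_privileges(text):
    """Return (privilege set, scope) from a GRANT statement, or from a bare
    comma-separated list like the Drupal notes (scope None)."""
    m = GRANT_RE.search(text)
    privs_text, scope = (m.group("privs"), m.group("scope")) if m else (text, None)
    privs = {p.strip().upper() for p in privs_text.split(",") if p.strip()}
    return privs, scope

def audit_grant(text):
    """Return findings for an application DB account; [] means least privilege."""
    privs, scope = parse_privileges(text)
    findings = []
    if privs & ALL_PRIVS:
        findings.append("ALL PRIVILEGES: app account can alter or drop the schema")
    excess = sorted(privs - RUNTIME_PRIVS - ALL_PRIVS)
    if excess:
        findings.append("beyond runtime needs: " + ", ".join(excess))
    if scope == "*.*":
        findings.append("scope *.* reaches every database on the server")
    if re.search(r"WITH\s+GRANT\s+OPTION", text, re.IGNORECASE):
        findings.append("WITH GRANT OPTION lets the account re-grant its rights")
    return findings

# Statements as quoted on the slide (names and passwords are placeholders).
SLIDE_GRANTS = {
    "WordPress": 'GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname" IDENTIFIED BY "password";',
    "Joomla 1.5": "GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';",
    "Drupal": "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES",
    "Gallery 2": "mysql gallery2 -uroot -e\"GRANT ALL ON gallery2.* TO username@localhost IDENTIFIED BY 'password'\";",
    "Bugzilla": "GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';",
}
# Hardened alternative (an assumption, not a project recommendation).
HARDENED = "GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app'@'localhost';"

if __name__ == "__main__":
    for name, stmt in list(SLIDE_GRANTS.items()) + [("hardened", HARDENED)]:
        print(name, "->", audit_grant(stmt) or ["least privilege"])
```

Run it as a script to see one line per project; every slide statement yields at least one finding and the hardened grant yields none.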
Slide 23: Provenance
• Source Integrity
• Intellectual Property
• Apache: digital signatures, Committer License Agreement, patent grant
Slide 25: Support
• Often community based; you can be part of it
• Visible to the world; don't post confidential information!
• Support contracts available from third-party companies
Slide 27: Open Development
• Mailing lists
• Source code changes
• Releases
• Bus Factor
Slide 28: Mailing Lists
• All communication by e-mail
• Several lists: announce@<project>.apache.org, users@<project>.apache.org, dev@<project>.apache.org, cvs@<project>.apache.org
Slide 29: Code Changes: Transparency
• Source history available
• Every modification posted
• Instant code review
• Etiquette
Slide 30: Bus Factor
• Development Community
• Project Survival
• Closed Source equivalent: vendor out of business, product end-of-life
Slide 32: Conclusion
• Open Source responds proactively to security issues
• Open Development encourages clean and secure code
• Security Issues are universal and not specific to Open or Closed Source Software