Information Security Systems

> Security Aspects of Open Source Software

Sander Temme <Sander.Temme@thalesesec.com>

2

<O

pen

Sou

rce

Sec

urity

Thales Core Businesses

Aerospace

30%

Security

30%

Defense

40%

68,000 employees€12.7 B annual revenuesPresence in 50 countries

3

<O

pen

Sou

rce

Sec

urity

Thales ISS Solutions

Payments security

Network encryption

Storage security

Data encryption

Identity management

4

<O

pen

Sou

rce

Sec

urity

Your Presenter

• Member, Apache Software Foundation• Contributor, Apache HTTP Server• Sales Engineer & Consultant• Open Source Integration Expert

5

<O

pen

Sou

rce

Sec

urity

Agenda

• Open Source Software• Security Process • Security Implications• Development Model

6

<O

pen

Sou

rce

Sec

urity

Three Questions

• How does open source respond when security problems occur?

• How does the open source development process affect software quality?

• Is open source software more susceptible to security problems?

7

<O

pen

Sou

rce

Sec

urity

About Open Source

• Closed Source Microsoft, Adobe, Oracle, Symantec, Check Point, …

• Open Source Apache, Debian, FreeBSD, Mozilla, Python, FSF, …

• Hybrid Red Hat, Springsource, Sun, Apple, SugarCRM, …

• Inclusion Oracle, IBM, Apple, Sun, Cisco, NetApp, …

8

<O

pen

Sou

rce

Sec

urity

Open Source Is Not…

• Freeware• Trialware• Shareware• Abandonware (hopefully)• Public Domain

9

<O

pen

Sou

rce

Sec

urity

Where is Open Source Used

• Server side• Operating Systems• Application Stack• Web Facing In the line of fire

10

<O

pen

Sou

rce

Sec

urity

Defacements in 2007

40%

14%

13%

9%

7%

4%

4%

4%6%

Admin CredentialsShare MisconfigurationFile InclusionOther ServiceSQL InjectionWeb Server IntrusionBug exploitDNSOther or Unknown

Source: http://www.zone-h.org/news/id/4686

11

<O

pen

Sou

rce

Sec

urity

Open Source Myths

• Given enough eyeballs, all bugs are shallow

12

<O

pen

Sou

rce

Sec

urity

Open Source Myths

• Given enough eyeballs, all bugs are shallow

• Open Source is Communist!

13

<O

pen

Sou

rce

Sec

urity

Open Source Myths

• Given enough eyeballs, all bugs are shallow

• Open Source is Communist!• Bad guys have the code, too!

14

<O

pen

Sou

rce

Sec

urity

Open Source Myths

• Given enough eyeballs, all bugs are shallow

• Open Source is Communist!• Bad guys have the code, too!• Open Source is more secure than Closed

Source

15

<O

pen

Sou

rce

Sec

urity CASE STUDY: APACHE

Open Source Software Security

16

<O

pen

Sou

rce

Sec

urity

Example: Apache

• #1 Web Server• Non-profit Foundation• Contributors Sun, IBM, Novell, Springsource, Red Hat, Google Many individual contributors

• http://httpd.apache.org• Many packagers

http://people.apache.org/~coar/mlists.html

17

<O

pen

Sou

rce

Sec

urity

Apache is Secure

• Very few vulnerabilities reported• No critical vulnerabilities in 2.2.x• Upgrade to any new release announce@httpd.apache.org

• Default installation locked down But it doesn’t do a whole lot

http://httpd.apache.org/security/vulnerabilities-oval.xml

18

<O

pen

Sou

rce

Sec

urity

Apache Security Process

• Report security problems to security@apache.org

• Real vulnerabilities are assigned CVE number

• Vulnerabilities are classified, fixed• New httpd version released

http://httpd.apache.org/security_report.htmlhttp://cve.mitre.org/http://httpd.apache.org/security/impact_levels.html

announce@apache.org

19

<O

pen

Sou

rce

Sec

urity

20

<O

pen

Sou

rce

Sec

urity

Security Implications

• Developed by programmers• Provenance?• Liabilities?• Support?

21

<O

pen

Sou

rce

Sec

urity

Developed by Programmers

• Not security experts• Get it running

22

<O

pen

Sou

rce

Sec

urity

Database Privileges

Wordpress: GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname” IDENTIFIED BY "password";

Joomla 1.5: GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';

Drupal: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES

Gallery 2: mysql gallery2 -uroot -e"GRANT ALL ON gallery2.* TO username@localhost IDENTIFIED BY 'password'”;

Bugzilla: GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';

23

<O

pen

Sou

rce

Sec

urity

Provenance

• Source Integrity• Intellectual Property• Apache: Digital signatures Committer License Agreement Patent Grant

24

<O

pen

Sou

rce

Sec

urity

Liabilities

• Open Source No warranty

• Closed Source No warranty

25

<O

pen

Sou

rce

Sec

urity

Support

• Often community based You can be part of it

• Visible to the world Don’t post confidential information!

• Support contracts available From third party companies

26

<O

pen

Sou

rce

Sec

urity OPEN DEVELOPMENT

27

<O

pen

Sou

rce

Sec

urity

Open Development

• Mailing lists• Source code changes• Releases• Bus Factor

28

<O

pen

Sou

rce

Sec

urity

Mailing Lists

• All communication by e-mail• Several lists announce@<project>.apache.org users@<project>.apache.org dev@<project>.apache.org cvs@<project>.apache.org

29

<O

pen

Sou

rce

Sec

urity

Code Changes: Transparency

• Source history available• Every modification posted• Instant code review• Etiquette

30

<O

pen

Sou

rce

Sec

urity

Bus Factor

• Development Community• Project Survival• Closed Source Equivalent Vendor out of business Product end-of-life

31

<O

pen

Sou

rce

Sec

urity

Tips

• Get on announce mailinglist• Check out community• Get involved

32

<O

pen

Sou

rce

Sec

urity

Conclusion

• Open Source responds proactively to security issues

• Open Development encourages clean and secure code

• Security Issues are universal and not specific to Open or Closed Source Software

33

<O

pen

Sou

rce

Sec

urity QUESTIONS?