Cyber Security and Open Source
Managing Expectations, Reducing Fears and Understanding Reality
Chad Cravens, Open Source Systems
www.ossys.com
About The Speaker
Open Source Systems – www.ossys.com
2007 – Graduate of New Mexico Institute of Mining and Technology (Scholarship for Service Recipient)
2007 – 2011 Federal Employee at SPAWAR (Space and Naval Warfare Systems Center)
2012 – Software Engineer at Small Wall St Firm
2014 – Founded Open Source Systems
Chad Cravens, Charleston, SC
Software Fanatic
Stickler for Software Quality and Security!
What Is Cyber Security?
The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.
- Confidentiality
- Availability
- Integrity
Life in the day of a Program Manager
Walk a day in her shoes...
People
Personalities
Customers
Burn Rates
Teams
Processes
Budgets
Implementation
Integration
Hiring
Stakeholders
Deadlines
Vendors
Technology
What is the Issue with Open Source?
Who’s afraid of the Boogey Man?
False
Expectations
Appearing
Real
What is this “Open Source” thing?
-- A FEAR of the unknown --
Let’s Use this Open Source Tool!
Billy Bob from dev team 6 suggests we use this open source product
What is the license?
Is it supported?
Who developed it?
What’s the cost?
Is it accredited?
We are your Super-Vendor!
Mr. Big-Name Vendor in a suit says we should use their product instead
What is the license?
Is it supported?
Who developed it?
What’s the cost?
Is it accredited?
(Slide shows the vendor answering YES to every question)
Turn FEAR into Knowledge
The Right Tool for the Right Job
First, What are the threats?
• Zero-day Exploits
• Web-Based Attacks
• Ransomware
• Social Media Scams
• Phishing
• Internet of Things
• Mobile Attacks
http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
Second, Debunk the Myths
First thing, “Open Source” is BIG:
Operating Systems
Enterprise Libraries
Message Brokering
Encryption
Embedded Systems
Programming Languages
Front-End Development
MVC Frameworks
Network Devices
Mobile
“Big Guys” Going Open Source
Tesla released all patents as open source
Netflix custom software released as open source
.NET Core is now open source
Oracle acquired Sun, giving it Java and MySQL
Open Source in the Government
http://www.data.gov/
https://government.github.com/community/
http://mil-oss.org/
http://code.nasa.gov/
April 2009 White House Report
Debunking Myths
“Open Source is Insecure”
Reality:
- Source code is not needed to circumvent security
- Licensing has little effect on the security of software
“Open Source is More Secure”
Reality:
- Open-sourcing bad / insecure code will not make it secure
- Only good coding practices will create secure code
- Having more reviewers may benefit the security of a project
Debunking Myths
“Anyone Can Contribute Malicious Code”
Reality:
- Projects have a core team of contributors
- Additions to the code are analyzed before being merged
“Hackers Can More Easily Exploit”
Reality:
- Tools allow tracing of binaries; the exploit is in the binary, not the code
- Hackers do not need source code to exploit
Exploit Example!
Human Ingenuity Knows No Bounds
The MySpace Worm – Samy Is My Hero
JavaScript in a background CSS attribute in a <div> tag:
<div style="background:url('javascript:alert(1)')">
Putting JavaScript in an expr attribute:
<div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document.all.mycode.expr)')">
Using newlines to bypass filtering of “javascript”
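The slide's last step is the lesson for defenders: a filter that looks for the literal word "javascript" is defeated by splitting it with a newline. The following is an added illustration, not code from the talk or from MySpace; the sample markup is constructed to match the shapes shown above (including a "java\nscript:" form for the newline trick), and the function and class names are the author's own. It contrasts the naive substring check with a check that parses the markup first and normalises attribute values, and then shows the more durable fix: re-emitting the markup through an attribute allowlist so `style` and unknown attributes such as `expr` never get through at all.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample inputs shaped like the payloads on the slide (not captured pages).
SAMPLES = {
    "plain": "<div style=\"background:url('javascript:alert(1)')\">hi</div>",
    "expr": ("<div id=\"mycode\" expr=\"alert('hah!')\" "
             "style=\"background:url('javascript:eval(document.all.mycode.expr)')\">"),
    "newline": "<div style=\"background:url('java\nscript:alert(1)')\">hi</div>",
    "benign": "<div class=\"box\" style=\"background:url('/img/bg.png')\">hi</div>",
}


def naive_filter_blocks(html: str) -> bool:
    """A literal substring check: a newline in the middle of 'javascript' walks past it."""
    return "javascript" in html.lower()


_STRIP = re.compile(r"[\s\x00-\x1f]+")


def normalise(value: str) -> str:
    """Remove whitespace and control characters so obfuscated tokens collapse
    ('java\\nscript:' becomes 'javascript:')."""
    return _STRIP.sub("", value).lower()


class AttrAuditor(HTMLParser):
    """Parse the markup (which also decodes entities) and flag any attribute whose
    normalised value carries a script-capable scheme or a CSS expression()."""
    MARKERS = ("javascript:", "vbscript:", "expression(")

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute) pairs

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and any(m in normalise(value) for m in self.MARKERS):
                self.findings.append((tag, name))


def hardened_filter_blocks(html: str) -> bool:
    """Parse, normalise, then inspect: catches the newline variant the naive check misses."""
    auditor = AttrAuditor()
    auditor.feed(html)
    auditor.close()
    return bool(auditor.findings)


class AllowlistRewriter(HTMLParser):
    """Re-emit the markup keeping only allowlisted tags and attributes; 'style' and
    unknown attributes such as 'expr' are dropped rather than inspected."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed  # {tag: set(of allowed attribute names)}
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return
        kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if n in self.allowed[tag] and v is not None]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitise(html: str, allowed=None) -> str:
    """Allowlist rewrite: never pass style or unrecognised attributes through."""
    rewriter = AllowlistRewriter(allowed or {"div": {"id", "class"}, "p": set(), "b": set()})
    rewriter.feed(html)
    rewriter.close()
    return "".join(rewriter.out)


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:8} naive={naive_filter_blocks(sample)!s:5} "
              f"hardened={hardened_filter_blocks(sample)}")
        print("   sanitised:", sanitise(sample))
```

The detector is useful for logging and alerting on submitted content, but the allowlist rewriter is the control to rely on: it does not try to enumerate every obfuscation of a dangerous value, it simply refuses to carry attributes it was not told to keep.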
Security is About Management
Program Defensively!
1. Injection Flaws
2. Broken Authentication / Session Management
3. Cross-Site Scripting
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Security is About Knowledge
Security is About Processes
Embrace Agile!
What Agile Is Not:
• A Buzzword for Companies
• A Fad
• A JIRA Account
What Agile Is:
• A Suite of Processes, Methodologies and Tools
• Testing
• Metrics
• Automation
Use Open Source Effectively
Use ORM tools to help mitigate SQL injection
Use unit testing to build test suites against your code
Use Jenkins for testing and build automation
Use SonarQube for code quality testing (PMD / FindBugs)
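The first two bullets belong together: the reason an ORM helps against SQL injection is that it emits parameterized queries, and a unit test is the cheapest way to prove a data-access function does the same. The block below is an added example, not code from the talk, using Python's built-in sqlite3 module with a constructed in-memory users table; the function names and the probe string are the author's own. It places a string-concatenated lookup beside a parameterized one and wraps both in a regression check of the kind that would sit in a test suite.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table seeded with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str):
    """String concatenation: the input becomes part of the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str):
    """Bound parameter (what an ORM generates for you): the input is only ever data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def regression_checks() -> dict:
    """The shape of a unit test: same inputs through both paths, results compared.

    The probe is a constructed string that closes the quoted literal early; the
    concatenated query then matches on role instead of name, while the
    parameterized query simply looks for a user literally named that string."""
    conn = build_db()
    probe = "' OR role = 'admin"
    return {
        "normal_vulnerable": find_user_vulnerable(conn, "bob"),
        "normal_safe": find_user_parameterized(conn, "bob"),
        "probe_vulnerable": find_user_vulnerable(conn, probe),
        "probe_safe": find_user_parameterized(conn, probe),
    }


if __name__ == "__main__":
    for label, rows in regression_checks().items():
        print(f"{label:18} -> {rows}")
```

A test like `regression_checks` is worth keeping even after the concatenated version is deleted: it fails loudly the day someone reintroduces string building in a data-access layer, which is exactly the kind of regression a build-automation step (Jenkins, in the deck's tooling) should catch before merge.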
Use Open Source Effectively
Use OWASP ZAP to dynamically scan web-based software
Use PicketLink for XACML policy enforcement
Use OpenSSL for cryptographic functions
Use AspectJ for logging and configuration management
Use Open Security Standards
Use Mature Open Source Projects
Roots in Open Source
Cyber Security has roots in Open Source
Open Source Cyber Lab
Thank you!