Cyber Security And Open Source: Managing Expectations, Reducing Fears and Understanding Reality
Chad Cravens, Open Source Systems, www.ossys.com


Page 1: Cyber Security and Open Source

Cyber Security And Open Source

Managing Expectations, Reducing Fears and Understanding Reality

Chad Cravens
Open Source Systems

www.ossys.com

Page 2: Cyber Security and Open Source

About The Speaker

Open Source Systems – www.ossys.com

2007 – Graduate of New Mexico Institute of Mining and Technology (Scholarship for Service Recipient)

2007 – 2011 – Federal Employee at SPAWAR (Space and Naval Warfare Systems Center)

2012 – Software Engineer at Small Wall St Firm

2014 – Founded Open Source Systems

Chad Cravens
Charleston, SC

Software Fanatic

Stickler for Software Quality and Security!

Page 3: Cyber Security and Open Source

What Is Cyber Security?


The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.

- Confidentiality
- Availability
- Integrity

Page 4: Cyber Security and Open Source

Life in the day of a Program Manager


Walk a day in her shoes…

People, Personalities, Customers, Burn Rates, Teams, Processes, Budgets, Implementation, Integration, Hiring, Stakeholders, Deadlines, Vendors, Technology

Page 5: Cyber Security and Open Source

What is the Issue with Open Source?


Who’s afraid of the Boogey Man?

FEAR: False Expectations Appearing Real

What is this “Open Source” thing? -- A FEAR of the unknown --

Page 6: Cyber Security and Open Source

Let’s Use this Open Source Tool!


Billy Bob from dev team 6 suggests we use this open source product

What is the license?
Is it supported?
Who developed it?
What’s the cost?
Is it accredited?

Page 7: Cyber Security and Open Source

We are your Super-Vendor!


Mr. Big-Name Vendor in a suit says we should use their product instead

What is the license?
Is it supported?
Who developed it?
What’s the cost?
Is it accredited?

YES YES YES YES YES YES YES YES YES YES YES YES YES YES

Page 8: Cyber Security and Open Source

Turn FEAR into Knowledge


The Right Tool for the Right Job

Page 9: Cyber Security and Open Source

First, What are the threats?


• Zero-day Exploits
• Web-Based Attacks
• Ransomware
• Social Media Scams
• Phishing
• Internet of Things
• Mobile Attacks

http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf

Page 10: Cyber Security and Open Source

Second, Debunk the Myths


First thing, “Open Source” is BIG:

Operating Systems
Enterprise Libraries
Message Brokering
Encryption
Embedded Systems
Programming Languages
Front-End Development
MVC Frameworks
Network Devices
Mobile

Page 11: Cyber Security and Open Source

“Big Guys” Going Open Source


Tesla released all patents as open source

Netflix custom software released as open source

.NET Core is now open source

Oracle acquired Sun, giving it Java and MySQL

Page 12: Cyber Security and Open Source

Open Source in the Government


http://www.data.gov/

https://government.github.com/community/

http://mil-oss.org/

http://code.nasa.gov/

April 2009 White House Report

Page 13: Cyber Security and Open Source

Debunking Myths


“Open Source is Insecure”
Reality:
- Source code is not needed to circumvent security
- Licensing has little effect on the security of software

“Open Source is More Secure”
Reality:
- Open-sourcing bad / insecure code will not make it secure
- Only good coding practices will create secure code
- Having more reviewers may benefit the security of a project

Page 14: Cyber Security and Open Source

Debunking Myths


“Anyone Can Contribute Malicious Code”
Reality:
- Projects have a core team of contributors
- Additions to the code are analyzed before being merged

“Hackers Can More Easily Exploit”
Reality:
- Tools allow tracing of binaries; the exploit is in the binary, not the code
- Hackers do not need source code to exploit

Page 15: Cyber Security and Open Source

Exploit Example!


Human Ingenuity Knows No Bounds

The MySpace Worm – Samy Is My Hero

JavaScript in a background CSS attribute in a <div> tag:

<div style="background:url('javascript:alert(1)')">

Putting javascript in an expr attribute:

<div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document.all.mycode.expr)')">

Using newlines to bypass filtering of “javascript”:

<div id="mycode" expr="alert('hah!')" style="background:url('java
script:eval(document.all.mycode.expr)')">
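The defender's side of the slide's example, as an added illustration that is not part of the original deck: the kind of keyword filter the newline trick walks past, a whitespace-normalising variant that closes that one gap, and an allowlist sanitiser that drops `style` and every unknown attribute, so there is no attribute left for a script URL to hide in. The payload strings are constructed for this example and modelled on the snippets above; `example.invalid` is a placeholder host.

```python
import html
import re
from html.parser import HTMLParser

# Sample inputs constructed for this example (modelled on the slide's snippets).
PAYLOAD_PLAIN = "<div style=\"background:url('javascript:alert(1)')\">x</div>"
PAYLOAD_NEWLINE = "<div style=\"background:url('java\nscript:alert(1)')\">x</div>"
BENIGN = '<p>Hello <b>world</b> <a href="https://example.invalid/">link</a></p>'


def naive_keyword_filter(fragment):
    """Blocklist on the literal keyword. Returns True when the fragment is allowed.
    'java\\nscript' contains no 'javascript' substring, so it is waved through."""
    return "javascript" not in fragment.lower()


def normalised_keyword_filter(fragment):
    """Collapse whitespace and control characters before matching.  This closes the
    newline gap but is still a blocklist (other encodings could evade it), so treat
    it as detection logic, not as the primary control."""
    collapsed = re.sub(r"[\s\x00-\x1f]+", "", fragment).lower()
    return "javascript" not in collapsed


# Allowlist: tag -> attributes permitted on it.  'style' is deliberately absent.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
SAFE_URL = re.compile(r"^https?://", re.IGNORECASE)


class AllowlistSanitiser(HTMLParser):
    """Rebuild the fragment keeping only allowlisted tags and attributes.
    Everything else is dropped (tags) or escaped (text)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag: dropped entirely, attributes included
        kept = []
        for name, value in attrs:
            # Only allowlisted attributes survive, and URL-valued ones must be http(s)
            # after whitespace is stripped (so the newline trick cannot hide a scheme).
            if name in ALLOWED[tag] and value and SAFE_URL.match(re.sub(r"\s", "", value)):
                kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data))  # text is always output-encoded


def sanitise(fragment):
    """Return the allowlisted, re-serialised form of a user-supplied HTML fragment."""
    parser = AllowlistSanitiser()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for label, payload in (("plain", PAYLOAD_PLAIN), ("newline", PAYLOAD_NEWLINE)):
        print(label, "naive allows:", naive_keyword_filter(payload),
              "| normalised allows:", normalised_keyword_filter(payload),
              "| sanitised:", repr(sanitise(payload)))
```

The lesson the two filters teach is that any blocklist on the attacker's bytes is a race you eventually lose; the sanitiser wins because it decides what is allowed rather than what is forbidden, and it output-encodes everything else.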

Page 16: Cyber Security and Open Source

Security is About Management


Program Defensively!

1. Injection Flaws
2. Broken Authentication / Session Management
3. Cross-Site Scripting
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Page 17: Cyber Security and Open Source

Security is About Knowledge


Page 18: Cyber Security and Open Source

Security is About Processes


Embrace Agile!

What Agile Is Not:
• A Buzzword for Companies
• A Fad
• A JIRA Account

What Agile Is:
• A Suite of Processes, Methodologies and Tools
• Testing
• Metrics
• Automation

Page 19: Cyber Security and Open Source

Use Open Source Effectively


Use ORM tools to help mitigate SQL injection

Use unit testing to build test suites against your code

Use Jenkins for testing and build automation

Use SonarQube for code quality testing (PMD / FindBugs)
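Item 1 of the OWASP list (Injection Flaws) and the ORM and unit-testing bullets above come down to one rule: input must never become SQL syntax. The following is an added example, not the deck's or any project's code, built on Python's standard-library sqlite3 with an in-memory table constructed for the demonstration. Parameter binding is what an ORM does for you under the hood, and `leaks_on_probe` is the kind of regression check a test suite can run against every lookup function.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (not from the original deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """String-builds the statement, so a quote in `name` ends the literal and the
    rest of the input is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn, name):
    """Binds `name` as a value; the database engine never parses it as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed probe: a name that does not exist, carrying a tautology.  A correct
# lookup returns nothing for it; a vulnerable one returns every row.
PROBE = "nobody' OR '1'='1"


def leaks_on_probe(lookup):
    """Regression check for a lookup function: True if the probe leaks rows.
    Raising a database error on the malformed input counts as safe."""
    conn = make_db()
    try:
        rows = lookup(conn, PROBE)
    except sqlite3.Error:
        return False
    finally:
        conn.close()
    return len(rows) > 0


def run_checks():
    """Results a test suite can assert on."""
    conn = make_db()
    results = {
        "vulnerable_leaks": leaks_on_probe(find_user_vulnerable),
        "parameterised_leaks": leaks_on_probe(find_user_parameterised),
        "normal_lookup": find_user_parameterised(conn, "alice"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    print(run_checks())
```

Wire `leaks_on_probe` into the Jenkins-driven test stage the slide recommends and a string-built query can no longer reach production unnoticed.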

Page 20: Cyber Security and Open Source

Use Open Source Effectively


Use OWASP ZAP to dynamically scan web-based software

Use PicketLink for XACML policy enforcement

Use OpenSSL for Cryptographic functions

Use AspectJ for Logging and configuration management

Page 21: Cyber Security and Open Source

Use Open Security Standards


Page 22: Cyber Security and Open Source

Use Mature Open Source Projects


Page 23: Cyber Security and Open Source

Roots in Open Source


Cyber Security has roots in Open Source

Page 24: Cyber Security and Open Source

Open Source Cyber Lab


Page 25: Cyber Security and Open Source

Thank you!
