ramping up security at an open source startup
play

Ramping up Security at an open-source startup Lukas Reschke whois - PowerPoint PPT Presentation

Nov 26, 2023 •46 likes •606 views

Ramping up Security at an open-source startup Lukas Reschke whois lukas@cloud.wtf owncloud.org 2 whois lukas@owncloud.com 1/31/16 3 Not much other hobbies Fixed a lot of stuff Employed since 2014 Contributor since 2012 1/31/16 4 The

  1. Ramping up Security at an open-source startup Lukas Reschke

  2. whois lukas@cloud.wtf owncloud.org 2

  3. whois lukas@owncloud.com 1/31/16 3

  4. Not much other hobbies Fixed a lot of stuff Employed since 2014 Contributor since 2012 1/31/16 4

  5. The good and bad of the cloud

  6. Awesomeness of the cloud • Accessible everywhere • Back up online • Easy sharing and collaboration • All free!!! (or super cheap … at least the licenses) owncloud.org 6

  8. Take back your data owncloud.org 8

  9. Introducing ownCloud • Sync and share • Open Source • Easy to use • Easy to install • Easy to extend • > 8 million users owncloud.org 9

  10. Web / Desktop / Mobile owncloud.org 10

  11. But that‘s not how we started… 1/31/16 11

  12. ownCloud 1.0

  13. … the project grew

  14. … and companies started to use it owncloud.org 14

  15. … market leader in education + research owncloud.org 15

  16. Security at the start • Everybody could push directly • No formal code review process • No static source code analysis • No manual security testing • No dedicated security personnel (i.e. the same as still today in many companies ;-)) 16 owncloud.org

  17. Ensuring ownCloud Security • Pull Request reviews owncloud.org 17

  18. Ensuring ownCloud Security • Pull Request reviews owncloud.org 18

  19. Ensuring ownCloud Security • Pull Request reviews Source: https://twitter.com/paulmgower/status/674411209836351488 owncloud.org 19

  20. Ensuring ownCloud Security • Pull Request reviews • Regular code reviews for security issues owncloud.org 20

  21. Ensuring ownCloud Security owncloud.org 21

  22. Ensuring ownCloud Security • Pull Request reviews • Regular code reviews for security issues • Automated static analysis owncloud.org 22

  23. owncloud.org 23

  24. Ensuring ownCloud Security • Pull Request reviews • Regular code reviews for security issues • Automated static analysis • Customers do perform security tests • Following industry best practice for security handling (oriented towards ISO 29147, 30111 and 27304) owncloud.org 24

  25. Title Risk Common Weakness Enumeration Vulnerability description Affected software + patches + CVE What we did to fix it Credits owncloud.org 25

  26. Lots and lots of hardenings… owncloud.org 26

  27. And yet… owncloud.org 27

  28. And yet… owncloud.org 28

  29. How are we doing? owncloud.org 29

  30. How are we doing? owncloud.org 30

  31. How are we doing? owncloud.org 31

  32. How are we doing? owncloud.org 32

  33. How are we doing? owncloud.org 33

  34. How are we doing? owncloud.org 34

  35. How are we doing? owncloud.org 35

  36. Security: Secure by Default! • Security checks have to be disabled by the developer (e.g. CSRF + authentication) owncloud.org 36

  37. Security: Secure by Default! • Sicherheitschecks müssen von Entwicklern bewusst deaktiviert werden. 1/31/16 37

  38. Security: Secure by Default! • Security checks have to be disabled by the developer (e.g. CSRF + Authentication) • Internal file system not vulnerable against directory traversal owncloud.org 38

  39. Security: Secure by Default! 1/31/16 39

  40. Security: Secure by Default! • Security checks have to be disabled by the developer (e.g. CSRF + Authentication) • Internal file system not vulnerable against directory traversal • Security functionalities are enabled by default in ownCloud server (e.g. Content-Security-Policy) • … owncloud.org 40

  41. Potential dangerous PHP functions are blacklisted owncloud.org 41

  42. Security is hard owncloud.org 42

  43. HackerOne owncloud.org 43

  44. Why HackerOne? • Used by other major vendors • Great triaging tools and support • Payments processed by HackerOne owncloud.org 44

  45. The platform owncloud.org 45

  46. The platform owncloud.org 46

  47. New Reports 50 45 40 35 30 25 20 15 10 5 0 owncloud.org 47

  48. … and? Type of reported bugs Resolved reports • 3 bugs in scope ($700) Resolved Not • 43 bugs out of scope 14% applicable 18% Informative 32% Duplicate 36% owncloud.org 48

  49. Lessons learned from a bug bounty program • Protect infrastructure against automated testing tools in advance – Don’t forget the contacts form • Quality of reports differs hugely depending on the reporter • Likely no low hanging fruits owncloud.org 49

  50. What went wrong? What could have been better?

  51. Pull Request Reviews • Added at a late stage. • Prevents a lot of pitfalls • … ensure they actually get reviewed … owncloud.org 51

  52. Cryptography owncloud.org 52

  53. Openness • In retrospective: Consider publishing advisories first after you consider your project secure enough. 53 owncloud.org

  54. External reviews • Reviews will come anyways. • Best to be pro-active and have stuff fixed before. • Bug bounty a good addition to external reviews. – … consider starting with higher rewards though. Do not trust reviews without checking them in detail. 54 owncloud.org

  55. Don’t fix single bugs … fix the categories of bugs and do root cause analysis. 55 owncloud.org

  56. Thanks! github.com/owncloud hackerone.com/owncloud

Recommend

How to Ignore Most Startup Advice and Build a Decent Software Business Ines Montani Explosion

How to Ignore Most Startup Advice and Build a Decent Software Business Ines Montani Explosion

How to Ignore Most Startup Advice and Build a Decent Software Business Ines Montani Explosion AI Open-source library for industrial-strength Natural Language Processing in Python Company and digital studio, bootstrapped Open-source

749 views • 29 slides
Tools for large-scale collection & analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection & analysis of source code repositories OPEN SOURCE GIT

Tools for large-scale collection & analysis of source code repositories OPEN SOURCE GIT REPOSITORY COLLECTION PIPELINE Intro Alexander Bezzubov source{d} committer & PMC @ apache zeppelin startup in Madrid engineer

436 views • 25 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By

Adventures in Open Source Software: Dealing with Security Life in the pkgsrc security team By Sevan Janiyan What is pkgsrc Cross platform packaging system 23 listed platforms in 2015Q3 release notes Strive to keep local changes minimal

563 views • 44 slides
Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko

Here's where we are with open source security and here's what we need to do about it Nicko van Someren, Core Infrastructure Initiative 2014 was a bad year for FOSS security The Linux Foundation created the Core Infrastructure Initiative

931 views • 25 slides
Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat Product Security Team 2013-02-02 Overview Vulnerability tracking Tool-chain hardening Distribution-wide defect analysis 2 TRENDS IN OPEN

462 views • 31 slides
Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead

Raising The Security Bar with Guardr Mediacurrent Mark Shropshire Open Source Security Lead Mark is the lead maintainer of Guardr, a suite of modules predicated around Drupal security. He is passionate about architecting systems to solve

812 views • 38 slides
Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group

Web Security CSP and Web Cryptography Habib Virji Samsung Open Source Group habib.virji@samsung.com FOSDEM 2015 Agenda Why Web Security Cross site scripting Content security policy (CSP) CSP Directives and reporting

718 views • 44 slides
OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System

OSSAMS Open Source Security Assessment Management System System Overview Purpose To provide a framework for security assessors to correlate and

438 views • 12 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario

Hassle Free Security Automation with Free and Open Source tools Anderson Dadario https://dadario.com.br - - - - - - - - - - - - - - Source: https://blog.ripstech.com/2016/the-state-of-wordpress-security/ [1] Source:

752 views • 71 slides
The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH Introduction About Johannes Dahse Master IT Security at RUB, Germany (2006 - 2012) Capture The Flag (CTF) Contests Security Consultant

673 views • 64 slides
Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts & Sciences Ubani A Balogun & Justin Klein Keane Security Intelligence HECTOR was developed out of a desire to leverage security

751 views • 25 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and

My Kind of Flexibility 21 21 Increase Flexibility with Open Source Respond faster with a flexible and modular infrastructure built using open source and delivered with: Better quality and security Lower costs No vendor

941 views • 40 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

The Business of Making Strategies for Success from Startup to Exit Hardware and Robotic Startup Accelerator what hardware used to be . VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to Entry Open

605 views • 32 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source Software Leon Anavi Konsulko Group leon.anavi@konsulko.com leon@anavi.org FOSDEM 2018 Agenda Home automation and smart lightning Open

422 views • 30 slides
mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a vast increase in adoption of open source software solutions across the private enterprise, government associations and organizations, industries.

582 views • 18 slides
Qt and Tizen together can do more Tomasz Olszak Qt, Tizen and Open Source enthusiast Why Qt and

Qt and Tizen together can do more Tomasz Olszak Qt, Tizen and Open Source enthusiast Why Qt and

Qt and Tizen together can do more Tomasz Olszak Qt, Tizen and Open Source enthusiast Why Qt and Tizen? Why Tizen? Desktop Web IVI Security Wearable Open Source Community Store Mobile Tv 3 Why Qt? Web Performance Gui Components

465 views • 24 slides
I S R A E L Startup Nation Small but Outstanding 15/1/15 Israel source of innovative

I S R A E L Startup Nation Small but Outstanding 15/1/15 Israel source of innovative

I S R A E L Startup Nation Small but Outstanding 15/1/15 Israel source of innovative ideas and high Knowledge for global expansion film 15/1/15 8000 startups Capital raising 5.2 Billion US $ Total exists 24Billion US$ Net New

627 views • 23 slides
ramping impacts and proposed resolution September 2019 Aggregate ramping issues with gate-

ramping impacts and proposed resolution September 2019 Aggregate ramping issues with gate-

RC_2017_02: Aggregate ramping impacts and proposed resolution September 2019 Aggregate ramping issues with gate- closure The WEM Rules ensure that generation equals the demand forecast at the last second of the Trading Interval Balance

557 views • 10 slides
OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA

OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA

OSMOSIS Open Source Monitoring Security Issues HACKITO ERGO SUM 2014 / April 2014 / Paris AGENDA Who are we? Open Source Monitoring Software Results Demonstration Responses Mitigations and conclusion

1.02k views • 45 slides

More recommend