while using open source
play

While Using Open Source Guy Bar Gil, Product Manager 1 2 3 - PowerPoint PPT Presentation

Jan 02, 2024 •326 likes •739 views

How to Sleep Soundly at Night While Using Open Source Guy Bar Gil, Product Manager 1 2 3 SmallComp s M&A Staying Secure The Equifax Breach 2 Introduction Slide Two dogs + one cat In my free time I enjoy: Sports

  1. How to Sleep Soundly at Night While Using Open Source Guy Bar Gil, Product Manager

  2. 1 2 3 SmallComp ’ s M&A Staying Secure The Equifax Breach 2

  3. Introduction Slide • Two dogs + one cat • In my free time I enjoy: • Sports • Reading • Traveling Guy Bar Gil, Product Manager 3

  4. 1 The Equifax Breach 4

  5. • Consumer credit reporting agency • Equifax collects and aggregates information • 800M+ individual consumers • 88M+ businesses • Publicly traded (NYSE), 9.5K+ employees, $3.14B in revenues (2016)

  6. Apache Struts • Open-source framework, for creating Java web applications. • CVE-2017-5638 allows remote code execution through the web applications.

  7. The Equifax Breach – A Timeline Hackers gained access to Equifax ’ s Hackers begin Equifax publicized March 15 th July 29 th March 9 th exfiltrating data. the breach systems. May 13 th September 7 th March 10 th Equifax renews their Equifax's IT CVE-2017-5638 was • expired public-key published. department ran a certificate series of scans to The Apache Software • Foundation released a identify unpatched patch for the systems. vulnerability. Equifax administrators • were told to apply the patch to any affected systems.

  8. Incident Aftermath $3 billion 145 million The amount Equifax spent upgrading its People affected by the breach . security and resolving consumer claims

  9. What Can We Learn? #1 Act Fast Exploits are public for everyone #2 Continuously Monitor 300 new vulnerabilities published every month #3 Get the Basics Right Millions spent on security gear but it was poorly implemented 9

  10. 2 SmallComp’s M&A 10

  11. SmallComp ’ s M&A • SmallComp required to do an open- source audit. • Found a dependency licensed under AGPL. 11

  12. $4M Dollars in Escrow • Terms of the escrow: • Remove any trace of AGPL from the software. • 80% of customers must deploy the updated software to production. • Two year timeframe. • Development/deployment-related costs taken from the escrow. 12

  13. Solving The Problem Isn’t So Easy Two main obstacles: Development + QA time is 1 year for 1 person. • SmallComp ’ s customers are hospitals, where • solutions are often manually deployed and technicians are required to train staff. 13

  14. They Did It! SmallComp was able to fulfill the terms of the escrow after 1 year and 8 months! 14

  15. How Do We Avoid This Situation? #1 Set Clear Policies for the whole company in regards to licensing #2 Communicate the company ’ s policies to developers #3 Enforce make sure your policies are being enforced 15

  16. 3 Staying Secure 16

  17. Step 1: Create Transparency Transparency is the baseline to everything • Understand exactly what you’re using: • Direct Dependencies • Transitive Dependencies • Source files • 17

  18. Lots of jars ? 18

  19. Lots of jars, but lots more java beans ? 19

  20. Step 2: Detect Potential Issues • Match your components to the most comprehensive DB possible: • Published CVEs • Vulnerabilities published in security advisories • Vulnerabilities detected by research teams • Thorough license detection 20

  21. Step 3: Prioritize How would you prioritize your vulnerabilities? 21

  22. Step 3: Prioritize • Prioritize by: • Business risk • Exploitability • Severity • Availability of fixes • Effectiveness 22

  23. Vulnerabilities Prioritization 23

  24. After testing 2,000 Java applications, WhiteSource found that 85% of all detected vulnerabilities were deemed ineffective. 24

  25. Step 4: Execution Understand the best path to remediation Upgrade the component ’ s version? • Change the component? • Set up an external defense? • 25

  26. 2 3 4 1 Create Detect Issues Prioritize Execute Transparency 26

  27. Let’s Talk About Implementation!

  28. Step 1 : Creating Transparency Identify the processes in your software development lifecycle (SDLC) 28

  29. Step 2: Detect Where you want to implement security checks • Where you can automate • 29

  30. Development 30

  31. Build 31

  32. Deploy 32

  33. Maintain New vulnerabilities are constantly being published 33

  34. Step 3: Prioritize Act on early -> Shifting left • Avoid allowing vulnerable components • reach deployment 34

  35. Detect Issues As Early As Possible 35

  36. Step 4: Execution Who ’ s responsibility is it? Security team: • Setting policies • Educating developers • Development team: • Execution • 36

  37. Developers need robust tools, that fit into their workflows 37

  38. #1 Educate On the basics of open-source security & compliance Empower Teams #2 By providing them the right tools #3 Enable Success By creating a shared mission 38

  39. “ Don ’ t Be That Guy 39

  40. Q & A

  41. Thank You! For any questions, please contact me: Guy.bar-gil@whitesourcesoftware.com 41

Recommend

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source Software Leon Anavi Konsulko Group leon.anavi@konsulko.com leon@anavi.org FOSDEM 2018 Agenda Home automation and smart lightning Open

422 views • 30 slides
mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a vast increase in adoption of open source software solutions across the private enterprise, government associations and organizations, industries.

581 views • 18 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source

The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source

The State of Open Source Databases Peter Zaitsev CEO, Percona October 1 st , 2019 Open Source Software Amazing times for Open Source Software! Commercial Success Fantastic Success of Open Source Based Businesses! RedHat Acquired by IBM

1.19k views • 52 slides
Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric

Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric

Open Komodo: An Open Source IDE For Open Languages For Open Languages Own Your IDE Eric Promislow ActiveState Software Inc. OpenKomodo: Own Your IDE Copenhagen, Denmark April 2, 2008 1 History Perl for Windows Active Python,

820 views • 65 slides
Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview

Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview

Creating Open Source Electronic Hardware with Open Source Software Tom Anderson Overview Open Source hardware (This is the smallest font) Business model Example circuit, concept -> production Make circuit boards with Open

806 views • 78 slides
1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

1 Version 2: MIT, 1983 Bazaar Model Richard Stallman was Characteristics include

Open Source Idea? SHARE and the Origins of Open The basic idea behind open source is very simple: When programmers can read, Source Software: 1953-1972 redistribute, and modify the source code for a piece of software, the software evolves.

530 views • 8 slides
Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD)

Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD)

Design principles for 5G Toward a new paradigm, All-IT Network architecture Unbundling Open Source Software/Hardware Decoupling Open Source Software (OpenStack, CORD) Unbundled Function Blocks Open Source Hardware (OCP,

180 views • 15 slides
OPEN SOURCE PROGRAMS + THEIR ETHICAL DEVELOPMENT AND FUTURE OPEN SOURCE PROGRAMS PROVIDE A

OPEN SOURCE PROGRAMS + THEIR ETHICAL DEVELOPMENT AND FUTURE OPEN SOURCE PROGRAMS PROVIDE A

OPEN SOURCE PROGRAMS + THEIR ETHICAL DEVELOPMENT AND FUTURE OPEN SOURCE PROGRAMS PROVIDE A VIABLE FOUNDATION FOR THE SUSTAINABLE FUTURE OF THE WORLD S CREATIVE ECONOMY. FIGURE A Figure A. Skok, 2012, p. 13 WHAT IS AN OPEN SOURCE PROGRAM?

343 views • 8 slides
VSI's Open Source Strategy Plans and schemes for Open Source so9ware on OpenVMS Bre% Cameron /

VSI's Open Source Strategy Plans and schemes for Open Source so9ware on OpenVMS Bre% Cameron /

VSI's Open Source Strategy Plans and schemes for Open Source so9ware on OpenVMS Bre% Cameron / Camiel Vanderhoeven April 2016 AGENDA Cloud Programming languages UNIX compa;bility Integra;on technologies Analy;cs Databases

946 views • 40 slides
Challenges in Open-source RISC-V Implementations Differentiation & Customization Open Source

Challenges in Open-source RISC-V Implementations Differentiation & Customization Open Source

Challenges in Open-source RISC-V Implementations Differentiation & Customization Open Source Hardware Promises and Hopes Great way to collaborate Faster development thanks to readily available IP (e.g. peripherals, ) Very

411 views • 17 slides
Databases Peter Zaitsev Percona You Might Know I am passionate about Open Source Databases

Databases Peter Zaitsev Percona You Might Know I am passionate about Open Source Databases

Maximizing the Power and Value of Open Source Databases Peter Zaitsev Percona You Might Know I am passionate about Open Source Databases 2 Open Source Databases Leading in Growth Source: https://db-engines.com/en/ranking 3 Long Term

708 views • 42 slides
Open-source without headaches Edwin Dalmaijer @esdalmaijer 20 November 2018 Wait, isnt open

Open-source without headaches Edwin Dalmaijer @esdalmaijer 20 November 2018 Wait, isnt open

Open-source without headaches Edwin Dalmaijer @esdalmaijer 20 November 2018 Wait, isnt open source a Good Thing ? To science , open-source if unequivocally good Tools are free and open to public scrutiny Wait, isnt open source a

649 views • 45 slides
Open Source: A Way of Life Transform Government Operations 1. Deploy open source technology in

Open Source: A Way of Life Transform Government Operations 1. Deploy open source technology in

Open Source: A Way of Life Transform Government Operations 1. Deploy open source technology in the enterprise 2. Arm everyone as a knowledge worker 3. Democratize data: the digital public square Open Source Technology in the Enterprise Arm

166 views • 15 slides
The state of the Community Gabriele Columbro Executive Director Open Source Strategy Forum,

The state of the Community Gabriele Columbro Executive Director Open Source Strategy Forum,

The state of the Community Gabriele Columbro Executive Director Open Source Strategy Forum, 11/20/2019 Fintech Open Source Foundation finos.org If theres two things... 1 Financial Services is serious about Open Source 2 Open Source is

667 views • 20 slides
Open source your daily work! What happens if your daily work is happening in the open?

Open source your daily work! What happens if your daily work is happening in the open?

Open source your daily work! What happens if your daily work is happening in the open? DrupalEurope Darmstadt Bastian Widmer - @dasrecht | @amazeeio We will talk about: open source, challenges, benefits, a bit of history a recap on our past

820 views • 55 slides
Moodle by Moonami Open Source Moodle - your way 2 Who we are Open Source Moodle your way Our

Moodle by Moonami Open Source Moodle - your way 2 Who we are Open Source Moodle your way Our

1 Moodle by Moonami Open Source Moodle - your way 2 Who we are Open Source Moodle your way Our goal here at Moodle by Moonami is simple: to provide world-class cloud hosting & support with excellent customer support at boutique prices

1.07k views • 9 slides

More recommend