It’s not our code, but it is our product! Managing the security impact of bundled Open Source Software

Location: E145 Level: Intermediate
Average rating: ***..
(3.25, 4 ratings)

The benefits of including Open Source Software in products and services are very well understood, including many that greatly improve the security of the resultant product. Less well-known or understood, however, is the real security impact of bundling OSS and other third-party software into products.

Bundled third-party software presents new security challenges that must be managed. These challenges range from varied or nonexistent upstream disclosure practices to under-documented internal use and a general lack of ownership. Further complicating matters, there often exists a historic legacy of unbridled third-party software use that must be overcome. These challenges can be made more manageable through a structured approach specifically tailored to bundled third-party software security.

This session will discuss approaches to bundled third-party software security and the following specific topics:

  • Overcoming the “Not my problem!” mindset
  • Tracking third-party software use in products with security in mind
  • Quickly and consistently learning of new third-party software vulnerabilities that may impact your products
  • Internal developer notification of security issues
  • Instrumenting, managing and presenting product defects effectively
  • Disclosing product security issues that originate in third-party software

At the completion of this session attendees will be more equipped to tackle this challenging area within their own organizations.

Photo of Tim Sammut

Tim Sammut

Cisco Security Research and Operations

Tim Sammut is an engineer in the Security Research and Operations organization at Cisco where he leads company-wide initiatives around the product security impact of bundled third-party software. This area of work extends beyond Cisco where he chairs the Third-Party Software Security working group within ICASI—the Industry Consortium for Advancement of Security on the Internet—and volunteers on the Gentoo Linux Security Team.

Not always focused, Tim generally enjoys marrying creativity and technology to tackle difficult problems. He is a published author with more than 15 years of experience in some of the largest and most complex internetworks.

Tim lives in northern California with his wife, daughters, dog and fish.

Comments on this page are now closed.


Picture of Tim Sammut
Tim Sammut
07/22/2012 2:30pm PDT

Hi, Shane.

I don’t think it is fair for an organization or project to hand-out black marks when security issues arise in code they chose to consume. Everything has bugs, and some of those bugs may expose security issues. I also don’t think there is any direct correlation between the number of disclosed security issues and the actual security of a package. Some packages may be more active security-wise, but that does not mean they are inherently less secure.

To answer your question though, there are a few things projects can do to enhance their security image. If I had to pick three, they would be: disclose security issues as consistently, visibly and clearly as possible; use the standard URL for all vulnerability disclosure documents; and include a CVE identifier for each vulnerability up front (CVEs can be had for open source projects via the public oss-security mailing list).

Hope this helps, and please feel free to email me directly if you’d like to continue chatting about this.

Picture of Tim Sammut
Tim Sammut
07/22/2012 2:11pm PDT

Hi, Beverly. I apologize if the font was too small. Please check out the slides and let me know if you have any questions. Thanks!

Picture of Shane Curcuru
Shane Curcuru
07/20/2012 10:13am PDT

How can open source projects, especially community-led ones, ensure that their brands are represented fairly when they are included in larger products that users use? The security arena is especially important to brand image, because messing up security – even if it’s not my fault, but some other component’s fault – is a big black mark in the users’ mind.

How can projects protect their brands in the public eye from the backlash of security issues that happen in aggregated products?

Beverly Block
07/19/2012 7:04am PDT

Content was good, but slides were completely unreadable from the middle of the room. Presenter needs to use a much bigger font.

Picture of Tim Sammut
Tim Sammut
05/29/2012 8:59am PDT

Hi, folks. I am excited to be presenting on this topic at OSCON 2012. Do you have particular items you would like to hear about or discuss?

And two questions for you: What are you doing in the realm of third-party software security that is working well today? What is not working so well?



For information on exhibition and sponsorship opportunities at the conference, contact Sharon Cordesse at (707) 827-7065 or

View a complete list of OSCON contacts