7–9 November 2016: Conference & Tutorials
9–10 November 2016: Training
Amsterdam, The Netherlands

Who owns open source security?

Guy Podjarny (Snyk)
11:50–12:30 Tuesday, 8/11/2016
Track: Reimaging DevOps, security, and infrastructure
Topics: DevOps, Security
Location: Emerald Room & Lounge
Audience level: Non-technical
Average rating: 4.29 (7 ratings)

What you'll learn

  • Learn why the only solution to securing open source software is for all of us—OSS authors, OSS consumers, and security tooling providers alike—to own OSS security

Description

From Heartbleed to ImageTragick, vulnerabilities in open source software are repeatedly making headlines, each punching a new security hole in a large portion of the Web. These vulnerabilities are bad, but more importantly they’re extremely prevalent due to the mass adoption of open source software.

But who is responsible for avoiding or fixing these issues? Do we expect an unpaid OSS author to drop everything and rush to fix a newly found vuln? And how likely is a single developer, without a surrounding team, to have the security expertise and tooling needed to avoid the issue in the first place?

Alternatively, do we expect OSS consumers to own securing code they didn’t write? Companies are struggling with auditing their own code and treat OSS as off-the-shelf software, assuming someone else owns its security—if they consider the question at all.

This challenge is fundamental to the future of open source.

Guy Podjarny digs into the core problem elements, demonstrating why this is something we have to tackle together, as a community—OSS authors, OSS consumers, and security tooling providers alike. Guy discusses the steps each needs to own and take so we can keep open source secure together.

  • OSS developers must care about security, since some of their users need it; use free/open security tools; declare what security measures they have or have not taken and what security trade-offs they have chosen; and have emergency collaborators for handling vulnerabilities when they’re away (especially when projects are dead).
  • OSS consumers must know what they are using; track and fix known vulnerabilities in components; contribute back any security issues they find (and fixes they have made); track behavior of open source software in their system (i.e., mistrust their own code, to the extent they can); and disclose issues responsibly.
  • The community as a whole must care about the issue and raise awareness in events and online; create education and training collateral; create open source security testing tools; promote security as quality; and create central repositories for open source vulnerabilities.
  • Security tool providers must make their tools free for open source and consider the open source developer use case (zero budget, low on time).

Guy Podjarny

Snyk

Guy Podjarny is Snyk’s co-founder and CEO, focusing on using open source and staying secure. Guy was previously CTO at Akamai following their acquisition of his startup, Blaze.io, and worked on the first web app firewall and security code analyzer. Guy is a frequent conference speaker and the author of the O’Reilly titles “Securing Open Source Libraries”, “Responsive & Fast” and “High Performance Images”.