January 8, 2020


Collaborative Security: Securing Open Source Software



Talk Title: Collaborative Security: Securing Open Source Software
Speakers: Nicko van Someren (CTO, Linux Foundation)
Conference: Open Source Summit North America
Location: Los Angeles, CA, United States
Date: Sep 10-14, 2017
URL: Talk Page
Slides: Talk Slides

There is no set of practices that can guarantee that software will never have defects or vulnerabilities, whether that software is open source or proprietary. Even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. But with open source software, it is possible to reduce security issues in the same way the software itself is built: through collaboration and transparency.

In this talk, Linux Foundation CTO Nicko van Someren will present the Core Infrastructure Initiative, a multi-million dollar project to fund and support critical elements of the global information infrastructure. He will discuss the latest research and give an update on creative self-serve tools and best practices that help improve the security and quality of open source projects. The Best Practices Badges Program, for example, is a free, open source secure-development maturity model designed with and for the open source community. The Linux kernel, Curl, GitLab, OpenBlox, OpenStack, OpenSSL, Node.js, and Zephyr were among the first projects to earn a Best Practices badge. Available on GitHub, the badges program continues to evolve; new badge levels were introduced this year to provide more sophisticated criteria.

Citing both good and bad examples, he will dive into what progress is or isn't being made with security vis-à-vis the software development lifecycle. OpenSSL is in the habit of making major quality improvements and consciously works to bring the number of defects down. As of June 2016, the current number of defects was 407, its lowest since June 2006. This shows that OpenSSL developers are making a concerted effort both to find new bugs and to close existing ones, rather than just closing old ones. He will also explore how, and whether, open source and commercial software differ, through multiple industry examples.

Whether a producer or consumer of open source, attendees will gain an understanding of how to quickly assess which open source projects care about security-conscious development, and how to apply secure development methodologies to the software they create and use.
