Collaborative Security: Securing Open Source Software
| Field | Value |
|---|---|
| Talk Title | Collaborative Security: Securing Open Source Software |
| Speakers | Nicko van Someren (CTO, Linux Foundation) |
| Conference | Open Source Summit North America |
| Conf Tag | |
| Location | Los Angeles, CA, United States |
| Date | Sep 10-14, 2017 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
There is no set of practices that can guarantee that software will never have defects or vulnerabilities, whether that software is open source or proprietary. Even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. But with open source software, it is possible to reduce security issues in the same way it’s built – with collaboration and transparency. In this talk, Linux Foundation CTO Nicko van Someren will present the Core Infrastructure Initiative, a multi-million dollar project to fund and support critical elements of the global information infrastructure. He will discuss the latest research and give an update on creative self-serve tools and best practices that help improve the security and quality of open source projects. The Best Practices Badges Program, for example, is a free open source secure development maturity model designed with and for the open source community. The Linux kernel, Curl, GitLab, OpenBlox, OpenStack, OpenSSL, Node.js, and Zephyr are among the first projects to have earned a Best Practices badge. Available on GitHub, the badges program continues to evolve; new badge levels were introduced this year to provide even more sophisticated criteria. Citing both good and bad examples, he’ll dive into what progress is or isn’t being made with security vis-à-vis the software development lifecycle. OpenSSL is in the habit of making major quality improvements and consciously works to bring the number of defects down. As of June 2016, the current number of defects was 407, its lowest since June 2006. This shows that OpenSSL developers are making a concentrated effort to both find new bugs and close existing ones, rather than only closing old ones. He will also explore how, and if, open source and commercial software differ, through multiple industry examples.
Whether a producer or consumer of open source, attendees will gain an understanding of how to quickly assess which open source projects care about security-conscious development and how to apply secure development methodologies to the software that they create and use.