Security in open source projects
Formal metadata
Number of parts | 94
License | CC Attribution 4.0 International: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/45651 (DOI)
FrOSCon 2019, talk 26 / 94
Transcript: English (automatically generated)
00:07
OK, then please welcome Jose Manuel Ortega, who will give us a talk about security in open source projects. Thank you.
00:21
Good afternoon. Thank you for coming. Well, my name is Jose Manuel Ortega. I'm from Spain. This is my first time here, and, well, I'm confident about sharing knowledge and projects.
00:42
Well, in this talk, I will talk about security. Basically, what are the main problems that we have in security when we are working on a project with a development team, with people, and so on?
01:02
What are the problems that we have from the security point of view? And what are the tools and the processes that we can use for adopting best practices in our organization, in our team, and so on?
01:28
These are all the conferences that I have given in the last years. I have a conference, for example, talking about security in many languages, like Node.js, Python.
01:40
I also like security in Docker containers. With Python, also, I have talked about microservices and serverless projects. All these conferences are on my personal blog,
02:00
on my personal page. And also, on YouTube, you can find other conferences related to security, mainly with Python, because it's the language that I use most for testing the security of applications.
02:21
I also have other presentations related to security in Node.js, and so on. I also like writing and sharing my knowledge with books, with book series.
02:45
This is the first book I wrote last year, Mastering Python for Networking and Security. Basically, this book covers topics from building a network, from the different processes
03:00
you need to follow to secure your network, or applications in general. You'll first be introduced to different packages in Python and libraries related to detecting vulnerabilities in servers and web applications. The second one I have written about Python
03:23
is this, Learning Python Networking, that covers topics like socket programming, how to design servers, and event-driven architectures with Celery, Redis, and so on. And also, there is an introduction to web applications with the Django and Flask frameworks.
03:44
Those are the most well-known frameworks for programming in Python. Well, this is the agenda. These are the main points of the talk. Basically, in this talk, we will look at how open source projects can manage security.
04:02
Basically, we will review tools for detecting vulnerabilities in the dependencies of our project, and in our code base. Finally, we will review techniques and tools for improving security in open source projects. Well, the main problem we have in open source projects
04:22
is that security is always a secondary concern. The primary role of software is to provide functionality or a service to our users, for example.
04:41
And managing the risks associated with the software we are developing is always relegated to a secondary topic, a secondary concern, and basically security is not a priority today, when we are developing, when we are starting a project.
05:04
And this, in the future of our project, can be a problem. There is often a trace of conflict between security and functionality. Companies believe that security is not a priority,
05:21
as I commented before. And when you ask developers if they are using some tools for analyzing the security, for testing the security of applications, a very small percentage answer affirmatively. And regarding security, basically nowadays,
05:44
there are companies that are interested in adopting security best practices in the organization, and transmitting this to developer teams and so on.
06:01
But there is a lot of work; at this moment, there are many companies that are not realizing this. And there is a lot of work to do in this aspect. Another of the problems for testing security
06:22
is that there are basically two approaches. One is the Blue Team approach. Basically, it's testing the security of applications from the defensive point of view.
06:42
And the other approach is the Red Team, which basically is analyzing the security of the application from the attacker's point of view. Blue Team basically refers to an internal security team that you can have in your organization that defends against real attackers, for example.
07:04
And the Red Team basically are external entities, users that test the security of your application. Well, the Red Team basically completes this
07:22
by evaluating the behaviors and techniques of likely attackers in the most realistic way possible. The practice is similar to penetration testing.
07:41
Penetration testing, that is to say, the tools used for this, is for Red Teams. Well, when we are developing, basically we can introduce flaws in our application
08:04
of two types. Basically, flaws that can be understood by looking at the program itself. For example, errors in logic or in programming logic. And the other one is problems in the interaction
08:24
with the platform or other services and systems that interact with the application. Basically, at this point, we can detect problems like buffer overflows and specific vulnerabilities in web applications like SQL injection, cross-site request forgery, and so on.
08:45
You may have heard terms like buffer overflow, use after free, stack corruption. These terms are related to memory flaws. It's very usual, for example, in C++ programs
09:00
to find these errors. When you program with a scripting language like Python or PHP, for example, memory management is delegated to the interpreter or the system. And the developer can make mistakes related to the management of memory buffers, for example.
09:24
This is a typical buffer overflow vulnerability in a C program. The vulnerability, in this case, is because the buffer can be overflowed if the user input is bigger than its size in bytes.
09:46
At this point, every C++ developer must know the buffer overflow problem before they do the coding. A lot of bugs generated nowadays can in most cases be exploited as a result of a buffer overflow
10:02
because most of the servers and the tools that we use, at a low level, are using the C++ language for memory management, connecting with other applications,
10:23
other services, and so on. This overflow, evidently, is a problem because, for example, if we go to Exploit Database, you can find a lot of exploits that attack this vulnerability.
10:46
Well, for example, when we are working with open source projects, it's very usual to use external dependencies from other projects.
11:03
And in order to know the dependencies and start a security evaluation in open source projects, you need to answer these questions. What open source components are you using? What versions are you coding, running, and where? How can these components be outdated,
11:21
and where do you get the updates? What do you need to install them? All these questions are the basis for knowing the state of the open source project in general, and where security is a critical topic.
11:48
Nowadays, most web apps have dependencies available in core repositories like npm for JavaScript, Maven for Java projects,
12:01
and PyPI for Python. The use of open source projects is accelerating. For example, in the last year, Java packages doubled, and npm added 200,000 new packages last year.
12:20
Only in the last year. And at this moment, npm is the biggest repository nowadays, and it will soon have almost 1 million packages.
12:41
Another critical aspect, as I told you before, is the use of third-party libraries. Instead of creating applications from scratch, basically, today's developers start with open source components, and then copy, extend, and glue them together with the applications that they are creating.
13:05
18% is third-party code from external libraries. This means that open source libraries and frameworks don't make up the vast majority of the source code used by companies today.
13:25
The main problem with components is that, with reusable components, when you try to introduce a component that is reusable into your project,
13:40
this is a good idea, but reusable components originate reusable vulnerabilities. Nowadays, exploiting a library can potentially exploit many applications. This can be because the library is very common in specific applications
14:00
or has a very high reputation among developers. Basically, 19% of the attack surface of an application may be due to third-party code. In this report,
14:20
for example, made by Snyk, we can see the direct and indirect dependency distribution across ecosystems, in different ecosystems. Most dependencies in npm, Maven, for example, are indirect dependencies requested by the direct dependencies themselves.
14:40
Snyk has scanned over a million project snapshots and has discovered that vulnerabilities in indirect dependencies, in JavaScript projects, for example, account for almost 80%
15:00
of overall vulnerabilities. And in other languages, like Python, this percentage is reduced to 10%. If we work with GitHub, for example, GitHub provides
15:21
the option to show information, for example, to know all the dependencies in the Dependency graph section, where we can see the dependencies of our project. And when potential security vulnerabilities
15:42
are found in our project, GitHub has the capacity to provide these security warnings that this dependency can be dangerous from the security point of view. Also, for detecting dependencies
16:02
in our projects, we have the OWASP Dependency-Check project that basically identifies project dependencies and checks if there are any known vulnerabilities in these dependencies. Basically, it provides plugins for Jenkins, Maven,
16:21
Gradle, that identify project dependencies and check if there are any known vulnerabilities. For example, basically, this tool provides a report where you can see, for each dependency, whether
16:40
it has a vulnerability; we can see the criticality level of the vulnerability and all the information related to the vulnerability, the version that is vulnerable and so on.
17:03
Well, Snyk. I am going to comment on what are the main services we can use when we are developing an application that is starting, for example,
17:20
what are the services that we can use for detecting vulnerabilities. For example, Snyk is a service that focuses on detecting vulnerabilities in dependencies. It not only offers tools to detect known vulnerabilities in different kinds of projects, it also helps users and developers
17:41
fix these issues using guided upgrades and open source patches that Snyk creates. This service, Snyk, has its own vulnerability database which gets
18:00
data from the NVD database. Basically, Snyk's approach is to scale the management of known vulnerabilities throughout the organization with better collaboration tools and integration with GitHub repositories, for example.
18:21
And when this tool detects that a specific dependency has a vulnerability, it shows the information and you can open, for example, a fix pull request for a specific
18:43
vulnerability. If we are working with Python, for example, we have available specific services like pyup and Safety that allow us to analyze the dependencies and libraries that our project is using.
19:03
Internally, these tools, what this does, is analyze the requirements project file in Python and check for its module, if it is using the latest version, or you need to update a specific package,
19:21
specific module, based on the vulnerabilities information. Safety, for example, is a command line tool for checking your local environment, reading basically the requirements dot
19:41
the requirements file of the Python project. Safety also can call the local build environment for security issues and detect outdated libraries or libraries that may have
20:00
some kind of vulnerability. There are other interesting projects like require.io This is a service that allows to detect libraries and dependencies in our projects that are not updated.
20:20
If it detects an unsafe version of a specific for a particular package, it will display the corresponding insecure flag. When examining the five different ecosystems, that is PHP, Java, JavaScript,
20:41
Python and Go, we see an increasing trend in the number of vulnerabilities disclosed across all of them since the year 2014. In 2014, in this year, well, the number of vulnerabilities
21:01
has been increasing each year in all ecosystems. And last year, for example, the vulnerability count grew by 30% compared to the
21:20
previous years. If we are working, for example, with JavaScript and the npm repository, we can see the latest vulnerabilities discovered for certain versions of a package and the level of criticality.
21:43
In npm, we can see this information for open source packages and components that are very commonly used in JavaScript projects. For example, some packages
22:01
have vulnerabilities related to regular expression denial of service. This vulnerability has a special impact in Node.js applications because it takes down the main thread that is processing client requests.
22:21
For example, when you give it some input that takes a very long time to process, it can produce a denial of service because the server takes a long time to process requests. This is a very common vulnerability that we can find
22:41
in specific versions of some packages and, well, this is one of the more critical vulnerabilities in Node.js applications.
23:00
Another common attack vector that has consistently featured in the OWASP Top 10 over the last years is SQL injection. Looking across the last three years, we can see that the main ecosystems, npm, Maven and PHP, have peaks during different years.
23:23
Maven libraries, for example, lead the number of SQL injection vulnerabilities disclosed in both the 2016 and 2017
23:42
years. From the user's perspective, it's interesting to gain insight into how they learn of vulnerabilities in their application dependencies in order to respond to potential threats
24:01
as they are discovered. Almost 30% of users don't have any proactive or automatic way to find out about newly discovered vulnerabilities. They don't have any way to
24:21
discover new vulnerabilities, or vulnerabilities that are public but the developer doesn't have information about. And developers basically don't worry
24:41
because they don't know that they exist. And only 60% of users confirm that they use a dependency management or a scanning tool
25:01
to help surface vulnerabilities. This is another problem that we have, for example, in Python: the problem of finding malicious Python packages. This is a problem that security researchers have
25:22
discovered mainly in the last two years. What some of these malicious packages do is download a file in a hidden way and execute a process in the background that creates an interactive shell
25:40
without logging. Obviously these packages have been removed from the repository by the PyPI security team, but we might find this problem in the future. We don't know, but maybe in the future
26:01
we can find this problem again. At this moment we have made a review of what the main kinds of vulnerabilities are
26:21
that we can find in open source projects, and now I'm going to talk about tools. Basically we have two kinds of tools, static and dynamic, in order to analyze the code developers write
26:42
for a specific program in the organization. Basically these tools have the capacity to detect potentially dangerous patterns. In this table we can see a comparison between dynamic and static. Basically dynamic is oriented to black box testing
27:00
and static is oriented to white box security testing. Static requires source code and dynamic requires running the application, basically in a development environment.
27:21
And from the cost point of view, static is less expensive for fixing vulnerabilities and dynamic normally has
27:40
a higher cost. Well, for static, the approach is oriented to code scanning for discovering potentially dangerous patterns, and for example we can use very useful tools like Find Security Bugs and SonarQube. These tools are the most
28:01
useful tools that organizations are using for testing the security of applications from a static point of view. Basically Find Security Bugs is oriented to Java and JavaScript projects and is an
28:20
open source project that can be installed in your environment, on your server, and, for example, if you are using Java you can install it as a plugin in Eclipse,
28:41
IntelliJ or Android Studio, and for example it has the capacity to detect a potential JDBC injection if you are using, for example, Spring with the JDBC connector for Oracle.
29:03
It has the capacity to detect this kind of vulnerability. In the tool documentation you can see specific use cases that the tool has the capacity to detect for different programming languages
29:21
such as Java, Scala and JavaScript. If we are working, for example, with Java or PHP, we have available specific plugins in SonarQube. Using Sonar, for example,
29:40
can be one of the first steps when trying to improve the code of our application and discover areas in which it is probably necessary to refactor, for example. For example, here Sonar is detecting that we are using the System.gc()
30:00
method call in Java code. That is, the use of this method can be considered a security flaw in the application because it automatically
30:21
calls the Java garbage collector, and if the application is executing this function at that moment it can call the garbage collector and destroy the memory
30:40
that is in use at that specific moment. For example, for each language with Sonar we can see the rules defined by type: vulnerability, bug, security hotspot, code smell. There are different rules that
31:02
Sonar has the capacity to detect. For example, if we are using GitLab continuous integration and continuous deployment, you can analyze your source code for known vulnerabilities using static application
31:22
security testing. Basically GitLab has the capacity to detect special use cases, for example if your code has a potentially dangerous attribute in a class or unsafe code that can lead to malicious code execution.
31:41
Also it has the capacity, for example, if your application is vulnerable to cross-site scripting attacks, to detect all these cases.
32:01
GitLab also supports many languages and frameworks; the following table shows which languages, package managers and frameworks are supported for static analysis. For example, for C++ it supports Flawfinder,
32:21
for Node.js it supports NodeJsScan and for Python it supports Bandit. Later I will comment on some of these tools. GitLab supports
32:41
both static and dynamic analysis. This is a screen capture of the security dashboard that GitLab provides. The security dashboard is a good place to get an overview of all the security
33:01
vulnerabilities in your groups or projects. Well, as I commented before, we have specific static analysis tools; for example, if we are working
33:22
with Node.js we have NodeJsScan as a static analysis tool that can detect security problems in insecure code and obsolete libraries with vulnerabilities. Basically it's a Python script that, when executed, returns a report with
33:41
everything it has found that can cause security problems. Basically what it does is check the security rules that are defined in an XML file,
34:00
and this script shows an alert in case you are using, for example, the eval function, which is dangerous in JavaScript, or in general the JavaScript functions that can be dangerous. For example, it allows detecting vulnerabilities
34:21
of type cross-site scripting where user inputs are not correctly validated. And in Python we have Bandit. Bandit is a static code analysis tool designed to find common
34:42
security issues in Python code. It's written in Python and it can be easily extended with your own security policies. It can integrate, if you are working with Jenkins, for example; you can integrate this tool
35:00
in your continuous deployment pipelines in Jenkins. Bandit basically is a tool that can connect information about user input and sensitive code to detect when the operations performed are dangerous
35:21
in your source code. It supports many different tests to detect many security issues in Python code. Basically it contains a blacklist that checks for a number of Python modules known to have security implications.
35:40
The following blacklist tests are run against any import statement or calls that are found in the scanned codebase. For example, it has
36:01
a plugin for detecting a typical SQL injection. This plugin looks for strings that can be vulnerable and resemble SQL statements that are involved in some form of
36:21
string building operation. Well, running static analysis on your code is the first step to detect vulnerabilities that can put the security of your project at risk. Once
36:40
the application is created and deployed in your development environment, your application is exposed to a new category of possible attacks such as cross-site scripting or broken authentication, these kinds of vulnerabilities.
37:01
And at this point dynamic application security testing comes into place. For dynamic analysis, for example, we can use tools like OWASP ZAP; basically it's a proxy between your application
37:21
and the client, and other tools like Burp Suite. Burp Suite is another proxy. OWASP ZAP, for example, is an integrated penetration testing tool for finding vulnerabilities in a web application
37:42
that acts as a proxy between the browser client and the application server, intercepting requests for detecting faulty configurations. And for example,
38:00
for detecting SQL injection we have other tools like sqlmap. sqlmap is one of the most useful tools for detecting SQL injection vulnerabilities, and with this tool you can discover table names, download databases
38:20
and perform SQL queries automatically. To do this, basically the tool makes a request to the parameters of the URL, either through a GET or a POST request. Basically it tests if some parameter
38:40
in the URL of the domain is vulnerable because the parameters are not being validated correctly in the backend. These are the main steps that the tool follows for the SQL injection process. Basically,
39:01
the first step is searching whether the URL is vulnerable to attack, and if it detects that the URL is vulnerable, basically it uses many techniques for adding specific SQL queries
39:20
that transform the original query. And once the tool has discovered that the database or application is vulnerable, it has the capacity to discover tables and columns from the database. Well,
39:40
what can we do to improve the security of open source projects? Well, basically we can do all the same things as we do with other kinds of software. The big difference is that in open source we do it
40:01
collaboratively. The main difference, for example, between proprietary and open source projects is that in open source projects we have the advantage that vulnerabilities are reported and verified,
40:21
and fixes are often suggested and made available, which is easier than trying to find and fix them by scanning the code yourself. In open source projects typically there are many people contributing. Sometimes there is a culture of
40:41
coding, and the code is more important than the specification. And this is important because in specific projects there
41:01
is much less market pressure to put security first. At this point it's important to be aware that security is a process, not a product. Security needs to be given equal weight
41:22
with scalability, performance, usability, and all the other design factors that matter to your users. At this point it's important not to wait until the end of the development process to audit the code.
41:42
For example, we can recommend starting at 18% complete in the development phase. We can use specific methodologies like the secure development lifecycle methodology. For example, we can,
42:01
in each phase of the development (requirements, design, coding, testing, and deployment), introduce security testing. For example, in the design phase of the methodology we could carry out a risk analysis that includes,
42:21
for example, threat modeling, security requirements, security tests, and pen testing. The idea with the methodology is detecting and fixing issues in each phase of the development process, from the design phase
42:41
until the application is released in production. And using this methodology, finding an issue in your application development process has less
43:01
impact on cost and resources than finding the same issue later in the process. For example, if we have an open source project and we want to certify it, for example,
43:21
from the security point of view, we can use the Linux Foundation Core Infrastructure Initiative. Basically it provides best practices from the security point of view, and developers can
43:40
quickly assess which open source projects are following best practices and, as a result, are more likely to produce higher quality, secure software. For example, if
44:01
your project needs to be certified, you can do it with this tool. Projects can voluntarily certify by using this web application to explain how they follow each best practice from the security point of view.
44:26
You can check, for example, this repository on GitHub, and you can find a lot of information about security requirements and common types of security vulnerabilities.
44:43
Finally, I'm going to comment on the final point: when we detect an issue in our project, what are the tools for reporting vulnerabilities? For example, we can use,
45:01
for example, the issues that are available in your project, public and private, and also we can use, for example, Bugzilla. Basically it's server software designed to help you manage software development, and you can install it on your own server.
45:20
Basically Bugzilla needs, for example, a database server and a web server. With GitHub, for example, you can create automated security fixes when you discover an issue in an open source project.
45:43
In GitHub, another of the problems that we have is confidential information related to database credentials, infrastructure configuration or hard-coded information in the source code itself.
46:04
For example, these are some files which are probably always consistently sensitive and shouldn't be added to source control: for example private keys, history files, log files,
46:21
configuration files. With these files we need to be aware that you can commit them to a private or public repository.
46:40
GitHub search is also a useful feature and can be used to search for sensitive data on public and private repositories. Also we can use specific tools for detecting confidential information in GitHub repositories. We have the
47:02
dork search tool. Basically it's a Python script that can search through your repository or your organization's or user's repositories. This script provides basic functionality to automate the search on your
47:21
repository against the dorks specified in a file. We have a collection of GitHub dorks that can reveal sensitive personal and organization information such as private keys, credentials, authentication tokens and so on.
47:42
And if you have detected this kind of information in a GitHub repository, you can remove this kind of data from the repository. If you commit sensitive data such as a password or a key,
48:00
you can remove it from the history. It's not the best solution, but well, it's an intermediate solution, because maybe at a specific time
48:21
you have shared a password or a key with your development team, for example. And finally, for conclusions, from the open source
48:41
maintainer's point of view, you should offer secure releases of your code and provide a communication strategy to those developers you might possibly impact in other projects and applications. And from a developer's point of view,
49:02
the developer has the responsibility to understand the direct and indirect dependencies in your project, including any security flaws that might exist in that dependency tree. And it's important to consider reading security
49:22
guidelines and adopting security best practices. And that's all. Finally, this is a report; for example, Snyk has a lot of information related to the state of
49:41
open source security in this year. And this is recommended reading before attending this presentation. And that's all. Thank you very much. Do you have any questions?
50:15
Well, it doesn't look like there are any questions now. So, well, thank you very much. And you'll be available for
50:22
questions later around here. Yeah, I will be there. Well, thank you. Thank you.