We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Security in open source projects

00:00

Formal Metadata

Title
Security in open source projects
Title of Series
Number of Parts
94
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
In recent years, the amount of open source components used by developers has experienced significant growth. Millions of open source libraries are distributed through centralized systems such as Maven Central (Java), NPM (JavaScript) and GitHub (Go). In this talk, I will present the common security problems faced by companies that use open source. We will also talk about how to manage the risks of open source software using people, processes and tools
15
Thumbnail
1:16:56
20
Thumbnail
59:24
23
Thumbnail
10:02
48
Thumbnail
50:08
56
76
Thumbnail
12:05
Open sourceInformation securityFreewareTraffic reportingInformation securityEqualiser (mathematics)Projective planeMultiplication signWater vaporSoftware developerProcess (computing)Open sourcePoint (geometry)XMLUMLLecture/Conference
Open sourceInformation securityTrailSoftware testingServer (computing)Service (economics)Musical ensembleProcess (computing)Line (geometry)YouTubeShared memoryFormal languageProjective planeSymbol tableSpecial unitary groupElectronic program guideStaff (military)View (database)BlogInformation securityNP-hardWeb pageService (economics)Computer animationLecture/ConferenceMeeting/InterviewXML
Information securityCoding theoryFunction (mathematics)Vector graphicsCodeSoftware testingInterior (topology)Fluid staticsPort scannerVulnerability (computing)Network socketComputer networkForcing (mathematics)Information securitySoftwareCartesian coordinate systemSoftware testingUser interfaceFormal languagePresentation of a groupData miningBit rateBuildingRight angleService (economics)Theory of relativitySeries (mathematics)Server (computing)Vulnerability (computing)Different (Kate Ryan album)Web applicationProcess (computing)Library (computing)XML
Computer networkOpen sourceInformation securityCodeNetwork socketSoftware frameworkComputer programmingFlash memoryComputer architectureWeb applicationCASE <Informatik>WebsiteSharewareServer (computing)Event horizonInformation securityProjective planeSoftwareIndependence (probability theory)Web pageLink (knot theory)Vulnerability (computing)Open sourceCodePoint (geometry)Computer animation
Service (economics)Function (mathematics)SoftwareInformation securityProjective planeInformation securityOpen sourceMathematicsLink (knot theory)SoftwareService (economics)Internet service providerFunctional (mathematics)Computer animation
SoftwareInformation securityFunction (mathematics)Subject indexingMusical ensembleInformation securityMoment (mathematics)Revision controlCartesian coordinate systemMultiplication signSoftware developerMathematical analysisSoftware testingFunctional (mathematics)Computer animation
Information securityFunction (mathematics)Bit rateCartesian coordinate systemMultiplication signPoint (geometry)Musical ensembleProjective planeState of matterInformation securitySoftware testingIntelligent NetworkApproximationDecision theorySimilarity (geometry)Game theoryData flow diagramFreewareView (database)Real numberSelf-organization
Service (economics)System programmingError messageVariable (mathematics)Buffer overflowCodeData bufferIntegerCartesian coordinate systemInjektivitätLogicComputing platformComputing platformGene clusterInjektivitätLogicDataflowInteractive televisionMathematics1 (number)Computer programmingLatent heatLetterpress printingWeb applicationCartesian coordinate systemPhysical systemService (economics)Link (knot theory)Wave packetError messageVulnerability (computing)Buffer overflowComputer animation
Read-only memorySymbol tableSoftware testingForestLevel (video gaming)Forcing (mathematics)Computer programmingInterpreter (computing)Memory managementFormal languagePhysical systemVideo gameDataflowData managementSoftware developerSemiconductor memoryBuffer overflowTerm (mathematics)Error messageXML
Data bufferoutputRevision controlContent (media)String (computer science)Vulnerability (computing)Buffer overflowDataflowComputer programmingBuffer solutionLattice (order)Musical ensembleService (economics)Conditional-access moduleCartesian coordinate systemForcing (mathematics)Server (computing)Formal languageData managementoutputCodeResultantCASE <Informatik>Software developerSemiconductor memoryComputer animation
Computing platformData typeData bufferFluxInstallation artComponent-based software engineeringOpen sourceRevision controlVulnerability (computing)Exploit (computer security)ForestProjective planeValuation (algebra)Open setShift operatorInformation securityOpen sourceOrder (biology)Performance appraisalComputer animation
Installation artOpen sourceComponent-based software engineeringRevision controlMathematicsStandard deviationRevision controlInformation securityOpen sourceProjective planeGateway (telecommunications)Product (business)State of matterComponent-based software engineeringBasis <Mathematik>Computer animation
Repository (publishing)Repository (publishing)Scripting languageWeb applicationLine (geometry)Core dumpMoment (mathematics)Projective planeElectronic program guideLink (knot theory)Java appletOpen sourceComputer animationDiagram
CodeControl flowCartesian coordinate systemOpen sourceSoftware developerLibrary (computing)CodeType theoryData miningBit rateComponent-based software engineeringSoftware frameworkMatching (graph theory)WeightSource codeDiagram
Component-based software engineeringCodeSurfaceVector potentialVulnerability (computing)Component-based software engineeringSoftware developerLibrary (computing)Cartesian coordinate systemProjective planeConditional-access moduleExploit (computer security)Particle systemOptical disc driveSurfaceCodeComputer animation
Directed setTraffic reportingMultiplication signVulnerability (computing)Field (computer science)Distribution (mathematics)Projective planeDifferent (Kate Ryan album)Group actionMusical ensembleRight anglePhysical systemForestHasse diagramScripting languageDiagram
Vector potentialComputer fileGraph (mathematics)ComputerInformation securityMathematicsMeasurementComputer configurationVector potentialSheaf (mathematics)Internet forumForestIndependence (probability theory)Channel capacityInternet service providerHash functionProjective planePower (physics)Information securityInformationPolygonGraph (mathematics)Point (geometry)View (database)Vulnerability (computing)Computer animation
Plug-in (computing)Programmable read-only memoryJava appletWeightSystem programmingMaizeCountingComputer engineeringEstimationIntelCartesian coordinate systemCorrelation and dependenceProjective planeWordSoftwareIdentifiabilityIndependence (probability theory)Vulnerability (computing)Plug-in (computing)Traffic reportingBoris (given name)Computer animation
CountingComputer engineeringEstimationContinued fractionCorrelation and dependenceCartesian coordinate systemSoftware developerInformationRevision controlVulnerability (computing)Service (economics)Musical ensembleDifferent (Kate Ryan album)Matching (graph theory)Projective planeDistortion (mathematics)Cartesian coordinate systemWater vaporFocus (optics)Patch (Unix)Electronic program guideOpen sourceSoftware developerComputer animationXML
TorusDensity of statesRegular expressionService (economics)Modul <Software>Open setInformationBoom (sailing)Group actionGUI widgetRepository (publishing)Latent heatINTEGRALCollaborative softwareService (economics)Broadcasting (networking)Data managementVulnerability (computing)DatabaseSelf-organizationXMLComputer animation
Density of statesService (economics)Regular expressionAsynchronous Transfer ModeOpen setDisintegrationLocal ringAreaInformation securityComputer fileVulnerability (computing)DistanceForestBeat (acoustics)Mobile appReading (process)Firewall (computing)Water vapor6 (number)Service (economics)Latent heatWordMathematical analysisProjective planeComputer fileInformationRevision controlLibrary (computing)Computer animationXMLProgram flowchart
Service (economics)TrailBlogSign (mathematics)Forcing (mathematics)Information securityControl flowPhysical lawLibrary (computing)Integrated development environmentVulnerability (computing)Electronic visual displayCorrespondence (mathematics)Projective planeService (economics)Latent heatFlagWordRevision controlKey (cryptography)XMLProgram flowchartComputer animation
Repository (publishing)Thomas BayesGreen's functionNumberPoint cloudEqualiser (mathematics)Multiplication sign12 (number)Scripting languageTwitterVulnerability (computing)CountingDiagram
Open setWebsiteNetwork socketInjektivitätComputer networkVulnerability (computing)Revision controlService (economics)Regular expressionVolumeMiniDiscCompilerParsingFrequencyEmailAddress spaceVector potentialDensity of statesPhysical systemType theoryInformation securityDirected setComponent-based software engineeringMobile appTrailDatabaseDigital rights managementMultiplication signExpert systemBus (computing)Exponential functionRegular graphElectronic program guidePerspective (visual)Cartesian coordinate systemPhysical lawVector spaceProjective planeRevision controlInjektivitätService (economics)Dependent and independent variablesPressureOrder (biology)outputDifferent (Kate Ryan album)Boom (sailing)NumberInformationData managementClient (computing)Server (computing)Level (video gaming)Latent heatOpen setVulnerability (computing)Thread (computing)Component-based software engineeringSoftware developerDenial-of-service attackOnline helpProcess (computing)SurfaceExistenceElectronic mailing listDiagram
View (database)StatisticsOnline helpInformation securityComputer fileInteractive televisionFault-tolerant systemForestProcess (computing)Repository (publishing)LoginGastropod shellXML
Information securitySource codeSoftware testingIntegrated development environmentSoftwareService (economics)SatelliteRevision controlView (database)Java appletCartesian coordinate systemInformationPoint (geometry)Video gameChannel capacitySoftware testingMusical ensembleLatent heatCodeForm (programming)Data compressionFluid staticsVector potentialMoment (mathematics)Information securityWeb crawlerDynamical systemOrder (biology)Metropolitan area networkCuboidVolume (thermodynamics)Self-organizationStandard deviationBlack boxProjective planeView (database)MereologyCausalityMultiplication signVulnerability (computing)Pattern languageComputer programmingSoftware developerOpen sourceSoftware bugIntegrated development environmentSource codeTable (information)Computer animation
Variable (mathematics)Statement (computer science)InjektivitätVector potentialSpring (hydrology)IntegerInformation securityLatent heatOrientation (vector space)1 (number)Programming languageVector potentialMathematicsIntelVolume (thermodynamics)Plug-in (computing)InjektivitätChannel capacityEqualiser (mathematics)Server (computing)DivisorForcing (mathematics)Scaling (geometry)ForestProjective planeObservational studyDifferent (Kate Ryan album)Software bugAndroid (robot)Information securityJava appletCASE <Informatik>Integrated development environmentVulnerability (computing)Spring (hydrology)Open sourceComputer animation
Open setRule of inferenceSign (mathematics)ThumbnailInstance (computer science)CurvatureJava appletCompilation albumPoint cloudCone penetration testCodeVulnerability (computing)SatellitePseudorandom GeneratorMessage passingOpen sourceEncryptionData integrityAsynchronous Transfer ModeSoftware testingFluid staticsInformation securityMaizeGradientWeightSet (mathematics)Formal languageVertex (graph theory)Software frameworkRevision controlCodeMountain passCartesian coordinate systemPhysical systemLatent heatForestReliefFormal languageTable (information)DivisorSemiconductor memorySymbol tableAttribute grammarForcing (mathematics)Continuous integrationMathematical analysisTwitterRule of inferenceVector potentialChannel capacityInformation securitySocial classDataflowNegative numberEmailMoment (mathematics)Electronic program guideSoftware testingAreaSoftware frameworkPhysical lawFluid staticsSpecial unitary groupModal logicAnalytic continuationVulnerability (computing)CASE <Informatik>MalwareFunctional (mathematics)Java appletData managementPort scannerComputer animation
Information securityExecution unitInjektivitätCodeInclusion mapServer (computing)Core dumpSicIndian Remote SensingComputer fileSanitary sewerSuite (music)SineLine (geometry)Single sign-onGame controllerMathematical analysisDynamical systemProjective planeGroup actionInformation securityVideo gameTouchscreenWordMotion captureVulnerability (computing)Latent heatOperator (mathematics)Scripting languageFluid staticsElectronic mailing listCausalityLibrary (computing)Traffic reportingPort scannerCodeProgram flowchartComputer animation
ParsingServer (computing)InjektivitätCodeFunction (mathematics)ExpressionoutputString (computer science)Query languageWebsiteDependent and independent variablesVulnerability (computing)Scripting languageInformation securityLine (geometry)ExistenceFunctional (mathematics)MathematicsInformation securityScripting languageCASE <Informatik>Rule of inferenceComputer fileCross-site scriptingVulnerability (computing)Validity (statistics)Multiplication signWeb 2.0Source codeJSONXML
Information securityCodePlug-in (computing)Open sourceTrigonometryCryptographySystem callSoftware testingSoftware frameworkRandom numberEncryptionInjektivitätQuery languageFile formatInformationRegulärer Ausdruck <Textverarbeitung>Vector spaceMusical ensembleIdentity managementInformation securityGradientAnalytic continuationCue sportsMathematical analysisMusical ensembleWorkstation <Musikinstrument>Fluid staticsCodePlug-in (computing)Different (Kate Ryan album)Statement (computer science)WeightString (computer science)Electronic mailing listModul <Software>InformationSensitivity analysisCartesian coordinate systemOperator (mathematics)Vulnerability (computing)Field (computer science)Prisoner's dilemmaSoftware testingTouchscreenForm (programming)NumberSource codeoutputBuildingConnected spaceXMLSource codeJSON
Software testingInformation securitySource codeOperations researchProcess (computing)AerodynamicsAuthenticationDynamical systemVolume (thermodynamics)Software testingProjective planeComa BerenicesClient (computing)Cartesian coordinate systemInformation securityProxy serverMathematical analysisCategory of beingElectronic mailing listVideo gameMusical ensembleNeuroinformatikPoint (geometry)Integrated development environmentCross-site scriptingVulnerability (computing)CodeComputer animation
Proxy serverDisintegrationData typeEmailAerodynamicsSoftware testingInformation securityMessage passingOpen sourceLatent class modelPasswordAlgorithmWeb browserCartesian coordinate systemIntercept theoremSoftware testingConfiguration spaceClient (computing)Server (computing)WebsiteINTEGRALVulnerability (computing)Web applicationProxy serverLevel (video gaming)ForestInjektivitätNetwork operating systemSharewareComputer animationXMLSource code
Enumerated typeStatement (computer science)Table (information)DatabaseComputer configurationDigital rights managementPhysical systemInformationData structureElectric currentPasswordCore dumpMountain passParameter (computer programming)InjektivitätFront and back endsPublic domainLevel (video gaming)Vulnerability (computing)Table (information)DatabaseInternet forumReal numberSoftware testingDependent and independent variablesReading (process)Source codeJSON
InjektivitätUniform resource locatorTable (information)Vulnerability (computing)Latent heatChannel capacityLink (knot theory)Vulnerability (computing)InjektivitätLevel (video gaming)Process (computing)Addressing modeCartesian coordinate systemDatabaseTable (information)Query languageComputer animationProgram flowchart
SoftwareOpen setInformation securityOpen sourceAbstract syntax treeInformationLevel (video gaming)Continuous functionInclusion mapVulnerability (computing)Vector potentialSource codeBinary fileRule of inferenceProjective planeInformation securityOpen sourceSoftwareDifferent (Kate Ryan album)CollaborationismPhysical lawServer (computing)CodeVulnerability (computing)Traffic reportingFormal verificationComputer animation
Information securityPressureOpen sourceProduct (business)Process (computing)Projective planeCodeLarge eddy simulationLatent heatInformation securityCodePressureOpen sourceProcess (computing)Point (geometry)Computer animationJSONXMLUML
Product (business)Information securityProcess (computing)Open sourceCoding theoryPersonal digital assistantFluid staticsMathematical analysisSoftware testingTime evolutionInformation privacyDigital rights managementPatch (Unix)SoftwareVideo gameCycle (graph theory)Equaliser (mathematics)WeightDivisorInformation securityProduct (business)Point (geometry)Beat (acoustics)Order (biology)Process (computing)Software developerLatent heatSoftware testingPhase transitionMathematical analysisCodeMessage passingLink (knot theory)ForestSpacetimeCycle (graph theory)Volume (thermodynamics)Video gameSoftwareComplete metric spaceFacebookXMLUMLComputer animation
Shift operatorVideo gameCycle (graph theory)SoftwarePlanningSpacetimeProcess (computing)Cartesian coordinate systemFacebookSoftware developerProduct (business)Phase transitionDiagram
Core dumpProjective planeResultantSoftware developerSoftwareLine (geometry)Link (knot theory)Thomas BayesPoint (geometry)View (database)Information securityOpen sourceComputer animation
Software developerCodeInformation securityType theorySign (mathematics)Core dumpInformationGoogolChainControl flowVulnerability (computing)Patch (Unix)FrequencyDependent and independent variablesSoftwareModel theoryPhysical systemCASE <Informatik>Projective planeInformation securityWeb applicationView (database)Point (geometry)Repository (publishing)InformationType theoryVulnerability (computing)Computer animation
Normed vector spaceInformation securityOpen sourceRevision controlWordElectronic mailing listServer (computing)Information securityTraffic reportingSoftware developerSoftwareProjective planeCuboidOpen setWeb 2.0DatabaseVulnerability (computing)Data managementXML
Key (cryptography)CodeConfiguration spaceUniform resource locatorLatent heatDirectory serviceComputer filePasswordSimilarity (geometry)WordConfiguration spaceInformationFrame problemSource codeDatabaseComputer fileProjective planeRepository (publishing)Revision controlComputer animation
CodeFatou-MengeComputer fileWindows RegistryAuthenticationPlug-in (computing)Key (cryptography)Core dumpPasswordVariety (linguistics)Negative numberSoftware frameworkRepository (publishing)Sensitivity analysisShared memoryMathematicsScripting languageSoftware testingInformationElectronic mailing listLatent heatSelf-organizationFunctional (mathematics)Public-key cryptographyAuthenticationToken ringComputer fileComputer animationXML
PasswordRepository (publishing)CloningCache (computing)View (database)Pay televisionPasswordSensitivity analysisTraffic reportingLatent heatSoftware developerInformationKey (cryptography)Multiplication signRepository (publishing)Computer animation
CodeProcess (computing)TelecommunicationOpen sourceVulnerability (computing)Information securitySoftware developerPoint (geometry)Strategy gameOrder (biology)Open sourceSoftware developerCartesian coordinate systemSoftware maintenanceTelecommunicationView (database)Projective planeOpen setMetropolitan area networkDependent and independent variablesInformation securityIndependence (probability theory)Direction (geometry)Computer animation
SoftwareVideo gameCycle (graph theory)Information securityState of matterOpen sourceExplosionProduct (business)Vulnerability (computing)Software testingPrinciple of relativityTraffic reportingInformation securityOpen setState of matterOpen sourceInformationPresentation of a groupSubject indexingComputer animation
Open sourceFreewareCartesian closed categoryLecture/ConferenceXMLComputer animation
Transcript: English(auto-generated)
OK, then please welcome Jose Manuel Ortega, who will give us a talk about security in open source projects. Thank you.
Good afternoon. Thank you for coming. Well, this is my name is Jose Manuel Ortega. I'm from Spain. This is my first time here, first come, and well is. And I was confident for sharing knowledge and projects.
Well, in this talk, I will talk about security. Basically, what are the main problems that we have in security when we are working in a project with a developing team, with people, and so on?
What are the problems that we have from the security point of view? And what are the tools and the process that we can use for adopting best practice in our organization, in our team, and so on?
These are all the conferences that I have made in the last years. I have a conference, for example, talking about security in many languages, like Node.js, Python.
I also like security in Docker containers. With Python, also, I have talked about microservice and serverless projects. All these conferences that I won in my personal blog,
on my personal page. And also, in YouTube, you can find other conferences related with security, mainly with Python, because it's the language that I must use for testing the security of applications.
I also have other presentations related with security in Node.js, and so on. I also like writing about sharing my knowledge with books, with book series.
This is the first book I was writing last year, Master in Python for Security and Working. Basically, this book covers topics from building a network, from the different processes
you need to follow to security your network, or applications in general. You'll first be introduced to different packages in Python and libraries related with detecting vulnerabilities in servers and web applications. The second one I have writing about Python
is this, learning Python working, that covers topics like socket programming, how to design servers, and even driving architectures with Celery, Redis, and so on. And also, there is an introduction to web applications with Django and Flash frameworks.
Those are the most known frameworks for programming in Python. Well, this is the agenda. This is the main point for the talk. Basically, in this talk, we will look how open source projects can manage the security.
Basically, we will review tools for detecting vulnerabilities and dependencies of our project, and in the work code base. Finally, we will review techniques and tools for improving security in open source projects. Well, the main problem we have in open source projects
is that security is always a secondary concern. The primary role of software is to provide functionality or service to our users, for example.
And managing associated risks to the software, we are developing always is a repeat of secondary topics, secondary concerns, and it's basically the security is not a priority today. When we are developing, when we are starting a project.
And this, in the future, in the future of our project, can be a problem. There is often a trace of conflict between security and functionality. Companies believe that security is not a priority,
as I commented before. And when you ask developers if they are using some tools for analyzing the security, for testing the security of application, a very small percentage of answers affirmatively. And where security, basically nowadays,
there are companies that are interested in adopting security with practice, in organization, and transmitting this to developers' teams and so on.
But there are a lot of work for, at this moment, there are many companies that are not releasing this. And there are a lot of work to do in this aspect. Other of the problems for testing security
is that they are basically two approaches. They are, in one, they are for the Blue Team approach. Basically, it's testing the security of applications from the defensive point of view.
And the other approach is the Red Team, which basically is analyzing the security application from the attacker point of view. Blue Team basically refers to an internal security team that you can have in your organization and defends against real attackers, for example.
And the Red Team basically are external entities that are users that test the security of your application. Well, the Red Team basically completes this
by evaluating the behaviors and techniques of likely attackers in the most realistic way possible. The practice is similar to penetration testing.
The penetration testing is saying that the tools that use this is for Red Teams. Well, when we are developing, basically we can introduce flaws in our application
in two types. Basically, flaws that can be understood looking at the program itself. For example, errors in logic or in programming logic. And the other one is problems in the interaction
with the platform or other services and systems that interact with the application. Basically, at this point, we can detect problems like buffer overflow and specific vulnerabilities in web applications like SQL injection, cross-service forgery, and so on.
You may have heard terms like buffer overflow used after three-step corruption. These terms are related with memory flaws. It's very useful, for example, in C++ programs
found these errors. When you program with a scripting language like Python or PHP, for example, memory management is delegated to the interpreter or the system. And the developer can make mistakes related to the management of memory buffers, for example.
This is a typical buffer overflow vulnerability in a C program. The vulnerability, in this case, is because the buffer can be overflowed if the user input is bigger than its bytes.
At this point, every C++ developer must know the buffer overflow problem before they do the coding. A lot of books generated in most cases can be exploded as a result of buffer overflow nowadays
because most of the servers and the tools that we use, at low level, are using C++ language for memory management, connecting with other applications,
other services, and so on. For example, in an exploit database, and this overflow, evidently, is a problem because, for example, if we go to exploit database, you can find a lot of exploits that attacks this vulnerability.
Well, in order to know, for example, when we are working with open source projects, for example, it's very useful using external dependencies for another project.
And in order to know dependencies and start a security evaluation in open source projects, you need to answer these questions. What open source components you are using? What versions you are coding, running, and where? How these components can be outdated,
and where do you get the update? What do you need to install them? All these questions are the basis for knowing the state of the open source project in general, and where the security is a critical topic.
Nowadays, most of web apps have dependencies available in core repositories like NPM for JavaScript, maybe for their projects,
and PyPy for Python. The use of open source projects is accelerating. For example, in the last year, Java package doubled, and NPM added 200,000 new packages the last year.
Only the last year. And at this moment, NPM is the bigger repository nowadays, and it will have almost 1 million packages in NPM.
Another critical aspect, as I told you before, is the use of third-party libraries. Instead of creating applications from scratch, basically, today's developers start with open source components, and then copy, extend, and glue them together with applications that they are creating.
18% is 30% party code for external libraries. This means that open source libraries and frameworks don't make up the vast majority of the source code used by companies today.
The main problem with components is that reusable components, when you try to introduce a component that is reusable in your project,
this is an odd idea, but reusable components originate reusable vulnerabilities. Nowadays, exploiting a library can potentially exploit many applications. This can be because the library is very common in specific applications
or has a very high reputation between developers. Basically, 19% of the attached surface of an application may be due to third-party code. In this report,
for example, made by Snyk, we can see the direct and indirect dependency distribution across ecosystems, in different ecosystems. Most dependencies in NPM, maybe in Android, for example, are indirect dependencies requested by the field libraries,
especially the feeders. Snyk has scanned over a million snapshot projects and has discovered that vulnerabilities in indirect dependencies, in JavaScript, for example, in JavaScript projects, accounts for almost 80%
of overall vulnerabilities. And in other languages, like Python, this percentage is reduced to 10%. If we, for example, if we work with GitHub, for example, if GitHub provides
the option to provide information, for example, to know all the dependencies in the dependency graph section, we can see the dependencies of our project. For, and when potential security vulnerabilities
unfold in our project, GitHub has the capacity to provide these social measures that this dependency can be dangerous for the security point of view. Also, for detecting dependencies
in our projects, we have the OWASP dependency check project that basically identifies project dependencies and checks if there are any known vulnerabilities in these dependencies. Basically, it provides plugins for Jenkins, Maven,
Gradle, that identifies project dependencies and checks if there are any known vulnerabilities. For example, basically, this tool provides a report where you can see for each, for each dependency, we can see the,
it has a vulnerability, we can see the critical level of the vulnerability and all the information related with the vulnerability. The version that is vulnerable and so on.
Well, Snyk, I am going to comment what are the main services we can use when we are developing an application that is starting, for example,
what are the services that we can use for detecting vulnerabilities. For example, Snyk is a service that focuses in detecting vulnerabilities and dependencies not only offers tools to detect known vulnerabilities in different kinds of projects, also helps users, developers
fix these issues using guide upgrades and open source patch that Snyk creates. This service, Snyk, has its own vulnerability database which gets
data from the NBD database, the NBD database. Basically, Snyk approach is to scale the management of known vulnerabilities through the organization with better collaboration tools and integration with GitHub repositories, for example.
And when you, and where this tool detects that a specific dependency has a vulnerability, it shows the information and you can open, for example, a fix for doing a pull request for a specific
vulnerability. If we are working with Python, for example, we have available a specific service like P-App and safety that allows us to analyze the dependencies and library that our project is using.
Internally, these tools, what this does, is analyze the requirements project file in Python and check for its module, if it is using the latest version, or you need to update a specific package,
specific module, based on the vulnerabilities information. Safety, for example, is a command line tool for checking your local environment, reading basically the requirements dot
the requirements file of the Python project. Safety also can call the local build environment for security issues and detect outdated libraries or libraries that may have
some kind of vulnerability. There are other interesting projects like require.io This is a service that allows to detect libraries and dependencies in our projects that are not updated.
If it detects an unsafe version of a specific for a particular package, it will display the corresponding insecure flag. When examining the five different ecosystems, that is PHP, Java, JavaScript,
Python and Go, we see an increasing trend in the number of vulnerabilities disclosed across all of them since the year 2014. In 2014, in this year, well, the number of vulnerabilities
is increasing each year in all ecosystems. And last year, for example, the vulnerability count grew by 30% regarding the the
270 years. If we are working, for example, with JavaScript and npm repository, we can see the the latest vulnerabilities discovered for certain versions of the package and the level of criticality.
In npm, we can see this information for open packages and components that are very common, useful using in JavaScript projects. For example, some packages
have vulnerabilities related with regular expression, denial of service. This vulnerability has a special impact in Node.js applications because it takes down the main thread that is processing client requests.
For example, when you give this when you give it some input that takes a very long time to process it, can produce a denial of service because the server takes a long time for processing requests. This is a very common common vulnerability that we can find
in specific in specific versions of some package and, well, this is one of the more critical vulnerabilities in specific Node.js applications.
Another common attack vector that is consistently featuring the OAuth top 10 over the last years is SQL injection. Looking across the last three years, we can see that main ecosystem, npm, Maven and PHP have peaks during different years.
Maven libraries, for example, leave the number of SQL injection vulnerabilities disclosed in both 2016 and 2016 and 2017
years. From the user's perspective, it's interesting to gain insight into how the layer of our vulnerabilities in their application dependencies in order to respond to potential threats
as they are discovered. Almost 30% of users don't have any productive or automatic way to find out about new discovered vulnerabilities. They don't they don't have any any way to
to discover new vulnerabilities or vulnerabilities that are that are public but the developer doesn't have information about this. And they don't and developers basically don't worry
because they haven't they haven't know that that exists. And only 30, 60% of users confirm that they use a list a dependency management or a scanning tool
to help surface vulnerabilities. This is another problem that we have for example in Python. We have the problem of finding malicious Python packets. This is a problem that the security researchers have
discovered mainly in the last two years. Some of these malicious packets what this does is download a file in a hidden way and execute a process in the background that creates an interactive shell
without logging. Obviously these packets have been removed from the repository by the PyPy security team but we might find this problem in the future. We don't know but maybe in the future this problem
we can find this problem. At this moment we have reviewed we have made a review what are the main tools for different what are the
kind of vulnerabilities that we can find in open source projects and at this moment I'm going to talk about tools. Basically we have two kinds of tools for static and dynamic. In order to analyze the code developers
for a specific program in the organization. Basically these tools have the capacity to detect potential dangerous patterns. In this table we can see a comparison between dynamic and static. Basically dynamic is oriented to black box testing
and static is oriented to white box security testing. Static requires source code and dynamic requires running the application basically in an environment in development.
And from the from the from the cost point of view the static is less expensive fees, vulnerabilities and dynamic normally it has
a higher cost. Well for static the command is oriented to code standing for discovery potential dangerous pattern and for example we can use very useful tools like find security bugs and SonarQube. These tools are the most
useful tool that organizations are using for testing the security applications from a static point of view. Basically find security bugs is oriented to Java and JavaScript projects and is an
open source project that can be installed in your environment in your server and you can you can be installed in for example you are using Java you can install it as plugin in Eclipse
IntelliJ IntelliJ Android Studio and for example it has the capacity to take a potential JDBC injection you are using for example a spring with the JDBC connector for Oracle for example
you can it has the capacity to take this kind of vulnerability. In the tool documentation you can see specific use cases that the tool has the capacity to take for different programming language
such as Java, Scala and JavaScript. If we are working for example with Java or PHP we have available specific plugins in SonarQube. Using Sonar for example
can be one of the first step when trying to improve the code of our application and discover areas in which it is probably necessary as a factor for example. For example here in Sonar is detecting that we are using the system.GC
method called function in Java code. That is that the using of this method can be considered a security fail in the application because it automatically
this method call the Java collector and at this moment if they are the application is executing this function can call the Java collector and destroy the memory
that is using in a specific moment. For example for each language with Sonar we can see the rules define it by by type, vulnerability, bug, security hotspot, code smell there are different rules that we can
Sonar has the capacity to detect. For example we are using GitLab continuous integration, continuous deployment. You can analyze your short code for known vulnerabilities using static application
security testing. Basically GitLab has the capacity to detect special use cases for example if your code has a potential dangerous attribute in a class or unsafe code that can lead to malicious code execution.
Also has the capacity to for example if your application is vulnerable to cross scripting attacks it has the capacity to take off all these all these cases.
GitLab also supports many languages and frameworks the following table shows which language package managers and frameworks are supported for static analysis. For example for C++ you can support Flaufinder
for Node.js it supports Node.js Scan and for Python it supports Debandit Ladera will comment on some of these tools. GitLab supports
both static and dynamic analysis. This is a screen capture of the security dashboard that GitLab provides the security dashboard is a good place to get an overview of all the security
vulnerabilities in your groups or projects. Well as I commented before we have a specific static analysis tool for example we are working
with Node.js we have the Node.js Scan as a static analysis tool that can detect security problems in secure code and obsolete libraries with vulnerabilities. Basically it's a Python script that when executed returns a report with
everything it has found that can cause security problems. Basically what this does is checking the security is checking the security rules that are defined in a XML file
and this script shows alert in case you are using for example the eval function that is dangerous in JavaScript or in general JavaScript the functions that can be dangerous. For example it allows detecting vulnerabilities
of tight cross-site scripting where user entries are not currently validating. And in Python we have Bandit. Bandit is a static code analysis tool designed to find common
security issues in Python code. It's written in Python and it can be easily extended with your own security police it can integrate if you are working with Jenkins for example you can integrate this tool
in your continuous deployment pipelines in Jenkins. Bandit basically is a tool that can connect information about user input and sensitive code to detect when the operations perform are dangerous
in your source code. It supports many different tests to detect many security issues in Python code. Basically it contains a blacklist that checks for a number of Python modules known to have security implications.
The following blacklist basically are following blacklist tests are run against any import statement or calls that are found in the scan codebase. For example it has
a plugin for detecting a typical screen detection. This plugin looks for strings that can be vulnerable and resemble SQL statements that are involved in some form of
a string building operation. Well running static on your code is the first step to detect vulnerabilities that can put the security of your project at risk. Once
the application is created and the application in your development environment your application is exposed to a new category of possible attacks such as cross-site scripting or broken authentication these kind of opportunities.
And at this point dynamic application security testing comes into place. For dynamic analysis for example we can use tools like OWASP basically it's a proxy between your application
and the client and other tools like Boresweet. Boresweet is another proxy. OWASP for example is an integration in an integrated penetration testing tool for finding vulnerabilities in a web application
that acts as a proxy between the browser client and the application server intercepting requests for detecting fault configurations. And for example
for detecting for SQL injection we have other tools like SQL map SQL map is one of the most useful tools for detecting SQL injection vulnerabilities and with this tool you can discover table names, download database
and perform SQL queries automatically. To do this basically the tool allows a request to the parameters of the URL either through a guess or post request. Basically the test if for some parameter
in the URL of the domain is vulnerable because the parameters are not being validated correctly in the backend. These are the main steps that the tools follow for SQL injection process. Basically
the first step is searching if the URL is vulnerable to attack and if it detects that URL is vulnerable basically they use many techniques for adding specific SQL queries
that transform the original query. And once the tool has discovered that the database or application is vulnerable it has the capacity to discover table and columns from the database. Well,
what we can do to improve the security of open source project? Well, basically we can do all the same things as we do when other kinds of server. The big difference is that in open source we do it
collaboratively. There are The main difference for example in between proprietary and open source projects is that in open source projects we have the advantage that vulnerabilities are reported and verified
and often suggest fixes and are not so available which are more easy to find and fix than trying to scan the code yourself. In open source projects typically there are many people contributing. Sometimes there are a culture of
coding and the code is more important than the specification. And this is important because in specific projects there
are many less market pressure to put security first. At this point it's important to be aware that security is a process not a product. Security needs to be given equal weight
with scalability, performance, usability, and all the other design factors that matter to your users. At this point it's important not to wait at the end of the process of developing to audit the code.
For example we can recommend starting the 18% complete in the development phase. We can use specific methodologies like show our development lifecycle with the methodology. For example we can
in each phase of the development, requirements, design, coding, testing, and deployment, we can introduce security testing in each one. For example in the design phase of the methodology we could realize a risk analysis that includes
for example, threat modeling, security requirements, security test, and pen testing. The idea with the methodology is detecting and fixing issues in each phase in the development process from the design phase
to until release the application in in production. And using this methodology finding an issue problem, an issue in your application development process has less
impact on cost and resources than finding the same issue later in the process. For example if we have an open source project and we want to certify for example
from the security point of view we can use the Linux Foundation Core infrastructure initiative basically it is a way for it provides best practice from the security point of view and developers can
quickly access which open source projects are following best practice and as a result are more likely to produce higher quality security software. For example we can use this project can
your project need to certify for example you can do it with this tool. Projects can voluntarily certify by using this web application to explain how they follow each best practice from the security point of view.
You can check for example this repository from GitHub and you can find a lot of information for security requirements and common types of security vulnerabilities.
Finally I'm going to comment the final when we detect an issue in our project what are the tools for reporting vulnerabilities. For example we can use
for example you have issues that are available in in your project public and private and also we can use for example with Thila for basically it's a server software designed to help you manage software development and you can install it in your own server
basically with Thila needs for example a database server a web server with GitHub for example you can create automatic security fix when you discover an issue in an open security project.
In GitHub also of the problems that we have is the the confidential information related with database credentials infrastructure configuration or hard-coded information in the source code itself.
For example these are some files which are probably always consistently sensitive and shouldn't be add in source control. For example private keys, in-story files, log files,
configuration files, with the files we have we need to be aware that that can be in the you can commit this file in a private or public repository.
GitHub search also is a useful feature and can be used to share sensitive data on public and private repositories. Also we can use specific tools for detecting confidential information in GitHub repositories. We have the
you have door search tool. Basically it's a Python script that can search through your repository or your organization user repositories. This script provides a basic functionality to automate the search on your
repository against the doors specified in a file. We have a collection of GitHub doors that can rebuild sensitive personnel and organization information such as private key credentials, authentication tokens and so on.
And if you have detected all this information in in a GitHub repository you can remove data this kind of data from a repository. If you commit sensitive data such as password or a key
you can remove it from the history. It's not it's not the best solution but well, it's an intermediate solution because maybe in a specific time you have you have commit a specific
you have shared a password or a key with your development team for example. And finally for conclusions from open source
maintainer point of view you should offer secure release of your code and provide a communication strategy to those developers in order to possibly impact other projects and applications. And from a developer point of view
is the developer has the responsibility to understand the direct and indirect dependencies in your project including any security flaws that might exist in that dependency tree. And it's important to consider reading security
guidelines and adopting security best practice. And that's all this is finally a report for example SNCC has a lot of information related to the state of the open security
open source security in this year. And this is a recommended reading before before attending this presentation. And that's all. Thank you very much. Do you have any questions?
Well, it doesn't look like there are any questions now. So well, thank you very much. And you'll be available for
questions later around here. Yeah, I will be there. Well, thank you. Thank you.