
A security.txt for gits?


Formal Metadata

Title: A security.txt for gits?
Number of Parts: 38
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
We want to propose starting the discussion on a machine-readable, standardized addition to git repositories that will serve two purposes:

a) Coordinated Vulnerability Disclosure: provide the necessary information for an anonymous, easy-access, legally secure and ethical CVD process.

b) Up- & Downstream Vulnerabilities: allow projects using the code to receive reports on vulnerabilities in a feed before the CVE is public.

Cunningham's Law states: "the best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer." We ask for this talk to be understood in this sense. Please let us know how this should be done properly in the linked issues (CVD, Up- & Downstream Vulnerabilities).

To our understanding, securing FOSS requires two kinds of measures: preventive measures like pen-tests and audits, and reactive measures like a CVD process and the up- and downstreaming of relevant information.

Why do we care about this? The "InÖG - Innovationsverbund Öffentliche Gesundheit e.V." is a German-based open-source project that has been working on GovTech solutions for administration2X communication since 2021. Our solution IRIS-Connect [1] ran in 54 public health centers in four states (North Rhine-Westphalia, Hesse, Saxony, and Thuringia) serving 30.4 million German citizens as the link between public health centers and contact tracing apps. To us, security questions were central for two main reasons: A) the sensitive information, including health data, that IRIS-Connect handled; B) the non-negligible attack surface of public health centers. Due to A), IRIS offers E2EE communication between public health centers and the apps used by the population at large. The relevance of the second point was stressed by the known vulnerabilities reported in similar solutions [2]. Given this situation, the government institutions interested in using our software wanted to know "whom they could call" if something is wrong.

Given the imminent situation, we were able to find practical short-term solutions, but the issue remains. Especially with the EU's Cyber Resilience Act [3] on the horizon, the question of how to reach out to OSS projects will become more relevant. For a more comprehensive view of the challenges of FOSS procurement, please see Miriam Swyffarth's talk: "Why isn't the German administration procuring more FOSS?"

This talk is part of the InÖG's current cooperation with the BSI - Germany's cybersecurity agency - in the project "B3 - Buntes Bug Bounty" as part of the BSI's annual Cybersicherheitsdialog. For more information, please visit the project websites of both partners [4][5]. We acknowledge funding by the BSI in the form of reimbursements of expenses of the volunteering contributors.
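One concrete starting point for the discussion above is a checker that reads a security.txt-style file out of a repository and reports what is missing or stale, which is the minimum a downstream consumer would need before trusting the contact data in it. The following is an added example written for this page; it is not code from the talk, from the InÖG project or from any file format the project has published. It assumes the RFC 9116 field names and "Field: value" line syntax (Contact and Expires required, Contact values as mailto:, tel: or https: URIs, Expires as an RFC 3339 timestamp), and both sample files are constructed for the example.

```python
"""Parse and sanity-check a security.txt-style file (RFC 9116 syntax).

Added example for this page, not the project's own code. The field names
and required-field rules follow RFC 9116; the idea of carrying such a file
inside a git repository (rather than under /.well-known/) is the proposal
under discussion and is treated here as an assumption.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

REQUIRED = ("Contact", "Expires")
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "CSAF",
                "Encryption", "Expires", "Hiring", "Policy",
                "Preferred-Languages"}
CONTACT_SCHEMES = {"mailto", "tel", "https"}

# Fixed "current time" so the checks below are reproducible.
FIXED_NOW = datetime(2030, 6, 1, tzinfo=timezone.utc)

# Constructed sample: well-formed file with a future Expires.
GOOD_SAMPLE = """# constructed sample, not a real project's file
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2031-01-01T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Canonical: https://example.org/.well-known/security.txt
Preferred-Languages: en, de
"""

# Constructed sample: bare e-mail address (not a URI) and an expired file.
STALE_SAMPLE = """Contact: security@example.org
Expires: 2020-01-01T00:00:00Z
Policy: https://example.org/cvd
"""


def parse_security_txt(text):
    """Return {field: [values]}, skipping blank lines and '#' comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    fields = parse_security_txt(text)

    for name in REQUIRED:
        if name not in fields:
            findings.append(f"missing required field {name}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field {name}")
    if len(fields.get("Expires", [])) > 1:
        findings.append("Expires must appear exactly once")

    # Contact values must be URIs; a bare address has no scheme.
    for value in fields.get("Contact", []):
        if urlparse(value).scheme not in CONTACT_SCHEMES:
            findings.append(f"Contact is not a mailto:/tel:/https: URI: {value}")

    # Expires must parse, carry a timezone, lie in the future and,
    # per RFC 9116's recommendation, not more than a year out.
    for value in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            findings.append(f"Expires lacks a timezone: {value}")
        elif expires <= now:
            findings.append(f"file expired on {value}")
        elif expires - now > timedelta(days=365):
            findings.append(f"Expires is more than a year out: {value}")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("stale", STALE_SAMPLE)):
        print(label, check_security_txt(sample, FIXED_NOW) or "OK")
```

Run as a script it prints "OK" for the first sample and two findings for the second (a non-URI Contact and an expired file). The Expires check is the part that matters most for the feed idea in the abstract: a consumer aggregating many repositories' files can drop or flag stale entries automatically instead of discovering a dead contact during an incident.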
Transcript: English (auto-generated)
Hello everybody. Does this work? Okay? Great, so hello everybody. Thank you for masking up. It's nice to see that on this kind of day, because I actually work in open source for public health and we still read the numbers.
So what's our idea? We want to get relevant information into pipelines. The name we came up with for the project is Giturity, which is a security.txt for gits. And we would like to take you on a ride on why we think this is necessary,
how it fits into the big picture. And we hope that you will explain to us why all this is actually wrong and we need to do something else. So imagine you live in a perfect world with puppies and rainbows and unicorns, because we all just needed that, because it's the last talk before the lunch break. No, actually you have security researchers
who are not prosecuted. Everybody has an SBOM. Talk to Nick about what that is. And there are SOCs which are ready to go and they're just waiting for your input. And then you look at the life cycle of a vulnerability in a perfect world. And then it can either go to the graveyard
and no one will ever notice or know about it and it will die a lonely death. That's what we hope will happen to them. Or you can have someone find it, and then there is a choice. The person can either be a white hat hacker or a black hat hacker. Those people have conferences and they're rather well-funded.
So what is one choice that can happen? And you can look at this and you can say, yeah, okay, this is a vulnerability which will allow you to change the color of the text on my homepage. I really don't care. Or a race begins, which is gonna be fascinating. And we're gonna look at this question, what we can do to give someone a heads up in this race.
Also, I want to point out the work of Desiree Zacher, who's doing amazing work to actually look at this. She's on the first board to prioritize which things you fix first, because fixing them all is not a question anymore. So what are the challenges if you look at the journey of a vulnerability
in a good case, like the white hat hacker front? They either can call up an organization which is running the software on an active system in production, or they find a bug in a git. Because everybody has an SBOM, at some time the organization is gonna find out in which git their problem actually lies.
And then, because this git has an SBOM, because everybody has an SBOM, they're gonna find the git where the issue is. For example, if you look at the dependency graphs up on the slide, the one on the top right is ours with IRIS-Connect, our core product. The one on the left is Sigstore, which was put up by Radi and Valeshka, I hope I didn't butcher their names,
yesterday, and we actually share a dependency in gRPC protobuf stuff. It's in Go, basically everybody uses it. And that's used somewhere else and also somewhere else, so they're quite a point of points. So if you look at this journey, we have SBOMs which solve a thing. They explained it an hour or two ago in this room.
There's security.txt, which actually tells you where to call if you're a white hat hacker and you wanna reach out to an organization. Yeah, then there's the question, how do you call a git? This is one part of the project, Buntes Bug Bounty, which we're currently running
out of the Innovation Council Public Health. This is what the German solution would look like. If anyone is interested, this on the right is actually the IT security architecture of Germany. That's work done amazingly by the Stiftung Neue Verantwortung, who actually tirelessly indicated all of this. And there are some ideas how to get this
and get security for white hat hackers and all that. We're currently working with the BSI on it. But there is this question around, how do I reach open source? So whom do I call in Europe, respectively in open source? And we hope that Giturity would give the same set of answers that you would find in a security.txt to actually reach out to the people running the git.
Yeah, and then we have those amber situations, right? We actually want to warn the people using your software before it's a CVE. And that's a bit complicated. So we thought about the things we know a thing or two about, and we felt like speed, not perfection, is a very good thing to deal with things
which are infectious. And if you think of gits as being infected and they're spreading it like a virus, we might have come up with some ideas how to track those. So for example, if you look at this on your automate, in Germany we had this rather successful thing called the Corona-Warn-App, rolled out, with 14 million people using it,
which came in and was used here yesterday. And if someone gets tested positive, they just warn the other Corona-Warn-Apps within 12 hours and everybody knows that they might have been exposed to COVID. And there is the other approach. Yeah, that's from the view of the WirVsVirus hackathon where the Innovation Council of Public Health comes from, sorry for the disruption.
There is Luca, which is the other way to go at things. You get a test, then you wait for your public health center to call you, and then you tell them that you actually use the app. Then they get the information from the location you were at because you checked in. And then they call the people who are on the list
of the location you checked in with. I'm not sure how your public health centers fared during the pandemic. In Germany, we had the problem that the key resource was humans using phones. Being a geriatric millennial, this scares me. Also, they didn't even manage to call people.
So the question is, what's the connection? We have the same situation now with CVEs, CWEs, CPEs, and all the frameworks we're employing to actually look at those vulnerabilities. People need to look at them. They need to be categorized. Someone needs to assess them.
Then someone's gonna push out the information. And then, if you're happy and the thing has been tracked in the wild, about half a year later GitHub is gonna tell you that there's a CVE on a library that you're actually using. That might be a tad late. So we thought Giturity might be an idea to copy this concept of the Corona-Warn-App
and the idea to actually have things talk to each other. And we feel like, if you look at the big picture, those are challenges and we want to tackle them this way. And those are us announcing the talk, setting up your git for a Coordinated Vulnerability Disclosure process,
and looking at up- and downstreaming vulnerabilities. And the idea is, well, make gits talk to each other like the Corona-Warn-App actually enabled people to talk to each other, and put it in the pipe. There's good work being done on this. Flor introduced it earlier and Thomas and Surya
are talking about it, how to do this with assessment of licenses. Because licenses are what the open source community, what we use to actually communicate with others who don't want to pick up the phone. So we could just put another part next to it, right? A giturity.txt, for example.
So what's the idea, Giturity? You take the concept of security.txt, you merge it with the concept of gits, you make them talk to each other in a way that you do with RSS feeds or the Corona-Warn-App update from the information perspective. You can do that, we can make machines talk to each other, we have robots.txt. Then there's a bunch of things we didn't remember
and an X factor that might be helpful. And that could become giturity.txt. And I would like you to join the discussion on that. What could X be? Could you be someone who's actually running an OSPO and reach out to a project and tell them,
hey, if there's something wrong with your project and you're three people who are working on it and you sometimes want to go on vacation, put our contact information in your security.txt so that the people can call us and we can fix the stuff, because your git matters to us. I've been told this is how OSPOs might work if they're run well.
And well, then there's gonna be a bunch of other ideas. So we set up a git on Codeberg and there are two issues, how to set up a Coordinated Vulnerability Disclosure process and how to do the up- and downstreaming in an amber way. And I either ask you to scan those QR codes, especially the people on the internet
who will see this talk embedded somewhere else. Or if you're privy to the program of this wonderful conference, you can just find the links in the announcement of the talk. Thanks for your time.
Thanks a lot, Craig, for maybe one or two questions before we can go to lunch. Sure, that is within my amount of skills. So if I understand right, you want to have a common ground,
every project in the world using a SECURITY.md or security.txt file with detailed contacts. That's the key factor of that one. That's basically the basic takeaway. And then just put it next to the license, which we all have, and then put relevant information in there, and then there's a discussion to be had, what would relevant information be?
At least GitHub is doing now some push to have this file. So it has a check mark on the community guidelines to say you might need a security policy. So it's nagging you if you don't have it. So one step closer if you're on GitHub. And then basically you're looking for how we do the magic, right? So it's like, once we have these things, how we do the magic. Okay, cool, thank you very much.
One of the parts we hope for is that you might actually include parts of your SBOM in there. Because one of the things that we know that work on the internet from time to time, if they're well maintained, are actually pointers, even though we all know the internet is kind of rotten. But if you actually put an expiration date on them or when they were last updated, that might give the people working with them an idea.
And you might actually help people combining the SBOMs of their own project if you put your own SBOM in there. But for that you need open standards. And I've been trying to find those for quite a while. And I wasn't able to find them. So I'm just gonna propose one and then someone's gonna tell me how it's actually done right,
because this might get on the internet. Thanks a lot, Grigo.