Security Issues in Open Source Projects - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Security Issues in Open Source Projects
2
Outline
  • What is Security?
  • Problems.
  • Why Open Source does not work.
  • Why Closed Source does not work.
  • CERT's Comparison.
  • Improvements.
  • Conclusion

3
What is Security?
  • Part of Dependability
  • Resist accidental or deliberate attacks.
  • Includes
    • Integrity
    • Confidentiality

4
Three Sorts of Damage
  • Denial of Service
    • Availability
  • Corruption of programmes or data
    • Reliability
    • Safety
  • Disclosure of confidential information
    • Availability
    • Reliability
    • Safety

5
Security Assurance
  • Vulnerability Avoidance
  • Attack Detection and Neutralisation
  • Exposure Limitation

6
Problems
7
Quantifying Problems
  • Not just number of vulnerabilities
  • Damage Potential
  • Detection Potential
  • Exploitation Potential
  • Exposure Potential
  • Response Time

8
Project Problems
  • Large and successful projects
  • Business backed
  • Writer's agenda

9
Why Open Source does not work.
  • Many Eyeballs.
  • Competence
  • Tedious
  • Difficult
  • Black Hats

10
Why Open Source does not work.
  • The Programmer.
  • Reads code that he wishes to change
  • Functionality
  • Elitism
  • We know all there is to know about security
  • Enjoy talking security
  • It was hard to write, so it should be hard to read

11
Examples where Open Source did not work
  • Good
    • OpenBSD, LAP, Mozilla Firefox
  • Bad
    • Sardonix
    • Trusted Information Systems Gauntlet
  • Source Available
    • Sendmail
      • Debug SMTP command
      • Morris Worm
      • Complex, little understood, undocumented
      • Unheard Warning
    • Ken Thompson's UNIX C Compiler
      • Magic password in the compiler's compiler
      • Bootstrapping
    • Precompiled software distributions (Red Hat, Debian)

12
Why Closed Source does not work
  • Hiding problems will not halt attacks
  • Dynamic
    • Problematic data
    • Programme's response
    • Vulnerability indication
    • Check the Linux page
  • Static
    • Assembly Language
    • De-compiler

13
Examples where Closed Source did not work
  • AHH, Pleeeeease

14
CERT's Comparison
  • Quantity of Critical Bugs
    • Qualifying 0 180
    • 40 is critical
    • Non-ratio scale
    • Windows 250 27 94.5
    • Linux 100 6 87.5
    • Red Hat -100 3 108.16
    • Apache 78 14 89.5
    • IIS 55 13 79.31
  • More Users, more Alerts
  • Microsoft sucks
  • Red Hat no longer gives back to the community

15
Myth 1.
  • Silly conclusions drawn from a single piece of information
    • Unqualified Counting
    • Fewer Alerts, Fewer Vulnerabilities
  • Closed Source has quicker response times
    • Microsoft
      • 9 months for critical vulnerability of IE
      • Never will be fixed: NT and all systems older than XP
    • Viega's Mailman
      • 3 years to find and many months to fix
      • Never for one configuration

16
Myth 2.
  • Fewer Users, Fewer Attacks
    • Windows v. Linux
    • IIS v. Apache
      • 20.61 v. 67.11
    • IIS: Many Worms including Code Red, Code Red A, IISWorm
    • Apache: Slapper -> vulnerability in OpenSSL

17
Needed Improvements
  • Programmes must be reviewed
  • A few reviewers must be able to write secure code
  • Commercial interest
  • Analysis Tools
  • Reports must improve
  • Readable and non-monolithic code
  • No pseudo open source projects
  • Maybe adoption of structured software engineering

18
Conclusion
  • Closed Source is not the answer
  • The Open Source community must change

19
Thank You
20
Questions?