July 28, 2004
Building More Secure OSS with OSS
OSCON 2004 Day 3 starts with a presentation from John Viega, about securing open source software.
Looks like the general overview is common misconceptions, understand context for security issues,
security in development and a look at useful and free open source software.
Risks are across all languages, even Java. The Java "designed with security in mind" concept was primarily for applets, but doesn't apply to a high percentage of Java code. Average 5 problems per 1000 lines in C/C++, 1 problem per 1000 lines in Java.
Can't eliminate all security risk.
Customers don't really know what what to ask for in secure software, even though there is a bit of fear based on what layperson's sees in news.
The market evolution of software security is in the early adopter phase, with financial and government mandating secure software but many other markets are mandating. Secure software products are fairly new, just a handful and less that two years old.
Even though the source can be looked at and improved in most large open source projects there aren't credible people scritiinizing the code for security issues.
Look at IBM's deveopment process diagram examining the complex set of phases, no security built into process. SecureSoftware is working with IBM to add practices to ensure security is a consideration throughout the process. Microsoft has a Threat Modeling Tool, we need an open source equivalent.
John walks through a case study looking at use of OpenSSL libraries incorrectly in an application. Need to do more than just check for a valid certificate, or that it's signed by a trusted source. Need to check explicitly, which the OpenSSL libraries don't do by default. Need to check DNS address of certificate compared to DNS of server. It should happen by default, but it doesn't.
Secure Coding Cookbook has code snippets.
John points to a protocol, authentication project at Stanford, SRP: Secure Remote Passwords. It's a good compromise between usability and security. It is patented, so can't use it in commercial application.
RATS can look at PHP, Perl, Python, C++ for looking through code and comparing code to knowledgebase to find instances of insecure code.
Posted by mike at July 28, 2004 11:45 AM