-
Notifications
You must be signed in to change notification settings - Fork 1
/
index.html
635 lines (448 loc) · 26.2 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>abstractions_saracope</title>
<link rel="stylesheet" href="base.css" type="text/css" media="screen">
<link rel="stylesheet" href="web.css" type="text/css" media="screen">
<link rel="stylesheet" href="white.css" type="text/css" media="screen">
</head>
<body>
<h1>Practical Open Source Security</h1>
<h2>Sara Cope</h2>
<div class="slides">
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.001.jpg" alt="Image of slide number 1" />
</div>
<div class="slide-notes">
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.002.jpg" alt="Image of slide number 2" />
</div>
<div class="slide-notes">
<p>I work on an open source project that’s about other open source projects and consumes open source projects so I’m basically in open source and advocating for open source all day long. It’s amazing and I love it.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.003.jpg" alt="Image of slide number 3" />
</div>
<div class="slide-notes">
<p>When <a href="http://code.gov" target="_blank">code.gov</a> was first launch in 2016 it had under 50 projects.</p>
<p>Today there are more than 6 thousand.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.004.jpg" alt="Image of slide number 4" />
</div>
<div class="slide-notes">
<p>Popularity of open source isn’t just skyrocketing in the federal government. </p>
<p>Everyone seems to either want to publish an open source project, be a maintainer or contribute to an open source project. </p>
<p>Which is great because that creates even more software that’s available for everyone else to consume.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.005.jpg" alt="Image of slide number 5" />
</div>
<div class="slide-notes">
<p>And we can see that in the way that package managers like NPM are growing as well. And as a result, we’re adding more and more dependencies to our applications.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.006.jpg" alt="Image of slide number 6" />
</div>
<div class="slide-notes">
<p>So we see apps shifting to use more and more dependencies so much that amount of code we’re writing at times can me very small compared to the amount of code we’re consuming.</p>
<p>Using someone else’s code isn’t just set it and forget, that code at any time could potentially contain vulnerabilities. </p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.007.jpg" alt="Image of slide number 7" />
</div>
<div class="slide-notes">
<p>So who’s responsibility is it to be sure the dependencies in your project stay secure? </p>
<p>caption: group of people sitting around a table playing the "nose goes" (not it) game.</p>
<p>This was me until the government shutdown last year. With 2 front-end devs on our team, I worked more on the design UI side while the over dev worked more on the "back of the front" stack like JavaScript, components and the like. But during the shutdown, both of the other 2 developers left our team. So I went from being on an engineering team to BEING the engineering team. I had to figure out a lot of things really quickly and security has been one of those topics. And that's really what I'm going to talk to you about today, all these security things we should be doing.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.008.jpg" alt="Image of slide number 8" />
</div>
<div class="slide-notes">
<p>"As a developer consuming open source dependencies, it's my responsibility to make sure my dependencies are secure."</p>
<p>If you’re using open source (and you most certainly are), you need to take on the responsibility of keeping it secure. You must set up the tools and processes that will help you stay safe, and raise awareness of this risk throughout your organization. </p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.009.jpg" alt="Image of slide number 9" />
</div>
<div class="slide-notes">
<p>The 2017 Equifax breach serves as a very painful lesson of what could happen if you don’t adopt a security mindset and take action to keep your application dependencies secure.</p>
<p>Equifax had a massive data breach that exposed the personal information of millions people. It was completely preventable. This breach was caused by an open source package dependency which had an identified vulnerability that went unpatched for 2 months.</p>
<p>https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638/</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.010.jpg" alt="Image of slide number 10" />
</div>
<div class="slide-notes">
<p>So I want to go over specific things you could be doing for the applications that you develop which use open source dependencies.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.011.jpg" alt="Image of slide number 11" />
</div>
<div class="slide-notes">
<p>Figure out the dependencies you have and what packages those depend on. </p>
<p>Not everyone comes in to a project at the beginning and knows exactly what’s being used. So take the time to go through the dependencies list to see what’s there.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.012.jpg" alt="Image of slide number 12" />
</div>
<div class="slide-notes">
<p>Just stop and look at your dependencies. Familiarize and refresh yourself with what’s there. That way when you hear about a new vulnerability you might have a better reaction time when you know that your app is using certain packages.</p>
<p>If you’re an npm user, you can execute `npm ls` to display a dependency tree.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.013.jpg" alt="Image of slide number 13" />
</div>
<div class="slide-notes">
<p>Use `npm outdated` to check the registry to see if any installed packages are currently outdated</p>
<p>The more outdated a package is, the more likely it is to itself have vulnerable dependencies. </p>
<p>So npm outdated can tell you exactly how far behind you are in dependency versions.</p>
<p>It’s better to patch these up on your own terms instead of waiting for a vulnerability to be disclosed that you’re forced to immediately act on.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.014.jpg" alt="Image of slide number 14" />
</div>
<div class="slide-notes">
<p>Get rid of dependencies you don’t need. As the number of dependencies increase, the risk of ending up with a vulnerable package can also increase.</p>
<p>With the passage of time and changes in your code, it is likely that you'll stop using some packages altogether and instead add in new ones. However, developers tend not to remove old packages as they go along.</p>
<p>Take the time to remove unused packages.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.015.jpg" alt="Image of slide number 15" />
</div>
<div class="slide-notes">
<p>There are tools available to help with finding unused dependencies, here are a few.</p>
<p><a href="https://www.npmjs.com/package/depcheck" target="_blank">https://www.npmjs.com/package/depcheck</a></p>
<p><a href="https://www.npmjs.com/package/npm-check" target="_blank">https://www.npmjs.com/package/npm-check</a></p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.016.jpg" alt="Image of slide number 16" />
</div>
<div class="slide-notes">
<p>Set up monitoring mechanisms to stay aware of new vulnerabilities as they are discovered so you can keep track of security announcements affecting those dependencies and any versions released.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.017.jpg" alt="Image of slide number 17" />
</div>
<div class="slide-notes">
<p>Next you want to regularly scan for vulnerabilities so you know what’s going on with your dependencies and when to patch.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.018.jpg" alt="Image of slide number 18" />
</div>
<div class="slide-notes">
<p>A security audit could exist as part of a code review</p>
<p>where peers ensure that secure code best practices are</p>
<p>followed, or by running different variations of security</p>
<p>audits such as static or dynamic application security</p>
<p>testing. Whether manual or automatic audits, they are</p>
<p>all a vital part of detecting and reducing vulnerabilities</p>
<p>in your application, and should be executed as</p>
<p>regularly and early in the development phase as</p>
<p>possible in order to reduce risks of exposure and data</p>
<p>breaches at a later stage</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.019.jpg" alt="Image of slide number 19" />
</div>
<div class="slide-notes">
<p>There are several approaches you can take to scan for vulnerabilities and I would recommend a combination of all of these.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.020.jpg" alt="Image of slide number 20" />
</div>
<div class="slide-notes">
<p>CLI: </p>
<p>The output varies by tool, but most will list either the known vulnerabilities or vulnerable paths, and provide information for each of them. This typically includes a title, description, severity score, and more.</p>
<p>It even provides `npm audit fix` to actually go ahead an upgrade those dependencies to patched releases where possible.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.021.jpg" alt="Image of slide number 21" />
</div>
<div class="slide-notes">
<p>We use another tool called Snyk at the command line which can act pretty similar to `npm audit` and also provides an upgrade wizard.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.022.jpg" alt="Image of slide number 22" />
</div>
<div class="slide-notes">
<p>Using an SCM integration offers a few advantages over the CLI:</p>
<p>• Easier to test or browse multiple issues at once</p>
<p>• The web interface is naturally richer than the terminal, often</p>
<p>allowing better usability</p>
<p>• It simplifies continuous testing and fixing, as we’ll see later on</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.023.jpg" alt="Image of slide number 23" />
</div>
<div class="slide-notes">
<p>Github actually has a security tab on their interface now where you can see details of any detected vulnerabilities.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.024.jpg" alt="Image of slide number 24" />
</div>
<div class="slide-notes">
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.025.jpg" alt="Image of slide number 25" />
</div>
<div class="slide-notes">
<p>They’ve also added automated security fixes which you can turn on to have their dependabot submit PR’s to update packages that have identified vulnerabilities.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.026.jpg" alt="Image of slide number 26" />
</div>
<div class="slide-notes">
<p>More recently, though, Google and Microsoft integrated detection of</p>
<p>vulnerable JS libraries into their web development tools, Lighthouse</p>
<p>and Webhint. Lighthouse is also embedded in Chrome’s and Opera’s</p>
<p>browser dev tools, further simplifying and raising the visibility of</p>
<p>this test. I encourage you to try these tools out.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.027.jpg" alt="Image of slide number 27" />
</div>
<div class="slide-notes">
<p>https://webhint.io/scanner</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.028.jpg" alt="Image of slide number 28" />
</div>
<div class="slide-notes">
<p>Google lighthouse</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.029.jpg" alt="Image of slide number 29" />
</div>
<div class="slide-notes">
<p>As you’re seeing vulnerabilities in packages you’ll hopefully want to educate yourself a bit on what exactly the issue is. </p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.030.jpg" alt="Image of slide number 30" />
</div>
<div class="slide-notes">
<p>A good first place to start is to read the CVE for the vulnerability.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.031.jpg" alt="Image of slide number 31" />
</div>
<div class="slide-notes">
<p>A CVE is created with a unique number when a specific vulnerability is found in a package.</p>
<p><a href="http://cve.mitre.org/">cve.mitre.org</a></p>
<p>MITRE is a government-funded organization that puts out standards to be used by the information security community.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.032.jpg" alt="Image of slide number 32" />
</div>
<div class="slide-notes">
<p>To follow new CVE announcements, you can checkout @CVEnew on Twitter.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.033.jpg" alt="Image of slide number 33" />
</div>
<div class="slide-notes">
<p>Mitre also keeps a list of common issues they see, or CWE's. So you can visit this database to get a better idea of specific types of security vulnerabilities.</p>
<p><a href="http://cwe.mitre.org/">cwe.mitre.org</a></p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.034.jpg" alt="Image of slide number 34" />
</div>
<div class="slide-notes">
<p>There’s a whole informational database about different types of vulnerabilities which is interesting and fun to dive-in to.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.035.jpg" alt="Image of slide number 35" />
</div>
<div class="slide-notes">
<p>Just to recap these:</p>
<p>CWE stands for Common Weakness Enumeration, and has to do with the vulnerability—not the instance within a product or system.</p>
<p>CVE stands for Common Vulnerabilities and Exposures, and has to do with the specific instance within a product or system—not the underlying flaw.</p>
<p>Here's a great blog post that recaps these and more: <a href="https://danielmiessler.com/blog/mitre-quick-reference/">https://danielmiessler.com/blog/mitre-quick-reference/</a></p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.036.jpg" alt="Image of slide number 36" />
</div>
<div class="slide-notes">
<p>Establish a policy and process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.037.jpg" alt="Image of slide number 37" />
</div>
<div class="slide-notes">
<p>On <a href="http://code.gov" target="_blank">code.gov</a>, we’ve added a SECURITY.md file which give info on several areas. Here are some ideas for your security policy:</p>
<p>How quickly should we be releasing security fixes</p>
<p>How can someone let us know if we have a security vulnerability</p>
<p>Who to contact for more information</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.038.jpg" alt="Image of slide number 38" />
</div>
<div class="slide-notes">
<p>Continuously tracking your application’s dependencies for vulnerabilities and efficiently addressing them is no simple feat. When you can, it’s great to automate a lot of these things to remove some of the security burden.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.039.jpg" alt="Image of slide number 39" />
</div>
<div class="slide-notes">
<p>Often when developing open source software, and especially software that relies on outside services, you’ll find that you have to manage sensitive information. While there are a large number of things that can be considered sensitive, open source developers often deal with sensitive items such as API tokens, passwords, and private keys that are required for the system to function. One thing you can do is to scan your code on commit to check for these types of items.
<p> Here's a blog post which details the tool we use and includes a quick setup script: <a href="https://18f.gsa.gov/2017/09/26/automated-scanning-for-sensitive-information/">https://18f.gsa.gov/2017/09/26/automated-scanning-for-sensitive-information/</a></p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.040.jpg" alt="Image of slide number 40" />
</div>
<div class="slide-notes">
<p>You can add these CLI scanning applications to your tests so you can run them locally as part of your tests along with linting, accessibility testing, unit testing and anything else you might want to verify before making a pull request.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.041.jpg" alt="Image of slide number 41" />
</div>
<div class="slide-notes">
<p>We’ve also added checks to our open source project using web hooks so that all pull requests are scanned for new vulnerabilities. </p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.042.jpg" alt="Image of slide number 42" />
</div>
<div class="slide-notes">
<p>To continuously avoid known vulnerabilities in your dependencies, integrate a scanning tool into your build system.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.043.jpg" alt="Image of slide number 43" />
</div>
<div class="slide-notes">
<p>Snyk is one the tools that we use to continuously monitor our projects. It will give you an immediate notification of any security vulnerabilities as well as send you a weekly email summary of new vulnerabilities.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.044.jpg" alt="Image of slide number 44" />
</div>
<div class="slide-notes">
<p>It actually gives you a dashboard to you can see all your projects in one place which is really helpful.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.045.jpg" alt="Image of slide number 45" />
</div>
<div class="slide-notes">
<p>WhiteSource is another example of a monitoring tool you can use and it’s actually what GitHub uses to do their security monitoring.</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.046.jpg" alt="Image of slide number 46" />
</div>
<div class="slide-notes">
<p>Just to recap these things:</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.047.jpg" alt="Image of slide number 47" />
</div>
<div class="slide-notes">
<p>And finally please remember that Open source is created by the community, and we as participants in that should work to keep it secure. </p>
<p>Please try to be a responsible member of both this ecosystem and your organization and accept ownership for controlling the risk from the libraries you use. </p>
<p>I hope you all stay secure!</p>
</div>
</div>
<div class="slide slide--bordered">
<div class="slide-image">
<img src="images/images.048.jpg" alt="Image of slide number 48" />
</div>
<div class="slide-notes">
</div>
</div>
</div>
</body>
</html>