Security and Open Source

SoftwareSander Temme sander@temme.net@keysinthecloud

Your Presenter

Member, Apache Software Foundation

Contributor, Apache HTTP Server

Sales Engineer & Consultant

Open Source Integration Expert

Agenda

Open Source Software

Security Process

Security Implications

Development Model

Three Questions

How does open source respond when security problems occur?

How does the open source development process affect software quality?

Is open source software more susceptible to security problems?

Open Source Software

About Open Source Closed Source

Microsoft, Adobe, Oracle, Symantec, Check Point, …

Open Source Apache, Debian, FreeBSD, Mozilla, Python, FSF, …

Hybrid Red Hat, Hippo, Apple, SugarCRM, …

Inclusion Oracle, IBM, Apple, Autodesk, Cisco, NetApp, …

Open Source Is Not…

Freeware

Trialware

Shareware

Abandonware (hopefully)

Public Domain

Who Develops Open Source

Users

Consultants

Vendors

Hobbyists

Why Develop Open Source

Resume

User to contributor

Work

Where is Open Source Used

Server side

Operating Systems

Application Stack

Web Facing In the line of fire

Open Source Security Myths

Given enough eyeballs, all bugs are shallow

Open Source Security Myths

Given enough eyeballs, all bugs are shallow

Open Source is Communist!

Open Source Security Myths

Given enough eyeballs, all bugs are shallow

Open Source is Communist!

Bad guys have the code, too!

Open Source Security Myths

Given enough eyeballs, all bugs are shallow

Open Source is Communist!

Bad guys have the code, too!

Open Source is more secure than Closed Source

28%

26%19%

11%

4%

4%2%

6%

Attack GoalsDefacement/Planting Malware

Information Leakage/Stealing Sensitive Data

Disinformation

Monetary Loss

Downtime

Link Spam

Phishing

Other

Source: The Web Hacking Incidents Database, 2009 Report

19%

11%

11%

10%10%

8%

8%

5%

5%

3% 10%

Attack VectorsSQL Injection

Unknown

Insufficient Authentication

Content Spoofing

Insufficient Anti-Automation (DoS/Brute Force)

Configuration/Admin Error

Cross-site Scripting (XSS)

Cross-site Request Forgery (CSRF)

DNS Hijacking

Worm

Other

Source: The Web Hacking Incidents Database, 2009 Report

Exploits of a Mom

http://xkcd.com/327/

Case Study

Apache HTTP Server Security

The httpd Project #1 Web Server

Non-profit Foundation

Contributors Oracle, IBM, Novell, VMWare, Red Hat, Google Many individual contributors

http://httpd.apache.org

Many packagers and distributors

http://people.apache.org/~coar/mlists.html

Apache Security

Very few vulnerabilities reported

No critical vulnerabilities in 2.2.x

Upgrade to any new release announce-subscribe@httpd.apache.org

Default installation locked down But it doesn’t do a whole lot

http://httpd.apache.org/security/vulnerabilities-oval.xmlhttp://www.apache.org/security/

Apache Security Process

Report security problems to security@apache.org

Real vulnerabilities are assigned CVE number

Vulnerabilities are classified, fixed

New httpd version released

http://httpd.apache.org/security_report.htmlhttp://cve.mitre.org/http://httpd.apache.org/security/impact_levels.htmlannounce@apache.orghttp://www.apache.org/security/committers.html

ImplicationsSecurity Implications of Open

Source Software

Application

App Server

Operating System

Network

Security Implications

Developed by programmers

Provenance?

Warranty?

Support?

Developed by Programmers

Not security experts

Get it running

Database Privileges

Wordpress: GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername"@"hostname” IDENTIFIED BY "password";

Joomla 1.5: GRANT ALL PRIVILEGES ON Joomla.* TO nobody@localhost IDENTIFIED BY 'password';

Drupal: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES

Gallery 2: mysql gallery2 -uroot -e"GRANT ALL ON gallery2.* TO username@localhost IDENTIFIED BY 'password'”;

Bugzilla: GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';

Getting it Right: Bugzilla

Install script Creates database Executed as root

Application privileges Limited Only as needed

This is not always practical

GRANT SELECT, INSERT, UPDATE, DELETE, INDEX, ALTER, CREATE, LOCK TABLES, CREATE TEMPORARY TABLES, DROP, REFERENCES ON bugs.* TO bugs@localhost IDENTIFIED BY '$db_pass';

Provenance

Source Integrity

Intellectual Property

Apache: Digital signatures Committer License Agreement Patent Grant

http://www.apache.org/licenses/icla.txthttp://www.apache.org/licenses/cla-corporate.txt

Warranty

Open Source No warranty

Closed Source No warranty

Support

Often community based You can be part of it

Visible to the world Don’t post confidential information!

Support contracts available From third party companies

users@httpd.apache.org

Development Model

Open Development At Apache

Open Development

Mailing lists

Source code changes

Releases

Bus Factor

Mailing Lists

All communication by e-mail

Several lists announce@<project>.apache.org users@<project>.apache.org dev@<project>.apache.org cvs@<project>.apache.org

Code Changes: Transparency

Source history available

Every modification posted

Instant code review

Etiquette

Bus Factor

Development Community

Project Survival

Closed Source Equivalent Vendor out of business Product end-of-life

Tips for Open Source Users

Get on announce mailinglist

Investigate community

Get involved

Conclusion

Open Source responds proactively to security issues

Open Development encourages clean and secure code

Security Issues are universal and not specific to Open or Closed Source Software

Questions?

Sander Temmesander@temme.net@keysinthecloud