Unsolved Problems in Open Source Security
Offered By: Linux Foundation via YouTube
Course Description
Overview
Syllabus
Intro
Open Source Security: Navigating the Iceberg
The Enemy Gets a Vote
Dependency Maturity Levels
Open Source Detection
Security Notifications
Remediating Open Source Vulnerabilities
Important: Vulnerable vs Malicious Packages
Malicious Packages . Bad from the start - Typosquatting
Identity Concepts
Identity: Risk and Reward • Package compromise rewards are mostly predictable: • Stolen credentials
FA Challenges • Transitive dependencies
Security Multipliers
Why Malicious Updates Are Missed
Open Source Updates: Inconvenient To Review . Source control platforms are designed for reviewing your code, not someone else's you imported
All things equal, Decentralized makes Security Worse . Whenever a malicious package is discovered, the first instinct is: Why didn't the registry detect this, and how long did it take them to remove
SemVer Range Example
Uncapped Version Ranges Are An Antipattern
Version Selection: The Way Forward
1. Better Open Source Publishing Protection - Single factor authentication is unacceptable • Registries should ideally allow enforcing of 2FA for publishing • Consumers can elect to use dependencies with enforced 2FA only
2. Verifiable Source Code using Reproducible Builds . There's no point reviewing for malicious code if we're scanning the wrong code to begin with - Non-reproducible builds should be a code smell, like lack of 2FA
Open Source Dependencies Should Be Sandboxed • Today's approach to malicious open source packages can be compared to Windows 95 pre-malware tsunami . Unfortunately, no relief in sight from language ecosystems
Package Managers Implement Minimal Selection . It's madness that a malicious package release can be installed accidentally seconds after it's published, without anybody reviewing it • Minimal Version Selection should be a configurable option for package ecosystems
Taught by
Linux Foundation
Tags
Related Courses
Cloud Application SecurityUniversity of Minnesota via Coursera iOS Development: Security
LinkedIn Learning Cybersecurity Awareness: Social Engineering
LinkedIn Learning Ethical Hacking: The Complete Malware Analysis Process
LinkedIn Learning The Windows Sandbox Paradox
nullcon via YouTube