Securing Open Source Software

The Problem

Outline

The Vulnerability Landscape

Impact Categories

Open Source Dependencies

OpenOffice Build Dependencies

A Build-time Trojan Horse

Mozilla Library Dependencies

Internet Explorer Dependencies

Rt2 Runtime Dependencies

The Cost of Dependencies

Lifecycle Overview

Selecting Software

Software to Avoid

Deploying Software

Use the Source Luke!

Security Snapshots

netstat Output Example

find Output Example

Maintenance Preparations

Maintenance

End of Life

Software Inspections

Bad Smells

Buffer Overflow

Buffer Overflow Example

The xterm Call Sequence

Problematic APIs

Problematic API Example

Race Condition

Race Example

Untrusted Input

Result Verification

Data or Privilege Leakage

Privilege Leakage Example

Hiding Code Secrets

Code Details Examples

Database Code

Trojan Horse Code

Trojan Horse Example

Tools

Further Reading

Conclusions

Questions?