Securing Open Source Software

The Problem


The Vulnerability Landscape

Impact Categories

Open Source Dependencies

OpenOffice Build Dependencies

A Build-time Trojan Horse

Mozilla Library Dependencies

Internet Explorer Dependencies

Rt2 Runtime Dependencies

The Cost of Dependencies

Lifecycle Overview

Selecting Software

Software to Avoid

Deploying Software

Use the Source, Luke!

Security Snapshots

netstat Output Example

find Output Example

Maintenance Preparations


End of Life

Software Inspections

Bad Smells

Buffer Overflow

Buffer Overflow Example

The xterm Call Sequence

Problematic APIs

Problematic API Example

Race Condition

Race Example

Untrusted Input

Result Verification

Data or Privilege Leakage

Privilege Leakage Example

Hiding Code Secrets

Code Details Examples

Database Code

Trojan Horse Code

Trojan Horse Example


Further Reading


Questions?