KEMBAR78
Open Source and Secure Coding Practices | PDF
All Things Open, profile picture
Uploaded byAll Things Open
157 views

Open Source and Secure Coding Practices

The document discusses secure coding practices for open source software, emphasizing the importance of project maturity, community involvement, and governance for security. It outlines strategies for identifying high-risk areas, performing secure code reviews, and adopting both automated and manual review tools to enhance security. Additionally, it highlights the role of Common Vulnerabilities and Exposures (CVEs) and resources for learning about open source security.

Technology
Related topics:
All Things Open
Download to read offline
Open Source and Secure Coding Practices — Sahdev Zala Senior Software Engineer Open Source Developer
Is Open Source Software secure? 2 qDepends on the project § Maturity § Community § Maintainers § Governance qIssues can be caught and fixed early in the development cycle “We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on. It is one of the most important things we can do.” Jim Zemlin Executive Director The Linux Foundation
Secure Coding Practices 3 q Identify high security risk areas to pay special attention § Refer to the project architecture q Perform secure code review § Automated § Manual § Define roles of the assessment team q Third party security audit q Address findings - short and longer term q Plan to publish CVEs
Security Checklist 4 q Authentication and Authorization § Cover every users, check password length, encryption, RBAC q TLS certificates § Make sure not to allow Monkey-In-The-Middle interference q Data validations § Validate all input parameters, URLs, expected data type, length, range q File permissions § Pay special attention to third party tools you are using for file management q Logging § Log error for any security alert q Error handling § Make sure that you are not leaking any sensitive information that can help hackers q Third party tools security compliance § Use the latest releases, keep eye on any CVE advisories q Documentation and Configuration
Secure Code Review 5 q Automated analysis § Static tools • Prevents coding mistakes that can impact security o e.g. variable shadowing, unreachable code • govet, staticcheck https://github.com/analysis-tools-dev/static- analysis#go § Dynamic tools • Fuzzing o Finds implementation bugs using malformed/semi-malformed data injection in an automated way e.g. https://github.com/google/gofuzz q Manual review § Tools are good at assessing large amounts of code and pointing out possible issues • BUT a person needs to verify every single result to determine if it is a real issue § There is no alternative to manual code review
File Permission 6 Do you see any security issue in this code snippet? // create directory with 0700 permission err := os.MkdirAll(dirPath, 0700) if err != nil { return err } qIf path is already an existing directory, MkdirAll does nothing and returns nil Ø Make sure that if directory already exist, it has the desired permission, if not raise an error
Data Validation 7 What is wrong here in this snippet? What’s the security issue? // update log with msg at given time interval func updateLog(timeVal string, msg string) (err error) { rv, err := strconv.Atoi(timeVal) if err != nil { t = time.Duration(int64(rv)) //update log } return err } q The return value of strconv.Atoi can be negative which is not handled in the code q Misconfiguration can be done by setting input to a negative value § Forever logging, filling all disk space and rendering application unable to process properly Ø Add validation to check for the negative value
CVEs through GitHub 8 q Common Vulnerabilities and Exposures (CVEs) § List of publicly disclosed computer security flaws q Do you know that GitHub has an integrated feature to request and publish CVEs? q Very handy if your project is hosted on the GitHub q Keep your CVEs details on your project GitHub repo
Conclusion 9 q Writing secure code is challenging but possible § Understand project architecture § Perform secure code review § Use tools like static analyzer and fuzzer § Manual review § Keep in mind that less popular features can be a source of problems q Third party audit is helpful q Creating and Publishing CVEs with GitHub is easy
Learning Resources 10 qOpen Source @ IBM § ibm.com/opensource qOWASP § owasp.org qOpenSSF § openssf.org qMITRE Corporation § mitre.org qTrail of Bits blogs § trailofbits.com
Thank You! Sahdev Zala Senior Software Engineer, IBM — spzala@us.ibm.com @sp_zala 11

More Related Content

PDF
Securing Your Resources with Short-Lived Certificates!
byAll Things Open
 
PPTX
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes Down
byAspen Mesh
 
PDF
Containers in depth – Understanding how containers work to better work with c...
byAll Things Open
 
PPTX
Cleaner Code Through Test-Driven Development
byAll Things Open
 
PPT
IstioD - From Microservices to Monolithic
byAll Things Open
 
PDF
Deploying Anything as a Service (XaaS) Using Operators on Kubernetes
byAll Things Open
 
PDF
Jenkins in the real world - DevOpsCon 2017
byGianluca Arbezzano
 
PDF
Securing Applications and Pipelines on a Container Platform
byAll Things Open
 
Securing Your Resources with Short-Lived Certificates!
byAll Things Open
 
Debugging Your Debugging Tools: What to do When Your Service Mesh Goes Down
byAspen Mesh
 
Containers in depth – Understanding how containers work to better work with c...
byAll Things Open
 
Cleaner Code Through Test-Driven Development
byAll Things Open
 
IstioD - From Microservices to Monolithic
byAll Things Open
 
Deploying Anything as a Service (XaaS) Using Operators on Kubernetes
byAll Things Open
 
Jenkins in the real world - DevOpsCon 2017
byGianluca Arbezzano
 
Securing Applications and Pipelines on a Container Platform
byAll Things Open
 

What's hot

PDF
Go for Operations
byQAware GmbH
 
PDF
FluentD vs. Logstash
byAll Things Open
 
PDF
Series of Unfortunate Netflix Container Events - QConNYC17
byaspyker
 
PDF
Embracing Observability in CI/CD with OpenTelemetry
byCyrille Le Clerc
 
PDF
2017 Microservices Practitioner Virtual Summit: The Mechanics of Deploying En...
byAmbassador Labs
 
PDF
Clean Infrastructure as Code
byQAware GmbH
 
PDF
GitOps is the best modern practice for CD with Kubernetes
byVolodymyr Shynkar
 
PDF
A microservice architecture based on golang
byGianfranco Reppucci
 
PPTX
Onnx and onnx runtime
byVishwas N
 
PDF
Troubleshooting tips from docker support engineers
byDocker, Inc.
 
PDF
Developing a user-friendly OpenResty application
byThibault Charbonnier
 
PDF
Improving security with Istio | DevNation Tech Talk
byRed Hat Developers
 
PDF
Netflix OSS Meetup Season 4 Episode 4
byaspyker
 
PDF
2017 Microservices Practitioner Virtual Summit - Opening Keynote: Trends in M...
byAmbassador Labs
 
PDF
Breaking the monolith
byJacopo Nardiello
 
PDF
Canary deployment with Traefik and K3S
byJakub Hajek
 
PDF
Introduction to GitHub Actions - How to easily automate and integrate with Gi...
byAll Things Open
 
PPTX
Virtual Puppet User Group: Puppet Development Kit (PDK) and Puppet Platform 6...
byPuppet
 
PDF
Continuous (Non)-Functional Testing of Microservices on k8s
byQAware GmbH
 
PDF
A Story of Cultural Change: PayPal's 2 Year Journey to 150,000 Containers wit...
byDocker, Inc.
 
Go for Operations
byQAware GmbH
 
FluentD vs. Logstash
byAll Things Open
 
Series of Unfortunate Netflix Container Events - QConNYC17
byaspyker
 
Embracing Observability in CI/CD with OpenTelemetry
byCyrille Le Clerc
 
2017 Microservices Practitioner Virtual Summit: The Mechanics of Deploying En...
byAmbassador Labs
 
Clean Infrastructure as Code
byQAware GmbH
 
GitOps is the best modern practice for CD with Kubernetes
byVolodymyr Shynkar
 
A microservice architecture based on golang
byGianfranco Reppucci
 
Onnx and onnx runtime
byVishwas N
 
Troubleshooting tips from docker support engineers
byDocker, Inc.
 
Developing a user-friendly OpenResty application
byThibault Charbonnier
 
Improving security with Istio | DevNation Tech Talk
byRed Hat Developers
 
Netflix OSS Meetup Season 4 Episode 4
byaspyker
 
2017 Microservices Practitioner Virtual Summit - Opening Keynote: Trends in M...
byAmbassador Labs
 
Breaking the monolith
byJacopo Nardiello
 
Canary deployment with Traefik and K3S
byJakub Hajek
 
Introduction to GitHub Actions - How to easily automate and integrate with Gi...
byAll Things Open
 
Virtual Puppet User Group: Puppet Development Kit (PDK) and Puppet Platform 6...
byPuppet
 
Continuous (Non)-Functional Testing of Microservices on k8s
byQAware GmbH
 
A Story of Cultural Change: PayPal's 2 Year Journey to 150,000 Containers wit...
byDocker, Inc.
 

Similar to Open Source and Secure Coding Practices

PDF
Security in open source projects
byJose Manuel Ortega Candel
 
PPTX
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
PPTX
All You need to Know about Secure Coding with Open Source Software
byJavier Perez
 
PDF
"CERT Secure Coding Standards" by Dr. Mark Sherman
byRinaldi Rampen
 
PDF
Health and Sustainability of Open Source Software from a Public Sector Perspe...
byJohan Linåker
 
PPTX
Managing Open Source in Application Security and Software Development Lifecycle
byBlack Duck by Synopsys
 
PDF
Open Source evaluation: A comprehensive guide on what you are using
byAll Things Open
 
PDF
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
bySynopsys Software Integrity Group
 
PPTX
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
PDF
Myths and Misperceptions of Open Source Security
byBlack Duck by Synopsys
 
PPT
SoftwareSecurity.ppt
byssuserfb92ae
 
KEY
Open Source Compliance at Twitter
byChris Aniszczyk
 
PPTX
September 13, 2016: Security in the Age of Open Source:
byBlack Duck by Synopsys
 
PDF
Secure coding-guidelines
byTrupti Shiralkar, CISSP
 
PDF
Introduction to the CII Badge Programe, OW2con'16, Paris.
byOW2
 
PDF
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
byBlueHat Security Conference
 
PPT
Code Quality - Security
bysedukull
 
PDF
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
byFINOS
 
PPTX
Security in the Age of Open Source
byBlack Duck by Synopsys
 
PDF
ProdSec: A Technical Approach
byJeremy Brown
 
Security in open source projects
byJose Manuel Ortega Candel
 
testtesttesttesttesttesttesttesttesttesttesttesttesttest
byyamisukehiro9843
 
All You need to Know about Secure Coding with Open Source Software
byJavier Perez
 
"CERT Secure Coding Standards" by Dr. Mark Sherman
byRinaldi Rampen
 
Health and Sustainability of Open Source Software from a Public Sector Perspe...
byJohan Linåker
 
Managing Open Source in Application Security and Software Development Lifecycle
byBlack Duck by Synopsys
 
Open Source evaluation: A comprehensive guide on what you are using
byAll Things Open
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
bySynopsys Software Integrity Group
 
Security engineering 101 when good design & security work together
byWendy Knox Everette
 
Myths and Misperceptions of Open Source Security
byBlack Duck by Synopsys
 
SoftwareSecurity.ppt
byssuserfb92ae
 
Open Source Compliance at Twitter
byChris Aniszczyk
 
September 13, 2016: Security in the Age of Open Source:
byBlack Duck by Synopsys
 
Secure coding-guidelines
byTrupti Shiralkar, CISSP
 
Introduction to the CII Badge Programe, OW2con'16, Paris.
byOW2
 
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
byBlueHat Security Conference
 
Code Quality - Security
bysedukull
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
byFINOS
 
Security in the Age of Open Source
byBlack Duck by Synopsys
 
ProdSec: A Technical Approach
byJeremy Brown
 

More from All Things Open

PDF
Unconventional Backgrounds: The Secret Sauce of Diversity
byAll Things Open
 
PDF
With AIs Wide Open… - All Things Open 2025
byAll Things Open
 
PDF
Incorporating AI Into Your SDLC: Leveraging AI tooling across the phases of y...
byAll Things Open
 
PDF
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
PDF
Authoring a GNOME Shell Extension: A Developer's Journey as an Open-Source Pr...
byAll Things Open
 
PDF
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
PDF
Developing Kubernetes Integrations for the On-Premises Cloud
byAll Things Open
 
PPTX
What If the Quietest Person is the Smartest in the Room?
byAll Things Open
 
PDF
ERG as a Bridge: Driving Inclusion in Open Source
byAll Things Open
 
PDF
The Missing Link to Inclusion and Performance
byAll Things Open
 
PDF
Linux Command-line Tips and Tricks - ATO 2025
byAll Things Open
 
PDF
Supply Chain Robots, Electric Sheep, and SLSA
byAll Things Open
 
PDF
Everything You Need to Know About Running LLMs Locally
byAll Things Open
 
PDF
Agentic AI, Interoperability, and Automation: Lessons from the Past, Visions ...
byAll Things Open
 
PDF
Tech Hiring Is Not Dead - You Just Actually Have To Try
byAll Things Open
 
PDF
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
byAll Things Open
 
PPTX
Big Data on a Small Budget: Scalable Data Visualization for the Rest of Us - ...
byAll Things Open
 
PDF
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
byAll Things Open
 
PDF
Let's Create a GitHub Copilot Extension! - Nick Taylor, Pomerium
byAll Things Open
 
PDF
Leveraging Pre-Trained Transformer Models for Protein Function Prediction - T...
byAll Things Open
 
Unconventional Backgrounds: The Secret Sauce of Diversity
byAll Things Open
 
With AIs Wide Open… - All Things Open 2025
byAll Things Open
 
Incorporating AI Into Your SDLC: Leveraging AI tooling across the phases of y...
byAll Things Open
 
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
Authoring a GNOME Shell Extension: A Developer's Journey as an Open-Source Pr...
byAll Things Open
 
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
Developing Kubernetes Integrations for the On-Premises Cloud
byAll Things Open
 
What If the Quietest Person is the Smartest in the Room?
byAll Things Open
 
ERG as a Bridge: Driving Inclusion in Open Source
byAll Things Open
 
The Missing Link to Inclusion and Performance
byAll Things Open
 
Linux Command-line Tips and Tricks - ATO 2025
byAll Things Open
 
Supply Chain Robots, Electric Sheep, and SLSA
byAll Things Open
 
Everything You Need to Know About Running LLMs Locally
byAll Things Open
 
Agentic AI, Interoperability, and Automation: Lessons from the Past, Visions ...
byAll Things Open
 
Tech Hiring Is Not Dead - You Just Actually Have To Try
byAll Things Open
 
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
byAll Things Open
 
Big Data on a Small Budget: Scalable Data Visualization for the Rest of Us - ...
byAll Things Open
 
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
byAll Things Open
 
Let's Create a GitHub Copilot Extension! - Nick Taylor, Pomerium
byAll Things Open
 
Leveraging Pre-Trained Transformer Models for Protein Function Prediction - T...
byAll Things Open
 

Recently uploaded

PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
PDF
APDCA Energy sustainability white paper.pdf
byflintglobalapac
 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PPTX
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
PDF
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
PDF
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PDF
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
Milvus Community Meetup SF (Oct 21, 2025)
byZilliz
 
PDF
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PPTX
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
PDF
NDP Act GAID Simplified: From Confusion to Compliance
byMuiz Adeleke
 
PDF
Netflix's Scalable Page Construction with Real-Time Impression History by Sau...
byScyllaDB
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
APDCA Energy sustainability white paper.pdf
byflintglobalapac
 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
Ask Me Anything About AI Assist: Practical Answers for Real Workflows
bySafe Software
 
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
Milvus Community Meetup SF (Oct 21, 2025)
byZilliz
 
Unlock This Brilliant App Freezur That Builds Brainrot Videos That Captivate ...
bySOFTTECHHUB
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
NDP Act GAID Simplified: From Confusion to Compliance
byMuiz Adeleke
 
Netflix's Scalable Page Construction with Real-Time Impression History by Sau...
byScyllaDB
 

Open Source and Secure Coding Practices

  • 1.
    Open Source andSecure Coding Practices — Sahdev Zala Senior Software Engineer Open Source Developer
  • 2.
    Is Open Source Softwaresecure? 2 qDepends on the project § Maturity § Community § Maintainers § Governance qIssues can be caught and fixed early in the development cycle “We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on. It is one of the most important things we can do.” Jim Zemlin Executive Director The Linux Foundation
  • 3.
    Secure Coding Practices 3 q Identifyhigh security risk areas to pay special attention § Refer to the project architecture q Perform secure code review § Automated § Manual § Define roles of the assessment team q Third party security audit q Address findings - short and longer term q Plan to publish CVEs
  • 4.
    Security Checklist 4 q Authenticationand Authorization § Cover every users, check password length, encryption, RBAC q TLS certificates § Make sure not to allow Monkey-In-The-Middle interference q Data validations § Validate all input parameters, URLs, expected data type, length, range q File permissions § Pay special attention to third party tools you are using for file management q Logging § Log error for any security alert q Error handling § Make sure that you are not leaking any sensitive information that can help hackers q Third party tools security compliance § Use the latest releases, keep eye on any CVE advisories q Documentation and Configuration
  • 5.
    Secure Code Review 5 qAutomated analysis § Static tools • Prevents coding mistakes that can impact security o e.g. variable shadowing, unreachable code • govet, staticcheck https://github.com/analysis-tools-dev/static- analysis#go § Dynamic tools • Fuzzing o Finds implementation bugs using malformed/semi-malformed data injection in an automated way e.g. https://github.com/google/gofuzz q Manual review § Tools are good at assessing large amounts of code and pointing out possible issues • BUT a person needs to verify every single result to determine if it is a real issue § There is no alternative to manual code review
  • 6.
    File Permission 6 Do yousee any security issue in this code snippet? // create directory with 0700 permission err := os.MkdirAll(dirPath, 0700) if err != nil { return err } qIf path is already an existing directory, MkdirAll does nothing and returns nil Ø Make sure that if directory already exist, it has the desired permission, if not raise an error
  • 7.
    Data Validation 7 What iswrong here in this snippet? What’s the security issue? // update log with msg at given time interval func updateLog(timeVal string, msg string) (err error) { rv, err := strconv.Atoi(timeVal) if err != nil { t = time.Duration(int64(rv)) //update log } return err } q The return value of strconv.Atoi can be negative which is not handled in the code q Misconfiguration can be done by setting input to a negative value § Forever logging, filling all disk space and rendering application unable to process properly Ø Add validation to check for the negative value
  • 8.
    CVEs through GitHub 8 qCommon Vulnerabilities and Exposures (CVEs) § List of publicly disclosed computer security flaws q Do you know that GitHub has an integrated feature to request and publish CVEs? q Very handy if your project is hosted on the GitHub q Keep your CVEs details on your project GitHub repo
  • 9.
    Conclusion 9 q Writing securecode is challenging but possible § Understand project architecture § Perform secure code review § Use tools like static analyzer and fuzzer § Manual review § Keep in mind that less popular features can be a source of problems q Third party audit is helpful q Creating and Publishing CVEs with GitHub is easy
  • 10.
    Learning Resources 10 qOpen Source@ IBM § ibm.com/opensource qOWASP § owasp.org qOpenSSF § openssf.org qMITRE Corporation § mitre.org qTrail of Bits blogs § trailofbits.com
  • 11.
    Thank You! Sahdev Zala SeniorSoftware Engineer, IBM — spzala@us.ibm.com @sp_zala 11