SlideShare une entreprise Scribd logo

Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity

Télécharger en tant que PPTX, PDF
Great Wide Open
Great Wide Open

This document summarizes the cybersecurity research agenda of the U.S. Department of Homeland Security Science and Technology Directorate. It discusses how DHS is focusing on areas like critical infrastructure security, open source software, cyber-physical systems, and new technology programs. The research aims to drive innovation in cybersecurity solutions through collaboration with academia, industry and open source communities to address evolving threats and transition technologies for real-world use.

Technologie
1  sur  27
Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity Dr. Douglas Maughan U.S. Department of Homeland Security Science and Technology Directorate Director, Cyber Security Division 3 April 2014 1
2
Homeland Security Office of Cybersecurity and Communications Executive Order (EO) on Improving Critical Infrastructure Cybersecurity/ Policy Presidential Directive (PPD) on Critical Infrastructure Security and Resilience Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:  Develop a technology-neutral voluntary cybersecurity framework  Promote/incentivize adoption of cybersecurity practices  Increase the volume, timeliness and quality of cyber threat information sharing  Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure  Explore existing regulation to promote cyber security Presidential Policy Directive-21: Critical Infrastructure  Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to: – Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time – Understand cascading consequences of infrastructure failures – Evaluate and mature the public-private partnership – Update the National Infrastructure Protection Plan – Develop comprehensive research and development plan 3 “America must also face the rapidly growing threat from cyber attacks… That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.” President Barack Obama, 2013 State of the Union Credit: White House / Pete Souza
Open Source and Government July 2001 Jan 2003 July 2004 June 2007 May 2003 Stenbit Memo MITRE Bus. Case MITRE Survey OMB Procurement Memo June 2006 OTD Roadmap Launched Oct 2009 OTD Phase 2 DONCIO Guidance DoD NII Guidance Oct 2009 PITAC HPC July 2001 2001 - 03 4
24 September 2010 5 Univ. of Pennsylvania Network Associates Labs WireX Communications DARPA Program (2001-2003)  President’s Information Technology Advisory Committee (PITAC) Report on Open Source Software (OSS) Panel for High Performance Computing (HPC) Critical Findings 1. Federal government should encourage the development of Open Source Software. 2. Federal government should allow Open Source development efforts to compete on a “level playing field” with proprietary solutions in government procurement 3. Government sponsored Open Source projects should choose from a small set of established Open Source licenses after analysis of each license and determination of which may be preferable.
6 Cuts 2.9% from FY2014 budget Gives agencies $79 billion for IT Includes $13 billion for cyber security
7 178 5,815 4,360 178 61 3,479 440 34 National 24K stations 170 1,120 19,902 10,000 3,637 47 COMM/911 6,153 EMS - 21,283 LE - 17,985 Fire - 30,125 and similar health facilities 5,000 Colleges & Universities 6,900 Departments 14,800 Social Services 210,427 Utilities 16,960 327 Transportation 217,926 Public Works ~24,000 Media 14,650 Chemical, Oil and Gas 2,500 Restoration & Repair 402,440 >1.5 million NGOs Veterinarians 21,731 Schools 132,656 Telecom & IT 11,000 Sports Facilities 1,965 State, Tribal, Local Govts 39,3130 Telematics Providers 16,960 Doctors’ Offices, Nursing Homes 19,286 EMPLOYERS 7,601,160 Mental Health Services 15,000 Federal Agencies 16,960 308,500 Insurance Companies Our Stakeholder Community
Presenter’s Name June 17, 2003  Malware – Malicious software to disrupt computers  Viruses, worms, …  Theft of Intellectual Property or Data  Hactivism – Cyber protests that are socially or politically motivated  Mobile Devices and Applications and their associated Cyber Attacks  Social Engineering – Entice users to click on Malicious Links  Spear Phishing – Deceptive communications (E-Mails, Texts, Tweets)  Domain Name System (DNS) Hijacking  Router Security – Border Gateway Protocol (BGP) Hijacking  Denial of Service (DOS) – blocking access to web sites  Others ….. Cyber Threats and Sources 8 Nation States Cyber Criminals Hackers/Hacktivists Insider Threats Terrorists, DTOs, etc.
Presenter’s Name June 17, 2003 CSD R&D Execution Model • Ironkey – Secure USB – Standard Issue to S&T employees from S&T CIO – Acquired by Imation • Komoku – Rootkit Detection Technology – Acquired by Microsoft • HBGary – Memory and Malware Analysis – Over 100 pilot deployments as part of Cyber Forensics • Endeavor Systems – Malware Analysis tools – Acquired by McAfee • Stanford – Anti-Phishing Technologies – Open source; most browsers have included Stanford R&D • Secure Decisions – Data Visualization – Pilot with DHS/NCSD/US-CERT; Acquisition Successes Research Development Test and Evaluation & Transition (RDTE&T) "Crossing the ‘Valley of Death’: Transitioning Cybersecurity Research into Practice," IEEE Security & Privacy, March-April 2013, Maughan, Douglas; Balenson, David; Lindqvist, Ulf; Tudor, Zachary http://www.computer.org/portal/web/computingnow/securityandprivacy 9
Presenter’s Name June 17, 2003 Cyber Security Focus Areas  Trustworthy Cyber Infrastructure  Working with the global Internet community to secure cyberspace  Research Infrastructure to Support Cybersecurity  Developing necessary research infrastructure to support R&D community  R&D Partnerships  Establishing R&D partnerships with private sector, academia, and international partners  Innovation and Transition  Ensuring R&D results become real solutions  Cybersecurity Education  Leading National and DHS cybersecurity education initiatives 10
Presenter’s Name June 17, 2003 11  Enhance public awareness: (1) Augment current messaging to promote policies and practices that support Administration priorities, such as EO 13636 and PPD-21, and (2) develop messaging that targets senior executives of critical infrastructure companies (e.g., CEOs, Boards of Directors).  Expand the Pipeline: (1) Expand formal education at the post-secondary level, including both four-year and two-year institutions and (2) establish new National Academic Consortiums for Cybersecurity Education (government, colleges/universities, high schools, middle schools, technical academies, industry, professional organizations)  Evolve the profession: (1) Identify critical cybersecurity workforce skills through a national cybersecurity Workforce Inventory and Gap Analysis and continued development of Cybersecurity Workforce Forecasting Tools and (2) provide access to free or low-cost training for the identified critical skills. NICE was established in support of the Comprehensive National Cybersecurity Initiative (CNCI) – Initiative 8: Expand Cyber Education – Interim Way Forward and is comprised of over 20 federal departments and agencies. A National Problem
12 HOST Program  Homeland Open Security Technology investigates open security methods, models and technologies to identify viable and sustainable approaches to cybersecurity objectives.  Focus on cybersecurity (Open Security) solutions  Priority to Federal, State and local governments  Secondary to critical infrastructure and general IT solutions DISCOVERY – COLLABORATION – INVESTMENT
13 HOST DISCOVERY Identify existing resources, methods, techniques, practices  Lessons Learned: Roadblocks and Opportunities for Open Source Software in U.S. Government  2012: Dr. David Wheeler, IDA; Tom Dunn, GTRI  Interviews with experts, suppliers and potential users  Open Security Inventory  OpenCyberSecurity.org Information Portal
Presenter’s Name June 17, 2003  Inertia  We’ve never done it that way before  Procurement  Government acquisition doesn’t match OSS business models  Paperwork impedes small businesses (where most of OSS resides)  Security  Too many Certification and Accreditation (C&A) processes Lessons Learned: Open Source Software and Government 14  Standards / Interoperability  Inhibiting Policies  Policies inhibiting collaboration with public community (ITAR, EAR)  Education  General problem, esp. intellectual property rights and licenses
15 HOST COLLABORATION Establish public and private-sector research and development communities  Open Information Security Foundation  Government Strategic Council  Round Table Summits  Community Outreach
16 Open Source Option If Open Source enables technical agility, administrative flexibility and economic savings, then:  How to leverage these benefits for Federal, state, local governments?  What technical resources and support services are available?  Is the technology secure? Has it been vetted?  Who else in government is using it?  Have acquisition, adoption, policy issues been addressed?  How to interact with “development community?”
17 HOST INVESTMENT Contribute seed investments in advanced R&D activities that produce sustainable project communities through broad adoption by public and private-sector use and support  Suricata IDS Engine  FIPS 140-2 Validated OpenSSL  Government Open Technology Index  Open Security Application Map
Presenter’s Name June 17, 2003 Open Source – OISF and Suricata  Intrusion Detection & Prevention System (IDS/IPS)  Very Fast, Multi-Threaded  Automated Protocol Detection  File Identification and Extraction  GPU Acceleration  A new model for managing and sustaining “open source” innovation  A non-profit to develop and “own” the code  Software Freedom Law Center created the License pro bono  A consortium of companies providing support in exchange for not having to release changes 18 ~$1.2m in DHS funding matched by ~$8m in commercial sponsorship
Presenter’s Name June 17, 2003 Software Assurance 19 “Software is everywhere, and WE ALL ARE VULNERABLE. Market pressures are forcing early release of untested software.” According to Trustwave’s “2013 Global Security Report,” SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.
Presenter’s Name June 17, 2003 Software Evolution 20 Codebases are HUMONGOUS • Common software applications – some apps scale near 60 MLOC • Software Assurance tools typically can’t scale this amount of code • Codebase size contributes to code complexity • More features, usually means more code • Spaghetti code typically results in poor quality of code 50 MLOC
Presenter’s Name June 17, 2003 SWAMP Vision Document http://continuousassurance.org/wp-content/uploads/2013/10/SWAMP- VISION-10.28.13.pdf ”The Software Assurance Marketplace has been carefully constructed, developed and implemented with community feedback. It is with this approach we expect the SWAMP to be a revolutionizing force in the software assurance community for years to come. A software assurance marketplace is a great place for the community to meet for research collaboration and technical exchange. The concept of the marketplace has influenced and shaped the vision outlined in this document – ideally the vision is to provide a unique set of services and capabilities that can be leveraged by the community, creating a collaborative marketplace for continuous assurance.” Kevin E. Greene, DHS S&T Software Assurance Program Manager
Presenter’s Name June 17, 2003 Cyber-Physical Systems 22 Cyber Physical Systems Are Becoming Ubiquitous: • Smart cars, smart grids, smart medical devices, smart manufacturing, smart homes, and so on • You will “bet your life” on many of these systems • Fast moving field focusing on functionality now and will bolt on security later… Drones Could Help Tulsa Firefighters During Search, Rescue PPD 21 Identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks” Just like the Internet in its early days, car networks don’t employ very much security” Opportunity Now To Build Security Into Emerging Cyber Physical Designs  Transportation  Auto, UAVs, Aeronautical, Rail  Manufacturing  Healthcare  Energy  Agriculture  Emergency Response
Presenter’s Name June 17, 2003  http://www.nsf.gov/pubs/2014/nsf14542/nsf14542.htm  II.C.1 U.S. DHS S&T Homeland Security Advanced Research Project Agency (HSARPA)  DHS S&T encourages R&D in cybersecurity to enhance the resilience of critical information infrastructure.  HSARPA has particular interests in security technologies relevant to cyber-physical systems. The NITRD CPS Senior Steering Group's 2012 CPS Vision Statement, which notes CPS research gaps, identifies drivers and technologies for CPS related to transportation, emergency response, energy, and healthcare are considered especially relevant for HSARPA. Relevant technologies include cybersecurity approaches for guarding against malicious attacks on CPS as well as diagnostics and prognostics that aim to identify, predict, and prevent or recover from faults. Recent Solicitation 23
Presenter’s Name June 17, 2003  https://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/HSHQDC- 14-R-00035/listing.html.  https://sbir2.st.dhs.gov  TITLE: Automatic Detection and Patching of Vulnerabilities in Embedded Systems  Embedded systems form a ubiquitous, networked, computing substrate that underlies much of modern technological society. Examples include supervisory control and data acquisition (SCADA) systems, medical devices, computer peripherals, communication devices, and vehicles, and the many consumer devices that make up the “Internet of Things”.  Develop innovative techniques to automatically detect and automatically patch vulnerabilities in networked, embedded systems. Future Solicitation SBIR: H-SB014.2-002 24
Presenter’s Name June 17, 2003 CSD New Programs / Ideas  Security for Cloud-Based Systems  Data Privacy Technologies  Mobile Wireless Investigations  Mobile Device Security  Next-Generation DDOS Defenses  Application Security Threat Attack Modeling (ASTAM)  Static Tool Analysis Modernization Project (STAMP)  Network Reputation and Risk Analysis  Data Analytics Methods for Cyber Security  Cyber Security Education  Designed-In Security  Finance Sector Cybersecurity  DNSSEC Applications  Data Provenance for Cybersecurity  Cyber Economic Incentives – based on EO/PPD 25
26 SUMMARY  Research is essential in driving innovation for current and future cybersecurity solutions  DHS S&T continues with aggressive cybersecurity research agenda  Continue emphasis on collaboration, technology transfer and experimental developments  Open source is a key part of our whole program
Presenter’s Name June 17, 2003 For more information, visit http://www.dhs.gov/cyber-research http://www.dhs.gov/st-csd Douglas Maughan, Ph.D. Division Director Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170 27

Recommandé

September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceBlack Duck by Synopsys
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryTim Mackey
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 

Recommandé

September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: September 13, 2016: Security in the Age of Open Source:
September 13, 2016: Security in the Age of Open Source: Black Duck by Synopsys
 
Security in the Age of Open Source
Security in the Age of Open SourceSecurity in the Age of Open Source
Security in the Age of Open SourceBlack Duck by Synopsys
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleBlack Duck by Synopsys
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryTim Mackey
 
Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Myths and Misperceptions of Open Source Security
Myths and Misperceptions of Open Source Security Black Duck by Synopsys
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Collaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingCollaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingBlack Duck by Synopsys
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityBlack Duck by Synopsys
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
Integrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentIntegrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentBlack Duck by Synopsys
 
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationMaking the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationBlack Duck by Synopsys
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application SecurityBlack Duck by Synopsys
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open SourceShane Coughlan
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceBlack Duck by Synopsys
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBlack Duck by Synopsys
 
The Case for Continuous Open Source Management
The Case for Continuous Open Source ManagementThe Case for Continuous Open Source Management
The Case for Continuous Open Source ManagementBlack Duck by Synopsys
 
OPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATIONOPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATIONRitwick Halder
 
Open Source for Cyber Security
Open Source for Cyber SecurityOpen Source for Cyber Security
Open Source for Cyber SecurityPrabath Siriwardena
 

Contenu connexe

Tendances

Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Collaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingCollaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingBlack Duck by Synopsys
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Black Duck by Synopsys
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityBlack Duck by Synopsys
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
Integrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentIntegrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentBlack Duck by Synopsys
 
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationMaking the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationBlack Duck by Synopsys
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck by Synopsys
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudBlack Duck by Synopsys
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open SourceShane Coughlan
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingBlack Duck by Synopsys
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceBlack Duck by Synopsys
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBlack Duck by Synopsys
 
The Case for Continuous Open Source Management
The Case for Continuous Open Source ManagementThe Case for Continuous Open Source Management
The Case for Continuous Open Source ManagementBlack Duck by Synopsys
 

Tendances (20)

Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Collaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on GivingCollaborative Development the Gift That Keeps on Giving
Collaborative Development the Gift That Keeps on Giving
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
The Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and CybersecurityThe Intersection Between Open Source and Cybersecurity
The Intersection Between Open Source and Cybersecurity
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
 
Integrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps EnvironmentIntegrating Black Duck into your Agile DevOps Environment
Integrating Black Duck into your Agile DevOps Environment
 
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network CommunicationMaking the Strategic Shift to Open Source at Fujitsu Network Communication
Making the Strategic Shift to Open Source at Fujitsu Network Communication
 
Open Source in Application Security
Open Source in Application SecurityOpen Source in Application Security
Open Source in Application Security
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Black Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open SourceBlack Duck & IBM Present: Application Security in the Age of Open Source
Black Duck & IBM Present: Application Security in the Age of Open Source
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITY
 
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the CloudShift Risk Left: Security Considerations When Migrating Apps to the Cloud
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
 
PCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s MissingPCI and Vulnerability Assessments - What’s Missing
PCI and Vulnerability Assessments - What’s Missing
 
Customer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to ComplianceCustomer Case Study: ScienceLogic - Many Paths to Compliance
Customer Case Study: ScienceLogic - Many Paths to Compliance
 
Buyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech ContractsBuyer and Seller Perspectives on Open Source in Tech Contracts
Buyer and Seller Perspectives on Open Source in Tech Contracts
 
The Case for Continuous Open Source Management
The Case for Continuous Open Source ManagementThe Case for Continuous Open Source Management
The Case for Continuous Open Source Management
 

En vedette

OPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATIONOPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATIONRitwick Halder
 
Open source security
Open source securityOpen source security
Open source securitylrigknat
 
Open Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and SecurityOpen Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and SecurityJoshua L. Davis
 
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, SecurityWeb Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, SecurityDiogo Mónica
 
Power Point Presentation on Open Source Software
Power Point Presentation on Open Source Software Power Point Presentation on Open Source Software
Power Point Presentation on Open Source Software opensourceacademy
 
Open Source Software Presentation
Open Source Software PresentationOpen Source Software Presentation
Open Source Software PresentationHenry Briggs
 
Open source technology
Open source technologyOpen source technology
Open source technologyaparnaz1
 

En vedette (11)

OPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATIONOPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATION
 
Open Source for Cyber Security
Open Source for Cyber SecurityOpen Source for Cyber Security
Open Source for Cyber Security
 
Open source security
Open source securityOpen source security
Open source security
 
Open Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and SecurityOpen Source Software (OSS/FLOSS) and Security
Open Source Software (OSS/FLOSS) and Security
 
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, SecurityWeb Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
Web Summit 2015 - Enterprise stage - Cloud, Open-Source, Security
 
RFID security ppt
RFID security pptRFID security ppt
RFID security ppt
 
Power Point Presentation on Open Source Software
Power Point Presentation on Open Source Software Power Point Presentation on Open Source Software
Power Point Presentation on Open Source Software
 
Open Source Software Presentation
Open Source Software PresentationOpen Source Software Presentation
Open Source Software Presentation
 
Open source technology
Open source technologyOpen source technology
Open source technology
 
Free Open Source Software - Introduction
Free Open Source Software - IntroductionFree Open Source Software - Introduction
Free Open Source Software - Introduction
 
Open Source Technology
Open Source TechnologyOpen Source Technology
Open Source Technology
 

Similaire à Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity

Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)Joshua L. Davis
 
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017Maurice Dawson
 
Review of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak MaheshwariReview of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak Maheshwarivpnmentor
 
Staying Ahead of the Race - Quantum computing in Cybersecurity
Staying Ahead of the Race - Quantum computing in Cybersecurity Staying Ahead of the Race - Quantum computing in Cybersecurity
Staying Ahead of the Race - Quantum computing in Cybersecurity Lilminow
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
 
UN Singapore Cyber Programme 15 july19
UN Singapore Cyber Programme 15 july19UN Singapore Cyber Programme 15 july19
UN Singapore Cyber Programme 15 july19consultancyss
 
MSc Dissertation 11058374 Final
MSc Dissertation 11058374 FinalMSc Dissertation 11058374 Final
MSc Dissertation 11058374 FinalJohn Dunne
 
National Big Data Analytics (BDA) Initiative - //bina/ 2014 conference
National Big Data Analytics (BDA) Initiative - //bina/ 2014 conferenceNational Big Data Analytics (BDA) Initiative - //bina/ 2014 conference
National Big Data Analytics (BDA) Initiative - //bina/ 2014 conferencePeter Kua
 
Southern Risk Council - Cybersecurity Update 10-9-13
Southern Risk Council - Cybersecurity Update 10-9-13Southern Risk Council - Cybersecurity Update 10-9-13
Southern Risk Council - Cybersecurity Update 10-9-13Phil Agcaoili
 
Critical Information Infrastructure Cyberspace Situational Awareness_Measure ...
Critical Information Infrastructure Cyberspace Situational Awareness_Measure ...Critical Information Infrastructure Cyberspace Situational Awareness_Measure ...
Critical Information Infrastructure Cyberspace Situational Awareness_Measure ...DaveNjoga1
 
Cloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
Cloud Forensics: Drawbacks in Current Methodologies and Proposed SolutionCloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
Cloud Forensics: Drawbacks in Current Methodologies and Proposed SolutionIJERA Editor
 
IOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
IOT-2016 7-9 Septermber, 2016, Stuttgart, GermanyIOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
IOT-2016 7-9 Septermber, 2016, Stuttgart, GermanyCharith Perera
 
Computer ForensicsDiscussion 1Forensics Certifications Ple.docx
Computer ForensicsDiscussion 1Forensics Certifications Ple.docxComputer ForensicsDiscussion 1Forensics Certifications Ple.docx
Computer ForensicsDiscussion 1Forensics Certifications Ple.docxdonnajames55
 
Sensorpedia
SensorpediaSensorpedia
SensorpediaFranciel
 
Open Source Software Version 5
Open Source Software Version 5Open Source Software Version 5
Open Source Software Version 5Henry Briggs
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)Santosh Khadsare
 
IT Security Services
IT Security ServicesIT Security Services
IT Security ServicesOmar Toor
 
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEM
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEMMIS Notes For University Students.MANAGEMENT INFORMATION SYSTEM
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEMShehanperamuna
 

Similaire à Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity (20)

Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)Homeland Open Security Technologies (HOST)
Homeland Open Security Technologies (HOST)
 
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
STAYING SAFE AND SECURED ON TODAY AND TOMORROW’S AFRICA CYBERSPACE WORKSHOP 2017
 
Review of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak MaheshwariReview of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak Maheshwari
 
Staying Ahead of the Race - Quantum computing in Cybersecurity
Staying Ahead of the Race - Quantum computing in Cybersecurity Staying Ahead of the Race - Quantum computing in Cybersecurity
Staying Ahead of the Race - Quantum computing in Cybersecurity
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
UN Singapore Cyber Programme 15 july19
UN Singapore Cyber Programme 15 july19UN Singapore Cyber Programme 15 july19
UN Singapore Cyber Programme 15 july19
 
Sinnott Paper
Sinnott PaperSinnott Paper
Sinnott Paper
 
MSc Dissertation 11058374 Final
MSc Dissertation 11058374 FinalMSc Dissertation 11058374 Final
MSc Dissertation 11058374 Final
 
National Big Data Analytics (BDA) Initiative - //bina/ 2014 conference
National Big Data Analytics (BDA) Initiative - //bina/ 2014 conferenceNational Big Data Analytics (BDA) Initiative - //bina/ 2014 conference
National Big Data Analytics (BDA) Initiative - //bina/ 2014 conference
 
Southern Risk Council - Cybersecurity Update 10-9-13
Southern Risk Council - Cybersecurity Update 10-9-13Southern Risk Council - Cybersecurity Update 10-9-13
Southern Risk Council - Cybersecurity Update 10-9-13
 
Critical Information Infrastructure Cyberspace Situational Awareness_Measure ...
Critical Information Infrastructure Cyberspace Situational Awareness_Measure ...Critical Information Infrastructure Cyberspace Situational Awareness_Measure ...
Critical Information Infrastructure Cyberspace Situational Awareness_Measure ...
 
Cloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
Cloud Forensics: Drawbacks in Current Methodologies and Proposed SolutionCloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
Cloud Forensics: Drawbacks in Current Methodologies and Proposed Solution
 
IOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
IOT-2016 7-9 Septermber, 2016, Stuttgart, GermanyIOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
IOT-2016 7-9 Septermber, 2016, Stuttgart, Germany
 
Computer ForensicsDiscussion 1Forensics Certifications Ple.docx
Computer ForensicsDiscussion 1Forensics Certifications Ple.docxComputer ForensicsDiscussion 1Forensics Certifications Ple.docx
Computer ForensicsDiscussion 1Forensics Certifications Ple.docx
 
Sensorpedia
SensorpediaSensorpedia
Sensorpedia
 
Open Source Software Version 5
Open Source Software Version 5Open Source Software Version 5
Open Source Software Version 5
 
The red book
The red book The red book
The red book
 
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
INDIAN NATIONAL CYBER SECURITY POLICY (NCSP-2013)
 
IT Security Services
IT Security ServicesIT Security Services
IT Security Services
 
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEM
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEMMIS Notes For University Students.MANAGEMENT INFORMATION SYSTEM
MIS Notes For University Students.MANAGEMENT INFORMATION SYSTEM
 

Plus de Great Wide Open

The Little Meetup That Could
The Little Meetup That CouldThe Little Meetup That Could
The Little Meetup That CouldGreat Wide Open
 
Lightning Talk - 5 Hacks to Getting the Job of Your Dreams
Lightning Talk - 5 Hacks to Getting the Job of Your DreamsLightning Talk - 5 Hacks to Getting the Job of Your Dreams
Lightning Talk - 5 Hacks to Getting the Job of Your DreamsGreat Wide Open
 
Breaking Free from Proprietary Gravitational Pull
Breaking Free from Proprietary Gravitational PullBreaking Free from Proprietary Gravitational Pull
Breaking Free from Proprietary Gravitational PullGreat Wide Open
 
Dealing with Unstructured Data: Scaling to Infinity
Dealing with Unstructured Data: Scaling to InfinityDealing with Unstructured Data: Scaling to Infinity
Dealing with Unstructured Data: Scaling to InfinityGreat Wide Open
 
You Don't Know Node: Quick Intro to 6 Core Features
You Don't Know Node: Quick Intro to 6 Core FeaturesYou Don't Know Node: Quick Intro to 6 Core Features
You Don't Know Node: Quick Intro to 6 Core FeaturesGreat Wide Open
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsGreat Wide Open
 
Lightning Talk - Getting Students Involved In Open Source
Lightning Talk - Getting Students Involved In Open SourceLightning Talk - Getting Students Involved In Open Source
Lightning Talk - Getting Students Involved In Open SourceGreat Wide Open
 
You have Selenium... Now what?
You have Selenium... Now what?You have Selenium... Now what?
You have Selenium... Now what?Great Wide Open
 
How Constraints Cultivate Growth
How Constraints Cultivate GrowthHow Constraints Cultivate Growth
How Constraints Cultivate GrowthGreat Wide Open
 
Troubleshooting Hadoop: Distributed Debugging
Troubleshooting Hadoop: Distributed DebuggingTroubleshooting Hadoop: Distributed Debugging
Troubleshooting Hadoop: Distributed DebuggingGreat Wide Open
 
The Current Messaging Landscape
The Current Messaging LandscapeThe Current Messaging Landscape
The Current Messaging LandscapeGreat Wide Open
 
Understanding Open Source Class 101
Understanding Open Source Class 101Understanding Open Source Class 101
Understanding Open Source Class 101Great Wide Open
 
Elasticsearch for SQL Users
Elasticsearch for SQL UsersElasticsearch for SQL Users
Elasticsearch for SQL UsersGreat Wide Open
 

Plus de Great Wide Open (20)

The Little Meetup That Could
The Little Meetup That CouldThe Little Meetup That Could
The Little Meetup That Could
 
Lightning Talk - 5 Hacks to Getting the Job of Your Dreams
Lightning Talk - 5 Hacks to Getting the Job of Your DreamsLightning Talk - 5 Hacks to Getting the Job of Your Dreams
Lightning Talk - 5 Hacks to Getting the Job of Your Dreams
 
Breaking Free from Proprietary Gravitational Pull
Breaking Free from Proprietary Gravitational PullBreaking Free from Proprietary Gravitational Pull
Breaking Free from Proprietary Gravitational Pull
 
Dealing with Unstructured Data: Scaling to Infinity
Dealing with Unstructured Data: Scaling to InfinityDealing with Unstructured Data: Scaling to Infinity
Dealing with Unstructured Data: Scaling to Infinity
 
You Don't Know Node: Quick Intro to 6 Core Features
You Don't Know Node: Quick Intro to 6 Core FeaturesYou Don't Know Node: Quick Intro to 6 Core Features
You Don't Know Node: Quick Intro to 6 Core Features
 
Hidden Features in HTTP
Hidden Features in HTTPHidden Features in HTTP
Hidden Features in HTTP
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 
Lightning Talk - Getting Students Involved In Open Source
Lightning Talk - Getting Students Involved In Open SourceLightning Talk - Getting Students Involved In Open Source
Lightning Talk - Getting Students Involved In Open Source
 
You have Selenium... Now what?
You have Selenium... Now what?You have Selenium... Now what?
You have Selenium... Now what?
 
How Constraints Cultivate Growth
How Constraints Cultivate GrowthHow Constraints Cultivate Growth
How Constraints Cultivate Growth
 
Inner Source 101
Inner Source 101Inner Source 101
Inner Source 101
 
Running MySQL on Linux
Running MySQL on LinuxRunning MySQL on Linux
Running MySQL on Linux
 
Search is the new UI
Search is the new UISearch is the new UI
Search is the new UI
 
Troubleshooting Hadoop: Distributed Debugging
Troubleshooting Hadoop: Distributed DebuggingTroubleshooting Hadoop: Distributed Debugging
Troubleshooting Hadoop: Distributed Debugging
 
The Current Messaging Landscape
The Current Messaging LandscapeThe Current Messaging Landscape
The Current Messaging Landscape
 
Apache httpd v2.4
Apache httpd v2.4Apache httpd v2.4
Apache httpd v2.4
 
Understanding Open Source Class 101
Understanding Open Source Class 101Understanding Open Source Class 101
Understanding Open Source Class 101
 
Thinking in Git
Thinking in GitThinking in Git
Thinking in Git
 
Antifragile Design
Antifragile DesignAntifragile Design
Antifragile Design
 
Elasticsearch for SQL Users
Elasticsearch for SQL UsersElasticsearch for SQL Users
Elasticsearch for SQL Users
 

Dernier

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity

  • 1. Open Source and Cyber Security: Open Source Software's Role in Government Cybersecurity Dr. Douglas Maughan U.S. Department of Homeland Security Science and Technology Directorate Director, Cyber Security Division 3 April 2014 1
  • 2. 2
  • 3. Homeland Security Office of Cybersecurity and Communications Executive Order (EO) on Improving Critical Infrastructure Cybersecurity/ Policy Presidential Directive (PPD) on Critical Infrastructure Security and Resilience Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:  Develop a technology-neutral voluntary cybersecurity framework  Promote/incentivize adoption of cybersecurity practices  Increase the volume, timeliness and quality of cyber threat information sharing  Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure  Explore existing regulation to promote cyber security Presidential Policy Directive-21: Critical Infrastructure  Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to: – Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time – Understand cascading consequences of infrastructure failures – Evaluate and mature the public-private partnership – Update the National Infrastructure Protection Plan – Develop comprehensive research and development plan 3 “America must also face the rapidly growing threat from cyber attacks… That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.” President Barack Obama, 2013 State of the Union Credit: White House / Pete Souza
  • 4. Open Source and Government July 2001 Jan 2003 July 2004 June 2007 May 2003 Stenbit Memo MITRE Bus. Case MITRE Survey OMB Procurement Memo June 2006 OTD Roadmap Launched Oct 2009 OTD Phase 2 DONCIO Guidance DoD NII Guidance Oct 2009 PITAC HPC July 2001 2001 - 03 4
  • 5. 24 September 2010 5 Univ. of Pennsylvania Network Associates Labs WireX Communications DARPA Program (2001-2003)  President’s Information Technology Advisory Committee (PITAC) Report on Open Source Software (OSS) Panel for High Performance Computing (HPC) Critical Findings 1. Federal government should encourage the development of Open Source Software. 2. Federal government should allow Open Source development efforts to compete on a “level playing field” with proprietary solutions in government procurement 3. Government sponsored Open Source projects should choose from a small set of established Open Source licenses after analysis of each license and determination of which may be preferable.
  • 6. 6 Cuts 2.9% from FY2014 budget Gives agencies $79 billion for IT Includes $13 billion for cyber security
  • 7. 7 178 5,815 4,360 178 61 3,479 440 34 National 24K stations 170 1,120 19,902 10,000 3,637 47 COMM/911 6,153 EMS - 21,283 LE - 17,985 Fire - 30,125 and similar health facilities 5,000 Colleges & Universities 6,900 Departments 14,800 Social Services 210,427 Utilities 16,960 327 Transportation 217,926 Public Works ~24,000 Media 14,650 Chemical, Oil and Gas 2,500 Restoration & Repair 402,440 >1.5 million NGOs Veterinarians 21,731 Schools 132,656 Telecom & IT 11,000 Sports Facilities 1,965 State, Tribal, Local Govts 39,3130 Telematics Providers 16,960 Doctors’ Offices, Nursing Homes 19,286 EMPLOYERS 7,601,160 Mental Health Services 15,000 Federal Agencies 16,960 308,500 Insurance Companies Our Stakeholder Community
  • 8. Presenter’s Name June 17, 2003  Malware – Malicious software to disrupt computers  Viruses, worms, …  Theft of Intellectual Property or Data  Hactivism – Cyber protests that are socially or politically motivated  Mobile Devices and Applications and their associated Cyber Attacks  Social Engineering – Entice users to click on Malicious Links  Spear Phishing – Deceptive communications (E-Mails, Texts, Tweets)  Domain Name System (DNS) Hijacking  Router Security – Border Gateway Protocol (BGP) Hijacking  Denial of Service (DOS) – blocking access to web sites  Others ….. Cyber Threats and Sources 8 Nation States Cyber Criminals Hackers/Hacktivists Insider Threats Terrorists, DTOs, etc.
  • 9. Presenter’s Name June 17, 2003 CSD R&D Execution Model • Ironkey – Secure USB – Standard Issue to S&T employees from S&T CIO – Acquired by Imation • Komoku – Rootkit Detection Technology – Acquired by Microsoft • HBGary – Memory and Malware Analysis – Over 100 pilot deployments as part of Cyber Forensics • Endeavor Systems – Malware Analysis tools – Acquired by McAfee • Stanford – Anti-Phishing Technologies – Open source; most browsers have included Stanford R&D • Secure Decisions – Data Visualization – Pilot with DHS/NCSD/US-CERT; Acquisition Successes Research Development Test and Evaluation & Transition (RDTE&T) "Crossing the ‘Valley of Death’: Transitioning Cybersecurity Research into Practice," IEEE Security & Privacy, March-April 2013, Maughan, Douglas; Balenson, David; Lindqvist, Ulf; Tudor, Zachary http://www.computer.org/portal/web/computingnow/securityandprivacy 9
  • 10. Presenter’s Name June 17, 2003 Cyber Security Focus Areas  Trustworthy Cyber Infrastructure  Working with the global Internet community to secure cyberspace  Research Infrastructure to Support Cybersecurity  Developing necessary research infrastructure to support R&D community  R&D Partnerships  Establishing R&D partnerships with private sector, academia, and international partners  Innovation and Transition  Ensuring R&D results become real solutions  Cybersecurity Education  Leading National and DHS cybersecurity education initiatives 10
  • 11. Presenter’s Name June 17, 2003 11  Enhance public awareness: (1) Augment current messaging to promote policies and practices that support Administration priorities, such as EO 13636 and PPD-21, and (2) develop messaging that targets senior executives of critical infrastructure companies (e.g., CEOs, Boards of Directors).  Expand the Pipeline: (1) Expand formal education at the post-secondary level, including both four-year and two-year institutions and (2) establish new National Academic Consortiums for Cybersecurity Education (government, colleges/universities, high schools, middle schools, technical academies, industry, professional organizations)  Evolve the profession: (1) Identify critical cybersecurity workforce skills through a national cybersecurity Workforce Inventory and Gap Analysis and continued development of Cybersecurity Workforce Forecasting Tools and (2) provide access to free or low-cost training for the identified critical skills. NICE was established in support of the Comprehensive National Cybersecurity Initiative (CNCI) – Initiative 8: Expand Cyber Education – Interim Way Forward and is comprised of over 20 federal departments and agencies. A National Problem
  • 12. 12 HOST Program  Homeland Open Security Technology investigates open security methods, models and technologies to identify viable and sustainable approaches to cybersecurity objectives.  Focus on cybersecurity (Open Security) solutions  Priority to Federal, State and local governments  Secondary to critical infrastructure and general IT solutions DISCOVERY – COLLABORATION – INVESTMENT
  • 13. 13 HOST DISCOVERY Identify existing resources, methods, techniques, practices  Lessons Learned: Roadblocks and Opportunities for Open Source Software in U.S. Government  2012: Dr. David Wheeler, IDA; Tom Dunn, GTRI  Interviews with experts, suppliers and potential users  Open Security Inventory  OpenCyberSecurity.org Information Portal
  • 14. Presenter’s Name June 17, 2003  Inertia  We’ve never done it that way before  Procurement  Government acquisition doesn’t match OSS business models  Paperwork impedes small businesses (where most of OSS resides)  Security  Too many Certification and Accreditation (C&A) processes Lessons Learned: Open Source Software and Government 14  Standards / Interoperability  Inhibiting Policies  Policies inhibiting collaboration with public community (ITAR, EAR)  Education  General problem, esp. intellectual property rights and licenses
  • 15. 15 HOST COLLABORATION Establish public and private-sector research and development communities  Open Information Security Foundation  Government Strategic Council  Round Table Summits  Community Outreach
  • 16. 16 Open Source Option If Open Source enables technical agility, administrative flexibility and economic savings, then:  How to leverage these benefits for Federal, state, local governments?  What technical resources and support services are available?  Is the technology secure? Has it been vetted?  Who else in government is using it?  Have acquisition, adoption, policy issues been addressed?  How to interact with “development community?”
  • 17. 17 HOST INVESTMENT Contribute seed investments in advanced R&D activities that produce sustainable project communities through broad adoption by public and private-sector use and support  Suricata IDS Engine  FIPS 140-2 Validated OpenSSL  Government Open Technology Index  Open Security Application Map
  • 18. Presenter’s Name June 17, 2003 Open Source – OISF and Suricata  Intrusion Detection & Prevention System (IDS/IPS)  Very Fast, Multi-Threaded  Automated Protocol Detection  File Identification and Extraction  GPU Acceleration  A new model for managing and sustaining “open source” innovation  A non-profit to develop and “own” the code  Software Freedom Law Center created the License pro bono  A consortium of companies providing support in exchange for not having to release changes 18 ~$1.2m in DHS funding matched by ~$8m in commercial sponsorship
  • 19. Presenter’s Name June 17, 2003 Software Assurance 19 “Software is everywhere, and WE ALL ARE VULNERABLE. Market pressures are forcing early release of untested software.” According to Trustwave’s “2013 Global Security Report,” SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.
  • 20. Presenter’s Name June 17, 2003 Software Evolution 20 Codebases are HUMONGOUS • Common software applications – some apps scale near 60 MLOC • Software Assurance tools typically can’t scale this amount of code • Codebase size contributes to code complexity • More features, usually means more code • Spaghetti code typically results in poor quality of code 50 MLOC
  • 21. Presenter’s Name June 17, 2003 SWAMP Vision Document http://continuousassurance.org/wp-content/uploads/2013/10/SWAMP- VISION-10.28.13.pdf ”The Software Assurance Marketplace has been carefully constructed, developed and implemented with community feedback. It is with this approach we expect the SWAMP to be a revolutionizing force in the software assurance community for years to come. A software assurance marketplace is a great place for the community to meet for research collaboration and technical exchange. The concept of the marketplace has influenced and shaped the vision outlined in this document – ideally the vision is to provide a unique set of services and capabilities that can be leveraged by the community, creating a collaborative marketplace for continuous assurance.” Kevin E. Greene, DHS S&T Software Assurance Program Manager
  • 22. Presenter’s Name June 17, 2003 Cyber-Physical Systems 22 Cyber Physical Systems Are Becoming Ubiquitous: • Smart cars, smart grids, smart medical devices, smart manufacturing, smart homes, and so on • You will “bet your life” on many of these systems • Fast moving field focusing on functionality now and will bolt on security later… Drones Could Help Tulsa Firefighters During Search, Rescue PPD 21 Identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks” Just like the Internet in its early days, car networks don’t employ very much security” Opportunity Now To Build Security Into Emerging Cyber Physical Designs  Transportation  Auto, UAVs, Aeronautical, Rail  Manufacturing  Healthcare  Energy  Agriculture  Emergency Response
  • 23. Presenter’s Name June 17, 2003  http://www.nsf.gov/pubs/2014/nsf14542/nsf14542.htm  II.C.1 U.S. DHS S&T Homeland Security Advanced Research Project Agency (HSARPA)  DHS S&T encourages R&D in cybersecurity to enhance the resilience of critical information infrastructure.  HSARPA has particular interests in security technologies relevant to cyber-physical systems. The NITRD CPS Senior Steering Group's 2012 CPS Vision Statement, which notes CPS research gaps, identifies drivers and technologies for CPS related to transportation, emergency response, energy, and healthcare are considered especially relevant for HSARPA. Relevant technologies include cybersecurity approaches for guarding against malicious attacks on CPS as well as diagnostics and prognostics that aim to identify, predict, and prevent or recover from faults. Recent Solicitation 23
  • 24. Presenter’s Name June 17, 2003  https://www.fbo.gov/spg/DHS/OCPO/DHS-OCPO/HSHQDC- 14-R-00035/listing.html.  https://sbir2.st.dhs.gov  TITLE: Automatic Detection and Patching of Vulnerabilities in Embedded Systems  Embedded systems form a ubiquitous, networked, computing substrate that underlies much of modern technological society. Examples include supervisory control and data acquisition (SCADA) systems, medical devices, computer peripherals, communication devices, and vehicles, and the many consumer devices that make up the “Internet of Things”.  Develop innovative techniques to automatically detect and automatically patch vulnerabilities in networked, embedded systems. Future Solicitation SBIR: H-SB014.2-002 24
  • 25. Presenter’s Name June 17, 2003 CSD New Programs / Ideas  Security for Cloud-Based Systems  Data Privacy Technologies  Mobile Wireless Investigations  Mobile Device Security  Next-Generation DDOS Defenses  Application Security Threat Attack Modeling (ASTAM)  Static Tool Analysis Modernization Project (STAMP)  Network Reputation and Risk Analysis  Data Analytics Methods for Cyber Security  Cyber Security Education  Designed-In Security  Finance Sector Cybersecurity  DNSSEC Applications  Data Provenance for Cybersecurity  Cyber Economic Incentives – based on EO/PPD 25
  • 26. 26 SUMMARY  Research is essential in driving innovation for current and future cybersecurity solutions  DHS S&T continues with aggressive cybersecurity research agenda  Continue emphasis on collaboration, technology transfer and experimental developments  Open source is a key part of our whole program
  • 27. Presenter’s Name June 17, 2003 For more information, visit http://www.dhs.gov/cyber-research http://www.dhs.gov/st-csd Douglas Maughan, Ph.D. Division Director Cyber Security Division Homeland Security Advanced Research Projects Agency (HSARPA) douglas.maughan@dhs.gov 202-254-6145 / 202-360-3170 27