This document provides an overview of secure coding with open source software. It discusses that open source software is now mainstream, used in many modern innovations. It describes what open source software is, the explosive growth of open source, and popular open source libraries and dependencies. The document outlines roles in open source projects and how to contribute. It discusses security considerations like vulnerabilities in open source libraries and the increased risk with reusing libraries. The document provides examples of popular open source projects like Angular.js and their contributions and vulnerabilities. It emphasizes the real risk is not a lack of fixes but the lack of speed in applying fixes. The importance of software composition analysis and vulnerability management for open source is highlighted.

1. All You Need To Know about Secure Coding with
Open Source Software
Javier Perez - javierperez.mozello.com

2. Open Source Software is Mainstream
● Latest Innovations are all Open Source
AI, Machine Learning, Deep Learning, Blockchain, Virtual Assistance,…
● Millions of Open Source Libraries, all programming languages
2
Augmented Reality Virtual RealityAutonomous Cars

3. What is Open Source Software?
● Source code is publicly available
● Open to collaboration
● Source code available with a license that permits users to freely
run, study, modify and redistribute
OSS

4. Explosive Grow of Open Source
50M+
Developers Worldwide
2.9M+
* Organizations
100M+
* Repositories
* Source: State of the Octoverse, GitHub, November 2019
44M+
* Repositories Created in
2019
1.3M+
* First Time Contributors in
2019

5. App Development in Open Source
1.2M +
NPM Modules with 859 new/day
337K +
Maven Central Modules with 144 new/day
265K +
Packagist Modules with 112 new/day
210K +
PyPI Modules with 117 new/day
202K +
NuGet Modules with 153 new/day
159K +
RubyGems Modules with 18 new/day
* Source: Modulecounts as of May 5, 2020

6. What’s in Open Source Software?
1. Open Source License
2. README
3. Contribution Guidelines
4. Code of Conduct

7. Roles in Open Source Software
● Maintainer
○ ”Owner” and Administrator, publish code, website, social
media.
● Committer
○ Becoming a Committer in projects like Cordova, Node.js, Linux,
and others is a highly regarded and respected role.
● Contributor
○ Opportunity to learn, join a community and meet people.

8. Open Source Software Contributions
● Contribute Upstream
● Company Sponsored or Individually
○ Enhancements, Bug Fixes and
Vulnerability Fixes
● Modified code not contributed back
becomes close code
Top Open Source
Projects 2019
Number of
Contributors
Visual Studio Code 19.1K
Azure Docs 14K
Flutter 13K
First Contributions 11.6K
TensorFlow 9.9K
React Native 9.1K
Kubernetes 6.9K
DefinitelyTyped 6.9K
Ansible 6.8K
Home-Assistant 6.3K
* Source: State of the Octoverse, GitHub, November 2019

9. Open Source Libraries and Dependencies
● Popular Open Source Libraries have many
contributors and they are dependencies for
millions of repositories
● Depending on the Programming Language
Open Source Libraries can have from a few to
1000’s of dependencies
● There are Direct Dependencies and Transitive
Dependencies

10. Security in Open Source Software

11. Vulnerability
Vulnerability
Discovered
Vulnerabilities in Open Source Libraries
● Security is about identify Vulnerabilities
● Vulnerable Method in the Library
● Common Vulnerability and Exposures (CVE)
● Common Vulnerability Score System (CVSS)
● Vulnerabilities outside CVE and NVD

12. Let’s Review a Popular OSS: Angular.JS
● JavaScript Framework that lets you write client-side web applications
and use HTML.
● Over 1,500 direct contributors, 8,971 Commits

13. Other Popular Projects: Tensorflow
● Newer but with more participation

14. Other Popular Projects: Kubernetes

15. Back to Angular.JS: Contributions
● Contributors with hundreds of commits
● Top Committers added 1,438 and 842 commits

16. Angular.JS: Versions and Vulnerabilities
● 140 versions since Mar 2012
● 22 Vulnerabilities, 139 Versions Affected by Vulnerabilities
● Only one “safe version” the latest 1.7.9
● 6 Critical/High Risk Vulnerabilities

17. Angular.JS: Versions and Vulnerabilities
● High-Risk Vulnerabilities with Versions affected

18. Open Source Software Security
● Does you company has this many Developers?
○ ”Given enough eyeballs, all bugs are shallow” - Linus’
Law - Linus Torvalds
● Large Open Source Projects don’t have a Single
Unified Architecture
○ Top developers are contributors
○ It is not the developer’s fault
● Visibility to more Security Champions
● Same security practices used on close software,
i.e. the top 10 OWASP Proactive Controls

19. Not a Single Unified Architecture

20. Increased Risk with Reuse of Libraries
Apache Commons IO Library:
Used by:
18,595
artifacts
Apache
Commons
Lang
16,281
ScalaTest
12,779
Spring
Web
5,475
Apache
Log4j Fastjson
Snake
YAML
Hadoop
Common
Zoo
Keeper
Selenium
Java
* Source: MavenRepository.com

21. More on Open Source Security
● New vulnerabilities are constantly being discovered in
Open Source code
● Most vulnerabilities are unintentional
● Much smaller risk of malicious code being injected
● The smart way to make them public is when you have a fix
(public disclosure)
● More than 98% of public vulnerabilities have a fix
● But you have to keep up with the latest fixes

22. The Real Risk: Not Lack of Fix, Lack of Speed
● Once a vulnerability is disclosed, exploiting it becomes far easier.
The attacker has the full detail of the vulnerability and how it can be
invoked
● Most attacks exploit known vulnerabilities that have never been
patched despite patches being available
● Symantec predicts that "Through 2020, 99% of vulnerabilities
exploited will continue to be ones known by security and IT
professionals for at least one year"

23. Salt Framework Vulnerabilities Example
● Open Source Framework used to monitor and update the state of servers
● IBM Cloud, LinkedIn, and eBay, use Salt to configure servers, relay messages
from the "master server" and issue commands to a specific time schedule.
● Two high severity vulnerabilities
○ CVE-2020-11651 (an authentication bypass)
○ CVE-2020-11652 (a directory traversal)
○ When combined, could allow attackers to bypass login procedures and run code on
Salt master servers left exposed on the internet
● Disclosed publicly on April 30 by researchers at F-Secure Labs and SaltStack
had released updated versions that fixed it the previous day.
● Exploits at: LineageOS, Ghost blog platform, Xen Orchestra and most likely
more

24. Manage your Open Source Usage: SCA
● Visibility of all your Open Source usage
● Visibility of license and vulnerability risk based on policies.
● Vulnerabilities prioritization will reduce significant risk.
● Make SCA scans part of SDLC, and part of CI/CD
● SCA provides insight into remediation and act to prevent security
breaches
● Do not scan once, new vulnerabilities are introduced all the time

25. Apply What You Have Learned Today
● Keep promoting Open Source, keep promoting innovation in your
organization
● Keep and active inventory of the open source you use
● Detect vulnerabilities from NVD and other sources
● Prioritize fixes: Update vulnerable libraries
● SCA Scan Automation: DevSecOps

26. THANK YOU!
Javier Perez - javierperez.mozello.com