The Tragedy of Open Source
1. The Tragedy of Open Source
David Nalley
ke4qqq@apache.org
David.Nalley@citrix.com
@ke4qqq
2. #whoami
• Director, VP Infra; The Apache Software Foundation
• PMC member of Apache {jclouds, CloudStack, Incubator}
• Employed by Citrix in the Open Source Business Office
13. And we are so close…
• “Software is eating the world” – Marc Andreessen.
• Open Source now the de facto model for cloud, big data, $newtech
• “Open Source software is eating the world” – Dr. Ibrahim Haddad, Samsung
• “You can’t build a product today without open source.”
18. A few ideas
• So much opportunity to become part of a critical software project
• Core Infrastructure Initiative
• Make a case that your organization must invest
– Pay a vendor
– Contribute upstream
19. Contact
• David Nalley
– ke4qqq@apache.org
– David.Nalley@citrix.com
– @ke4qqq
Editor's Notes
Apache web server, Tomcat, Cassandra, Hadoop, Spark, and ~200 other projects
Anyone recognize this logo?
Heartbleed is a security bug disclosed in April 2014 in the OpenSSL library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client.
Forbes columnist Joseph Steinberg wrote "Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet."
Shellshock – one guy, Chet Ramey
Flaw existed for more than two decades
ESR: enough eyeballs, all bugs are shallow
Steven Bellovin, CS prof at Columbia Univ.: eyeballs are more consumed with new features than with quality
GNUPG – one guy
Codehaus had lots of projects that called it home. Codehaus had a number of donors, but ended up spending 1,000 per month more than budget, partially because of their own success.
Sustainability is something that I care about a lot.
Bitergia – elephant factor
In my role as a director of the Apache Software Foundation, I get about 70 reports monthly from projects at the ASF, and sustainability is something I look for closely. If a project ceases to remain viable, that is a problem; and we have a process called the Attic for dealing with code from a community that has ceased to function.
CloudStack 12; hadoop 13; httpd 9; cordova 8.
Linux 11; php 7; - git 1; openssl 2; perl 3. ruby 4.
GIT vs SVN – 1 vs 7
In 1833, the English economist William Forster Lloyd published a pamphlet.
In 1968, ecologist Garrett Hardin defined the tragedy of the commons:
A situation where individuals acting independently and rationally according to each one's self-interest behave contrary to the best interests of the whole group by depleting some common resource.
TVs, Cameras, phones, refrigerators….
Where do we go from here:
Google - In the past year, Google has likely dedicated more developer time to optimizing font sizes, colors, icons, and other trivial visual details of their ads and apps, than the OpenSSL developers have spent over the lifetime of their project.
The website for Arby’s, a restaurant which sells horrible roast-beef sandwiches, is developed and maintained by a team of well-paid professionals who do this as their day job. In a week, the development of the Arby’s website likely receives more developer resources than OpenSSL does in a year.