Securing Open Source Software - End-to-End, at Massive Scale, Together

Presented at Black Hat USA 2021, Aug. 5, 2021, 1:30 p.m. (40 minutes)

Open source software is a significant part of the core infrastructure in most enterprises in most sectors around the world and is foundational to the internet as we know it. Consequently, it represents a massive and profoundly valuable attack surface. Each year more lines of source code are created than ever before - and along with them, vulnerabilities. Consequently, we are minting vulnerabilities faster than our current techniques can discover and remediate them. We haven't yet seen the true potential of techniques for finding vulnerabilities at scale, and there are reasons to believe attackers may get there before we can.

The combination of distributed community-driven development, public-facing deobfuscated source code, inconsistent use of security reviews and tooling, and the prominence of many key FOSS projects as the core infrastructure of enterprises around the world and of the internet itself means that the unique model that has made open source software projects and development lifecycles so impactful is also the one that has historically made them difficult to secure. These are the problems we were aiming to solve with the creation of the Open Source Security Foundation.

In this presentation, we'll share key lessons learned in our experience coordinating the industry-wide remediation of some of the most impactful vulnerabilities ever disclosed (Heartbleed, Shellshock, Rowhammer, and BlueZ), present a threat model of the many unmitigated challenges to securing the open source ecosystem, share new data which illustrates just how fragile and interdependent the security of our core infrastructure can be, debate the challenges to securing OSS at scale, and speak unspoken truths of coordinated disclosure and where it can fail. We will also discuss research advances that are making it easier for adversaries to find and exploit vulnerabilities at scale, and offer guidance for how members of the security community can get involved and contribute meaningfully to improving the security of OSS - especially through coordinated industry-wide efforts.

This presentation will include the official launch announcement of the Open Source Security Foundation's (openssf.org) grant program for security research projects to help secure the open source ecosystem.

Presenters:

  • Christopher Robinson - Director of Security Communications, Intel
    Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect.

    CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/co-lead of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups.

    He enjoys hats, herding cats, and moonlit walks on the beach.
  • Jennifer Fernick - SVP & Global Head of Research, NCC Group
    Jennifer Fernick is a computer scientist and the SVP & Global Head of Research at NCC Group, a major information assurance firm, and serves on the Governing Board and Technical Advisory Committee of the Open Source Security Foundation. Most recently, she was Director, Information Security at a large global financial institution, after a tenure as their Senior Cryptographic Security Architect. She spent four years as a PhD researcher at the University of Waterloo, as a member of the Institute for Quantum Computing and the Centre for Applied Cryptographic Research, where her research focused on cryptography & quantum algorithms. Jennifer was a part of the 2018 cohort of the Berkman Assembly at Harvard University and MIT Media Lab, and was a 2019 Technologist Fellow at the National Security Institute at George Mason University. Her career has included designing and building satellite systems, working on bleeding edge cryptography research, building secure systems at massive scale, running incident response events for core pieces of critical infrastructure, and leading the development of global technology standards. She holds a Master of Engineering degree in Systems Design Engineering from the University of Waterloo, and an Honours Bachelor of Science in Cognitive Science & Artificial Intelligence from the University of Toronto. Jennifer spent multiple years as CFP Chair of Crypto & Privacy Village at DEF CON, and has served on the review boards of venues including USENIX CSET, USENIX Enigma, USENIX WOOT, multiple NeurIPS workshops, and IEICE Transactions Japan.
