Cheuk Ting Ho
Developer advocate / Data Scientist - support open-source and building the community.
What are the most common security pitfalls?
And how to avoid them
(OSS)
Hello I am Cheuk
-
Open-Source contributor
-
Organisers of community events
-
PSF director and fellow
- Community manager at OpenSSF
Have you heard of OWASP Top 10?
What about open-source?
Top 10 risks with OSS
drum rolls.....
#1 Known Vulnerabilities
#1 Known Vulnerabilities
- Update update update
- Get alerts - sign up for advisories
- Scan known vulnerabilities
#2 Compromise of Legitimate Package
#2 Compromise of Legitimate Package
- 2FA for repositories
- 2FA for everything!!!
- Some 2FA is better than others
#3 Name Confusion Attacks
#3 Name Confusion Attacks
- pip install panda or pip install pandas
- pip install sklearn or pip install sci-kit learn
- Do not pip install malware
- PyPI tries to avoid name-squatting
- But you should double check too
#4 Unmaintained Software
#4 Unmaintained Software
- Check source repo
- When is the last release?
- Check Scorecard score
- Any activities in the last 90 days?
- Don't use unmaintained software!!!
#5 Outdated Software
#5 Outdated Software
- Make sure to use the updated version
- Updated = always has the latest patch
- Outdated = open up vulnerabilities for attacks
- Check your dependencies
#6 Untracked Dependencies
#6 Untracked Dependencies
- Know if your dependencies are updated
- Know if your dependencies has no known vulnerabilities
- Pin and document your dependencies
- Use package/environment managers
#7 License Risk
#7 License Risk
- Not security risk but policy risk
- Check the license
- Is it on the OSI Approved Licenses list?
- Do not use if unlicensed or in doubt
#8 Immature Software
#8 Immature Software
- Check source repo
- Is it well maintained? (check #4)
- How many contributors are there?
- Check Scorecard score
#9 Unapproved Changes (mutable)
#9 Unapproved Changes
- Check source repo
- Do they push to the main branch?
- Any code reviews?
- Check Scorecard score
#10 Under/over-sized Dependency
#10 Under/over-sized Dependency
(It is easy mistake for Pythonistas 🤦♀️)
Track your dependencies (check #7)
And don't add depensency if you don't need it!
So many things to check... how do I know?
How can I communicate this with other part of the business/ organization that is not technical?
Use Scorecard!!!
- an automated tool that assesses a number of checks
- assigns each check a score of 0-10
- Check out the repo
- Or study the free course
- Part of the Linux Foundation
- Focus on Open Source Security
- Not for Profit
- Security newsletters and blog
- Free courses:
- Tools:
Follow OpenSSF!!!
Get this slidedeck:
slides.com/cheukting_ho/oss-security-pitfall
And stickers form me 😉
What are the most common security pitfalls
By Cheuk Ting Ho
