What are the most common security pitfalls?

And how to avoid them

(OSS)

Hello I am Cheuk

  • Open-Source contributor


     
  • Organisers of community events


     
  • PSF director and fellow
     
  • Community manager at OpenSSF

Have you heard of OWASP Top 10?

What about open-source?

Top 10 risks with OSS

drum rolls.....

#1 Known Vulnerabilities

#1 Known Vulnerabilities

  • Update update update
  • Get alerts - sign up for advisories
  • Scan known vulnerabilities

#2 Compromise of Legitimate Package

#2 Compromise of Legitimate Package

  • 2FA for repositories 
  • 2FA for everything!!!
  • Some 2FA is better than others

#3 Name Confusion Attacks

#3 Name Confusion Attacks

  • pip install panda or pip install pandas
  • pip install sklearn or pip install sci-kit learn
  • Do not pip install malware
  • PyPI tries to avoid name-squatting
  • But you should double check too

#4 Unmaintained Software

#4 Unmaintained Software

  • Check source repo
  • When is the last release?
  • Check Scorecard score
  • Any activities in the last 90 days?
  • Don't use unmaintained software!!!

#5 Outdated Software

#5 Outdated Software

  • Make sure to use the updated version
  • Updated = always has the latest patch
  • Outdated = open up vulnerabilities for attacks
  • Check your dependencies

#6 Untracked Dependencies

#6 Untracked Dependencies

  • Know if your dependencies are updated
  • Know if your dependencies has no known vulnerabilities 
  • Pin and document your dependencies
  • Use package/environment managers

#7 License Risk

#7 License Risk

  • Not security risk but policy risk
  • Check the license
  • Is it on the OSI Approved Licenses list?
  • Do not use if unlicensed or in doubt

#8 Immature Software

#8 Immature Software

  • Check source repo
  • Is it well maintained? (check #4)
  • How many contributors are there?
  • Check Scorecard score

#9 Unapproved Changes (mutable)

#9 Unapproved Changes

  • Check source repo
  • Do they push to the main branch?
  • Any code reviews?
  • Check Scorecard score

#10 Under/over-sized Dependency

#10 Under/over-sized Dependency

(It is easy mistake for Pythonistas 🤦‍♀️)

Track your dependencies (check #7)

And don't add depensency if you don't need it!

So many things to check... how do I know?

How can I communicate this with other part of the business/ organization that is not technical?

Use Scorecard!!!

  • an automated tool that assesses a number of checks
  • assigns each check a score of 0-10
  • Check out the repo
  • Or study the free course

Follow OpenSSF!!!

Get this slidedeck:

slides.com/cheukting_ho/oss-security-pitfall

 

And stickers form me 😉

What are the most common security pitfalls

By Cheuk Ting Ho

What are the most common security pitfalls

  • 245