Securing Open Source Software - End-to-end, At massive scale, Together

Open source software is a significant part of the core infrastructure in most enterprises in most sectors around the world and is foundational to the internet as we know it. Consequently, it represents a massive and profoundly valuable attack surface. Each year more lines of source code are created than ever before - and along with them, vulnerabilities. Consequently, we are minting vulnerabilities faster than our current techniques can discover and remediate them. We haven't yet seen the true potential of techniques for finding vulnerabilities at scale, and there are reasons to believe attackers may get there before we can...

In this presentation, we’ll share key lessons learned in our experience coordinating the industry-wide remediation of some of the most impactful vulnerabilities ever disclosed (Heartbleed, Shellshock, Rowhammer, and BlueZ), present a threat model of the many unmitigated challenges to securing the open source ecosystem, share new data which illustrates just how fragile and interdependent the security our core infrastructure can be, debate the challenges to securing OSS at scale, and speak unspoken truths of coordinated disclosure and where it can fail...

By: Jennifer Fernick & Christopher Robinson

Full Abstract & Presentation Materials: