Open Source Software Security and the Most Common CVEs

How secure is open source software? In this video, get an overview of open source software security, including how CVEs can be exploited, what CVSS scores mean, and the most common vulnerabilities, according to the Open Worldwide Application Security Project (OWASP).

This video is from the webinar, “Open Source Security and Compliance: What Organizations Need to Know” that took place on March 23, 2023. It features Javier Perez, Chief OSS Evangelist and Senior Director of Product Management at Perforce Software.

- - -

About OpenLogic by Perforce:

OpenLogic offers end-to-end enterprise support for organizations using open source software in their infrastructure. With support for over 400 open source packages, guaranteed SLAs, and direct access to highly experienced Enterprise Architects, OpenLogic customers benefit from 24x7 ticket-based technical support, professional services, and training.
Follow OpenLogic on LinkedIn, Twitter, and don’t forget to subscribe to our YouTube channel for more videos on all things open source!

- - -

Transcript (lightly edited for clarity):

When we talk about open source security, or software security in general, it’s about identifying vulnerabilities.

Remember, not every vulnerability will be exploited. An application can have multiple vulnerabilities, not one or two; it could be dozens of vulnerabilities because it's an extensive application with lots of code and lots of libraries and lots of components. An analogy would be if you are in your house or you're in your own apartment or your office and you leave the door wide open, that's a vulnerability. That doesn't mean that something bad is going to happen. You are just creating a vulnerability. You left the door wide open and you left. If someone comes and steals something, that's an exploit on your vulnerability. So the same thing applies to software and open source software.

There are many vulnerabilities out there. Really the main issue is if there's an exploit on that vulnerability, and in some cases, vulnerabilities have different ways they can be exploited. So it makes it even harder to address that. Not every part of the application might be affected by the vulnerability, either, and that's the other important point. So there's what is called the vulnerable method. Is the vulnerability really in just one part of the functionality, or is it in everything in the library?

A couple of other concepts – CVE stands for Common Vulnerability and Exposures. That's basically the ID of the vulnerability once it's been disclosed and it's available on the National Vulnerability Database (NVD). It's disclosed, it's public now. Now everyone knows based on that CVE.

Every vulnerability is also assigned a severity, from zero to 10, with 10 being assigned to the most critical vulnerabilities. That number is the CVSS score, which stands for Common Vulnerability Score System. So these are some of the terms when we talk about open source security.

There are many different types of vulnerabilities. OWASP is an open source organization that looks after our web applications, specifically focusing on security and vulnerabilities. They put out a list with the top 10 types of vulnerabilities in web applications, but really it applies to all software, not just open source software. They updated the list relatively recently, but as you see there on the slide, it includes things like injections, which could be a code injection. That's how you get malware into someone else's software. Cross-site scripting is another popular type of vulnerability which is on this top 10 list of vulnerability categories, as well as security at logging in and identification and identification-related failures.

I would recommend, if you're not familiar with the OWASP top 10, to take a look at the list and read the descriptions. Developers should learn about, and should be trained on, the OWASP top 10 vulnerabilities so they can avoid these types of vulnerabilities in their code. And that's a key part. One of the ways to address security, open source security, software in general, and application security is educating, enabling developers so they become more security-aware as opposed to just leaving that job to the security office, to the responsibility of the CISO, the Chief Information Security Officer. You want developers to be familiar with this top 10, so it's highly recommended to send it to your development teams, or if you're a developer, to go and learn more about this so you can avoid vulnerabilities in your code.
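The transcript names two OWASP Top 10 categories, injection and cross-site scripting, without showing what they look like in code. The following is an added example, not part of the webinar or of any OpenLogic material, that puts the vulnerable pattern beside its hardened form for both: a SQL query built by string concatenation versus a parameterised query, and an HTML page that embeds user input raw versus one that output-encodes it. It uses only the Python standard library (`sqlite3` and `html`); the `users` table and the inputs are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the webinar).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


# --- Injection: vulnerable pattern -------------------------------------------
def find_user_vulnerable(conn, name):
    """Concatenates user input into the SQL text.

    Whatever the caller passes becomes part of the statement itself, so input
    containing a quote can change the WHERE clause instead of being compared
    as a value. This is the injection category from the OWASP Top 10.
    """
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


# --- Injection: hardened form -------------------------------------------------
def find_user_safe(conn, name):
    """Binds user input as a parameter.

    The statement is fixed at development time; the driver passes the value
    separately, so it is only ever compared as data and cannot alter the query.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Cross-site scripting: vulnerable pattern --------------------------------
def render_greeting_vulnerable(name):
    """Embeds user input directly in HTML, so markup in the input is rendered
    and any script it carries runs in the viewer's browser."""
    return "<p>Hello, " + name + "</p>"


# --- Cross-site scripting: hardened form -------------------------------------
def render_greeting_safe(name):
    """Output-encodes the input for an HTML context.

    html.escape turns <, >, &, and quotes into entities, so the browser shows
    the characters as text instead of interpreting them as markup.
    """
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def contains_markup(rendered):
    """True if a rendered page still contains a raw tag; a quick check a
    reviewer or unit test can apply to template output."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    conn = make_db()
    # Constructed test inputs: a normal name and a classic injection probe.
    for name in ("alice", "x' OR '1'='1"):
        print("vulnerable:", repr(name), "->", find_user_vulnerable(conn, name))
        print("safe:      ", repr(name), "->", find_user_safe(conn, name))
    probe = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(probe))
    print(render_greeting_safe(probe))
```

Running the script shows the point the speaker makes about vulnerabilities versus exploits: the vulnerable lookup returns the expected row for a normal name and only misbehaves when someone supplies crafted input, while the parameterised version returns nothing for that input because it treats the whole string as a name to compare. The same holds for the greeting: the escaped output is harmless regardless of what the input contains, which is why output encoding, like parameterised queries, belongs in the code rather than in a later review step.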