[Owasp-ireland] Upcoming webcast: Open to Trouble: The Risks of Open Source Code in Application Development

Eoin eoin.keary at owasp.org
Tue Dec 6 12:38:32 UTC 2011


Hey Chapter,

Sounds like a good event.....(and debate)....

I don't believe open source is of any higher risk than closed..... (Think
Linux, Struts, Spring)

1. There are more reviewers, users. Issues tend to be caught quicker (for
more popular projects).
2. The code can be reviewed by anyone.
3. The communities are generally larger.
4. The software foodchain is easier to track than closed source.

But there is a risk of

1. On-line dependencies in the build process - e.g. Maven downloading
dependencies in real time. ("cool" name is XBI - Cross Build Injection).
https://www.fortify.com/downloads2/public/fortify_attacking_the_build.pdf
(from 2007)

2. Not checking checksums (MD5 may be used but is weaker day by day)

Recently (a few months ago) I reviewed (closed) code for a client for
security (secure code review). It was developed by a third party. I found 4
issues, all loading obfuscated code from a jar dependency (renamed
ojdbc14.jar to look like an Oracle jar). One of which was a Mailer which
sent HTML form submission data to a "funny" range of email addresses. It
would not have worked, as ports 25, 465 etc. were blocked on the firewall in this
case (phew).

See you all on the 8th for beers!!!





On 6 December 2011 12:15, Fabio Cerullo <fcerullo at owasp.org> wrote:

> *Upcoming webcast: Open to Trouble: The Risks of Open Source Code in
> Application Development*
>
>
> If you’re developing your own software and applications or having that
> process outsourced, chances are good that open source code is being used.
> While there are benefits from using open source code, there is also
> significant downside. How does a security department manage the technical
> and operational risks, regulatory/compliance issues and security and brand
> concerns the use of open source code can expose an organization to? Join
> (ISC)2 and Black Duck Software for our final ThinkTank Roundtable of 2011
> on December 15, 2011 at 12:00 noon Eastern time as we examine these risks
> and issues
>
>
> Date: December 15, 2011 at 12:00 noon Eastern
> Registration here: http://www.brighttalk.com/webcast/5385/38563
>
>
> Any questions, please let me know.
>
>
> Thanks,
>
>
> Fabio
>
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>
>


-- 
Eoin Keary
OWASP Global Board Member (Vice Chair)

https://twitter.com/EoinKeary
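The two build-chain risks Eoin lists (dependencies fetched on-line at build time, and checksums that are either not checked or are MD5 only) reduce to one control: the build refuses any artifact it cannot match against a strong, pinned digest. The Python below is an added illustration of that check, not code from this thread or from Maven; the lockfile format, the jar bytes and the artifact names are all constructed for the example, and the check fails closed on an unpinned artifact, a weak (MD5) pin, or a mismatch.

```python
"""Pinned-checksum verification for build-time dependencies (added example).

The lockfile format ('name algo:hexdigest' per line), the artifact names and
the jar bytes are constructed for this illustration; they are not a real
Maven lockfile or real dependencies.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Digest algorithms the build accepts in a pin; MD5 and SHA-1 are deliberately absent.
ALLOWED_ALGOS = {"sha256", "sha512"}


class DependencyRejected(Exception):
    """Raised whenever an artifact must not enter the build."""


@dataclass(frozen=True)
class Pin:
    name: str
    algo: str      # lower-cased algorithm name, e.g. "sha256"
    digest: str    # lower-cased hex digest


def parse_lockfile(text):
    """Parse 'name algo:hexdigest' lines into {name: Pin}; blanks and '#' comments are skipped."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            name, spec = line.split()
            algo, digest = spec.split(":", 1)
        except ValueError:
            raise DependencyRejected(f"lockfile line {lineno}: malformed entry {raw!r}")
        pins[name] = Pin(name, algo.lower(), digest.lower())
    return pins


def verify_artifact(name, data, pins):
    """Return True only if `data` matches a strong pinned digest for `name`.

    Fails closed: no pin, a weak algorithm, or a mismatch all raise instead of
    letting the artifact through.
    """
    pin = pins.get(name)
    if pin is None:
        raise DependencyRejected(f"{name}: no pinned checksum in lockfile")
    if pin.algo not in ALLOWED_ALGOS:
        raise DependencyRejected(f"{name}: checksum algorithm {pin.algo} not accepted")
    actual = hashlib.new(pin.algo, data).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(actual, pin.digest):
        raise DependencyRejected(f"{name}: checksum mismatch (expected {pin.digest[:12]}..., got {actual[:12]}...)")
    return True


def check_all(artifacts, lockfile_text):
    """Verify every fetched artifact; return {name: 'ok' | 'rejected: <reason>'}."""
    pins = parse_lockfile(lockfile_text)
    results = {}
    for name, data in artifacts.items():
        try:
            verify_artifact(name, data, pins)
            results[name] = "ok"
        except DependencyRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


# --- constructed sample data -------------------------------------------------
GOOD_JAR = b"PK\x03\x04constructed-sample-jar-content"
TAMPERED_JAR = GOOD_JAR + b"\x00extra-injected-class"   # same name, different bytes
LEGACY_JAR = b"PK\x03\x04constructed-legacy-jar"

# A lockfile with one strong pin and one MD5-only pin (the latter must be refused).
LOCKFILE = f"""
# constructed lockfile for the example
example-lib-1.0.jar sha256:{hashlib.sha256(GOOD_JAR).hexdigest()}
legacy-util-0.9.jar md5:{hashlib.md5(LEGACY_JAR).hexdigest()}
"""

if __name__ == "__main__":
    fetched = {
        "example-lib-1.0.jar": TAMPERED_JAR,    # swapped in transit: rejected
        "legacy-util-0.9.jar": LEGACY_JAR,      # correct bytes, but MD5 pin: rejected
        "unpinned-2.3.jar": b"PK\x03\x04whatever",  # never pinned: rejected
    }
    for artifact, status in check_all(fetched, LOCKFILE).items():
        print(f"{artifact}: {status}")
```

In a real build the `artifacts` mapping would be the files in the dependency cache after the fetch, and the lockfile would be committed alongside the project so that the digests, not the download server, decide what goes into the build.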

