I was lucky enough to be selected to present on bundled third-party software security at OSCON 2012 in Portland. This was a great opportunity for me to speak more openly about a topic that I quite enjoy and that consumes a large portion of my day job.
In that session I speak to some of the most common challenges with managing the product, application or service impact of bundled third-party software (TPS) security. I see those challenges as:
- Knowing Where TPS is Used
- Understanding Dependencies
- Inconsistent Package Naming
- Unmanageable Selection Processes
- Learning of Vulnerabilities
- Inconsistent Fixes
- External Development Partners
I also speak to potential remedies such as standardization and bug database instrumentation. We’ve posted the slides from this session online on slideshare.net.
Many thanks to my friends on the Cisco Security Marketing team for posting them.
Check it out and let me know what you think!
The Gentoo Security Team has updated the Security Padawans process and status document with one relatively minor change. New padawans are now explicitly asked to use IRC for questions whenever possible instead of pinging individual team members.
This is in part because the security team has seen a huge surge in new recruits–which is of course a very good problem to have–and secondarily it benefits everyone to see questions answered in the open.
So if you’re a padawan, interested in becoming one, or just want to get a better understanding of how we work, drop into #gentoo-security on freenode.
When someone volunteers on the security team, the first role they are asked to fill is that of a “Scout.” In this role, they primarily work to learn of newly disclosed vulnerabilities, determine if it applies to Gentoo, verify that a bug does not already exist, and then open bugs as appropriate. I wish I could say that this job is out-of-this-world-fantastic-fun. But that just isn’t always the case. At the same time I think that done right, it doesn’t have to be that bad.
So what does “done right” even mean? I am not sure. I can only tell you what “right” means for me, and some of the things I’ve done in recent months to learn of new issues quickly without being buried beneath an unactionable mound of email. I should mention too that I don’t think this is a conclusive list that will work wonders for everyone. Certainly not. So if you’re doing something similar that works well for you, please do let me know about it.
So all that said, let’s dive into it…
Continue reading Gentoo Security Team: Scouting Tips