Maya Kaczorowski is a Product Manager at GitHub overseeing software supply chain security. She was previously in Security & Privacy at Google, focused on container security, and encryption at rest and encryption key management. Prior to Google, she was an Engagement Manager at McKinsey & Company, working in IT security for large enterprises. Outside of work, Maya is passionate about ice cream, puzzling, running, and reading nonfiction.
As a maintainer of your open-source project, what can, and should you be doing to improve your project's security?
Introduction to Maya, topic (Security for open-source maintainers), and presentation agenda - 0:00
Security issues in open source. Vulnerabilities move as quickly as great ideas or viruses - 0:55
Software dependencies are pervasive - 1:47
The impact of an open-source security attack is much greater, affecting all its dependents (software supply chain attack) - 2:24
Supply chain attack - 3:10
Walking through supply chain attack: event-stream - 5:45
Walking through supply chain attack: eslint - 7:47
Walking through supply chain attack: docker123321 - 9:31
Timeline of software supply chain attacks - 10:55
What your project can do: vulnerability management, security automation, auditing - 11:15
Vulnerability management - 11:55
Walking through a security policy (e.g. SECURITY.md) - 13:40
Security policy: What you might want to ask for (affected versions, reproducible steps, logs, and impact) - 14:49
Security policy: Safe Harbor (“no lasting damage”) - 15:28
Security policy: Tools and examples. Build a policy: HackerOne and securitytxt.org. Examples: Microsoft, Electron, GoHarbor. - 16:57
How to respond to vulnerability reports? Develop and release a fix - 17:28
Obtaining a Common Vulnerabilities and Exposures (CVE) identifier (reference: https://cve.mitre.org/cve) - 19:05
How to notify users (once you have a fix, tell your users to patch! Explain that it’s a security issue. Release it as part of your normal release process or out of band. Coordinate disclosure with partners/customers) - 20:39
Security Advisory - 21:45
What if a vulnerability is already public? (Take all the steps already outlined, with more urgency, and publicly. Be transparent and honest, and accept help from users) - 22:42
Test out your process! - 23:29
Security automation: Scan for vulns (tools including https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools, SAST: CodeQL, DAST: OWASP ZAP) - 24:13
Security automation: Update dependencies (apply patches for known security vulnerabilities, and regularly update dependencies to get latest versions) - 24:56
Security automation: Prevent vulns - “Shift left.” Catch issues earlier: in the IDE, in the PR, at build time, at deployment time, anytime before they’re exploited! - 25:41
Security automation: Enforce best practices - 26:06
Auditing: If you can, conduct an audit (full security review, data inputs/outputs and validation) - 26:16
What you can do as a maintainer: Keep your accounts safe (enable 2FA, keep SSH keys safe, don’t commit secrets in code) - 27:24
What’s different in security between a hobby open-source project and a commercial open-source project? If you have money, pay your security team, pay for an audit, and offer bug bounties. - 28:57
Summary: There are supply chain attacks. Your project needs a way to handle vulnerabilities. Your project can use automation to help avoid security issues. Protect your accounts with 2FA. Pay for security in a commercial project. - 29:54