COSS Community 🌱

Cover image for OCS 2020 Breakout: Maya Kaczorowski
Joseph (JJ) Jacks for COSS Community

Posted on • Updated on

OCS 2020 Breakout: Maya Kaczorowski

Maya Kaczorowski is a Product Manager at GitHub overseeing software supply chain security. She was previously in Security & Privacy at Google, focused on container security, and encryption at rest and encryption key management. Prior to Google, she was an Engagement Manager at McKinsey & Company, working in IT security for large enterprises. Outside of work, Maya is passionate about ice cream, puzzling, running, and reading nonfiction.

Relevant Links
LinkedIn - Twitter

As a maintainer of your open-source project, what can, and should you be doing to improve your project's security?

Introduction to Maya, topic (Security for open-source maintainers), and presentation agenda - 0:00

Security issues in open source. Vulnerabilities move as quickly as great ideas or viruses - 0:55

Software dependencies are pervasive - 1:47

The impact of an open-source security attack is much greater, affecting all its dependents (software supply chain attack) - 2:24

Supply chain attack - 3:10

Walking through supply chain attack: event-stream - 5:45

Walking through supply chain attack: eslint - 7:47

Walking through supply chain attack: docker123321 - 9:31

Timeline of software supply chain attacks - 10:55

What your project can do: vulnerability management, security automation, auditing - 11:15

Vulnerability management - 11:55

Walking through a security policy (e.g. SECURITY.md) - 13:40

Security policy: What you might want to ask for (affected versions, reproducible steps, logs, and impact) - 14:49

Security policy: Safe Harbor (“no lasting damage”) - 15:28

Security policy: Tools and examples. Build a policy: hackerone and securitytxt.org. Examples: Microsoft, Electron, GoHarbor. - 16:57

How to respond to vulnerability reports? Develop and release a fix - 17:28

Obtaining a Common Vulnerability & Enumeration (CVE) (reference: https://cve.mitre.org/cve) - 19:05

How to notify users (once you have a fix, tell your users to patch! Explain it’s a security issue. Make it part of your normal release process or out of band. Coordinated disclosure with partners/customers) - 20:39

Security Advisory - 21:45

What if a vulnerability is already public? (Take all the steps already outlined, with more urgency, and publicly. Be transparent and honest, and accept help from users) - 22:42

Test out your process! - 23:29

Security automation: Scan for vulns (tools including https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools, SAST: CodeQL, DAST: OWASP ZAP) - 24:13

Security automation: Update dependencies (apply patches for known security vulnerabilities, and regularly update dependencies to get latest versions) - 24:56

Security automation: Prevent vulns - “Shift left.” Catch issues earlier in IDE, PR, build time, deployment time, anytime before it’s exploited! - 25:41

Security automation: Enforce best practices - 26:06

Auditing: If you can, conduct an audit (full security review, data inputs/outputs and validation) - 26:16

What you can do as a maintainer: Keep your accounts safe (enable 2FA, keep SSH keys safe, don’t commit secrets in code) - 27:24

What’s different in security between hobby open-source project and commercial open-source project? If you have money, pay your security team and pay for an audit, and offer bug bounties. - 28:57

Summary: There are supply chain attacks. Your project needs a way to handle vulnerabilities. Your project can use automation to help avoid security issues. Protect your accounts with 2FA. Pay for security in a commercial project. - 29:54


Share your questions and comments below!

Top comments (0)