The code is open – but who is looking at it?

When new vulnerabilities turn up in decades-old code, it raises the question – if the code was open and easily accessible, how come no one saw them until now?

This is one of the fallacies of open source – assuming that simply because code is open and freely available, it is inherently secure, because surely someone knowledgeable about programming has checked it. This has been proven wrong time and again over the years. Vulnerabilities introduced in some of curl’s earliest commits, from over 20 years ago, are still being disclosed today, and this is a direct consequence of the mindset described above.

The thing is, someone may well have been looking – and then found the bugs and kept them to themselves. There is a whole underground economy built around this issue. Vulnerability hoarding is happening today: threat groups actively pursue newly discovered but as yet undisclosed vulnerabilities and are ready to pay handsomely for them – in fact, more than most bug bounty programs pay. This makes it especially tricky to eliminate, as the financial motivator is very much present.

This talk will address the impact on the Enterprise Open Source space, how companies can implement security measures in their automation pipelines to mitigate the risk, how the mindset should change – from blind trust to a trust-but-verify approach whenever new open source code and applications are deployed – and how to respond as fast as possible to ensure security and system integrity.

Joao Correia

Joao Correia is a Technical Evangelist at TuxCare with a long background in System Administration, where he learned the intricacies of keeping enterprise stakeholders happy and systems protected. He is co-host of the Enterprise Linux Security podcast, where he shares his views on security, open source and IT best practices, and writes for the TuxCare blog at tuxcare.com, where he covers at length the risks and benefits of open source solutions for secure Enterprise IT operations.