Episode 9 – Security in Open Source
What we’ve been doing
Chris
- Vacation
- Idea refinement & generation
John
- Finding a job
- Freelancing via Networking
Security in Open Source
- White Hat vs Black Hat
- Accidental hackers
- Stumbling upon a security issue because of another bug
- All comes down to one thing: Responsible Disclosure
- Don’t
- Post it publicly
- Tweet it from a public account
- Tell a bunch of friends
- Open a public GitHub issue
- Do
- Report it privately, usually via an email address
- Give examples and proof of concept
- Be willing to work with the team
- Ask even if you think it’s “dumb”
- Places to provide disclosure
- security@ email address
- HackerOne
- Contact Form
- If it’s your project
- Have a policy in place
- How do you handle the fix commits?
- Do they get an issue?
- Do you log them for historical reference (privately)
- Announcement schedule
- How do you rate its seriousness?
- Set up an email address (security@)
- Examples
- St Jude Pacemakers
- WordPress 4.6.1
- RevSlider
- Undisclosed Company
How to know if your site is vulnerable?
Links to articles mentioned
- WordPress docs on ‘Responsible Disclosure’ – https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/
- OWASP Rating Methods – https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_4:_Determining_the_Severity_of_the_Risk
- MedSec Holdings & Muddy Waters on St. Jude pacemakers – http://fortune.com/2016/08/31/hacking-st-jude-pacemakers-flawed/
- WordPress 4.6.1 Security Advisory – https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
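The "how do you rate its seriousness?" question above is what the linked OWASP Risk Rating Methodology answers. Below is a worked version of that method as code, added here as an illustration; it is not code from the podcast, from OWASP or from any of the projects mentioned. The averaging of eight likelihood and eight impact factors, the 3/6 cut-offs for LOW/MEDIUM/HIGH, and the severity matrix follow the linked OWASP page; the factor names and the sample scores for a hypothetical stored-XSS report are assumptions made for the example.

```python
"""Worked OWASP Risk Rating, as described in the linked methodology.

Likelihood and impact are each the average of eight factors scored 0 to 9.
Each average is bucketed as LOW (< 3), MEDIUM (< 6) or HIGH (>= 6), and the
two buckets are combined through the OWASP severity matrix.
"""

# Threat-agent factors (first four) and vulnerability factors (last four).
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# Technical-impact factors (first four) and business-impact factors (last four).
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Outer key: impact level; inner key: likelihood level.
SEVERITY_MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def score(factors, names):
    """Average the named factors, rejecting missing or out-of-range values."""
    values = []
    for name in names:
        if name not in factors:
            raise ValueError(f"missing factor: {name}")
        v = factors[name]
        if isinstance(v, bool) or not isinstance(v, int) or not 0 <= v <= 9:
            raise ValueError(f"{name} must be an integer in 0..9, got {v!r}")
        values.append(v)
    return sum(values) / len(values)


def level(value):
    """Bucket a 0-9 average into OWASP's three levels."""
    if value < 3:
        return "LOW"
    if value < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood_factors, impact_factors):
    """Return (likelihood average, impact average, overall severity)."""
    likelihood = score(likelihood_factors, LIKELIHOOD_FACTORS)
    impact = score(impact_factors, IMPACT_FACTORS)
    return likelihood, impact, SEVERITY_MATRIX[level(impact)][level(likelihood)]


# Constructed sample report (hypothetical, not one of the episode's examples):
# stored XSS reachable by anonymous visitors through a site's comment widget.
SAMPLE_LIKELIHOOD = {
    "skill_level": 6,          # network and programming skills
    "motive": 4,               # possible reward
    "opportunity": 9,          # no special access required
    "size": 9,                 # anonymous internet users
    "ease_of_discovery": 7,    # easy
    "ease_of_exploit": 5,      # easy
    "awareness": 4,            # hidden
    "intrusion_detection": 8,  # logged without review
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 6,  # minimal critical data (session cookies)
    "loss_of_integrity": 5,        # extensive slightly corrupt data
    "loss_of_availability": 1,     # minimal secondary services interrupted
    "loss_of_accountability": 7,   # possibly traceable
    "financial_damage": 3,         # minor effect on annual profit
    "reputation_damage": 4,        # loss of major accounts
    "non_compliance": 2,           # minor violation
    "privacy_violation": 5,        # hundreds of people
}


def rate_sample():
    """Rate the constructed sample report."""
    return rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)


if __name__ == "__main__":
    likelihood, impact, severity = rate_sample()
    print(f"likelihood {likelihood:.3f} ({level(likelihood)}), "
          f"impact {impact:.3f} ({level(impact)}), severity: {severity}")
```

For the sample the likelihood average is 6.5 (HIGH) and the impact average is 4.125 (MEDIUM), which the matrix rates as High. The useful part for a maintainer is that the same scoring sheet can be filled in for every report and logged privately alongside the fix, so the severity that drives the announcement schedule is reproducible rather than a gut call.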
Security Reading
Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker
The Art of Deception: Controlling the Human Element of Security
The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
Reading
- Chris
- John
Thanks for listening to episode 9 of the RFCPodcast. Be sure to subscribe at rfcpodcast.com/subscribe and leave us a review on iTunes; they really do help us out. If you have feedback or are interested in sponsoring an episode of the RFCPodcast, be sure to visit rfcpodcast.com/input.