Hardening Open Source Development - gronke
34c3 - Resilience - 12/30/2017
As authors it is our responsibility to build secure software and give each other the chance to verify and monitor our work.
Various flaws in development toolchains that allow code execution just by viewing or working in malicious repositories question the integrity of development environments and as such our projects as a whole.
This talk will discuss practical solutions for both technical and social challenges of collaboration.
Not only the software we build can be flawed, but also its dependencies, our tools or just the process of building it.
Vulnerabilities in shell-integrations, code linters, package managers or compilers can become dangerous vectors of malware infection for developers. Beyond that risk we see software shipped straight from the developers editor to a repository, through the build chain, across the CDN, referenced from the package registry, almost directly to the user. Since even our favorite package managers have demonstrated large scale malware delivery, there is reason to seriously question our ability to guarantee our own products safefy at all.
Deciding to distrust our own equipment and abilities leads us to find solutions that work based on collaboration to gain safety against failure or fraud. Cleanly defined merge and release processes with automated quality enforcement and distributed quorum based verification are essential mitigations that allow others to verify our work.
By sharing lessons learned from 15 years of building software in open-source and enterprise environments I want to raise awareness for security in the development process and present practical solutions.