Session: 2 for 1: Transparent Vulnerability Management / Success Stories in Open Source: Third Party Security Audits

Transparent Vulnerability Management – Jeremy Stanley

In order to successfully develop software through open community collaboration, tools and workflows are carefully chosen with regard to transparency and visibility of activities. This makes it easier for people to see what’s going on within the project and get involved, but safety-critical activities like security vulnerability management require temporary secrecy, a fundamental conflict that presents unique challenges. With the recent rise of regulatory compliance requirements targeting open source software and communities, care and diligence in these activities are becoming more important than ever.

This presentation will cover the workflows and tooling choices OpenStack’s vulnerability managers have employed and refined for more than a decade, with specific goals of keeping secrets only when necessary and making sure the record of our activities becomes fully public as soon as possible. Our processes are openly documented, with templating and automation that streamlines these sensitive workflows, serving as a model for many other communities as well as forming the basis of popular industry specifications and standard practices over the years. Learn how it’s done, get involved in our community, or apply these principles within your own projects.

Success Stories in Open Source: Third Party Security Audits – Amir Montazery

Independent security audits are a proven and effective method for improving the security posture of open source projects. The Open Source Technology Improvement Fund, Inc (ostif.org) has been facilitating and managing security audits for critical open source projects since 2020, helping critical FOSS projects mature and improve. The lecture will share case studies of successful engagements, leaving the audience with insight, best practices, and guidance in the third-party security audit space.

Presenters: