Wednesday, October 15, 2008

Securing Open Source (DHS SwA Forum)

I had the privilege of making a presentation on "Securing Open Source" at the DHS SwA Forum at NIST. The forum was cosponsored by DHS, DOD and NIST.

The presentation is available here: Securing Open Source

Additionally, DHS has hosted the recording here:
http://hosted.mediasite.com/hosted5/Viewer/?peid=959ec8119b5b446d9593fd06e3e1cbab
Salient points proposed in the presentation:
a) Choose open source projects backed by at least one professional company with a strong reputation that has a stake in the project's success.
b) Choose platforms based on open source projects rather than picking and choosing arbitrary projects from the web.
c) Open source projects need to work collaboratively with the entities (NIST, MITRE, etc.) that maintain the public vulnerability databases.
d) OSS projects need to have an email address or an online contact form for reporting security vulnerabilities confidentially. Remember, for JBoss projects, we have "security@jboss.org".
