C3Subtitles: 34c3: Hardening Open Source Development
back

Hardening Open Source Development

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:30:28
Language
English
Abstract
<p>As authors it is our responsibility to build secure software and give each other the chance to verify and monitor our work.
Various flaws in development toolchains that allow code execution just by viewing or working in malicious repositories question the integrity of development environments and as such our projects as a whole.</p>
<p>This talk will discuss practical solutions for both technical and social challenges of collaboration.</p>

<p>Not only the software we build can be flawed, but also its dependencies, our tools or just the process of building it.<br/>
Vulnerabilities in shell-integrations, code linters, package managers or compilers can become dangerous vectors of malware infection for developers. Beyond that risk we see software shipped straight from the developers editor to a repository, through the build chain, across the CDN, referenced from the package registry, almost directly to the user. Since even our favorite package managers have demonstrated large scale malware delivery, there is reason to seriously question our ability to guarantee our own products safefy at all.</p>
<p>Deciding to distrust our own equipment and abilities leads us to find solutions that work based on collaboration to gain safety against failure or fraud. Cleanly defined merge and release processes with automated quality enforcement and distributed quorum based verification are essential mitigations that allow others to verify our work.
By sharing lessons learned from 15 years of building software in open-source and enterprise environments I want to raise awareness for security in the development process and present practical solutions.</p>

Talk ID
9249
Event:
34c3
Day
4
Room
Saal Dijkstra
Start
2:30 p.m.
Duration
00:30:00
Track
Resilience
Type of
lecture
Speaker
gronke
0.0% Checking done0.0%
0.0% Syncing done0.0%
22.8% Transcribing done22.8%
77.2% Nothing done yet77.2%

English: Transcribed until

Last revision: 11 months, 3 weeks ago